[Openswan Users] openSWAN to Cisco IOS

Christian Brechbühler brechbuehler at gmail.com
Fri Nov 24 15:45:53 EST 2006

On 11/15/06, Peter McGill <petermcgill at goco.net> wrote:
> Christian Brechbühler Wrote:
> > On a hunch I changed leftsubnet to -- and BINGO! IPsec
> SA established.  So Openswan seems happy, although
> > no packets go through.  I suspect now it's a routing/firewalling issue.

Not sure what happened there, because now we changed it back to, and it still works.

With leftsubnet, only that ip address on your end will be
> able to use the vpn tunnel.
> If you want your whole subnet to be able to use it, you must change
> leftsubnet to and have the cisco admin change
> your subnet on his end as well.

Well our subnet is, so that doesn't match anyway.  The Cisco
side instructed us to source-network-addres-translate all packets destinated
to them, which we do with this rule:

-A POSTROUTING -d -o eth1 -j SNAT --to-source


Anyway, the problem persists that we cannot get any traffic through the
tunnel.  When I tracepath from the VPN gateway to the "NYC" machine, packets
seem to go out to the public internet, not through the tunnel.

For comparison, I'm running an unrelated ipsec tunnel from an outside box
"lithium" running openswan 2.4.4 to our gateway (mentioned above), which
also runs openswan 2.4.4.  When I ping or traceroute or ssh from "lithium",
all is fine.  In other words, the response packets find their way back to
lithium.  But when the VPN gateway initiates any activity, the packets seem
to get lost.  Tcpdump doesn't show anything.

BTW, VPN gateway runs 2.6.11-gentoo-r5 (lithium has 2.6.9-1.11_FC2).

Any help to getting packets that start a connection find their way into the
appropriate tunnel would be greatly appreciated.  Or suggestions for
tcpdump-ing outgoing packets.

What other info would you need?  Output of route?  iptables?  ipsec.conf?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20061124/332f59c9/attachment-0001.html 

More information about the Users mailing list