[Openswan Users] Interop with Linksys: SA established, but no traffic coming through

Paul Wouters paul at xelerance.com
Wed Dec 5 14:20:07 EST 2007


On Tue, 4 Dec 2007, Michael Tinsay wrote:

> > Do a traceroute. It's most likely a routing loop.
>
> Traceroute is showing the packets are not being sent to my VPN router, but to my other router.  Does this mean it is not being sent through the tunnel?

But is it looping? Also, only now do I understand you can traceroute not
from the ipsec gateway but from the subnet behind it. If your subnet does
not know about the remote subnet needing a separate route (via the vpn server
instead of the default route) then packets will never go the right way.

A hackish solution is to have your subnet's default gateway use a host
route for the remote subnet to your ipsec gateway. That might make the packets
travel the LAN twice, so ideally you add that route to the host machines in
the subnet itself.

> NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!

You should fix those in /etc/sysctl.conf

> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"

You can ignore this.

> Also, I tried putting the servers' subnet (222.222.222.0/24) into /etc/ipsec.d/policies/private to check if that will force tunneling.  Sadly, it did not change anything.

Those policies are for Opportunistic Encryption only. Do not use them
otherwise.

Paul

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
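The two fixes Paul points at (disabling the NETKEY redirect sysctls that "ipsec verify" flagged, and giving LAN hosts a route for the remote subnet via the IPsec gateway) as an added shell example that is not part of the thread or of Openswan itself. The function names, the PROC_ROOT override and the sample addresses are assumptions made for this example.

```shell
# Added example (not from the thread). PROC_ROOT is an assumed override so the
# audit can run against a constructed tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# /etc/sysctl.conf lines: 'all' covers existing interfaces, 'default' covers
# interfaces created later; apply with 'sysctl -p'.
sysctl_fix_lines() {
    cat <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# check_redirects KEY: 0 if KEY (send_redirects or accept_redirects) is 0 on
# every interface under PROC_ROOT, else prints offenders and returns 1.
# Mirrors the two tests "ipsec verify" reported as FAILED.
check_redirects() {
    key="$1"
    rc=0
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/"$key"; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "$(basename "$(dirname "$f")"): $key=$val"
            rc=1
        fi
    done
    return "$rc"
}

# route_cmd REMOTE_SUBNET IPSEC_GW: host route to add on each LAN host (or,
# less ideally, on the LAN's default gateway) so traffic for the remote
# subnet goes to the IPsec gateway rather than the default router.
route_cmd() {
    printf 'ip route add %s via %s\n' "$1" "$2"
}

# Stand-alone use: sh redirects.sh audit
if [ "${1:-}" = "audit" ]; then
    if check_redirects send_redirects && check_redirects accept_redirects; then
        echo "ICMP redirect sysctls are already disabled"
    else
        echo "Add to /etc/sysctl.conf, then run 'sysctl -p':"
        sysctl_fix_lines
    fi
fi
```

Run the audit as root on the IPsec gateway; the route command is meant for the hosts on the LAN behind it, with the IPsec gateway's LAN address as the "via" argument.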

