[Openswan Users] Interop with Linksys: SA established, but no traffic coming through

Michael Tinsay tinsami1 at yahoo.com
Wed Dec 5 22:03:30 EST 2007



----- Original Message ----
> From: Paul Wouters <paul at xelerance.com>
> To: Michael Tinsay <tinsami1 at yahoo.com>
> Cc: users at openswan.org
> Sent: Thursday, December 6, 2007 3:20:07 AM
> Subject: Re: [Openswan Users] Interop with Linksys: SA established, but no traffic coming through
> 
> On Tue, 4 Dec 2007, Michael Tinsay wrote:
> 
> > Traceroute is showing the packets are not being sent to my VPN
> > router, but to my other router.  Does this mean it is not being sent
> > through the tunnel?
> 
> But is it looping?

In the traceroute, the last hop keeps repeating.  If that's a loop, then yes.

If I do a traceroute to the Internet-facing IP of the VPN router, the packets go through 5 or 6 routers before reaching the destination.

I was expecting something shorter for a traceroute going through a tunnel -- more along the line of two hosts only: one for the VPN router and then to the destination.  What I'm getting is almost the same hosts from the above paragraph and the last host keeps repeating.  So I'm thinking that maybe the packet is not being tunneled properly.


> Also, only now do I understand you can traceroute not
> from the ipsec gateway but from the subnet behind it. If your
> subnet does not know about the remote subnet needing a separate
> route (via the vpn server instead of the default route) then
> packets will never go the right way.

I was doing the traceroute from the roadwarrior PC.  As per the routing table, packets for subnet 222.222.222.0/4 go through ppp0.  And the SPD says to encrypt the packet and send it through the tunnel end at 111.111.111.111 -- but I don't think this is happening, or at least the send to 111.111.111.111 part.  Is there a way to find out if this is happening or not?


> A hackish solution is to have your subnet's default gateway use a host
> route for the remote subnet to your ipsec gateway. That might make
> the packets travel the LAN twice, so ideally you add that route to the
> host machines in the subnet itself.

I don't get this.

> > Also, I tried putting the servers' subnet (222.222.222.0/24) into
> > /etc/ipsec.d/policies/private to check if that will force tunneling.
> > Sadly, it did not change anything.
> 
> Those policies are for Opportunistic Encryption only. Do not use them
> otherwise.

I see.



--- mike t.
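One way to answer the question raised above ("is the packet actually being sent to 111.111.111.111 through the tunnel?") on a road warrior running the NETKEY stack, as an added example that is not part of this thread and not Openswan's own tooling: read the outbound SPD entry for the remote subnet from `ip xfrm policy`, then send a few pings into that subnet and see whether the ESP packet counter for the SA to the tunnel endpoint in `ip -s xfrm state` moves. The addresses follow the thread (remote subnet 222.222.222.0/24, tunnel end 111.111.111.111); the road-warrior address 10.0.0.2 on ppp0 and the sample command outputs embedded in the script are constructed assumptions so the parsers can run without root.

```shell
#!/bin/sh
# Added example (not from the thread): verify whether traffic to a remote
# subnet actually leaves through an IPsec SA on a NETKEY (2.6 kernel xfrm)
# host, using the SPD and ESP packet counters exposed by `ip xfrm`.
# Remote subnet 222.222.222.0/24 and tunnel end 111.111.111.111 come from
# the thread; the road-warrior address 10.0.0.2 is an assumption.

# Print the tunnel endpoint of the outbound SPD entry for subnet $1,
# reading `ip xfrm policy` output on stdin. Prints nothing if there is
# no "dir out" policy whose dst selector is exactly that subnet.
spd_tunnel_peer() {
    awk -v net="$1" '
        $1 == "src" { in_pol = ($3 == "dst" && $4 == net); dir = "" }
        in_pol && $1 == "dir" { dir = $2 }
        in_pol && dir == "out" && $1 == "tmpl" && $4 == "dst" { print $5; exit }
    '
}

# Sum the "(packets)" counter of every SA whose dst is peer $1, reading
# `ip -s xfrm state` output on stdin; prints 0 if no such SA exists.
# Summing covers the case where a rekey has left two SAs to one peer.
esp_out_packets() {
    awk -v peer="$1" '
        $1 == "src" { in_sa = ($3 == "dst" && $4 == peer) }
        in_sa && /\(packets\)/ && $1 != "limit:" {
            n = $0
            sub(/.*, */, "", n)            # "  2604(bytes), 31(packets)" -> "31(packets)"
            sub(/\(packets\).*/, "", n)    # -> "31"
            total += n
        }
        END { print total + 0 }
    '
}

# Live check (needs root): confirm the SPD covers the subnet, then ping a
# host in it and see whether the ESP counter toward the peer moved.
check_tunnel() {
    net=$1; host=$2
    peer=$(ip xfrm policy | spd_tunnel_peer "$net")
    if [ -z "$peer" ]; then
        echo "no outbound SPD entry for $net: packets follow the plain routing table"
        return 1
    fi
    before=$(ip -s xfrm state | esp_out_packets "$peer")
    ping -c 3 -W 1 "$host" >/dev/null 2>&1 || true   # replies may be filtered; the counter still tells
    after=$(ip -s xfrm state | esp_out_packets "$peer")
    sent=$((after - before))
    echo "SPD tunnels $net to $peer; ESP packets sent to $peer during test: $sent"
    [ "$sent" -gt 0 ]
}

# Constructed sample in the format `ip xfrm policy` prints, so the parser
# can be exercised without root or a live tunnel.
SAMPLE_POLICY='src 10.0.0.2/32 dst 222.222.222.0/24
        dir out priority 2344
        tmpl src 10.0.0.2 dst 111.111.111.111
                proto esp reqid 16385 mode tunnel
src 222.222.222.0/24 dst 10.0.0.2/32
        dir in priority 2344
        tmpl src 111.111.111.111 dst 10.0.0.2
                proto esp reqid 16385 mode tunnel'

# Constructed sample in the format of `ip -s xfrm state` (lifetime blocks
# abbreviated); the "limit:" line also contains "(packets)" and is skipped.
SAMPLE_STATE='src 10.0.0.2 dst 111.111.111.111
        proto esp spi 0x0c0ffee1 reqid 16385 mode tunnel
        lifetime config:
          limit: soft (INF)(packets), hard (INF)(packets)
        lifetime current:
          2604(bytes), 31(packets)
src 111.111.111.111 dst 10.0.0.2
        proto esp spi 0x0c0ffee2 reqid 16385 mode tunnel
        lifetime config:
          limit: soft (INF)(packets), hard (INF)(packets)
        lifetime current:
          1872(bytes), 22(packets)'

if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_tunnel 222.222.222.0/24 222.222.222.10   # any host in the remote subnet
else
    printf '%s\n' "$SAMPLE_POLICY" | spd_tunnel_peer 222.222.222.0/24   # 111.111.111.111
    printf '%s\n' "$SAMPLE_STATE" | esp_out_packets 111.111.111.111     # 31
fi
```

Run it as root with `RUN_LIVE=1` on the road warrior to test the real tunnel; without that variable it only exercises the parsers on the constructed samples. The quickest manual equivalent is `tcpdump -ni ppp0 esp` in one terminal while pinging a host in 222.222.222.0/24 from another: ESP packets to 111.111.111.111 mean the tunnel is carrying the traffic, while plaintext ICMP leaving ppp0 means the packets are bypassing the SPD, which is consistent with a traceroute that shows ordinary Internet hops instead of a single hop to the VPN router. This only applies to NETKEY; with the KLIPS stack the kernel xfrm tables are not used and `ipsec eroute` lists the equivalent policies instead.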



