[Openswan Users] Local router unable to send packets to remote LAN

lists lists at higgers.me.uk
Thu Dec 20 08:27:02 EST 2007

Hi All,

I've recently configured an IPsec VPN between my OpenSUSE 10.2 router
firewall running shorewall 3.4.4 and a friend's Draytek Vigor 2930 ADSL
modem/router/firewall. All is good other than my router can't ping
anything on my friend's (remote) LAN, however machines on my (local) LAN
behind the local firewall can ping machines on the remote LAN without

The routing table on the router looks like this:
       dev eth2 proto kernel scope link src
       dev eth2 proto kernel scope link src
       via dev eth2
       dev eth0 proto kernel scope link src
       dev eth0 scope link
       dev lo scope link
      default via dev eth2

Where:
       is my public IP
       is my ISP router at the other end of my ADSL line
       is the local LAN
       is the remote LAN
eth0 is the internal interface
eth2 is the external interface

If I "ping -I eth0" to force ping requests via the local
interface I get responses from the remote address. This also works for
any other live IP on the remote LAN. This proves that it's technically
possible to access the remote LAN from my router.

If I delete the route to the remote LAN via eth2 (external NIC) and add
a new one via the internal NIC then no machines on my local LAN can
access the remote LAN. It basically screws the VPN.

I use shorewall for firewall/routing duties and have tried disabling it
but it made no difference.

I also added what I think are the correct entries to
/etc/racoon/setkey.conf but that didn't make any difference.

It seems like I need to force all packets destined for the remote LAN
that originate on the local router to go via the internal NIC instead of
going via the external NIC. Is that possible? And if so, how?

Also, would anyone happen to know if this is normal behaviour? I've
configured IPsec VPNs (using FreeS/WAN) under 2.4 in the past and never
had this problem. However, under 2.4 I'm sure the routing table was
different because there was an ipsec0 interface involved, thus simplifying
the routing table. Well, it might not have simplified it per se, but it
made it a lot easier to direct packets for the remote LAN via an
interface designed specifically to pick up and push packets for the
remote LAN.

What am I missing?

Kind regards,

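An added example, not part of the original post or a reply to it. The behaviour described above is what the 2.6 native IPsec stack (NETKEY, no ipsec0 device) does: the tunnel is selected by the kernel's security policy, whose selector is local LAN -> remote LAN, and a packet the router generates itself takes its source address from the route, which here is the public address on eth2. That source does not match the selector, so the packet bypasses the tunnel and leaves in clear (harmless for a private destination, but a plaintext leak if the remote subnet were routable), whereas "ping -I eth0" sets a LAN source and matches. The script below checks what source address the kernel would pick for the remote LAN from the output of `ip route get` (a real iproute2 command) and builds the `ip route replace ... src <LAN address>` command that pins it, which is the usual fix; Openswan's `leftsourceip=` option achieves the same thing from ipsec.conf. All addresses are constructed (the post's own addresses were lost in extraction), and the sample `ip route get` lines are constructed to mirror the routing table in the post.

```shell
#!/bin/sh
# Constructed sample addressing (the original post's addresses are missing):
# local LAN 192.168.1.0/24 behind eth0 (router address 192.168.1.1),
# remote LAN 192.168.2.0/24, public side 203.0.113.10 via ISP gateway 203.0.113.1.
LOCAL_LAN="192.168.1.0/24"
REMOTE_LAN="192.168.2.0/24"
LAN_IP="192.168.1.1"

# Constructed output of `ip route get 192.168.2.5` on the router as described:
# the route leaves via eth2, so the kernel picks the public address as source.
BAD_ROUTE="192.168.2.5 via 203.0.113.1 dev eth2 src 203.0.113.10"
# The same query after the route has been given an explicit src option.
GOOD_ROUTE="192.168.2.5 via 203.0.113.1 dev eth2 src 192.168.1.1"

# ip4_to_int A.B.C.D -> the address as a 32-bit integer (printed with %.0f so
# mawk does not truncate values above 2^31).
ip4_to_int() {
    echo "$1" | awk -F. '{ printf "%.0f\n", ($1*16777216)+($2*65536)+($3*256)+$4 }'
}

# in_subnet ADDR CIDR -> exit 0 if ADDR lies inside CIDR (prefix length 1..32).
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( 4294967296 - (1 << (32 - bits)) ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# route_src ROUTE_LINE -> the "src" address in an `ip route get` line, or "".
route_src() {
    echo "$1" | awk 'NR==1 { for (i = 1; i < NF; i++) if ($i == "src") print $(i+1) }'
}

# check_route_src ROUTE_LINE LOCAL_CIDR -> exit 0 when locally generated traffic
# would carry a source inside LOCAL_CIDR, i.e. match the tunnel's policy selector.
check_route_src() {
    src=$(route_src "$1")
    [ -n "$src" ] && in_subnet "$src" "$2"
}

# fix_command ROUTE_LINE REMOTE_CIDR LAN_IP -> the iproute2 command that keeps the
# existing gateway and device but pins the source address to LAN_IP.
fix_command() {
    echo "$1" | awk -v rem="$2" -v ip="$3" 'NR==1 {
        gw = ""; dev = ""
        for (i = 1; i < NF; i++) { if ($i == "via") gw = $(i+1); if ($i == "dev") dev = $(i+1) }
        cmd = "ip route replace " rem
        if (gw != "") cmd = cmd " via " gw
        print cmd " dev " dev " src " ip
    }'
}

main() {
    if check_route_src "$BAD_ROUTE" "$LOCAL_LAN"; then
        echo "source $(route_src "$BAD_ROUTE") is inside $LOCAL_LAN: traffic matches the tunnel policy"
    else
        echo "source $(route_src "$BAD_ROUTE") is outside $LOCAL_LAN: router-originated packets bypass the tunnel"
        echo "fix: $(fix_command "$BAD_ROUTE" "$REMOTE_LAN" "$LAN_IP")"
    fi
}
main
```

On a live router replace the constructed BAD_ROUTE with `$(ip route get <remote host>)`; after applying the printed `ip route replace` (or setting `leftsourceip=` in the connection and restarting it), re-run the check and a plain `ping` from the router should match the policy without `-I eth0`.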