[Openswan Users] OpenSWAN on OpenWRT not working
Nels Lindquist
nlindq at maei.ca
Wed Feb 14 17:31:13 EST 2007
Hi, Paul.
Paul Wouters wrote:
> On Tue, 13 Feb 2007, Nels Lindquist wrote:
<snip>
>> I tried eliminating the firewall as a potential blocker by flushing all
>> the rules, to no avail. ip_forward is set.
>
> I always remove all the DROP rules from their configs. I don't need a
> firewall :P
I'm not sure what's going on. It sure *looks* like the firewall is
interfering, but if I remove the firewall entirely, how can it be?
> Did you change the MASQ rule to exclude MASQ'ing ipsec destined packets?
>
> openwrt comes with:
> iptables -t nat -A POSTROUTING -j postrouting_rule
> iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE -s 192.168.1.0/24
> which will kill your tunnels. Do something like:
> iptables -t nat -A POSTROUTING -j postrouting_rule
> iptables -t nat -A POSTROUTING -o $WAN -j RETURN -s 192.168.1.0/24 -d remote_lan1/24
> iptables -t nat -A POSTROUTING -o $WAN -j RETURN -s 192.168.1.0/24 -d remote_lan2/24
> iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE -s 192.168.1.0/24
I'm a bit confused as to why this should make a difference. Aren't
outbound IPSEC packets going out over ipsec0, not vlan1? I tried adding
these rules anyway, but it made no difference. :-(
>> Has anyone gotten this configuration to work?
>
> Yes:
>
> root at OpenWrt:~# ipsec eroute
> 167206 193.110.157.16/28 -> 0.0.0.0/0 => tun0x100a at 194.109.7.250
> 201 193.110.157.16/28 -> 10.112.44.0/24 => tun0x101a at 24.36.180.146
> 0 193.110.157.16/28 -> 192.168.88.0/24 => tun0x101c at 74.101.114.221
>
>> I'm hoping I'm missing something silly and obvious. I've attached a barf.
>
> Let's have a look:
>
> Unable to find KLIPS messages
>
> so since there is no proper syslog, add to config setup in ipsec.conf:
>
> plutostderrlog=/tmp/pluto.log
I'll try this and see if anything shows up.
> then I see:
>
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 192.168.53.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
> 192.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
> 192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan1
> 192.168.60.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
> 0.0.0.0 192.168.60.1 0.0.0.0 UG 0 0 0 vlan1
>
> I noticed too that a false route is inserted. This caused packets to loop and
> get dropped by klips. try: route del 192.168.60.0 dev ipsec0
route del couldn't seem to remove it, even with a "route del net
192.168.60.0 netmask 255.255.255.0 dev ipsec0". I was able to use "ip r
del" though. I'm still not seeing any packets being sent out, though.
> Other than that, I saw no problems in the barf.
----
Nels Lindquist
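The rule ordering Paul describes above (RETURN rules for the tunnel destinations placed before the MASQUERADE rule) is easy to get wrong, and a mis-ordered chain fails silently. The following is an added example, not code from the thread or from Openswan/OpenWrt: a small first-match simulation of the nat POSTROUTING chain that shows the verdict each ordering produces, plus a check for RETURN rules that can never be reached. The interface name vlan1, the LAN prefix 192.168.1.0/24 and the sample addresses are constructed; the two remote prefixes are borrowed from Paul's eroute output purely as stand-ins for remote_lan1 and remote_lan2. It generalises slightly beyond the thread by accepting any number of remote LANs.

```python
# Added example (not from the mailing-list thread): simulate first-match
# traversal of the iptables nat POSTROUTING chain to show why the RETURN
# rules must come before the MASQUERADE rule. All names/prefixes below are
# constructed placeholders, not a real OpenWrt configuration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    target: str                 # "RETURN" or "MASQUERADE"
    out_iface: str              # -o <iface>
    src: str                    # -s <prefix>
    dst: Optional[str] = None   # -d <prefix>, None means any destination

    def matches(self, out_iface: str, src: str, dst: str) -> bool:
        if out_iface != self.out_iface:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(dst) not in ip_network(self.dst):
            return False
        return True


def postrouting(rules: List[Rule], out_iface: str, src: str, dst: str) -> str:
    """Return the verdict for one packet. RETURN in a built-in chain ends
    traversal and applies the chain policy (ACCEPT in the nat table), so the
    packet leaves with its source address untouched."""
    for rule in rules:
        if rule.matches(out_iface, src, dst):
            return rule.target
    return "ACCEPT"  # chain policy: no NAT applied


def shadowed_returns(rules: List[Rule]) -> List[int]:
    """Indices of RETURN rules that an earlier MASQUERADE rule already catches
    (same out interface, source prefix covered, any destination). Such rules
    can never fire, which is the symptom of putting MASQUERADE first."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.target != "RETURN":
            continue
        for earlier in rules[:i]:
            if (earlier.target == "MASQUERADE"
                    and earlier.out_iface == rule.out_iface
                    and earlier.dst is None
                    and ip_network(rule.src).subnet_of(ip_network(earlier.src))):
                shadowed.append(i)
                break
    return shadowed


WAN = "vlan1"                                   # constructed: OpenWrt WAN interface
LAN = "192.168.1.0/24"                          # the LAN prefix from the quoted rules
REMOTE_LANS = ["10.112.44.0/24", "192.168.88.0/24"]  # stand-ins for remote_lan1/2


def exempt_then_masq(wan: str, lan: str, remote_lans: List[str]) -> List[Rule]:
    """Paul's ordering: one RETURN per tunnel destination, then MASQUERADE."""
    return [Rule("RETURN", wan, lan, d) for d in remote_lans] + [Rule("MASQUERADE", wan, lan)]


# Stock ordering quoted in the thread: everything from the LAN is masqueraded.
STOCK = [Rule("MASQUERADE", WAN, LAN)]
FIXED = exempt_then_masq(WAN, LAN, REMOTE_LANS)
# Same rules as FIXED but with MASQUERADE first: the RETURNs are unreachable.
WRONG_ORDER = [Rule("MASQUERADE", WAN, LAN)] + [Rule("RETURN", WAN, LAN, d) for d in REMOTE_LANS]


def verdicts(rules: List[Rule]) -> dict:
    """Verdict per sample destination for a LAN host (constructed addresses)."""
    samples = [
        ("192.168.1.10", "10.112.44.5"),     # host behind the first tunnel
        ("192.168.1.10", "192.168.88.7"),    # host behind the second tunnel
        ("192.168.1.10", "203.0.113.9"),     # ordinary Internet destination
    ]
    return {dst: postrouting(rules, WAN, src, dst) for src, dst in samples}


if __name__ == "__main__":
    for name, chain in (("stock", STOCK), ("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12s} {verdicts(chain)}  shadowed RETURNs: {shadowed_returns(chain)}")
```

A verdict of RETURN means the packet leaves the nat table with its LAN source address intact; MASQUERADE means the source is rewritten to the WAN address, so the packet no longer carries the LAN source the tunnel policy expects. The shadowed_returns check is the quick sanity test to run mentally (or against `iptables -t nat -S POSTROUTING` output) when a MASQUERADE rule sits above the exemptions.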