[Openswan Users] One Way Traffic Flow?
Paul Wouters
paul at xelerance.com
Tue Feb 27 12:36:56 EST 2007
On Tue, 27 Feb 2007, Ben Batten wrote:
> Everything works fine to a point; the SA successfully establishes but my
> routing seems to be somehow busted and I'm just not getting my noodle around
> it. I can ping from one side to the other (tcpdump shows the incoming ESP)
> but I never get any ICMP replies back in either direction. There's nothing
> to speak of errorwise.
>
> HostA starts the connection from within its NATed environment to HostB who
> adds the connection. Here's the topology and conn:
>
> HostA <----> NAT <---- internet ----> HostB
Make sure you're not nat'ing packets destined for an ipsec tunnel
> conn HostA-HostB
> left=HostBpublicIP
> leftnexthop=HostBPublicDefaultGW
> leftsubnet=HostB/32
That is almost always wrong. If you really just want a tunnel for the
host, leave out the subnet. If you still get a message with some /32 not known,
you probably misconfigured NAT-T.
> leftid=...
> leftca=...
> leftcert=...
> leftrsasigkey=%cert
> right=HostAPrivateIP
> rightid=HostAPublicIP
> rightnexthop=HostAPrivateDefaultGW
> rightca=...
> rightcert=%cert
> rightrsasigkey=...
> rightsubnet=HostA/32
Same for this /32
> The curious thing is that I can see the ike traffic going back and forth but
> ESP only goes one way. Any thoughts or pointers?
You shouldn't see ESP but ESPinUDP packets (udp port 4500).
Your nat-traversal seems broken.
Make sure to properly set nat_traversal=yes on both ends, and virtual_private
on the B host, which should have: rightsubnet=vhost:%priv,%no
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
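As an added example that is not part of the thread, a small Python lint that parses an Openswan ipsec.conf and flags the points raised in the reply: nat_traversal=yes missing, virtual_private unset, host-only /32 subnets, and a NATed peer without rightsubnet=vhost:%priv,%no. The two config fragments are constructed to mirror HostB's side; right=%any in the fixed fragment is an assumption, not something the reply states.

```python
# Constructed ipsec.conf fragments: broken (as in the thread) and fixed (as the reply describes; right=%any assumed).
BROKEN_CONF = """\
conn HostA-HostB
    left=HostBpublicIP
    leftsubnet=HostB/32
    right=HostAPrivateIP
    rightsubnet=HostA/32
"""
FIXED_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn HostA-HostB
    left=HostBpublicIP
    right=%any
    rightid=HostAPublicIP
    rightsubnet=vhost:%priv,%no
"""

def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' headers to their key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip(): continue
        if not line[0].isspace():                  # unindented line = section header
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def lint_nat_t(text):
    """Return the NAT-T problems the reply names; an empty list means clean."""
    sections, problems = parse_ipsec_conf(text), []
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal", "no").lower() != "yes":
        problems.append("nat_traversal=yes missing: no ESPinUDP (udp/4500) possible")
    if "virtual_private" not in setup:
        problems.append("virtual_private unset: vhost:%priv has no ranges to match")
    for name, conn in sections.items():
        if not name.startswith("conn "): continue
        for side in ("left", "right"):
            sub = conn.get(side + "subnet", "")
            if sub.endswith("/32"):                # host-only tunnel: leave the subnet out
                problems.append(f"{name}: {side}subnet={sub} should be left out")
        # Assumes 'right' is the peer behind NAT, as in the thread's topology.
        if not conn.get("rightsubnet", "").startswith("vhost:"):
            problems.append(f"{name}: rightsubnet should be vhost:%priv,%no for a NATed peer")
    return problems
```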