[Openswan Users] NEKEY 2.6.18 subnet2subnet problem

Peter McGill petermcgill at goco.net
Mon Jun 18 12:25:17 EDT 2007


> -----Original Message-----
> Date: Sun, 17 Jun 2007 23:16:54 +0200
> From: Adrian Gruntkowski <adrian at ima.pl>
> Subject: Re: [Openswan Users] NEKEY 2.6.18 subnet2subnet problem
> To: users at openswan.org
> 
> > On Sun, 17 Jun 2007, Adrian Gruntkowski wrote:
> 
> >> >> Connection is established successfully. However when I try to
> >> >> ping host on the remote host the router one hop after the server
> >> >> returns network unreachable message.
> >> >> What I've noticed is that the packets are not sent through
> >> >> the tunnel but directly through public interface
> >> >> (I see attempts to send icmp echo to 10.0.1.X on public interface eth0).
> >> >>
> >> >> There's following entry in routing table after establishing connection:
> >> >>
> >> >> 10.0.1.0/24 via 12.34.56.97 dev eth0
> >>
> >> > That shouldn't matter for netkey.
> >>
> >> > Try lowering the mtu to 1400?
> >>
> >> > Paul
> >>
> >> Do you mean setting it in l2tpd? I think that this particular tunnel doesn't
> >> use l2tp... ?
> 
> > Nope, I meant the mtu on the external interface of the ipsec/l2tp server.
> 
> I have set mtu of external interface to 1400 (it was 1500).
> Effect is still the same -
> packet doesn't go through tunnel, it's routed directly. Any
> ideas? I'm going nuts :(
> 
> Adrian

With netkey both the encrypted and unencrypted packets are visible
on the external interface with tcpdump, etc... This is normal, it
does not mean the traffic isn't encrypted. The route is also normal.
You should first see the unencrypted packet appear on the interface,
this packet will be grabbed by ipsec, encrypted and sent again on the
interface as an esp packet. The unencrypted packet will appear to go
out, but if you sniff with another router, you should not see them,
but only the esp (encrypted) packets that follow the unencrypted packet.
If that is your only problem, and you can communicate you should be fine.

If you're still getting unreachable messages, that might be something else.
Are you pinging from the ipsec server or a host on your lan?
If from server, did you set leftsourceip=<lan ip> in the conn?

Peter
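One way to check Peter's point against a capture, as an added example that is not from the thread: a Python script that reads tcpdump-style lines taken on the external interface (the sample lines below are constructed) and flags cleartext packets to the remote subnet that are not followed shortly by an ESP packet to the peer, which is what a netkey packet that really bypassed the tunnel would look like. The remote subnet, the peer address (taken from the route quoted above) and the time window are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

REMOTE_NET = ip_network("10.0.1.0/24")  # assumption: subnet behind the peer
PEER = ip_address("12.34.56.97")        # assumption: peer's public address
WINDOW = 0.01  # assumption: ESP copy follows the cleartext copy within 10 ms

# tcpdump -n -i eth0 style line: "HH:MM:SS.frac IP src > dst: rest"
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP ([\d.]+) > ([\d.]+): (.*)$")

def parse(line):
    """Return (timestamp_seconds, src, dst, rest) or None for non-IP lines."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s, src, dst, rest = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), ip_address(src), ip_address(dst), rest

def classify(lines):
    """For each cleartext packet to REMOTE_NET, report whether an ESP packet to
    PEER appeared within WINDOW seconds after it (the normal netkey double-capture)
    or not (the packet left the box unencrypted). Timing-based, so a heuristic."""
    pkts = [p for p in map(parse, lines) if p]
    esp_times = [ts for ts, _, dst, rest in pkts if rest.startswith("ESP") and dst == PEER]
    verdicts = []
    for ts, _, dst, rest in pkts:
        if rest.startswith("ESP") or dst not in REMOTE_NET:
            continue
        covered = any(ts <= e <= ts + WINDOW for e in esp_times)
        verdicts.append((str(dst), "encrypted" if covered else "LEAKED"))
    return verdicts

# Constructed sample capture: 10.0.1.6 has no ESP follow-up and should be flagged.
SAMPLE = [
    "12:00:01.000001 IP 10.0.0.1 > 10.0.1.5: ICMP echo request, id 1, seq 1, length 64",
    "12:00:01.000050 IP 12.34.56.98 > 12.34.56.97: ESP(spi=0x00001234,seq=0x1), length 116",
    "12:00:02.000001 IP 10.0.0.1 > 10.0.1.6: ICMP echo request, id 1, seq 2, length 64",
    "12:00:03.000001 IP 10.0.0.1 > 10.0.1.7: ICMP echo request, id 1, seq 3, length 64",
    "12:00:03.000040 IP 12.34.56.98 > 12.34.56.97: ESP(spi=0x00001234,seq=0x2), length 116",
]

if __name__ == "__main__":
    for dst, verdict in classify(SAMPLE):
        print(f"{dst}: {verdict}")
```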


