[Openswan Users] NEKEY 2.6.18 subnet2subnet problem

Adrian Gruntkowski adrian at ima.pl
Wed Jun 20 05:54:40 EDT 2007


>> -----Original Message-----
>> Date: Sun, 17 Jun 2007 23:16:54 +0200
>> From: Adrian Gruntkowski <adrian at ima.pl>
>> Subject: Re: [Openswan Users] NEKEY 2.6.18 subnet2subnet problem
>> To: users at openswan.org
>> 
>> > On Sun, 17 Jun 2007, Adrian Gruntkowski wrote:
>> 
>> >> >> Connection is established successfully. However, when I try to
>> >> >> ping a host on the remote host, the router one hop after the server
>> >> >> returns a network unreachable message.
>> >> >> What I've noticed is that the packets are not sent through
>> >> >> the tunnel but directly through the public interface
>> >> >> (I see attempts to send icmp echo to 10.0.1.X on the public
>> >> >> interface eth0).
>> >> >>
>> >> >> There's the following entry in the routing table after
>> >> >> establishing the connection:
>> >> >>
>> >> >> 10.0.1.0/24 via 12.34.56.97 dev eth0
>> >>
>> >> > That shouldn't matter for netkey.
>> >>
>> >> > Try lowering the mtu to 1400?
>> >>
>> >> > Paul
>> >>
>> >> Do you mean setting it in l2tpd? I think that this
>> >> particular tunnel doesn't use l2tp... ?
>> 
>> > Nope, I meant the mtu on the external interface of the
>> > ipsec/l2tp server.
>> 
>> I have set the mtu of the external interface to 1400 (it was 1500).
>> The effect is still the same -
>> the packet doesn't go through the tunnel, it's routed directly. Any
>> ideas? I'm going nuts :(
>> 
>> Adrian

> With netkey both the encrypted and unencrypted packets are visible
> on the external interface with tcpdump, etc... This is normal, it
> does not mean the traffic isn't encrypted. The route is also normal.
> You should first see the unencrypted packet appear on the interface,
> this packet will be grabbed by ipsec, encrypted and sent again on the
> interface as an esp packet. The unencrypted packet will appear to go
> out, but if you sniff with another router, you should not see them,
> but only the esp (encrypted) packets that follow the unencrypted packet.
> If that is your only problem, and you can communicate, you should be fine.

> If you're still getting unreachable messages, that might be something else.
> Are you pinging from the ipsec server or a host on your lan?
> If from the server, did you set leftsourceip=<lan ip> in the conn?

Actually I've managed to make that tunnel work - a firewall rule was the
problem. Connection from the remote site to the ipsec vpn server is ok.
However, there's still a problem with connecting from the server and, for
example, a roadwarrior. I have set the leftsourceip parameter but
it didn't have any effect.
I sniffed the connection on the router directly after the vpn server and
unfortunately it tries to send these packets outside the tunnel so
I still get "network unreachable" messages at the router level.
The same problem occurs when I try to ping a host on the remote subnet
from the roadwarrior.
I'm not sure, but one thing that could be the cause of this
is that these packets aren't forwarded. What should I do?

Adrian
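Paul's description of what netkey shows on the external interface can be turned into a quick check of a tcpdump capture, which separates the "looks leaked but is fine" case from a real leak. The script below is an added example, not code from the thread or from Openswan: it parses constructed tcpdump lines (the remote subnet 10.0.1.0/24 and gateway 12.34.56.97 come from the thread; the local subnet 10.0.0.0/24, the server's public address 12.34.56.2 and the SPI are assumed) and reports which cleartext packets toward the remote subnet were followed by ESP, which went out in clear, and which used a source address outside the local subnet, the case leftsourceip is meant to fix.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of "tcpdump -n -i eth0" on the VPN server (not a real capture).
# Packets 1 and 2 are the normal netkey pattern: cleartext, then the ESP copy.
# Packet 3 is a ping from the server using its public address (no leftsourceip),
# so it matches no IPsec policy and no ESP follows. Packet 4 is a genuine leak.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 10.0.0.1 > 10.0.1.5: ICMP echo request, id 1, seq 1, length 64
12:00:01.000200 IP 12.34.56.2 > 12.34.56.97: ESP(spi=0x0000a1b2,seq=0x1), length 116
12:00:02.000100 IP 10.0.0.1 > 10.0.1.5: ICMP echo request, id 1, seq 2, length 64
12:00:02.000200 IP 12.34.56.2 > 12.34.56.97: ESP(spi=0x0000a1b2,seq=0x2), length 116
12:00:03.000100 IP 12.34.56.2 > 10.0.1.5: ICMP echo request, id 2, seq 1, length 64
12:00:04.000100 IP 10.0.0.1 > 10.0.1.6: ICMP echo request, id 3, seq 1, length 64
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def _host(field):
    # tcpdump prints host.port for TCP/UDP; ICMP and ESP carry no port suffix.
    parts = field.split(".")
    if len(parts) == 5:
        parts = parts[:4]
    return ip_address(".".join(parts))


def parse_capture(text):
    """Return (timestamp, src, dst, payload description) for each IP line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["ts"], _host(m["src"]), _host(m["dst"]), m["rest"]))
    return pkts


def check_capture(text, remote_subnet, remote_gw, local_subnet):
    """Classify every cleartext packet destined for the remote subnet."""
    net, gw, lan = ip_network(remote_subnet), ip_address(remote_gw), ip_network(local_subnet)
    pkts = parse_capture(text)
    protected, leaked, wrong_source = [], [], []
    for i, (ts, src, dst, rest) in enumerate(pkts):
        if rest.startswith("ESP(") or dst not in net:
            continue  # ESP packets and unrelated traffic are not of interest
        nxt = pkts[i + 1] if i + 1 < len(pkts) else None
        if nxt and nxt[3].startswith("ESP(") and nxt[2] == gw:
            protected.append(ts)      # normal netkey behaviour: cleartext then ESP
        elif src not in lan:
            wrong_source.append(ts)   # policy miss: source is not in the local subnet
        else:
            leaked.append(ts)         # in-policy packet left without an ESP copy
    return protected, leaked, wrong_source
```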