[Openswan Users] NEKEY 2.6.18 subnet2subnet problem

Peter McGill petermcgill at goco.net
Wed Jun 20 11:16:55 EDT 2007


> -----Original Message-----
> From: Adrian Gruntkowski [mailto:adrian at ima.pl] 
> Sent: June 20, 2007 5:54 AM
> To: Peter McGill
> Subject: Re[2]: [Openswan Users] NEKEY 2.6.18 subnet2subnet problem
> 
> >> -----Original Message-----
> >> Date: Sun, 17 Jun 2007 23:16:54 +0200
> >> From: Adrian Gruntkowski <adrian at ima.pl>
> >> Subject: Re: [Openswan Users] NEKEY 2.6.18 subnet2subnet problem
> >> To: users at openswan.org
> >> 
> >> > On Sun, 17 Jun 2007, Adrian Gruntkowski wrote:
> >> 
> >> >> >> Connection is established successfully. However, when I try to
> >> >> >> ping a host on the remote subnet, the router one hop after the server
> >> >> >> returns a network unreachable message.
> >> >> >> What I've noticed is that the packets are not sent through
> >> >> >> the tunnel but directly through the public interface
> >> >> >> (I see attempts to send icmp echo to 10.0.1.X on public interface
> >> >> >> eth0).
> >> >> >>
> >> >> >> There's the following entry in the routing table after establishing the connection:
> >> >> >>
> >> >> >> 10.0.1.0/24 via 12.34.56.97 dev eth0
> >> >>
> >> >> > That shouldn't matter for netkey.
> >> >>
> >> >> > Try lowering the mtu to 1400?
> >> >>
> >> >> > Paul
> >> >>
> >> >> Do you mean setting it in l2tpd? I think that this particular tunnel doesn't
> >> >> use l2tp... ?
> >> 
> >> > Nope, I meant the mtu on the external interface of the ipsec/l2tp server.
> >> 
> >> I have set the mtu of the external interface to 1400 (it was 1500).
> >> The effect is still the same -
> >> the packet doesn't go through the tunnel, it's routed directly. Any
> >> ideas? I'm going nuts :(
> >> 
> >> Adrian
> 
> > With netkey both the encrypted and unencrypted packets are visible
> > on the external interface with tcpdump, etc... This is normal, it
> > does not mean the traffic isn't encrypted. The route is also normal.
> > You should first see the unencrypted packet appear on the interface,
> > this packet will be grabbed by ipsec, encrypted and sent again on the
> > interface as an esp packet. The unencrypted packet will appear to go
> > out, but if you sniff with another router, you should not see them,
> > but only the esp (encrypted) packets that follow the unencrypted packet.
> > If that is your only problem, and you can communicate you should be fine.
> 
> > If you're still getting unreachable messages, that might be something else.
> > Are you pinging from the ipsec server or a host on your lan?
> > If from the server, did you set leftsourceip=<lan ip> in the conn?
> 
> Actually I've managed to make that tunnel work - a firewall rule was the
> problem. Connection from the remote site to the ipsec vpn server is ok.
> However there's still a problem with connecting from the server and, for
> example, a roadwarrior. I have set the leftsourceip parameter but
> it didn't have any effect.
> I sniffed the connection on the router directly after the vpn server and
> unfortunately it tries to send these packets outside the tunnel, so
> I still get "network unreachable" messages at the router level.
> The same problem occurs when I try to ping a host on the remote subnet
> from the roadwarrior.
> I'm not sure, but one thing that could be the cause of this
> is that these packets aren't forwarded. What should I do?
> 
> Adrian

You can't connect from the server to a roadwarrior, since the roadwarrior has
a dynamic ip, and the server doesn't know where to connect to. The
roadwarrior has to initiate the connection always.
Also be sure to ping the private ip for tests, never the public IPs.

You can also check your firewall rules, make sure you have INPUT and
OUTPUT rules in addition to FORWARD rules. INPUT matches packets destined
for the server, OUTPUT packets sent by the server, and FORWARD packets just passing through
the server from somewhere else to somewhere else. Any one packet only
matches one of the three chains.

Peter
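Added example (not part of the thread): a small check of Peter's point that with NETKEY the cleartext packet and the ESP packet carrying it both show up on the external interface. It walks tcpdump-style lines and flags any cleartext packet to the remote subnet that is not immediately followed by an ESP packet to the peer gateway, which is the "leaked into the clear" case Adrian was worried about. The sample capture is constructed; 12.34.56.98 as the server's own public address is an assumption.

```python
import ipaddress
import re

# Constructed sample tcpdump output (not from the thread). With NETKEY the
# plaintext packet appears on eth0 first, then the ESP packet to the peer
# gateway (12.34.56.97, from the route in the thread); 12.34.56.98 is an
# assumed local public address. The 10.0.1.6 echo has no ESP after it.
SAMPLE_TCPDUMP = """\
10:01:02.000100 IP 10.0.0.1 > 10.0.1.5: ICMP echo request, id 1, seq 1, length 64
10:01:02.000150 IP 12.34.56.98 > 12.34.56.97: ESP(spi=0x0000a1b2,seq=0x1), length 116
10:01:03.000100 IP 10.0.0.1 > 10.0.1.5: ICMP echo request, id 1, seq 2, length 64
10:01:03.000150 IP 12.34.56.98 > 12.34.56.97: ESP(spi=0x0000a1b2,seq=0x2), length 116
10:01:04.000100 IP 10.0.0.1 > 10.0.1.6: ICMP echo request, id 2, seq 1, length 64
10:01:05.000100 IP 10.0.0.1 > 8.8.8.8: ICMP echo request, id 3, seq 1, length 64
"""

# "<timestamp> IP <src> > <dst>: <rest>" as printed by tcpdump -n for IP packets
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+?): (.*)$")


def parse(line):
    """Parse one tcpdump line into a dict, or None if it is not an IP line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "esp": rest.startswith("ESP(")}


def audit(dump, remote_subnet, peer_gw):
    """Split cleartext packets bound for remote_subnet into those that were
    immediately re-sent as ESP to peer_gw (encrypted) and those that were
    not (leaked). Returns (encrypted, leaked) as lists of parsed packets."""
    net = ipaddress.ip_network(remote_subnet)
    pkts = [p for p in map(parse, dump.splitlines()) if p]
    encrypted, leaked = [], []
    for i, p in enumerate(pkts):
        if p["esp"] or ipaddress.ip_address(p["dst"]) not in net:
            continue  # only cleartext packets to the protected subnet matter
        nxt = pkts[i + 1] if i + 1 < len(pkts) else None
        if nxt and nxt["esp"] and nxt["dst"] == peer_gw:
            encrypted.append(p)
        else:
            leaked.append(p)
    return encrypted, leaked


if __name__ == "__main__":
    enc, leak = audit(SAMPLE_TCPDUMP, "10.0.1.0/24", "12.34.56.97")
    print(f"encrypted: {len(enc)}, leaked: {len(leak)}")
    for p in leak:
        print(f"  {p['ts']} cleartext to {p['dst']} with no ESP following")
```

A real capture from `tcpdump -n -i eth0` would be fed in place of the constructed sample; the same check works on ESP traffic in either direction once `peer_gw` is set to the far gateway.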
