[Openswan Users] Unable to pass traffic on site-to-site VPN

Robyn Orosz rorosz at gmail.com
Tue Jun 26 09:44:22 EDT 2007


Peter,

You were absolutely correct.  Thank you so much!  I was totally stressing on
this one yesterday!

BTW - I'm sure I can find the info somewhere but, do you have any idea how I
can MASQ everything but the IPSEC packets when the tunnels are on 2
discontiguous subnets?

Thanks again for all your help.

-Robyn

On 6/26/07, Peter McGill <petermcgill at goco.net> wrote:
>
> > -----Original Message-----
> > Date: Mon, 25 Jun 2007 14:10:16 -0700
> > From: "Robyn Orosz" <rorosz at gmail.com>
> > Subject: [Openswan Users] Unable to pass traffic on site-to-site VPN
> > To: users at openswan.org
> >
> > Hi,
> >
> > I am running into an intermittent issue where no traffic will
> > pass on my
> > site to site VPN.  The tunnels are up but packets that match
> > the subnets in
> > the proposal do not enter the tunnel.
> >
> > Below I have replaced the local public IP address with
> > <local-ip> and the
> > remote public IP address with <remote-ip>.
> >
> > Here is the ipsec.conf
> > config setup
> >         interfaces="ipsec0=eth0"
> >         nat_traversal=yes
> >         virtual_private="%v4:192.168.1.0/24,%v4:192.168.50.0/24"
> >         hidetos=yes
> >         syslog=daemon.debug
> >         plutodebug="all"
>
> Set plutodebug=none or your logs will be virtually unreadable.
>
> > There are also 2 masquerade rules that are supposed to
> > masquerade all other
> > traffic that is not destined for the tunnel.  They seem to be
> > working fine.
> > Internet traffic passes without issues.
> >
> >    157  8715 MASQUERADE  0    --  any    eth0    192.168.44.0/24
> > !192.168.50.0/24
> >    45  4092 MASQUERADE  0    --  any    eth0    192.168.44.0/24
> > !192.168.1.0/24
>
> These iptables rules should not work. You will end up MASQing everything.
>
> Packets destined for internet will match first rule and get MASQ'd.
> They will work correctly.
>
> Packets destined for 192.168.50.0/24 will not match first rule.
> But will match second rule and get MASQ'd, this will break your pings,
> etc...
>
> Packets destined for 192.168.1.0/24 will match the first rule and get
> MASQ'd, breaking your pings etc...
>
> You must have only one MASQ rule.
>
> You will have to mark the ipsec packets then MASQ the unmarked packets.
>
> Peter
>
>
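An added example, not from the thread: a small POSIX sh script that walks the two rulesets Peter describes the way netfilter walks nat/POSTROUTING (first matching rule wins), and then emits the mark-then-masquerade rules his last paragraph suggests, covering both of Robyn's discontiguous tunnel subnets. The LAN 192.168.44.0/24, eth0 and the two tunnel subnets come from the thread; the mark value 1, the IPT dry-run variable and the function names are my assumptions. The rules assume the cleartext LAN packets traverse nat/POSTROUTING on eth0 (the NETKEY case); with KLIPS (interfaces="ipsec0=eth0") tunnel-bound packets are routed via ipsec0, which is one reason to key the exemption on source/destination marks rather than on the outgoing interface.

```sh
#!/bin/sh
# Added example (not from the thread): model netfilter's first-match walk of
# nat/POSTROUTING for the two rulesets discussed, then emit corrected rules.
# Assumed: LAN 192.168.44.0/24 behind eth0, tunnels to 192.168.50.0/24 and
# 192.168.1.0/24 (from the thread); MARK=1 and IPT dry-run are ours.

LAN=192.168.44.0/24
TUNNEL_A=192.168.50.0/24
TUNNEL_B=192.168.1.0/24
MARK=1
IPT="${IPT:-echo iptables}"   # set IPT=iptables (as root) to apply for real

# ip2int 192.168.44.7 -> 3232246791 (dotted quad to unsigned integer)
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP A.B.C.D/N : exit status 0 if IP falls inside the prefix
in_cidr() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The two rules from the thread, walked in order (first match wins):
#   MASQUERADE -s LAN -o eth0 ! -d TUNNEL_A
#   MASQUERADE -s LAN -o eth0 ! -d TUNNEL_B
# Prints MASQ or PASS for a LAN packet destined to $1.
two_negated_rules() {
    if ! in_cidr "$1" "$TUNNEL_A"; then echo MASQ; return; fi   # rule 1
    if ! in_cidr "$1" "$TUNNEL_B"; then echo MASQ; return; fi   # rule 2
    echo PASS                                                    # chain end
}

# Mark-then-exempt design: mangle/PREROUTING marks LAN->tunnel packets,
# nat/POSTROUTING masquerades only the unmarked ones.
mark_then_masq() {
    mark=0
    in_cidr "$1" "$TUNNEL_A" && mark=$MARK
    in_cidr "$1" "$TUNNEL_B" && mark=$MARK
    if [ "$mark" -eq 0 ]; then echo MASQ; else echo PASS; fi
}

# Emit the corrected ruleset: one MASQUERADE rule, tunnel traffic marked out.
emit_rules() {
    $IPT -t mangle -A PREROUTING -s "$LAN" -d "$TUNNEL_A" -j MARK --set-mark "$MARK"
    $IPT -t mangle -A PREROUTING -s "$LAN" -d "$TUNNEL_B" -j MARK --set-mark "$MARK"
    $IPT -t nat -A POSTROUTING -s "$LAN" -o eth0 -m mark ! --mark "$MARK" -j MASQUERADE
}

# Demo: 203.0.113.9 is a constructed Internet destination (TEST-NET-3).
for dst in 203.0.113.9 192.168.50.10 192.168.1.10; do
    printf '%-14s two-negated-rules=%s  mark-then-masq=%s\n' "$dst" \
        "$(two_negated_rules "$dst")" "$(mark_then_masq "$dst")"
done
emit_rules
```

Run as-is the script only prints; set IPT=iptables and run it as root to apply. Older iptables (1.3.x) spelled the inverted mark match as --mark ! 1 rather than ! --mark 1. Without marks, the same effect comes from -j ACCEPT rules for the two tunnel destinations placed ahead of the MASQUERADE in nat/POSTROUTING, or, on NETKEY, from -m policy --dir out --pol ipsec -j ACCEPT.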