[Openswan Users] One way tunnel

lewis shobbrook mylists at blue-matrix.org
Mon Mar 5 05:47:47 EST 2007


Hi Paul,
Thanks for the quick response.

On 3/5/07, Paul Wouters <paul at xelerance.com> wrote:
>
> On Mon, 5 Mar 2007, lewis shobbrook wrote:
>
> > I've set up a tunnel between an openwrt White Russian 0.9 release and debian
> > sid with openswan 2.4.6 with a 2.6.17 kernel.
> >
> > First digression to note is that I have had this combination working
> > previously prior to WR 0.9.
> >
> > The tunnel works from the wrt end, throughput is perfectly stable.
> > From the debian end I am unable to ping through the tunnel with errors
> > ...reply from X.X.X.X destination net unreachable.
> > x.x.x.x is the next hop to the DSL router connected to the debian box,
> > i.e. gateway to gateway.
>
> "destination net unreachable" means the tunnel is not up, and the subnet
> is not reachable. To get better logging in the openwrt, add to config
> setup:
>
>         plutostderrlog=/tmp/pluto.log
>
> Then check the logs in /tmp/


Not sure how the tunnel cannot be up? If I can connect through from one
subnet to another on the other end then it must be up.
Logs state IPSEC SA established at both ends. Routes are also modified to
indicate the tunnel is up. On the wrt the ipsec0 interface clocks rx & tx
packets...

Doesn't matter which side the tunnel is upped from.

> > Other thing to note is that traceroutes to and from the wrt to the debian
> > ends indicate different IP for the nexthop on the wrt side.
>
> That's bad point-to-point routing of ISPs assigning our DHCP parameters
> which are theoretically incorrect.
>
> Do a route -n on the openwrt. If you see two routes to reach your gateway,
> with one pointing into the ipsec device, delete the one pointing into the
> ipsec device.
>
> > I'm wondering if it might have something to do with the protocol 4 bug in
> > 2.6.17 that has been reported previously?
>
> > I've had to modify iptables on this box to accomodate the IP in IP
> > protocol bug.
>
> I have no idea what this bug is. Can you provide a link to information?


I can't seem to re-find any posts, but from memory it was a netfilter
connection tracking issue with ipsec.
Basically when upgrading from earlier 2.6 kernels, you'd start finding
protocol 4 packets in your iptables logs.
I'll do a bit more digging and let you know what I can find on it.
Cheers & thanks,

Lew
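The route check Paul recommends above (look at `route -n` on the OpenWrt box and delete the copy of the gateway route that points into the ipsec device) is easy to get wrong by hand on a busy table. The script below is an added example, not code from this thread or from Openswan: it reads a routing table in `route -n` format, flags any destination/netmask pair that appears both on a physical interface and on an `ipsec*` (KLIPS) interface, and prints the `route del` command that would remove the ipsec copy. The routing table is constructed sample output and the addresses are assumptions; it does not modify anything unless you run the printed command yourself.

```shell
#!/bin/sh
# Added example (not from the thread): spot a gateway route duplicated into a
# KLIPS ipsec device, as Paul's "route -n" advice describes.

# Constructed sample of `route -n` output on an OpenWrt/KLIPS box (assumed
# addresses). The 203.0.113.0/30 uplink subnet appears both on vlan1 and on
# ipsec0; the ipsec0 copy is the one that breaks gateway-to-gateway traffic.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
203.0.113.0     0.0.0.0         255.255.255.252 U     0      0        0 vlan1
203.0.113.0     0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 vlan1'

# stray_ipsec_routes ROUTE_TABLE
# Prints "dest genmask" for every route whose Iface is an ipsec device and
# whose (dest, genmask) pair also exists on a non-ipsec interface. A route
# that is only on ipsec0 (the real tunnel subnet, 192.0.2.0/24 here) is left
# alone; only genuine duplicates are reported.
stray_ipsec_routes() {
    printf '%s\n' "$1" | awk '
        NR > 2 {
            key = $1 " " $3
            if ($8 ~ /^ipsec/) ipsec[key] = 1; else phys[key] = 1
        }
        END { for (k in ipsec) if (k in phys) print k }
    '
}

# delete_command "dest genmask"
# Builds the route(8) command that removes the duplicate from the ipsec device.
delete_command() {
    set -- $1
    printf 'route del -net %s netmask %s dev ipsec0\n' "$1" "$2"
}

# Stand-alone run: show what would be deleted; to check a live box, replace
# "$SAMPLE_ROUTES" with "$(route -n)".
stray_ipsec_routes "$SAMPLE_ROUTES" | while read -r line; do
    delete_command "$line"
done
```

On a live system pipe `route -n` into `stray_ipsec_routes` instead of the sample, and only run the printed `route del` after confirming the same prefix is still reachable through the physical interface (vlan1 above); the genuine tunnel subnet route on ipsec0 must stay.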

