[Openswan Users] traffic won't go into the tunnel

Peter McGill petermcgill at goco.net
Wed Oct 31 16:11:02 EDT 2007

Did you specify the leftsubnet and rightsubnet options?
Did you specify the leftsourceip and rightsourceip options?
Generally speaking the traffic entering the tunnel is automatically handled by ipsec.
I've never had to worry about it.
The catch is you need to define conn's for each subnet you want to go through the tunnel.
You can't use route or ip route to send traffic to the tunnel.
Show us your ipsec verify output to make sure you're installed correctly.
Show us your confs so we can be sure it's set up correctly.
(You may edit out all but the first few characters of your public keys if you want,
i.e. leftrsasig=0xAb1f..., and your public IP addresses if you want, i.e. 142.128.92.x,
although nothing in your conf should break your security; only the secret file is really sensitive.)
Also describe how you're testing, what local host is sending pings/traceroutes to which remote host, etc.
Do you have any NATing firewall rules, i.e. SNAT rules?

Peter McGill

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Bob Miller
> Sent: October 31, 2007 2:35 PM
> To: users at lists.openswan.org
> Subject: [Openswan Users] traffic won't go into the tunnel
> Hello:
> I have been trying for some time now to solve this issue, and I am
> finding it very difficult to figure out how to troubleshoot this.
> The essential problem is that I can get a subnet to subnet tunnel
> established, but I cannot get any traffic to go through the tunnel.  For
> example, once the tunnel is up, if I traceroute to the remote subnet,
> the packet goes out to the internet at large.  Both ends are Debian
> boxes with 2.6.22 kernel and openswan 2.4.8.
> I have been reading all over, and from that I am fairly certain I have a
> firewall issue or a security association/policy issue.  From what I
> understand, whether the packet enters the tunnel is a function of the
> security policy/associations, and not the firewall, however, from all
> the man pages, articles, how-to's, and how-not-to's I have read, I have
> the associations and policies set up correctly.
> I even went so far as to try the ipsec-tools method, and ran into the
> exact same issue, tunnel comes up and appears to be established, but
> nothing routes into it.
> What I am hoping to find is some kind of information (documentation or
> explanation) on troubleshooting the security policies/associations,
> and/or some more detailed info on how one should be setting up his
> iptables.  I know it has to do with the mangle table, but nothing I have
> tried so far has worked - which is to be expected if the reason the
> packets don't enter the tunnel has nothing to do with iptables.  I
> apologize if such an article is in existence, but if it is, it has not
> made itself apparent to me, and I would greatly appreciate a pointer to
> it.
> I can provide any information necessary regarding my setup, but I really
> would prefer an understanding instead of a fix.  However, if the best
> understanding is going to be achieved from playing with a working
> system, then a fix is just as valuable.
> Thank you...

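Added example, not part of the original message and not Openswan code: a simplified Python model of the reply's point that a packet only enters the tunnel when its source and destination fall inside a conn's left and right selectors. The sample config, its addresses and the function names are constructed for illustration; the model treats left as the local side and ignores `also=`, `conn %default` and port/protocol selectors.

```python
import ipaddress

# Constructed sample config; addresses are documentation ranges, not from the thread.
SAMPLE_CONF = """\
conn office-to-branch
    left=198.51.100.10
    leftsubnet=10.1.0.0/24
    right=203.0.113.20
    rightsubnet=10.2.0.0/24

conn gw-only    # no subnets: covers gateway-to-gateway traffic only
    left=198.51.100.10
    right=203.0.113.20
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header starts at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def selector(conn, side):
    """Network protected on one side; without a subnet it is the gateway alone."""
    value = conn.get(side + "subnet") or conn.get(side, "") + "/32"
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:  # e.g. left=%defaultroute, address unknown offline
        return None

def matching_conns(conns, src, dst):
    """Names of conns whose left/right selectors cover a packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name, conn in conns.items():
        local, remote = selector(conn, "left"), selector(conn, "right")
        if local is not None and remote is not None and src in local and dst in remote:
            hits.append(name)
    return hits
```

In this model a packet from the gateway's own public address to the remote subnet, or a LAN packet whose source an SNAT rule has rewritten to that address, matches neither conn, which is the situation the leftsourceip and SNAT questions in the reply are probing.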