[Openswan Users] Connection only in one direction

Peter McGill petermcgill at goco.net
Wed Aug 6 11:13:49 EDT 2008


Martin,

Thank you for the complete barf; it makes debugging much easier. However, please
turn off developer debugging, as it makes looking through the logs insane.
> config setup
> 	interfaces=%defaultroute
	#klipsdebug=none
	#plutodebug=none # *** none
> 	uniqueids=yes
> 	#nat_traversal=1

Your conn definition looks good, but you should add rightsourceip=192.168.6.1 for server tunnel access.
Also it appears that your conf lines are indented with multiple tabs/spaces, there should be 1 tab for every
indented line, nothing else. Failure to observe this can have unpredictable results.
> conn edelweiss
>         auto=start
>         type=tunnel
>         authby=secret
>         pfs=no
>         ike=3des-md5-modp1024
>         esp=3des-md5
>         #aggrmode=no
>         compress=no
>         ikelifetime=480m
>         keylife=60m
>         keyexchange=ike
>        # dpddelay=30
>        ## dpdtimeout=120
>        ## dpdaction=hold
>         left=91.112.190.238
>         leftid=91.112.190.238
>         leftnexthop=91.112.190.237
>         leftsubnet=192.168.5.0/24
> 	  right=83.218.162.44
> 	  rightnexthop=83.218.162.62
>         rightsubnet=192.168.6.0/24
	rightsourceip=192.168.6.1

I see that you mark IPSec packets...
> + iptables -t mangle -L -v -n
> Chain PREROUTING (policy ACCEPT 6355K packets, 5751M bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>  4058 1177K MARK       esp  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK set 0x64 

And allow the IPSec packets on input and forward...
> + iptables -L -v -n
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>   256 39992 ACCEPT     udp  --  *      *       0.0.0.0/0            83.218.162.44       udp spt:500 dpt:500 
>  4058 1177K ACCEPT     esp  --  *      *       0.0.0.0/0            83.218.162.44       
>     0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            83.218.162.44       
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            83.218.162.44       MARK match 0x64 **
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.6.1         MARK match 0x64 
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.10.1        MARK match 0x64 **
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>  3806  951K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x64 
>  3977  475K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           

This is good; note however that the local computer cannot use the tunnel except as 192.168.6.1.
192.168.10.1 and 83.218.162.44 cannot use the tunnel because they are not in the left/rightsubnet pair,
so the lines I've appended ** to are useless. And for 192.168.6.1 to use the tunnel you should add
rightsourceip=192.168.6.1 to the conn definition. If you want the other local IPs to be usable through
the tunnel, then you'll need to add additional conn definitions that include them in subnets.

Also I see you're exempting IPsec from the SNAT/MASQUERADE rules, which is necessary; however,
I do not see the tunneled traffic being exempted from those rules, which is also necessary.
> + iptables -t nat -L -v -n
> Chain POSTROUTING (policy ACCEPT 8449 packets, 1046K bytes)
>  pkts bytes target     prot opt in     out     source               destination         
>     0     0 ACCEPT     esp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
>     0     0 ACCEPT     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0           
i.e. add the following here:
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -d 192.168.5.0/24 -j RETURN # or ACCEPT
>     0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
>     0     0 SNAT       tcp  --  *      *       192.168.6.0/24       192.168.10.10       tcp dpt:17344 to:192.168.6.1 
>     0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10       tcp dpt:17344 to:192.168.10.1 
>     0     0 SNAT       tcp  --  *      *       192.168.6.0/24       192.168.10.62       tcp dpt:45850 to:192.168.6.1 
>     0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.62       tcp dpt:45850 to:192.168.10.1 
>  3555  257K MASQUERADE  all  --  *      eth0    0.0.0.0/0           0.0.0.0/0           
>     0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0           0.0.0.0/0           


Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Martin Gerstendorf
> Sent: August 5, 2008 2:04 AM
> To: users at openswan.org
> Subject: [Openswan Users] Connection only in one direction
> 
> Hi!
> I have an IPsec connection running between a Linksys WRV200 and an Openswan
> gateway. The tunnel is up and I can connect to everything behind the Openswan
> gateway, but there is no connection from the Openswan gateway to the net
> behind my WRV200?
> 

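The ordering point Peter makes about the nat POSTROUTING chain (the IPsec tunnel's plaintext traffic must be exempted before the MASQUERADE rule, not only the ESP/AH packets) is easy to check offline. The following is an added example and not code from the thread or from Openswan: a small first-match simulator that parses the `iptables -t nat -L -v -n` listing quoted above (reproduced verbatim as a constructed sample), walks it for a test packet, and reports which target the packet would hit. With the native NETKEY stack the plaintext packet traverses POSTROUTING with the outgoing interface set to eth0 before ESP encapsulation, so it matches the MASQUERADE rule unless an earlier rule returns or accepts it; the function names, the simplified match logic (only protocol, out-interface, source, destination and `dpt:` are honoured) and the test addresses are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: the nat POSTROUTING listing quoted in the thread
# (output of `iptables -t nat -L -v -n`) with the '> ' quote prefix removed.
ORIGINAL_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 8449 packets, 1046K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       tcp  --  *      *       192.168.6.0/24       192.168.10.10        tcp dpt:17344 to:192.168.6.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.10        tcp dpt:17344 to:192.168.10.1
    0     0 SNAT       tcp  --  *      *       192.168.6.0/24       192.168.10.62        tcp dpt:45850 to:192.168.6.1
    0     0 SNAT       tcp  --  *      *       192.168.10.0/24      192.168.10.62        tcp dpt:45850 to:192.168.10.1
 3555  257K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

# Columns of `iptables -L -v -n`: pkts bytes target prot opt in out source destination [extra]
RULE_RE = re.compile(
    r"^\s*\d+[KMG]?\s+\d+[KMG]?\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+"
    r"(?P<in>\S+)\s+(?P<out>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*?)\s*$"
)


def parse_postrouting(listing):
    """Return the rules of a chain listing as dicts, skipping header lines."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def _iface_match(pattern, name):
    # iptables interface syntax: '*' is any, a trailing '+' is a prefix wildcard
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def first_match(rules, src, dst, out_if, proto="all", dport=None):
    """Simulate first-match evaluation; return the target hit, or 'POLICY'."""
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if not _iface_match(r["out"], out_if):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(r["src"], strict=False):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(r["dst"], strict=False):
            continue
        m = re.search(r"dpt:(\d+)", r["extra"])
        if m and int(m.group(1)) != dport:
            continue
        return r["target"]
    return "POLICY"


def with_tunnel_exemption(rules, local_net, remote_net):
    """Insert the RETURN rule Peter suggests before the first NAT rule.

    Position matters: appended after MASQUERADE (iptables -A) it would never
    be reached, so it goes in front of the first SNAT/MASQUERADE rule.
    """
    exempt = {"target": "RETURN", "proto": "all", "in": "*", "out": "*",
              "src": local_net, "dst": remote_net, "extra": ""}
    idx = next(i for i, r in enumerate(rules) if r["target"] in ("SNAT", "MASQUERADE"))
    return rules[:idx] + [exempt] + rules[idx:]


if __name__ == "__main__":
    orig = parse_postrouting(ORIGINAL_POSTROUTING)
    fixed = with_tunnel_exemption(orig, "192.168.6.0/24", "192.168.5.0/24")
    # Constructed test packets: a LAN host behind Openswan pinging the WRV200 LAN,
    # and the same host browsing the Internet (must still be masqueraded).
    for rules, label in ((orig, "original"), (fixed, "with exemption")):
        print(label, "tunnel traffic ->", first_match(rules, "192.168.6.5", "192.168.5.7", "eth0", "icmp"))
        print(label, "internet traffic ->", first_match(rules, "192.168.6.5", "198.51.100.10", "eth0", "tcp", 443))
```

Once the real ruleset is loaded on the gateway, the equivalent live change is `iptables -t nat -I POSTROUTING <rulenum> -s 192.168.6.0/24 -d 192.168.5.0/24 -j RETURN` with a rule number in front of the MASQUERADE line (`iptables -t nat -L POSTROUTING -v -n --line-numbers` shows it); `-A` would append after MASQUERADE and change nothing, which is the failure mode the simulator makes visible.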