[Openswan Users] IPsec tunnel with cisco Pix

Peter McGill petermcgill at goco.net
Fri Aug 22 10:34:05 EDT 2008


Victor,

Usually this is due to a misunderstanding of how the tunnel works.
You cannot "route" traffic into the tunnel via route or ip route,
like other networks. The only traffic to use the tunnel is packets
which match the leftsubnet and rightsubnet values. Packets which
match are automatically "routed" to the tunnel. Therefore your
ping tests must also match leftsubnet and rightsubnet, meaning you
must ping from a host in leftsubnet (assuming left=local) to a host
in rightsubnet. If you do not specify leftsubnet and rightsubnet they
default to the value of left and right respectively. To help with
routing the ipsec gateway to gateway traffic through the tunnel, you
can add leftsourceip and rightsourceip lines specifying the private
ip addresses within leftsubnet and rightsubnet of each gateway.

The other likely cause is that your firewall is blocking the traffic,
you must allow both the ipsec protocol traffic and also the tunnelled
traffic.

If this explanation is unclear to you, and/or you still cannot get
it working, then send me an ipsec barf > ipsec_barf.txt and the
output of your ping test and a relevant tcpdump at the time of the test.
Be sure to clearly explain the computer from which you are pinging.
Also before you do the ipsec barf and tests, be sure that you have not
set plutodebug or klipsdebug in the ipsec.conf, they flood the logs
making them hard to read.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Victor Mendez
> Sent: August 22, 2008 12:36 AM
> To: users at openswan.org
> Subject: [Openswan Users] IPsec tunnel with cisco Pix
> 
> Hi , to all. I'm new to openswan and I have problems routing thru a 
> site-2-site  ipsec tunnel to a cisco pix.
> I have gone thru all the doc on the web. I can connect the 
> tunnel but I cannot 
> ping the other side. can someone be kind enough to provide me 
> with some help.
> 
> regards
> 
> -- 
> --------------------------------------------------------------
> ------------------
> Victor Mendez B.
> 
> mKomm/NetSystems                     Tel: 514.335.0505 ext:5700
> 164 rue Ideale                               Fax: 514.335.0505
> Saint-Eustache,Québec
> CANADA,J7P 1R3
> --------------------------------------------------------------
> ------------------
> "entia non sunt multiplicanda praeter necessitatem"
> William of Ockham (Ockham's Razor) - 14th century
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
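The selector rule in Peter's reply (only packets whose source and destination fall inside leftsubnet and rightsubnet are encrypted; the two default to the left and right addresses when absent; a gateway's own ping needs a leftsourceip/rightsourceip inside the subnet) can be checked offline before spending time on an ipsec barf. The script below is an added example, not part of the thread or of Openswan; it parses a constructed conn stanza (placeholder addresses and conn names, not Victor's real configuration) and reports whether a given ping would be selected for the tunnel or fall through to ordinary routing.

```python
import ipaddress
import re

# Constructed ipsec.conf conn stanza for illustration only: the addresses and
# the conn name are placeholders, not values from the mailing-list thread.
SAMPLE_CONF = """
conn pix-site
    left=192.0.2.10
    leftsubnet=10.1.0.0/24
    leftsourceip=10.1.0.1
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    auto=start
"""

# Same peers with no leftsubnet/rightsubnet: the selectors then default to the
# gateway addresses themselves, so only gateway-to-gateway traffic is tunnelled.
HOST_ONLY_CONF = """
conn pix-host
    left=192.0.2.10
    right=198.51.100.20
    auto=start
"""


def parse_conn(text):
    """Collect the key=value lines of one conn stanza into a dict."""
    conn = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)=(\S+)\s*$", line)
        if m:
            conn[m.group(1)] = m.group(2)
    return conn


def selectors(conn):
    """Return the (left, right) traffic selectors as IP networks.

    When leftsubnet/rightsubnet are absent they default to the left/right
    address itself, i.e. a single-host /32, as the reply describes.
    """
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"), strict=False)
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"), strict=False)
    return left, right


def uses_tunnel(conn, src, dst):
    """True if a src->dst packet matches the selectors in either direction."""
    left, right = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


def diagnose(conn, src, dst):
    """Explain, as a short string, why a ping from src to dst will or will not
    be carried by the tunnel."""
    left, right = selectors(conn)
    if uses_tunnel(conn, src, dst):
        return "matches %s <-> %s: packet is encrypted" % (left, right)
    s = ipaddress.ip_address(src)
    # The classic mistake: pinging from the gateway's outer address, which is
    # outside leftsubnet; leftsourceip gives an inside address to ping from.
    if s == ipaddress.ip_address(conn["left"]) and "leftsourceip" in conn:
        return ("source is the gateway's outer address; "
                "ping from leftsourceip %s instead" % conn["leftsourceip"])
    return "does not match %s <-> %s: sent in the clear via normal routing" % (left, right)


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF)
    for src, dst in [("10.1.0.5", "10.2.0.7"), ("192.0.2.10", "10.2.0.7"), ("10.1.0.1", "10.2.0.7")]:
        print("%s -> %s: %s" % (src, dst, diagnose(conn, src, dst)))
    host = parse_conn(HOST_ONLY_CONF)
    print("host-only selectors:", selectors(host))
```

The second stanza shows why a tunnel that "comes up" can still carry nothing useful: with no subnets declared, a ping from a LAN host behind the gateway is simply not selected, which is the symptom in the original question. Firewall rules are a separate check the script cannot make; both the IPsec protocol traffic between the gateways and the decrypted inner traffic must be permitted.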


