[Openswan Users] Tunnel says it is established but hosts time out.

Dan Brown danb at zu.com
Mon Dec 29 13:26:43 EST 2008


I've used OpenVPN before but this is my first excursion with any IPSec
servers/clients and it's been frustrating. 

I've no access to the other side of this connection (a Nortel Contivity
2600) but everything appears ok.  I've learned a couple of things about the
configuration on the other side since the last message I sent here (basically
it's not what they said it was) but it still seems like it's not working
right.

This is the connection and status.

104 "g2c-p" #1: STATE_MAIN_I1: initiate
003 "g2c-p" #1: ignoring unknown Vendor ID payload [424e455300000009]
003 "g2c-p" #1: received Vendor ID payload [Dead Peer Detection]
106 "g2c-p" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "g2c-p" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "g2c-p" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
004 "g2c-p" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 "g2c-p" #2: STATE_QUICK_I1: initiate
004 "g2c-p" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x0e9ecec5 <0xf569b869 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

[root at blackhawk ipsec.d]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 26595
pluto pid 26595
1 tunnels up
some eroutes exist

When I ping or make an https connection I can see packets going out, but
none going in.
With the tunnel down, when I ping I get:
[root at blackhawk ipsec.d]# ping 199.43.146.77
connect: Resource temporarily unavailable

or when ipsec is not running I get a "Destination Host Unreachable" message.


Here's my config.

# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        plutodebug="all"
        plutoopts="--perpeerlog"
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
# OE off
include /etc/ipsec.d/no_oe.conf

# Add connections here
include /etc/ipsec.d/ipsec.gof.conf

# /etc/ipsec.d/ipsec.gof.conf
conn g2c-p
        # connection defs
        pfs=yes
        aggrmode=no
        compress=no
        type=tunnel
        # Phase 1
        auto=add
        authby=secret
        ike=3des-sha1-2
        # Phase 2
        auth=esp
        esp=aes128-hmac_sha1-2,3des-hmac_sha1-2   # openswan won't use aes??
        # connection peers/networks
        left=209.167.162.84
        #leftnexthop=209.167.162.81
        leftsubnet=209.167.162.80/28
        right=207.236.235.99
        rightsubnet=199.43.146.0/24

The server on our end is a single server (also running the ipsec
connection), and we will likely never use it as a gateway for other servers.
Should the subnet really be 209.167.162.84/32?

Incidentally, I've also tried strongSwan, KAME (aka racoon), a couple of
consumer level devices (a Linksys RV042 and a Linksys RVS4000) and none can
connect with the above configuration.  I'm hoping this isn't the Nortel
problem I see lots of people complain about.
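Added example, not part of the post above and not Openswan's own code: a small Python checker that reads the phase state and ESP SPIs out of a pluto transcript and computes the traffic selectors a conn block installs on the local side, so the "/28 or /32" question can be answered from the config rather than guessed. It assumes Openswan's documented default that an omitted leftsubnet means the left address as a /32; the transcript and conn block embedded in it are constructed from the lines quoted in the post.

```python
# Added example (not from the original post or from Openswan): sanity-check a
# host-to-subnet conn definition and read the phase state out of a pluto
# transcript. Assumes Openswan's default that an omitted leftsubnet means
# left/32. The sample data below is constructed from the post's text.
import ipaddress
import re

SAMPLE_LOG = """\
104 "g2c-p" #1: STATE_MAIN_I1: initiate
004 "g2c-p" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "g2c-p" #2: STATE_QUICK_I1: initiate
004 "g2c-p" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x0e9ecec5 <0xf569b869 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

SAMPLE_CONN = """\
conn g2c-p
        type=tunnel
        left=209.167.162.84
        leftsubnet=209.167.162.80/28   # the /28 the post asks about
        right=207.236.235.99
        rightsubnet=199.43.146.0/24
"""


def parse_conn(text):
    """Return the key=value settings of a conn block, comments stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_log(text):
    """Return (isakmp_sa_up, ipsec_sa_up, (outbound_spi, inbound_spi) or None)."""
    phase1 = "ISAKMP SA established" in text
    phase2 = "IPsec SA established" in text
    m = re.search(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)", text)
    spis = (m.group(1), m.group(2)) if m else None
    return phase1, phase2, spis


def selectors(conf):
    """Traffic selectors the conn installs locally: (left subnet, right subnet)."""
    left = ipaddress.ip_address(conf["left"])
    # Openswan default: no leftsubnet means the gateway address itself, /32.
    leftsub = ipaddress.ip_network(conf.get("leftsubnet", f"{left}/32"))
    rightsub = ipaddress.ip_network(conf["rightsubnet"])
    return leftsub, rightsub


def matches_policy(conf, src, dst):
    """True if a src->dst packet falls inside the tunnel's selectors."""
    leftsub, rightsub = selectors(conf)
    return (ipaddress.ip_address(src) in leftsub
            and ipaddress.ip_address(dst) in rightsub)


def check(conf):
    """Warnings about the local side of a conn that is meant for one host."""
    warnings = []
    left = ipaddress.ip_address(conf["left"])
    leftsub, rightsub = selectors(conf)
    if left not in leftsub:
        warnings.append(f"left={left} is outside leftsubnet={leftsub}")
    if leftsub.num_addresses > 1:
        warnings.append(
            f"leftsubnet={leftsub} covers {leftsub.num_addresses} addresses; "
            f"a lone host should use leftsubnet={left}/32 (or omit it)")
    if leftsub.overlaps(rightsub):
        warnings.append("left and right subnets overlap")
    return warnings


if __name__ == "__main__":
    conf = parse_conn(SAMPLE_CONN)
    print(parse_log(SAMPLE_LOG))
    for w in check(conf):
        print("warning:", w)
    print(matches_policy(conf, "209.167.162.84", "199.43.146.77"))
```

With the post's values the transcript shows both SAs up, and a ping from 209.167.162.84 to 199.43.146.77 does fall inside the local selectors, so the /28 is not what stops outgoing packets from being tunnelled; the checker only flags that a /28 advertises sixteen addresses for a box that will never forward for anyone else. Both ends must describe the same networks, so whichever prefix is chosen here has to be the one the Contivity side is told about, and the remote side also needs a return route for it.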
