[Openswan Users] No traffic across tunnel?

Chris Wood cwood at xmission.com
Fri Feb 8 11:35:38 EST 2008 

Hi all,

I seem to need a bit of guidance.  I've got two Debian linux boxes with 
openswan.  I want to do a host-to-host setup with one being a 
roadwarrior and I followed the book and have the connection coming up 
between the two.  However, can't seem to do anything across the tunnel.

(I've tried to sanitize the info below and I've also tried to keep it as 
brief as possible, hopefully I didn't go overboard.)

Configuration:
Our Main Server --> Netscreen Firewall --> Internet --> Other 
firewall/nat --> Roadwarrior Server

IP Configuration:
Server Private IP --> Our Public IP --> (Internet) --> Public IP/can 
change --> Server Private IP (DHCP)
172.16.40.55 --> 1.2.3.4 --> (Internet) --> 4.3.2.1 --> 10.0.0.55

****Main Server ipsec.conf****
config setup
        nat_traversal=yes
        
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,$v4:!172.16.40.0/24
        nhelpers=0
        interfaces="ipsec0=eth0"
        forwardcontrol=no

conn east-west
   left=172.16.40.10
   leftsubnet=172.16.40.0/24
   leftid=@east-pp1
   right=%any
   rightsubnet=vhost:%no,%priv
   rightid=@westserver1
   type=tunnel
   leftrsasigkey=abc...
   rightrsasigkey=def...
   auto=add

****Road Warrior ipsec.conf****
config setup
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute

conn west-east
        left=%defaultroute
        leftid=@westserver1
        leftnexthop=%defaultroute
        leftrsasigkey=def...
        right=1.2.3.4
        rightid=@east-pp1
        rightrsasigkey=abc...
        auto=start

**** Last Line of ipsec auto --status from main server****
000 #3: "east-west"[1] 4.3.2.1:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
established); EVENT_SA_REPLACE in 1039s; newest ISAKMP; lastdpd=-1s(seq 
in:0 out:0)


****Comments****
The Netscreen firewall has ports 500 (UDP,ESP) and 4500 (UDP) forwarded 
to our main server.

If I do 'route' on the roadwarrior, I see the public IP of the Netscreen 
firewall (1.2.3.4).  If I do 'route' on the main server, I see the 
private IP of the roadwarrior (10.0.0.55).  If I try to ping the private 
IP of the roadwarrior (10.0.0.55) from the main server (172.16.40.10), I 
get a "Destination Host Unreachable" error.

Any ideas on what I'm missing?

C.

More information about the Users mailing list