[Openswan Users] Given up on klips, netkey works (almost)
rcooper at dwford.com
Wed Jul 2 12:39:48 EDT 2008
Ok, since I *must* have the ability to use network shares
from the ipsec/firewall hosts, I have switched to netkey, as klips
always kernel panics, on every 2.6 kernel I have tried, whenever
I attempt to mount a share on the host from a remote network (ipsec).
This doesn't happen using netkey; however, I have a completely
different issue now. Below is a basic diagram of how things
are laid out. I have tried openswan 2.4.12/2.4.13/2.6.14.
MachineA can always ping machineB and vice versa.
HostA can always ping HostB and vice versa.
HostA can always ping machineB.
After 2-4 min HostA can still ping machineB, but machineB cannot
ping HostA. However, if machineB sends 2 pings to HostA every
min, machineB can always ping HostA.
HostA/HostB are also the firewalls for their respective networks, so
they are NATing. I have an iptables rule that states:
if a packet originates from HostA's outside IP, SNAT it from HostA's
inside IP. I have used this for years with KLIPS; otherwise
there are problems with HostA <--> HostB traffic. I have tried
removing this rule and it changes nothing. I have tried an all-pass
set of rules for iptables, changes nothing. I have tried
all-pass with masq, changes nothing. I have tried all-pass, masq, and
the above rule, changes nothing.
I have tried routing the network traffic through Host?, and through
Gateway?, changes nothing.
Remember, during this issue the two Host? can still talk, and any host from
either network can still talk back and forth. Only the machine? to
host? is broken. Nothing in the logs suggests a problem, and the tunnels
are obviously up, since even though machineB cannot initiate traffic
to HostA, HostA can initiate traffic to machineB (such as ssh).
I wish I could just go back to a 2.4 kernel and reliable openswan, but
I can't, and I am about at the end of my rope and will have to start
looking at another tunneling method soon.
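Added example, not from the original post or from Openswan: a small script that installs the NAT rules the post describes on a NETKEY host, with an IPsec policy-match exclusion placed before them. The addresses and interface name are constructed placeholders, and the assumption behind the exclusion is stated in the comments.

```shell
#!/bin/sh
# Added example (not from the post). Emits the POSTROUTING NAT rules the
# post describes, with an IPsec policy-match exclusion ahead of them.
# Addresses and interface names below are constructed placeholders.
IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and just print the rules

HOSTA_OUT_IP="${HOSTA_OUT_IP:-198.51.100.10}"   # HostA outside IP (constructed)
HOSTA_IN_IP="${HOSTA_IN_IP:-10.0.1.1}"          # HostA inside IP (constructed)
LAN_NET="${LAN_NET:-10.0.1.0/24}"               # HostA's LAN (constructed)
WAN_IF="${WAN_IF:-eth0}"                        # HostA outside interface (constructed)

# Assumption worth checking on a KLIPS -> NETKEY move: with NETKEY an outbound
# packet passes nat/POSTROUTING before ESP encapsulation, so SNAT/MASQUERADE
# rules also rewrite traffic that is about to enter the tunnel unless it is
# excluded first. KLIPS sends tunnel traffic out through ipsecN instead, so
# the same rules behaved differently there.
install_nat_rules() {
    # 1. Traffic matched by an outbound IPsec policy passes untouched.
    "$IPT" -t nat -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    # 2. The rule from the post: packets sourced from HostA's outside IP
    #    are SNATed to its inside IP.
    "$IPT" -t nat -A POSTROUTING -s "$HOSTA_OUT_IP" -j SNAT --to-source "$HOSTA_IN_IP"
    # 3. Ordinary masquerading for the LAN leaving via the outside interface.
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}
```

Run with `IPT=echo` first to review the three rules; the policies the `-m policy` match is compared against are listed by `ip xfrm policy`.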