[Openswan Users] Given up on klips, netkey works (almost)

Rick Cooper rcooper at dwford.com
Wed Jul 2 12:39:48 EDT 2008

Ok, since I *must* have the ability to use network shares
from the ipsec/firewall hosts. I have switched to netkey as klips
always kernel panics, on every 2.6 kernel I have tried, when ever
I attempt to mount a share on the host from a remote network (ipsec).
This doesn't happen using netkey, however I have a completely
different issue now. Below is a basic diagram as to how things
are layed out.  I have tried openswan 2.4.12/2.4.13/2.6.14.

    |                                                          |
    |                                                          |
    v                                                          v
machineA                                                    machineB

MachineA can always ping to machineB and vicea/versa
HostA can always ping to HostB and vicea/versa
HostA can always ping machineB
	after 2-4 min hostA can still ping machineB but machineB cannot
	ping hostA. However if machineB sends 2 pings to HostA every
	min machineB can always ping hostA

HostA/HostB are also the firewalls for their respective networks so
the are natting. I have an iptables rule that states
	if packet originates from HostA outside IP, SNAT from HostA
	inside IP. Have used this for years with KLIPS, otherwise
	there are problems with HostA <--> HostB traffice. I have tried
	removing this rule and it changes nothing. I have tried an all
	pass set of rules for iptables, changes nothing. I have tried
	all pass with masq, changes nothing. Have tried all pass, masq, and
	above rule, changes nothing.

	I have tried routing the network traffic through Host?, and through
	Gateway?, changes nothing.

Remember during this issue the two Host? can still talk, any host from
either network and still talk back and forth. Only the machine? to
host? is broken. Nothing in the logs suggest a problem and the tunnels
are obviously up since even though machineB cannot initiate traffic
to hostA, hostA can initiate traffic to machineB (such as ssh).

I wish I could just go back to a 2.4 kernel and reliable openswan but
I can't but I am about at the end of my rope and will have to start
looking at another tunneling method soon.



Rick Cooper

This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the Users mailing list