[Openswan Users] IPSec tunnels OK, but don't work VPN

Tomás Alvarez talvarez at ipservice.cl
Tue Mar 4 12:52:54 EST 2008


Hi,

I set up a VPN between 2 Fedora Core 5 machines (Kernel 2.6.15-1.2054_FC5smp) using
OpenSwan 2.4.4.

Tunnels are OK!

# service ipsec status
IPsec running  - pluto pid: 23992
pluto pid 23992
3 tunnels up

If I ping from a machine in LAN A to a machine on the remote LAN (B) it works
OK

# ping 192.168.20.101
PING 192.168.20.101 (192.168.20.101) 56(84) bytes of data.
64 bytes from 192.168.20.101: icmp_seq=1 ttl=126 time=53.1 ms
64 bytes from 192.168.20.101: icmp_seq=2 ttl=126 time=49.9 ms

# tcpdump -nli eth0 proto 50
14:37:38.939450 IP XXX.XXX.XX.XX > YYY.YYY.YYY.YYY: ESP(spi=0x3cec758d,seq=0x3), length 132
14:37:38.989187 IP YYY.YYY.YYY.YYY > XXX.XXX.XX.XX: ESP(spi=0x8a87736f,seq=0x3), length 132
14:37:39.940881 IP XXX.XXX.XX.XX > YYY.YYY.YYY.YYY: ESP(spi=0x3cec758d,seq=0x4), length 132
14:37:39.992031 IP YYY.YYY.YYY.YYY > XXX.XXX.XX.XX: ESP(spi=0x8a87736f,seq=0x4), length 132

It seems very OK! But when I try any other protocol like SSH, it doesn't work
from a machine in LAN A to a remote machine in LAN B

# ssh 192.168.20.101

No ESP traffic is seen on eth0. But I see unencrypted and non-NATed
packets on eth0

# tcpdump -nli eth0 | grep 192.168.
14:44:08.752777 IP 192.168.0.222.51379 > 192.168.20.101.ssh: S 1950168007:1950168007(0) win 5840 <mss 1460,sackOK,timestamp 155885933 0,nop,wscale 2>
14:44:11.753190 IP 192.168.0.222.51379 > 192.168.20.101.ssh: S 1950168007:1950168007(0) win 5840 <mss 1460,sackOK,timestamp 155886683 0,nop,wscale 2>

In iptables I have the following rule to NAT at eth0:

-A POSTROUTING -o eth0 !  -d  192.168.0.0/255.255.0.0 -j MASQUERADE

I do exactly the same in WhiteBox and it works fine. In Fedora Core 4 I have
this problem.

Any idea what causes this problem?

Tomas

P.S.: sorry for my bad English
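
A way to check a capture for the symptom described above, as an added example that is not part of the original post: it parses `tcpdump -n` text from the external interface and flags packets between the two private LANs that appear outside ESP. The /24 prefixes, the gateway addresses (documentation ranges) and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed tunnel selectors: the post only shows 192.168.0.222 (LAN A) and
# 192.168.20.101 (LAN B); the /24 prefix lengths are a guess.
LAN_A = ipaddress.ip_network("192.168.0.0/24")
LAN_B = ipaddress.ip_network("192.168.20.0/24")

# One line of `tcpdump -n` output: timestamp, "IP", src > dst:, packet summary.
LINE = re.compile(r"^\s*(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+?):\s*(.*)$")

def host(endpoint):
    """Drop tcpdump's trailing .port/.service; return an IPv4Address or None."""
    try:
        return ipaddress.ip_address(".".join(endpoint.split(".")[:4]))
    except ValueError:
        return None  # e.g. a redacted address such as XXX.XXX.XX.XX

def classify(line):
    """Return (kind, timestamp, src, dst) with kind esp/leak/other, or None."""
    m = LINE.match(line)
    if not m:
        return None
    ts, src, dst, summary = m.groups()
    if summary.startswith("ESP("):
        return ("esp", ts, src, dst)
    a, b = host(src), host(dst)
    if a is None or b is None:
        return ("other", ts, src, dst)
    # Cleartext between the two LANs on the outside interface was not encapsulated.
    leaked = (a in LAN_A and b in LAN_B) or (a in LAN_B and b in LAN_A)
    return ("leak" if leaked else "other", ts, src, dst)

def find_leaks(capture):
    """All LAN-to-LAN packets in a text capture that were seen outside ESP."""
    hits = (classify(line) for line in capture.splitlines())
    return [h for h in hits if h and h[0] == "leak"]

# Constructed sample; gateways use documentation addresses, not the poster's.
SAMPLE = """\
14:37:38.939450 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x3cec758d,seq=0x3), length 132
14:37:38.989187 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x8a87736f,seq=0x3), length 132
14:44:08.752777 IP 192.168.0.222.51379 > 192.168.20.101.ssh: S 1950168007:1950168007(0) win 5840
14:44:11.753190 IP 192.168.0.222.51379 > 192.168.20.101.ssh: S 1950168007:1950168007(0) win 5840
14:44:12.000000 IP 198.51.100.1.40000 > 192.0.2.7.80: S 1:1(0) win 5840
"""

if __name__ == "__main__":
    for kind, ts, src, dst in find_leaks(SAMPLE):
        print(f"{ts} cleartext {src} > {dst} (expected inside ESP)")
```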
