[Openswan Users] Packets not passing through Tunnel

Peter McGill petermcgill at goco.net
Wed Mar 12 10:47:55 EDT 2008

You cannot use route add or ip route add with openswan, you
must specify the traffic which uses the tunnel in left/rightsubnet(s).
To clarify, where are you pinging/telnetting from?
A ping from to and vice versa should work.
A ping from or will not work because you
have not included them in leftsubnet.
Likewise a ping from or ?.?.?.? to 10.5.. will not work.
Pings to 58... and 202... will work but not encrypted, plain internet.
If you want your gateway to be able to communicate with remote private
also, then change your conn as follows:
    leftsourceip= # gw will use this instead of 58... to talk to rem. priv.
    leftsubnet= # you'll need to change subnet on cisco too
Peter McGill
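As an added illustration of the rule above (example code, not from the thread or from Openswan), the script below models Openswan's traffic selectors: a flow is protected only when it falls inside leftsubnet <-> rightsubnet, and the gateway itself joins that set only when leftsourceip is set to an address inside leftsubnet. The addresses are constructed placeholders, since the list archive stripped the poster's real ones.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment standing in for the poster's conn (the list
# archive stripped his real addresses, so these are RFC 5737 placeholders).
# leftsourceip is deliberately absent: it is the setting the reply points at.
CONN = """
conn nattelenor
        authby=secret
        left=192.0.2.10            # my external ip (placeholder)
        leftsubnet=10.5.0.0/16     # my private lan (placeholder)
        right=198.51.100.20        # cisco vpn 3000 public ip (placeholder)
        rightsubnet=172.16.0.0/16  # remote private lan (placeholder)
"""

def parse_conn(text):
    """Collect key=value settings from a conn block, dropping '#' comments."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)=(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def classify(conf, src, dst):
    """Return 'esp' if src->dst falls inside the conn's traffic selectors,
    otherwise 'plain': the packet leaves eth0 unprotected, which is exactly
    the 'ARP for the remote private network, no ESP' symptom in the thread."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Without left/rightsubnet the selector is the gateway address itself.
    lsub = ipaddress.ip_network(conf.get("leftsubnet", conf["left"] + "/32"))
    rsub = ipaddress.ip_network(conf.get("rightsubnet", conf["right"] + "/32"))
    # Policy exists only for leftsubnet <-> rightsubnet; a manual 'route add'
    # towards the remote gateway never widens it.
    if (s in lsub and d in rsub) or (s in rsub and d in lsub):
        return "esp"
    return "plain"

def gateway_to_remote(conf, dst="172.16.0.9"):
    """Classify traffic originated by the gateway itself: it sources from
    leftsourceip when set, otherwise from 'left' (its public address)."""
    return classify(conf, conf.get("leftsourceip", conf["left"]), dst)

if __name__ == "__main__":
    conf = parse_conn(CONN)
    print("lan host -> remote lan:", classify(conf, "10.5.1.7", "172.16.0.9"))
    print("gw public -> remote lan:", classify(conf, "192.0.2.10", "172.16.0.9"))
    print("gw -> remote lan, no leftsourceip:", gateway_to_remote(conf))
    fixed = parse_conn(CONN + "        leftsourceip=10.5.0.1\n")
    print("gw -> remote lan, leftsourceip set:", gateway_to_remote(fixed))
```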


From: Khan, Hammad Aslam [mailto:raohammad at gmail.com] 
Sent: March 12, 2008 2:11 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel

I already have enabled ip forwarding; 
My Setup is like;

[network diagram, garbled in the archive; the surviving labels, left to right: my private -- my gateway (eth0) -- <<public>> -- ?.?.?.? remote gw (cisco vpn 3000) -- remote]

My Config file
config setup

conn nattelenor
         authby=secret                   # secret key
         left=             # my external, internet-routable ip address, provided by NAT box
         right=              # my peer's external, internet-routable ip address
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

My ipsec verify result

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net> wrote:

Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
Without them you can only ping hosts other than the ipsec gateway,
on the remote lan, and only from hosts on the local lan not the local
ipsec gateway.
Show us your ipsec.conf and ipsec verify.
Peter McGill


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Khan, Hammad Aslam
Sent: March 11, 2008 1:45 PM
To: users at openswan.org
Subject: [Openswan Users] Packets not passing through Tunnel

Hello everyone,
My tunnel has been successfully established (both ISAKMP and IPSEC are UP),
but when I try to ping/telnet the remote end's private network PC I don't get any response.

Using tcpdump -i eth0 (which is the public interface of my GW), it shows that the GW is querying the internet for the remote private network using ARP. No
ESP packets are seen...

I added a route of
# route add <remote-private-ip> gw <remote-public-ip>
...but still, I see the same result?

Please help.

