[Openswan Users] Packets not passing through Tunnel

Peter McGill petermcgill at goco.net
Wed Mar 12 10:47:55 EDT 2008 

You cannot use route add or ip route add with openswan, you
must specify the traffic which uses the tunnel in left/rightsubnet(s).
To clarify where are you pinging/telneting from?
A ping from 10.5.125.105 to 10.8.13.113 and vise-versa should work.
A ping from 10.5.125.100 or 58.58.58.58 will not work because you
have not included them in leftsubnet.
Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not work.
Pings to 58... and 202... will work but not encrypted, plain internet.
If you want your gateway to be able to communicate with remote private
also, then change your conn as follows:
    leftsourceip=10.5.125.100 # gw will use this instead of 58... to talk to rem. priv.
    leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too
 
Peter McGill
 


  _____  

From: Khan, Hammad Aslam [mailto:raohammad at gmail.com] 
Sent: March 12, 2008 2:11 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Packets not passing through Tunnel


I already have enabled ip forwarding; 
My Setup is like;

my private                                      my gateway           <<public>>      remote gw (cisco vpn 3000)               remote
private
--------                             -----------------------------------------
-------------------------------                     ----------------------
       |                            |                                        |                             |
|                     |                   |
   10.5.125.105  === 10.5.125.100(eth1)     (eth0)58.58.58.58   >>><<<   202.202.202.202        ?.?.?.? ==== 10.8.13.113    |
       |                             |                                        |                            |
|                     |                   | 
-------                              -----------------------------------------
------------------------------                      ----------------------


My Config file
config setup
        interfaces="ipsec0=eth0"
        plutodebug="all"
        nat_traversal=yes

conn nattelenor
         type=tunnel
         authby=secret                   # secret key
         auth=esp
         pfs=no
         keylife=28800
         keyingtries=3
         auto=add
         ike=3des-md5-modp1024
         esp=3des-md5
         left=58.58.58.58             # my external, internet-routable ip address, provided by NAT box=
         leftsubnet=10.5.125.105/32
         right=202.202.202.202              # my peer's external, internet-routable ip address=
         rightsubnet=10.8.13.113/32
         
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

My ipsec verify result

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Regards,
Hammad



On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net> wrote:


Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
Without them you can only ping hosts other than the ipsec gateway,
on the remote lan, and only from hosts on the local lan not the local
ipsec gateway.
Show us your ipsec.conf and ipsec verify.
 
Peter McGill
 


  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Khan, Hammad Aslam
Sent: March 11, 2008 1:45 PM
To: users at openswan.org
Subject: [Openswan Users] Packets not passing through Tunnel


Hello everyone,
My tunnel has been successfully established (both ISAKMP and IPSEC are UP);
but when I try to ping/telnet remote end's private network PC i dont get any response.,

Using tcpdump -i eth0 (which is my public interface of GW) it shows that GW is querying internet for remote-private-nw using ARP. No
ESP packets are seen...

I added a route of 
# route add <remote-private-ip> gw <remote-public-ip>
...but still, i see the same result?

Please help.

Regards,
Hammad



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080312/b319fdbf/attachment.html

More information about the Users mailing list