[Openswan Users] Packets not passing through Tunnel

Khan, Hammad Aslam raohammad at gmail.com
Wed Mar 12 11:47:57 EDT 2008


OK, thanks, but if I don't want my gateway to talk to remote private, and instead
just want to access remote private from my-private; will I be required to
make changes even in that case?

rgds,
Hammad

On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <petermcgill at goco.net> wrote:

>  You cannot use route add or ip route add with openswan, you
> must specify the traffic which uses the tunnel in left/rightsubnet(s).
> To clarify where are you pinging/telneting from?
> A ping from 10.5.125.105 to 10.8.13.113 and vice versa should work.
> A ping from 10.5.125.100 or 58.58.58.58 will not work because you
> have not included them in leftsubnet.
> Likewise a ping from 202.202.202.202 or ?.?.?.? to 10.5.. will not work.
> Pings to 58... and 202... will work but not encrypted, plain internet.
> If you want your gateway to be able to communicate with remote private
> also, then change your conn as follows:
>     leftsourceip=10.5.125.100 # gw will use this instead of 58... to talk to rem. priv.
>     leftsubnet=10.5.125.96/28 # you'll need to change subnet on cisco too
>
> Peter McGill
>
>
>  ------------------------------
> *From:* Khan, Hammad Aslam [mailto:raohammad at gmail.com]
> *Sent:* March 12, 2008 2:11 AM
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Packets not passing through Tunnel
>
>  I already have enabled ip forwarding;
> My Setup is like;
>
> my private      my gateway                                <<public>>      remote gw (cisco vpn 3000)     remote private
> 10.5.125.105 === (eth1)10.5.125.100 / (eth0)58.58.58.58  >>*><*<<  202.202.202.202 / ?.?.?.?  ==== 10.8.13.113
>
>
> *My Config file*
> config setup
>         interfaces="ipsec0=eth0"
>         plutodebug="all"
>         nat_traversal=yes
>
> conn nattelenor
>          type=tunnel
>          authby=secret                   # secret key
>          auth=esp
>          pfs=no
>          keylife=28800
>          keyingtries=3
>          auto=add
>          ike=3des-md5-modp1024
>          esp=3des-md5
>          left=58.58.58.58             # my external, internet-routable ip address, provided by NAT box
>          leftsubnet=10.5.125.105/32
>          right=202.202.202.202        # my peer's external, internet-routable ip address
>          rightsubnet=10.8.13.113/32
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> *My ipsec verify result*
>
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
>
> NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]
>
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
>
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
>
>
> Regards,
> Hammad
>
>
> On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill <petermcgill at goco.net>
> wrote:
>
> >  Did you add leftsourceip=leftlanip and rightsourceip=rightlanip?
> > Without them you can only ping hosts other than the ipsec gateway,
> > on the remote lan, and only from hosts on the local lan not the local
> > ipsec gateway.
> > Show us your ipsec.conf and ipsec verify.
> >
> > Peter McGill
> >
> >
> >  ------------------------------
> > *From:* users-bounces at openswan.org [mailto:users-bounces at openswan.org] *On
> > Behalf Of *Khan, Hammad Aslam
> > *Sent:* March 11, 2008 1:45 PM
> > *To:* users at openswan.org
> > *Subject:* [Openswan Users] Packets not passing through Tunnel
> >
> >   Hello everyone,
> > My tunnel has been successfully established (both ISAKMP and IPSEC are
> > UP);
> > but when I try to ping/telnet the remote end's private network PC I don't get
> > any response.
> >
> > Using *tcpdump -i eth0* (which is my public interface of GW) it shows
> > that GW is querying internet for remote-private-nw using ARP. No ESP packets
> > are seen...
> >
> > I added a route of
> > # route add <remote-private-ip> gw <remote-public-ip>
> > ...but still, I see the same result?
> >
> > Please help.
> >
> > Regards,
> > Hammad
> >
> >
>
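As an added example, not code from this thread or from Openswan itself, the POSIX shell script below models the two points Peter raises: a packet only enters the tunnel when its source lies inside leftsubnet and its destination inside rightsubnet (adding a route with `route add` changes nothing, because selection is by policy, not by the routing table), and the send_redirects/accept_redirects settings that `ipsec verify` reported as FAILED. The addresses and subnets are the ones quoted in the thread; the function names and the optional directory argument to check_redirects (so it can be pointed at a constructed test tree instead of /proc) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan.
# Models Openswan traffic selection: a packet enters the tunnel only if its
# source is inside leftsubnet and its destination inside rightsubnet.
# Everything else follows the normal routing table, unencrypted.

ip2int() {
    # dotted-quad -> 32-bit integer, POSIX arithmetic only
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {
    # in_subnet IP CIDR -> exit 0 if IP lies inside CIDR (a bare address counts as /32)
    case $2 in
        */*) _net=${2%/*}; _bits=${2#*/} ;;
        *)   _net=$2;      _bits=32 ;;
    esac
    _mask=$(( _bits == 0 ? 0 : (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

tunnel_selects() {
    # tunnel_selects SRC DST LEFTSUBNET RIGHTSUBNET
    # exit 0 when the pair matches the conn's selectors, 1 when it is sent in the clear
    if in_subnet "$1" "$3" && in_subnet "$2" "$4"; then
        echo "$1 -> $2: inside $3 / $4 selectors, goes through the tunnel"
        return 0
    fi
    echo "$1 -> $2: outside selectors, plain routing, not encrypted"
    return 1
}

check_redirects() {
    # check_redirects [CONFDIR]: report every interface whose send_redirects or
    # accept_redirects is still enabled, the condition "ipsec verify" marks FAILED.
    # CONFDIR defaults to the real sysctl tree; a test directory may be substituted
    # (hypothetical parameter added for this example).
    _dir=${1:-/proc/sys/net/ipv4/conf}
    _bad=0
    for _f in "$_dir"/*/send_redirects "$_dir"/*/accept_redirects; do
        [ -r "$_f" ] || continue
        if [ "$(cat "$_f")" != 0 ]; then
            echo "still enabled: $_f"
            _bad=1
        fi
    done
    return $_bad
}

# Demo with the addresses from the thread: original conn vs. Peter's suggested change.
ORIG_LEFT=10.5.125.105/32; WIDER_LEFT=10.5.125.96/28; RIGHT=10.8.13.113/32
tunnel_selects 10.5.125.105 10.8.13.113 $ORIG_LEFT  $RIGHT || :   # LAN host: tunnel, as-is
tunnel_selects 10.5.125.100 10.8.13.113 $ORIG_LEFT  $RIGHT || :   # gateway LAN ip: cleartext
tunnel_selects 10.5.125.100 10.8.13.113 $WIDER_LEFT $RIGHT || :   # with leftsubnet=/28: tunnel
check_redirects || :                                               # real sysctl tree on this host
```

On the gateway, the FAILED checks go away after `sysctl -w net.ipv4.conf.all.send_redirects=0` and `sysctl -w net.ipv4.conf.all.accept_redirects=0` (persisted in /etc/sysctl.conf); with NETKEY the gateway otherwise emits or honours ICMP redirects that steer LAN hosts away from the route the tunnel relies on.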