[Openswan Users] one way traffic flow through established tunnel

Maxim Gorbachyov maxim.gorbachyov at gmail.com
Tue Apr 28 07:05:29 EDT 2009


Hello All.
I'm stuck with a problem: nodes behind gateways cannot ping each
other, but in different ways.
Traffic from one side is going through the tunnel, but one way only:
14:08:20.232684 IP 192.168.12.2.500 > 192.168.12.1.500: isakmp: phase 1 I ident
14:08:20.364495 IP 192.168.12.1.500 > 192.168.12.2.500: isakmp: phase 1 R ident
14:08:20.372441 IP 192.168.12.2.500 > 192.168.12.1.500: isakmp: phase 1 I ident
14:08:20.593069 IP 192.168.12.1.500 > 192.168.12.2.500: isakmp: phase 1 R ident
14:08:20.606983 IP 192.168.12.2.500 > 192.168.12.1.500: isakmp: phase 1 I ident[E]
14:08:20.843314 IP 192.168.12.1.500 > 192.168.12.2.500: isakmp: phase 1 R ident
14:08:20.882112 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x4), length 132
14:08:21.882063 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x5), length 132
14:08:22.880543 ARP, Request who-has 192.168.12.2 tell 192.168.12.1, length 28
14:08:22.880798 ARP, Reply 192.168.12.2 is-at 00:e0:81:47:06:f4, length 46
14:08:22.884354 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x6), length 132
14:08:23.892980 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x7), length 132
14:08:24.900358 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x8), length 132
14:08:25.908386 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x9), length 132
14:08:26.916441 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0xa), length 132
14:08:27.924579 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0xb), length 132

The node on the other side gets ICMP "network is unreachable" from
its gateway; no packets go into the tunnel from these attempts.

"ipsec barf" outputs are too large to be inlined, so see them attached
("depth" and "test" are gateways). In short, I use Debian/unstable and
openswan-2.6.21 (I tried both distro and vanilla versions) on amd64
hosts. Nodes behind gateways route traffic to remote network through
local gateway interfaces, like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.13.0    192.168.11.1    255.255.255.0   UG    0      0        0 eth0
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

(here 192.168.11.1 is local gateway interface, 192.168.13.0/24 is
remote network)

Could you please suggest how to make it work? Let me know if more info
is required.
Attachments:
- barf.depth (application/octet-stream, 1454450 bytes): http://lists.openswan.org/pipermail/users/attachments/20090428/fecb75c8/attachment-0002.obj
- barf.test (application/octet-stream, 1956345 bytes): http://lists.openswan.org/pipermail/users/attachments/20090428/fecb75c8/attachment-0003.obj
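A small check for the symptom described in the post, added here as an example (not code from the post or from Openswan): it parses tcpdump's one-line ESP output, counts ESP packets per SPI and per gateway pair, and reports pairs where ESP is seen in one direction only. The sample capture is constructed from the lines above; the regular expression assumes tcpdump's `ESP(spi=0x...,seq=0x...)` formatting.

```python
import re
from collections import defaultdict

# Constructed sample: ESP and ARP lines from the capture in the post,
# each packet on a single line as tcpdump prints it.
SAMPLE = """\
14:08:20.882112 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x4), length 132
14:08:21.882063 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x5), length 132
14:08:22.880543 ARP, Request who-has 192.168.12.2 tell 192.168.12.1, length 28
14:08:22.884354 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x6), length 132
14:08:23.892980 IP 192.168.12.1 > 192.168.12.2: ESP(spi=0x6282587d,seq=0x7), length 132
"""

# Assumed tcpdump layout: "<time> IP <src> > <dst>: ESP(spi=0x..,seq=0x..), length N"
ESP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\)"
)


def parse_esp(text):
    """Yield (src, dst, spi, seq) for every ESP line; other lines are skipped."""
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16)


def esp_directions(text):
    """Count ESP packets per (src, dst) pair, grouped by SPI."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst, spi, _seq in parse_esp(text):
        counts[spi][(src, dst)] += 1
    return counts


def one_way_pairs(text):
    """Return (sender, receiver, packets) for pairs with no ESP in reply.

    A receiver that never sends ESP back is not encapsulating anything,
    so the fault is on that side (routing or policy, matching the
    "network is unreachable" seen there), not in the established SA.
    """
    seen = defaultdict(int)
    for spi_counts in esp_directions(text).values():
        for (src, dst), n in spi_counts.items():
            seen[(src, dst)] += n
    return [(s, d, n) for (s, d), n in seen.items() if (d, s) not in seen]
```

Running `one_way_pairs` over a capture taken on either gateway's outer interface shows immediately which side never emits ESP.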