[Openswan Users] newbie with 1st setup question

Paul Wouters paul at xelerance.com
Thu May 14 16:43:27 EDT 2009


On Thu, 14 May 2009, Gary Stainburn wrote:

> When I start up the connection, the output in the session window looks okay,
> but the log files on both machines show problems, and I cannot get traffic to
> pass down the VPN.

> [root at groucho ~]# ping 10.1.1.115
> PING 10.1.1.115 (10.1.1.115) 56(84) bytes of data.
> ^C
> --- 10.1.1.115 ping statistics ---
> 5 packets transmitted, 0 received, 100% packet loss, time 4254ms

> conn leeds-to-rmg
>    left=77.86.27.2
>    leftid=@harpo.ringways.co.uk
>    leftsubnet=10.1.0.0/16
>    leftnexthop=%defaultroute
>    leftrsasigkey=[cut]
>    rightnexthop=%defaultroute
>    right=91.85.127.194
>    rightsubnet=10.6.0.0/16
>    rightid=@groucho.ringways.co.uk
>    rightrsasigkey=[cut]
>    auto=start

When you ping, Linux picks the "nearest" IP as source ip. Since this ping is
going out over your default gateway, it picks the public ip. So your ping
now becomes SRC publicIP DST 10.1.1.115.

However, your tunnel policy is for 10.1.0.0/16 <-> 10.6.0.0/16

So your packet does not go via the tunnel and is dropped somewhere.

The easiest way is to add rightsourceip= and leftsourceip= on both ends,
and specify the internal ip there from the subnet you're tunneling.
This will add a special route that will say "if pinging that remote subnet,
do not use the nearest ip, but use this local ip instead".

A second method is to also set up tunnels for publicip->remotesubnet and
localsubnet->remotepublicip

If you use ping -I 10.1.x.y 10.6.1.115, it will also force the packet down
the tunnel. If that also does not work, you have a second problem, usually
related to NATing IPsec traffic or firewall rules blocking ESP or UDP 4500
traffic.

Paul
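The source-selection problem Paul describes, modelled as an added example (not code from the thread or from Openswan): a small simulation of how the kernel picks the "nearest" source address by longest-prefix route match, and whether the resulting src/dst pair falls inside the leftsubnet<->rightsubnet selectors of the quoted conn. The routing table, the internal address 10.6.0.1 and the policy check are constructed assumptions; the public IPs and subnets are the ones from the thread.

```python
import ipaddress

# Constructed routing table for groucho (right side of the conn above):
# a default route out of the public interface and the local LAN route.
# Each entry is (destination prefix, preferred source address).
PUBLIC_IP = "91.85.127.194"
INTERNAL_IP = "10.6.0.1"  # assumed address on groucho's 10.6.0.0/16 LAN
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(PUBLIC_IP)),
    (ipaddress.ip_network("10.6.0.0/16"), ipaddress.ip_address(INTERNAL_IP)),
]

# What leftsourceip=/rightsourceip= adds: a route to the remote subnet whose
# preferred source is the internal address instead of the public one.
ROUTES_WITH_SOURCEIP = ROUTES + [
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_address(INTERNAL_IP)),
]


def pick_source(dst, routes):
    """Longest-prefix match; returns the winning route's preferred source.
    This mimics the kernel choosing the 'nearest' IP when ping has no -I."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def matches_tunnel(src, dst, localsubnet, remotesubnet):
    """An IPsec policy only catches packets whose src AND dst both fall
    inside its selectors (here rightsubnet <-> leftsubnet from groucho)."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(localsubnet)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remotesubnet))


def ping_uses_tunnel(dst, routes, force_src=None,
                     localsubnet="10.6.0.0/16", remotesubnet="10.1.0.0/16"):
    """Return (goes_through_tunnel, chosen_source) for a ping to dst.
    force_src models 'ping -I <addr>'."""
    src = ipaddress.ip_address(force_src) if force_src else pick_source(dst, routes)
    return matches_tunnel(src, dst, localsubnet, remotesubnet), str(src)


if __name__ == "__main__":
    for label, routes, forced in (("plain ping", ROUTES, None),
                                  ("with sourceip", ROUTES_WITH_SOURCEIP, None),
                                  ("ping -I", ROUTES, INTERNAL_IP)):
        ok, src = ping_uses_tunnel("10.1.1.115", routes, forced)
        print(f"{label:14s} src={src:15s} tunnel={'yes' if ok else 'no'}")
```

With the plain routing table the ping leaves with the public source address and falls outside the policy, which is exactly the silent drop seen in the quoted output; the extra route or `-I` puts it back inside the selectors.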

