[Openswan Users] newbie with 1st setup question

Paul Wouters paul at xelerance.com
Thu May 14 16:43:27 EDT 2009

On Thu, 14 May 2009, Gary Stainburn wrote:

> When I start up the connection, the output in the session window looks okay,
> but the log files on both machines show problems, and I cannot get traffic to
> pass down the VPN.

> [root at groucho ~]# ping
> PING ( 56(84) bytes of data.
> ^C
> --- ping statistics ---
> 5 packets transmitted, 0 received, 100% packet loss, time 4254ms

> conn leeds-to-rmg
>    left=
>    leftid=@harpo.ringways.co.uk
>    leftsubnet=
>    leftnexthop=%defaultroute
>    leftrsasigkey=[cut]
>    rightnexthop=%defaultroute
>    right=
>    rightsubnet=
>    rightid=@groucho.ringways.co.uk
>    rightrsasigkey=[cut]
>    auto=start

When you ping, Linux picks the "nearest" IP as source ip. Since this ping is
going out over your default gateway, it picks the public ip. So your ping
now becomes SRC publicIP DST

However, your tunnel policy is for <->

So your packet does not go via the tunnel and is dropped somewhere.

The easiest way is to add rightsourceip= and leftsourceip= on both ends,
and specify the internal ip there from the subnet you're tunneling.
This will add a special route that will say "if pinging that remote subnet,
do not use the nearest ip, but use this local ip instead".

A second method is to also set up tunnels for publicip->remotesubnet and

If you use ping -I 10.1.x.y, it will also force the packet down
the tunnel. If that also does not work, you have a second problem, usually
related to NATing IPsec traffic or firewall rules blocking ESP or UDP 4500.
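The source-address check from the reply above, written out as an added example; this is not code from the original mail or from Openswan. It takes the output of `ip route get <remote host>` and tests whether the `src` the kernel chose lies inside leftsubnet, which is the condition for the packet to match the subnet-to-subnet policy. Every address is an assumption made for the example: 10.1.1.0/24 as leftsubnet, 10.2.1.0/24 as rightsubnet, 192.0.2.10 as the left public IP and 192.0.2.1 as its default gateway; the `ip route get` text is constructed, not captured.

```shell
#!/bin/sh
# Added example: does the source address the kernel picks for a remote-subnet
# destination fall inside leftsubnet (i.e. inside the IPsec policy)?
#
# Assumed ipsec.conf values the check is written against (not from the mail):
#     leftsubnet=10.1.1.0/24      rightsubnet=10.2.1.0/24
#     leftsourceip=10.1.1.1       rightsourceip=10.2.1.1
# With leftsourceip set, Openswan adds a route with "src 10.1.1.1" for the
# remote subnet; without it the kernel uses the public IP and the packet never
# matches the tunnel policy. The same effect can be forced by hand with
#     ping -I 10.1.1.1 10.2.1.10

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    addr=$1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    echo $(( ($1 * 16777216) + ($2 * 65536) + ($3 * 256) + $4 ))
}

# in_subnet ADDR NET/BITS: succeed if ADDR lies inside NET/BITS.
in_subnet() {
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# route_src TEXT: print the address after "src" in `ip route get` output,
# fail if there is none.
route_src() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = src ]; then echo "$2"; return 0; fi
        shift
    done
    return 1
}

# tunnel_src_ok TEXT LEFTSUBNET: succeed if the kernel-selected source
# address is inside leftsubnet, so the packet will match the tunnel policy.
tunnel_src_ok() {
    src=$(route_src "$1") || return 1
    in_subnet "$src" "$2"
}

# live_check DST LEFTSUBNET: same check against the running kernel
# (needs iproute2; not called by default so the script runs offline).
live_check() {
    tunnel_src_ok "$(ip route get "$1" 2>/dev/null)" "$2"
}

# Constructed `ip route get 10.2.1.10` output, before and after adding
# leftsourceip=10.1.1.1 to the conn.
BEFORE='10.2.1.10 via 192.0.2.1 dev eth0 src 192.0.2.10
    cache'
AFTER='10.2.1.10 via 192.0.2.1 dev eth0 src 10.1.1.1
    cache'

for sample in BEFORE AFTER; do
    eval out=\$$sample
    if tunnel_src_ok "$out" 10.1.1.0/24; then
        echo "$sample: src $(route_src "$out") is inside leftsubnet, ping will use the tunnel"
    else
        echo "$sample: src $(route_src "$out") is outside leftsubnet, set leftsourceip= or use ping -I"
    fi
done
```

On a real host, `live_check 10.2.1.10 10.1.1.0/24` runs the same test on the kernel's actual route selection; if it passes and traffic still does not flow, the problem is the second one Paul mentions (NAT or a firewall dropping ESP or UDP 4500), not source-address selection.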

