[Openswan Users] VPN working only one direction
kkizer at lgdpc.com
Fri May 15 16:52:31 EDT 2009
The remote vpn device is a Netgear FVS318 so I can't do a verify....
Here are the verify results on the Main office side as well as the error when trying to ping the remote sites internal interface.
PING 192.168.101.199 (192.168.101.199) from 192.168.100.1 eth1: 56(84) bytes of data.
From 126.96.36.199 icmp_seq=0 Destination Net Unreachable
From 188.8.131.52 icmp_seq=8 Destination Net Unreachable
From 184.108.40.206 icmp_seq=9 Destination Net Unreachable
--- 192.168.101.199 ping statistics ---
16 packets transmitted, 0 received, +3 errors, 100% packet loss, time 14999ms, pipe 2
[root at mail etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.14/K2.6.18-93.cc4 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Friday, May 15, 2009 3:41 PM
To: Kevin Kizer
Cc: users at openswan.org
Subject: Re: [Openswan Users] VPN working only one direction
On Fri, 15 May 2009, Kevin Kizer wrote:
> I am new to the world of Openswan so please bear with me,
> I have semi successfully setup a network to network IPSEC vpn, the
> connection is up and the remote site can access the LAN at the main
> office. The problem is the main office cannot connect to the remote sites
check both sides with ipsec verify
ensure IPsec destined packets are not NAT'ed
ensure ip forwarding
if ipsec gw is not the default gw, add a route.
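
An added example, not part of the thread: a shell check for two items raised above, the ICMP redirect settings that ipsec verify reports as FAILED and whether tunnel-bound traffic is exempted from NAT. The PROC_ROOT override, the 192.168.101.0/24 remote subnet and the sample rule sets are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: the PROC_ROOT override,
# remote LAN 192.168.101.0/24, and the constructed NAT rule sets below.
PROC_ROOT="${PROC_ROOT:-/proc}"

# List settings where ICMP redirects are still enabled (the two FAILED
# lines in the ipsec verify output). Returns 1 if any are found.
check_redirects() {
    rc=0
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/send_redirects \
             "$PROC_ROOT"/sys/net/ipv4/conf/*/accept_redirects; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "0" ] || { echo "redirects enabled: $f"; rc=1; }
    done
    return "$rc"
}

# Read `iptables-save -t nat` output on stdin. Returns 0 when traffic to the
# remote LAN ($1) is exempted before the first MASQUERADE/SNAT rule in
# POSTROUTING, 1 when such a rule would rewrite it first. Heuristic: only
# the -d match is inspected, not -s/-o or jumps to user-defined chains.
nat_exempt() {
    awk -v net="$1" '
        $1 == "-A" && $2 == "POSTROUTING" {
            line = " " $0 " "
            neg = index(line, " ! -d " net " ") || index(line, " -d ! " net " ")
            if (!neg && index(line, " -d " net " ") &&
                line ~ / -j (ACCEPT|RETURN) /) exit
            if (!neg && line ~ / -j (MASQUERADE|SNAT) /) { bad = 1; exit }
        }
        END { exit bad + 0 }'
}

# Constructed rule sets: the first NATs tunnel traffic, the second exempts it.
NAT_BROKEN='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
NAT_FIXED='*nat
-A POSTROUTING -d 192.168.101.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

printf '%s\n' "$NAT_BROKEN" | nat_exempt 192.168.101.0/24 || echo "NAT_BROKEN: tunnel traffic would be NAT'ed"
printf '%s\n' "$NAT_FIXED" | nat_exempt 192.168.101.0/24 && echo "NAT_FIXED: tunnel traffic bypasses NAT"
check_redirects || echo "disable the settings listed above"
```

On a live gateway, feed it the running rules with `iptables-save -t nat | nat_exempt 192.168.101.0/24`.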