[Openswan Users] VPN working only one direction

Kevin Kizer kkizer at lgdpc.com
Fri May 15 16:52:31 EDT 2009

The remote vpn device is a Netgear FVS318 so I can't do a verify....

Here are the verify results on the Main office side as well as the error when trying to ping the remote site's internal interface.

PING ( from eth1: 56(84) bytes of data.
From icmp_seq=0 Destination Net Unreachable
From icmp_seq=8 Destination Net Unreachable
From icmp_seq=9 Destination Net Unreachable

--- ping statistics ---
16 packets transmitted, 0 received, +3 errors, 100% packet loss, time 14999ms, pipe 2
[root at mail etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.14/K2.6.18-93.cc4 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Friday, May 15, 2009 3:41 PM
To: Kevin Kizer
Cc: users at openswan.org
Subject: Re: [Openswan Users] VPN working only one direction

On Fri, 15 May 2009, Kevin Kizer wrote:

> I am new to the world of Openswan so please bear with me,
> I have semi-successfully set up a network to network IPSEC vpn, the
> connection is up and the remote site can access the LAN at the main
> office. The problem is the main office cannot connect to the remote site's
> LAN.

check both sides with ipsec verify
ensure IPsec destined packets are not NAT'ed
ensure ip forwarding
if ipsec gw is not the default gw, add a route.
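
The two [FAILED] lines in the `ipsec verify` output above, and the "ensure ip forwarding" item in the checklist, all come down to values under /proc/sys/net/ipv4. The following is an added example, not part of either message and not Openswan code: a shell function (the name `check_ipsec_sysctls` and its optional root-directory argument are assumptions made for illustration) that lists every interface whose redirect settings are still enabled and confirms forwarding is on.

```shell
#!/bin/sh
# Added example: audit the kernel settings that `ipsec verify` reports on
# for a NETKEY gateway. The function name and the optional ROOT argument
# are hypothetical; ROOT exists so the check can be pointed at a copy of
# the sysctl tree instead of the live /proc.
check_ipsec_sysctls() {
    root="${1:-/proc/sys/net/ipv4}"
    rc=0

    # A gateway between two LANs must forward packets.
    fwd=$(cat "$root/ip_forward" 2>/dev/null || echo missing)
    if [ "$fwd" != "1" ]; then
        echo "FAIL ip_forward=$fwd (expected 1)"
        rc=1
    fi

    # ipsec verify wants send_redirects and accept_redirects disabled on
    # every entry under conf/ ("all", "default" and each real interface).
    for key in send_redirects accept_redirects; do
        for f in "$root"/conf/*/"$key"; do
            [ -e "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                iface=$(basename "$(dirname "$f")")
                echo "FAIL $iface/$key=$val (expected 0)"
                rc=1
            fi
        done
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK"
    fi
    return "$rc"
}
```

Run `check_ipsec_sysctls` with no argument on the gateway to read the live values; each FAIL line names the exact file under /proc/sys/net/ipv4/conf/ that still needs to be set to 0.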

