[Openswan Users] Huge_IPSec_problem

Paul Wouters paul at xelerance.com
Fri Oct 16 09:51:16 EDT 2009


On Fri, 9 Oct 2009, Steven Schlegel wrote:

> client1: 192.168.240.50 ----> vpn-router1: 82.144.x.130 -->|-------TUNNEL-------|<-- vpn-router2: 82.113.x.27 ----> client2: 82.113.x.65
> 
> My vpn-router1 has 3 network-cards:
> 
> eth0 with 10.254.0.1
> eth1 with 10.254.0.2
> eth2 with 82.144.x.130

> Note: I don't have any access on vpn-router2, because it is a router from a different network.
> 
> The tunnel between vpn-router1 and vpn-router2 is set up correctly, because I'll get an "ISAKMP SA established" message.

You need to see "IPsec SA Established". The ISAKMP is just the phase1 part of the ipsec connection.
My guess is that your connection is not establishing at all.

> So I tried to ping from my vpn-router1 to vpn-router2 and it works, BUT as I did a traceroute to vpn-router2, I noticed
> that all the traffic goes through the internet and not through the ipsec-tunnel. I believe this is a routing issue, but I can't figure out
> what is going wrong.

Note that traceroute is a bad tool to use for debugging IPsec, as there are no
"hops" between the tunnel, or hop count decrements like you expect, and no
way for middle routers to send icmp messages back. Use tcpdump in combination
with a ping and look for proto esp and/or udp port 4500 packets.

Paul
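The check Paul describes, run a ping and look at the outside interface with tcpdump for ESP or UDP/4500 traffic, as an added example that is not part of this thread or of Openswan. It takes a saved `tcpdump -n` capture and reports whether traffic toward the peer is tunnelled (raw ESP), NAT-T encapsulated (ESP inside UDP port 4500), or going out in the clear, which is the symptom in the original question. The peer address, interface name and the sample capture lines are constructed stand-ins for the masked values in the thread.

```shell
#!/bin/sh
# Added example, not from the Openswan thread or project. Sorts a `tcpdump -n`
# capture into tunnelled (ESP), NAT-T (UDP/4500) and cleartext traffic toward
# the IPsec peer: the check recommended above instead of traceroute.
# Addresses and interface names are constructed stand-ins for the masked ones.

PEER="82.113.0.27"      # assumed remote gateway (vpn-router2)
OUTSIDE_IF="eth2"       # assumed outside interface of vpn-router1

# How to produce the capture on the gateway (needs root), while a ping to the
# far side runs in another shell:
#   tcpdump -ni "$OUTSIDE_IF" "host $PEER" > capture.txt

# count_lines PATTERN FILE: like grep -c, but never fails under `set -e`
count_lines() {
    grep -c -- "$1" "$2" || true
}

# classify_capture FILE -> prints one of: tunnel, natt, clear, none
#   tunnel: raw ESP seen (phase 2 is up and the route/policy sends traffic in)
#   natt:   ESP carried inside UDP port 4500 (NAT traversal in use)
#   clear:  only plaintext ICMP to the peer, i.e. traffic bypasses the SA
#   none:   nothing toward the peer at all
classify_capture() {
    f="$1"
    natt=$(count_lines 'UDP-encap: ESP(' "$f")
    # raw ESP lines, excluding the NAT-T ones that also carry "ESP(spi="
    esp=$(grep -v 'UDP-encap' "$f" | grep -c ': ESP(spi=' || true)
    clear=$(count_lines 'ICMP echo' "$f")
    if [ "$esp" -gt 0 ]; then echo tunnel
    elif [ "$natt" -gt 0 ]; then echo natt
    elif [ "$clear" -gt 0 ]; then echo clear
    else echo none
    fi
}

# Constructed sample captures in tcpdump -n style, so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' \
  '09:51:16.000001 IP 82.144.0.130 > 82.113.0.27: ICMP echo request, id 7, seq 1, length 64' \
  '09:51:16.020002 IP 82.113.0.27 > 82.144.0.130: ICMP echo reply, id 7, seq 1, length 64' \
  > "$SAMPLE_DIR/bypass.txt"
printf '%s\n' \
  '09:52:01.000001 IP 82.144.0.130 > 82.113.0.27: ESP(spi=0x0a1b2c3d,seq=0x1), length 132' \
  '09:52:01.020002 IP 82.113.0.27 > 82.144.0.130: ESP(spi=0x4e5f6071,seq=0x1), length 132' \
  > "$SAMPLE_DIR/tunnel.txt"
printf '%s\n' \
  '09:53:01.000001 IP 82.144.0.130.4500 > 82.113.0.27.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 132' \
  > "$SAMPLE_DIR/natt.txt"
: > "$SAMPLE_DIR/none.txt"

for c in bypass tunnel natt none; do
    printf '%s: %s\n' "$c" "$(classify_capture "$SAMPLE_DIR/$c.txt")"
done
```

A verdict of `clear` while the ping succeeds is exactly the situation in the question: the packets reach the far side over the plain Internet path, so no IPsec SA is carrying them, and the next thing to look for is the "IPsec SA established" line in the Openswan log rather than a routing table entry.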
