[Openswan Users] routing non-broadcast UDP packets over my VPN is failing

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Oct 24 13:49:28 EDT 2009


On Sat, 2009-10-24 at 11:35 -0500, Shane Allen wrote:
> I have two offices, one in the US and one in Argentina. I am trying to
> get IP phones to register back to my PBX in the US from the Argentina
> office over a VPN that I established between my gateways. Here's a
> rough topology:
> 
> 10.1.0.0/24 <-> 10.1.0.1(eth1) [argw] 1.2.3.4(eth0) <-> (internet) <->
> 5.6.7.8(eth0) [txgw] 192.168.0.1(eth1) <-> 192.168.0.0/16
> 
> Both Linux boxes are running iptables Masquerading for the associated
> subnets in addition to handling the VPN traffic. The VPN is working --
> I can ping and use TCP protocols (like SSH or HTTP) over the tunnel
> with no problems.
> 
> The IP phones, however, are trying to make an initial connection over
> UDP port 1719, and this is failing to route to the opposite side.
> Here's an example of the TCPdump output I am seeing:
> 
> root at argw:~# tcpdump -i eth1 -p -n ip host 192.168.5.2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 19:27:10.993185 IP 10.1.0.96.49302 > 192.168.5.2.1719: UDP, length 65
> 19:27:15.992565 IP 10.1.0.96.49302 > 192.168.5.2.1719: UDP, length 65
> 
> If I do a similar dump on txgw (tcpdump -i eth1 -p -n ip host
> 192.168.5.2 or ip host 10.1.0.96) I get nothing. I've tested this both
> ways.
> 
> I've been searching for workarounds for a few days now and haven't
> gotten anywhere. I tested using a udping binary that contacts a host
> running an echo server, and set up an echo server on the far side. If
> I try local network udpings, they work. If I try udpings over the VPN
> they fail, regardless of packet size (I tried 1, 16, 128 and 256 byte
> packets). This leads me to believe the problem is routing UDP over the
> VPN, but I'm open to other possibilities.
> 
> I've included the (sanitized) output from ipsec barf below. I changed
> IPs and such for security purposes; if anything doesn't make sense due
> to the changes, let me know and I can clarify.
> 
> Thanks in advance for any insight you can offer!
<snip>

Hi, Shane.  I'm afraid I'm under one of those "not slept for two days"
deadlines so I did not digest your barf (ooo - that sounds awful -
reminds me of pelicans!).  We do this all the time and our phones work
just fine.  It's strange that the tunnel is only picking on your UDP
traffic.  The first thought that jumps to mind is an errant firewall
rule - either a filtering or a NAT rule.

When the packets are being lost inside the box, I sometimes find it
helpful to set up logging rules inside of iptables so I can track the
packet's processing through netfilter to find where it is being dropped.
Good luck and hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
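The netfilter logging technique John suggests, worked through as an added example (this is not code from the original post, from John, or from Openswan). It assumes the thread's Argentina gateway "argw" with the LAN on eth1 and a phone at 10.1.0.96 registering to 192.168.5.2 on UDP/1719; the kernel log lines in SAMPLE_LOG are constructed to look like netfilter LOG output, not a real capture. The script emits one LOG rule for the top of every hook a forwarded packet passes, then parses the resulting kern.log lines and reports the last trace point the flow reached and the first one it missed, which brackets the chain holding the offending rule.

```python
"""Trace a UDP flow through netfilter with iptables LOG rules.

Added example, not the original poster's or Openswan's code. Assumed
topology (from the thread): gateway argw, LAN on eth1, phone 10.1.0.96
-> 192.168.5.2 UDP/1719. SAMPLE_LOG below is constructed, not captured.
"""
import re

FLOW = "-p udp --dport 1719"  # the traffic the thread is losing

# Hooks a LAN -> tunnel packet traverses on the gateway, in order. The nat
# table is consulted only for a connection's first packet, so those two
# trace points fire once per flow; the others fire for every packet.
HOOK_ORDER = [
    ("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING"),
    ("mangle", "FORWARD"), ("filter", "FORWARD"),
    ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"),
]


def trace_rules(flow=FLOW, lan_if="eth1"):
    """iptables commands inserting one LOG rule at position 1 of each hook.

    The prefix names the hook, so kern.log records the path taken. Position 1
    matters: in nat POSTROUTING the LOG fires before MASQUERADE, so the logged
    SRC is still the phone's private address.
    """
    cmds = []
    for table, chain in HOOK_ORDER:
        in_if = f"-i {lan_if} " if chain == "PREROUTING" else ""
        cmds.append(f"iptables -t {table} -I {chain} 1 {in_if}{flow} "
                    f"-j LOG --log-prefix 'TRACE {table}:{chain} '")
    return cmds


TRACE_RE = re.compile(r"TRACE (?P<hook>[a-z]+:[A-Z]+) (?P<rest>.*)")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")  # KEY=value pairs; bare flags (DF) skipped


def parse_trace_line(line):
    """Return {'hook': 'table:CHAIN', 'SRC': ..., ...}, or None for other kernel lines."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("rest")))
    rec["hook"] = m.group("hook")
    return rec


def trace_flow(lines, src, dst, dport):
    """Hooks, in log order, at which the UDP flow src -> dst:dport was logged."""
    hits = []
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        if (rec.get("PROTO") == "UDP" and rec.get("SRC") == src
                and rec.get("DST") == dst and rec.get("DPT") == str(dport)):
            hits.append(rec["hook"])
    return hits


def diagnose(hits):
    """(last hook seen, first hook missing) along HOOK_ORDER; missing is None if all fired."""
    seen, last = set(hits), None
    for table, chain in HOOK_ORDER:
        hook = f"{table}:{chain}"
        if hook not in seen:
            return last, hook
        last = hook
    return last, None


def explain(hits):
    """Turn the diagnosis into the next place to look."""
    last, missing = diagnose(hits)
    if last is None:
        return "never logged on the LAN interface: the packet is not reaching the gateway"
    if missing is None:
        return "passed every netfilter trace point: look beyond iptables (IPsec policy/SAs, routing)"
    if missing == "mangle:FORWARD":  # routing decision sits between PREROUTING and FORWARD
        return (f"last seen in {last}: never reached FORWARD, so routing delivered it "
                "locally or found no route; check the routing table and the INPUT chain")
    table, chain = last.split(":")
    return (f"last seen in {last}, missing at {missing}: dropped by a rule in the "
            f"{table} {chain} chain after the LOG rule")


# Constructed kernel log: the phone's packet reaches filter FORWARD and vanishes;
# a second phone (10.1.0.97) and an unrelated kernel message are noise.
SAMPLE_LOG = """\
Oct 24 19:27:10 argw kernel: TRACE raw:PREROUTING IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.0.96 DST=192.168.5.2 LEN=93 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=49302 DPT=1719 LEN=73
Oct 24 19:27:10 argw kernel: TRACE mangle:PREROUTING IN=eth1 OUT= SRC=10.1.0.96 DST=192.168.5.2 LEN=93 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=49302 DPT=1719 LEN=73
Oct 24 19:27:10 argw kernel: TRACE nat:PREROUTING IN=eth1 OUT= SRC=10.1.0.96 DST=192.168.5.2 LEN=93 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=49302 DPT=1719 LEN=73
Oct 24 19:27:10 argw kernel: TRACE mangle:FORWARD IN=eth1 OUT=eth0 SRC=10.1.0.96 DST=192.168.5.2 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=49302 DPT=1719 LEN=73
Oct 24 19:27:10 argw kernel: TRACE filter:FORWARD IN=eth1 OUT=eth0 SRC=10.1.0.96 DST=192.168.5.2 LEN=93 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=UDP SPT=49302 DPT=1719 LEN=73
Oct 24 19:27:11 argw kernel: TRACE raw:PREROUTING IN=eth1 OUT= SRC=10.1.0.97 DST=192.168.5.2 LEN=93 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=UDP SPT=49310 DPT=1719 LEN=73
Oct 24 19:27:12 argw kernel: eth0: link up, 100Mbps, full-duplex
"""

if __name__ == "__main__":
    print("\n".join(trace_rules()))
    hits = trace_flow(SAMPLE_LOG.splitlines(), "10.1.0.96", "192.168.5.2", 1719)
    print(" -> ".join(hits))
    print(explain(hits))
```

Run the printed commands on the gateway, send a registration attempt from the phone, and feed the matching kern.log lines to trace_flow. The rules are diagnostic only; remove them afterwards with the same commands, replacing `-I <chain> 1` with `-D <chain>`. One caveat worth keeping in mind that goes beyond the post: on a box that both masquerades its LAN and terminates the IPsec tunnel, a MASQUERADE rule that rewrites the source before the IPsec policy is consulted makes the packet stop matching the tunnel's subnet pair, and the trace will then show it passing every netfilter hook while nothing arrives at the far gateway, which is why the example logs the pre-NAT source in nat POSTROUTING.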


