[Openswan Users] Problems routing from left to right, but not in reverse

Paul Wouters paul at xelerance.com
Thu Sep 17 20:05:54 EDT 2009


On Thu, 17 Sep 2009, Randy Wyatt wrote:

> The IPSEC SA appears to come up, but I am unable to pass traffic through
> to hosts on the right subnet.  I am able to pass traffic from hosts on
> the right subnet to hosts on the left subnet.

> + ip xfrm state
> 
> BusyBox v1.10.4 (2009-08-31 22:21:14 EDT) multi-call binary

The busybox ip command is not good enough for use with openswan. You
need to install the real iproute2 package.

> Usage: hostname [OPTION] [hostname | -F FILE]

Looks like you have a busybox hostname too (not critical, but if
you're fixing anyways.....)

> #                      left=10.0.0.1
> #                      leftsubnet=172.16.0.0/24
> #                      leftnexthop=10.22.33.44

Is leftnexthop really the gateway that is reachable from left?

> #                      right=10.12.12.1
> #                      rightsubnet=192.168.0.0/24
> #                      rightnexthop=10.101.102.103
> #                      # at startup, uncomment this.
> 
> #                      #auto=start

You should have an auto=add if you just want to load it. The
connection might not be in auto=ignore because you did not
specify any auto= option.

> rmnet1/accept_redirects rmnet1/secure_redirects rmnet1/send_redirects
> rmnet2/accept_redirects rmnet2/secure_redirects rmnet2/send_redirects
> usb0/accept_redirects usb0/secure_redirects usb0/send_redirects
> 
> all/accept_redirects:0
> 
> all/secure_redirects:1
> 
> all/send_redirects:1

You want send_redirects off, since netkey confuses it.

> Chain INPUT (policy ACCEPT 2 packets, 656 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 10598 1096K ACCEPT     all  --  *      *       192.168.1.0/28       0.0.0.0/0
>  1323  180K ACCEPT     all  --  ppp0   *       0.0.0.0/0            32.177.8.180        state NEW,RELATED,ESTABLISHED

This does not accept ESP packets, does it?

> Chain POSTROUTING (policy ACCEPT 1166 packets, 98336 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    63  9619 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
>     0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

These do not exclude IPsec packets, so your IPsec packets will
get NAT'ed and broken.

> # CONFIG_IP_ADVANCED_ROUTER is not set

You need this kernel compile option.

Paul
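The three firewall and sysctl fixes Paul asks for (accept IKE and ESP on the WAN side, keep IPsec-protected traffic out of MASQUERADE, and turn off redirects), worked through as an added shell example that is not part of the original thread or of Openswan itself. It assumes the NETKEY stack, an iptables build with the xt_policy match, ppp0 as the WAN interface and the left/right subnets quoted from the config above; the `nat_exempts_ipsec` checker reads `iptables -t nat -S POSTROUTING` output and the two chain dumps it is run against here are constructed samples. Nothing is applied unless APPLY=1 is set; by default the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the thread: print (or, with APPLY=1, apply) the three
# fixes Paul lists, and check that the nat table exempts IPsec traffic before
# the MASQUERADE rule. Assumed: NETKEY, the xt_policy match, WAN on ppp0 and
# the subnets quoted from the config in the thread.

WAN_IF="${WAN_IF:-ppp0}"
LEFT_SUBNET="${LEFT_SUBNET:-172.16.0.0/24}"
RIGHT_SUBNET="${RIGHT_SUBNET:-192.168.0.0/24}"

# run: execute the command when APPLY=1, otherwise print what would be run.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# allow_ike_and_esp: the quoted INPUT chain has no rule for protocol 50 (ESP)
# or for IKE, so encrypted traffic arriving on ppp0 falls through to the
# default policy. Accept IKE, NAT-T and ESP explicitly.
allow_ike_and_esp() {
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    run iptables -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
}

# exempt_ipsec_from_nat: insert ACCEPT rules ahead of MASQUERADE so packets
# that an IPsec policy will encapsulate keep their source address. The policy
# match is the NETKEY-aware test; the subnet pair is a fallback for a kernel
# built without xt_policy.
exempt_ipsec_from_nat() {
    run iptables -t nat -I POSTROUTING 1 -s "$LEFT_SUBNET" -d "$RIGHT_SUBNET" -j ACCEPT
    run iptables -t nat -I POSTROUTING 1 -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
}

# disable_redirects: NETKEY is confused by ICMP redirects; turn sending and
# accepting them off for existing interfaces and for ones created later.
disable_redirects() {
    for scope in all default; do
        run sysctl -w "net.ipv4.conf.$scope.send_redirects=0"
        run sysctl -w "net.ipv4.conf.$scope.accept_redirects=0"
    done
}

# nat_exempts_ipsec: read "iptables -t nat -S POSTROUTING" output on stdin and
# return 0 when an ACCEPT that exempts IPsec (policy match or the tunnel
# subnets) appears before the first MASQUERADE, 1 otherwise.
nat_exempts_ipsec() {
    awk -v l="$LEFT_SUBNET" -v r="$RIGHT_SUBNET" '
        /-j MASQUERADE/ { exit (found ? 0 : 1) }
        /-j ACCEPT/ && (/--pol ipsec/ || (index($0, "-s " l) && index($0, "-d " r))) { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed samples in "iptables -S" form: the quoted POSTROUTING chain (two
# bare MASQUERADE rules) and the same chain after exempt_ipsec_from_nat ran.
BAD_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -o ppp0 -j MASQUERADE'

GOOD_POSTROUTING='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.16.0.0/24 -d 192.168.0.0/24 -j ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE'

# report NAME RULES: print a verdict for one chain dump.
report() {
    if printf '%s\n' "$2" | nat_exempts_ipsec; then
        echo "$1: IPsec traffic exempted before MASQUERADE"
    else
        echo "$1: IPsec traffic would be NATed and broken"
    fi
}

allow_ike_and_esp
exempt_ipsec_from_nat
disable_redirects
report "quoted chain" "$BAD_POSTROUTING"
report "fixed chain" "$GOOD_POSTROUTING"
```

Run it once without APPLY to review the planned rules, then with `APPLY=1` as root; afterwards `iptables -t nat -S POSTROUTING | nat_exempts_ipsec` is a quick way to confirm the exemption really sits in front of the MASQUERADE rule after any later firewall reload.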

