[Openswan Users] Problems with IP routing ctd..

Paul Wouters paul at xelerance.com
Tue Sep 22 13:27:05 EDT 2009


On Mon, 21 Sep 2009, Randy Wyatt wrote:

> We are able to access the left subnet from the right but not vice versa.
>  
> I believe everything except the hostname has been corrected from the previous thread.
> 
> We still have not had any success.
> 
> 
> The barf output is located at http://www.rwwyatt.com/barf.out

I see from it:

Chain POSTROUTING (policy ACCEPT 4 packets, 531 bytes)
  pkts bytes target     prot opt in     out     source               destination
    49  3324 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
     0     0 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
     0     0 MASQUERADE  all  --  *      ppp0    192.168.1.0/24      !10.0.1.0/24

Note that the lower two MASQUERADE rules will never hit. So the exception for packets
going to 10.0.1.0/24 is never used. Note how it says 0 bytes have hit that rule,
yet 3324 bytes have hit the MASQUERADE rule that breaks IPsec tunnels.
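Added illustration, not from the thread: a small first-match model of the nat POSTROUTING chain, run over the rules quoted above and over an assumed corrected ordering (an ACCEPT for LAN-to-10.0.1.0/24 traffic placed before any MASQUERADE). The packets and the fix are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    target: str
    out_if: str            # "*" matches any outgoing interface
    src: str
    dst: str
    dst_negated: bool = False   # the "!" in front of the destination

    def matches(self, out_if, src, dst):
        if self.out_if != "*" and self.out_if != out_if:
            return False
        if ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
        return in_dst != self.dst_negated


def walk_chain(chain, packets, policy="ACCEPT"):
    """First-match evaluation as in the nat POSTROUTING chain: the first rule
    that matches decides (MASQUERADE or ACCEPT) and later rules are skipped.
    Returns per-rule hit counters and the verdict for each packet."""
    hits = [0] * len(chain)
    verdicts = []
    for out_if, src, dst in packets:
        verdict = policy
        for i, rule in enumerate(chain):
            if rule.matches(out_if, src, dst):
                hits[i] += 1
                verdict = rule.target
                break
        verdicts.append(verdict)
    return hits, verdicts


# The chain as quoted in the barf output: catch-all MASQUERADE first, exception last.
ORIGINAL = [
    Rule("MASQUERADE", "ppp0", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("MASQUERADE", "ppp0", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("MASQUERADE", "ppp0", "192.168.1.0/24", "10.0.1.0/24", dst_negated=True),
]
# Assumed fix: exempt tunnel traffic before any MASQUERADE rule can see it.
FIXED = [
    Rule("ACCEPT", "ppp0", "192.168.1.0/24", "10.0.1.0/24"),
    Rule("MASQUERADE", "ppp0", "192.168.1.0/24", "10.0.1.0/24", dst_negated=True),
]
# Constructed packets: one bound for the far side of the tunnel, one for the Internet.
PACKETS = [("ppp0", "192.168.1.10", "10.0.1.5"), ("ppp0", "192.168.1.10", "203.0.113.9")]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, walk_chain(chain, PACKETS))
```

With the original order the tunnel-bound packet is counted against the first MASQUERADE rule and the exception stays at zero, exactly the counters seen above; with the exception first it is left un-NATed and only Internet traffic is masqueraded.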

However, you are not hitting that problem yet according to your logs:

Sep 21 15:19:37 (none) authpriv.warn pluto[1665]: "att-to-home" #2: STATE_MAIN_I2: sent MI2, expecting MR2

That's the last message of your client. It means the responder on the
other end silently dropped your last packet. It will likely log why it
did so. So check the logs on the other end.

Paul

