[Openswan Users] Problems with IP routing ctd..

Randy Wyatt rwyatt at nvtl.com
Tue Sep 22 13:29:54 EDT 2009

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, September 22, 2009 10:27 AM
To: Randy Wyatt
Cc: users at openswan.org
Subject: Re: [Openswan Users] Problems with IP routing ctd..

On Mon, 21 Sep 2009, Randy Wyatt wrote:

> We are able to access the left subnet from the right but not vice versa.
> I believe everything except the hostname has been corrected from the previous thread.
> We still have not had any success.
> The barf output is located at http://www.rwwyatt.com/barf.out

I see from it:

hain POSTROUTING (policy ACCEPT 4 packets, 531 bytes)
  pkts bytes target     prot opt in     out     source               destination
    49  3324 MASQUERADE  all  --  *      ppp0  
     0     0 MASQUERADE  all  --  *      ppp0  
     0     0 MASQUERADE  all  --  *      ppp0      !

Note that the lower two MASQUERADE rules will never hit. So the exception for packets
going to is never used. Note how it says 0 bytes have hit that rule,
yet 3324 bytes have hit the MASQUERADE rule that breaks IPsec tunnels.

However, you are not htting that problem yet according to your logs:

Sep 21 15:19:37 (none) authpriv.warn pluto[1665]: "att-to-home" #2: STATE_MAIN_I2: sent MI2, expecting MR2

That's the last message of your client. It meeans the responder on the
other end silently dropped your last packet. It will likely log why it
did so. So check the logs on the other end.

[Randy Wyatt] 

It seems we got around the problem by flushing the NAT tables:
iptables -t nat --flush  and everything works.  Thank you for all of the help.


More information about the Users mailing list