[Openswan Users] OpenSwan won't Encapsulate my Packets
Markus Ewald
cygon at nuclex.org
Wed Dec 8 19:49:12 EST 2010
On 12/9/2010 1:14 AM, Paul Wouters wrote:
> On Thu, 9 Dec 2010, Markus Ewald wrote:
>
>> Connection comes up fine. Remote side can ping me and access local
>> services, but I cannot reach the other end.
>
> Usually a NAT or firewall issue
How can I debug this?
- On the OpenSwan system, ppp0 has the public IP, there's no external
broadband router involved
- My iptables is configured to let *everything* out.
- My NAT rule: iptables -A POSTROUTING -t nat -o ppp0 ! -d
192.168.248.0/24 -j MASQUERADE
>
>> If I do "tcpdump -i ppp0 -n -p udp port 500 or udp port 4500 or ah or
>> esp" and ping the other side, no output is generated.
>> If I do "tcpdump -i ppp0 -p icmp" however, I see the packets being sent,
>> unencapsulated, to my ISP.
>
> If using NETKEY, your tcpdump will not be able to see outgoing encrypted
> packets.
>
How can I find out? I grepped my kernel .config, but neither klips or
netkey appear in it.
Still, if the second tcpdump command prints the packet, that means
they're not being picked up by OpenSwan or am I mistaken here?
> Paul
-Markus-
More information about the Users
mailing list