[Openswan Users] OpenSwan won't Encapsulate my Packets

Markus Ewald cygon at nuclex.org
Wed Dec 8 19:49:12 EST 2010


On 12/9/2010 1:14 AM, Paul Wouters wrote:
> On Thu, 9 Dec 2010, Markus Ewald wrote:
>
>> Connection comes up fine. Remote side can ping me and access local
>> services, but I cannot reach the other end.
>
> Usually a NAT or firewall issue

How can I debug this?
- On the OpenSwan system, ppp0 has the public IP, there's no external broadband router involved
- My iptables is configured to let *everything* out.
- My NAT rule: iptables -A POSTROUTING -t nat -o ppp0 ! -d 192.168.248.0/24 -j MASQUERADE

>
>> If I do "tcpdump -i ppp0 -n -p udp port 500 or udp port 4500 or ah or
>> esp" and ping the other side, no output is generated.
>> If I do "tcpdump -i ppp0 -p icmp" however, I see the packets being sent,
>> unencapsulated, to my ISP.
>
> If using NETKEY, your tcpdump will not be able to see outgoing encrypted
> packets.
>
How can I find out? I grepped my kernel .config, but neither klips nor netkey appear in it.
Still, if the second tcpdump command prints the packet, that means they're not being picked up by OpenSwan, or am I mistaken here?

> Paul

-Markus-
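Two checks that answer the questions in this post, added here as an example and not part of the original thread: on a NETKEY host, the loaded xfrm policies (not tcpdump on ppp0, which sees outbound packets before they are encrypted) show whether the kernel will encapsulate traffic to the remote subnet, and the nat table shows whether the MASQUERADE rule excludes that subnet as the poster's rule does. The tunnel endpoints, the local subnet 192.168.1.0/24 and the sample command output are all constructed; the poster's remote subnet 192.168.248.0/24 and ppp0 are taken from the post.

```shell
#!/bin/sh
# Added example, not part of the original thread. Two checks for a NETKEY
# (xfrm) host, run against the text that `ip xfrm policy` and
# `iptables-save -t nat` print. All addresses below are constructed.

# Constructed `ip xfrm policy` output for a tunnel between a local
# 192.168.1.0/24 and the remote 192.168.248.0/24.
SAMPLE_XFRM_POLICY='src 192.168.1.0/24 dst 192.168.248.0/24
	dir out priority 2344 ptype main
	tmpl src 203.0.113.10 dst 198.51.100.20
		proto esp reqid 16385 mode tunnel
src 192.168.248.0/24 dst 192.168.1.0/24
	dir in priority 2344 ptype main
	tmpl src 198.51.100.20 dst 203.0.113.10
		proto esp reqid 16385 mode tunnel'

# Constructed `iptables-save -t nat` output: the first rule excludes the
# remote subnet as the poster's rule does; the second does not.
SAMPLE_NAT_OK='-A POSTROUTING ! -d 192.168.248.0/24 -o ppp0 -j MASQUERADE'
SAMPLE_NAT_BAD='-A POSTROUTING -o ppp0 -j MASQUERADE'

# has_out_policy DST_CIDR: reads `ip xfrm policy` text on stdin and succeeds
# only if a "dir out" policy whose dst selector is DST_CIDR is loaded.
# No such entry means the kernel will never encapsulate traffic to DST_CIDR,
# whatever tcpdump on ppp0 shows.
has_out_policy() {
    awk -v want="$1" '
        /^src / { dst = $4 }                    # top-level selector line
        /dir out/ && dst == want { found = 1 }  # outbound policy to DST_CIDR
        END { exit found ? 0 : 1 }
    '
}

# masq_excludes DST_CIDR: reads `iptables-save -t nat` text on stdin and
# succeeds only if every MASQUERADE rule carries "! -d DST_CIDR". A rule
# without the exclusion rewrites the source address before the policy
# lookup, so the packet no longer matches the IPsec selector.
masq_excludes() {
    awk -v want="$1" '
        /-j MASQUERADE/ {
            ok = 0
            for (i = 1; i <= NF - 2; i++)
                if ($i == "!" && $(i + 1) == "-d" && $(i + 2) == want) ok = 1
            if (!ok) bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}
```

On a live host run `ip xfrm policy | has_out_policy 192.168.248.0/24` and `iptables-save -t nat | masq_excludes 192.168.248.0/24`; an empty `ip xfrm policy` / `ip xfrm state` while the tunnel is reported up points away from NETKEY (or at a stack mismatch) rather than at NAT.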
