[Openswan Users] android client shows public IP when sniffing ipsec0 interface (server routing issue)

Majid Khonji majid at khonji.org
Thu Jul 1 12:01:36 EDT 2010


I reverted it back to openswan 2.6.27 and the same problem exists.
(Note: Openswan 2.6.27 works fine with multiple ipsec tunnels behind a nat).

Anyways I tried on the server side to run a dummy server: nc -u -l -p 1701
and the behavior is kinda strange. I see android client l2tp packets on
ipsec0 interface but nothing appears on the dummy server except one last
packet. On the other hand, when I run a linux client, all packets seen on
ipsec0 are shown on the dummy server (of course some crypted ASCII).

I don't understand the problem and don't know how to proceed!



On Thu, Jul 1, 2010 at 6:37 PM, Majid Khonji <majid at khonji.org> wrote:

> One thing more:
> Even though I used iptables and iproute2, still xl2tpd is not happy at all.
> It simply doesn't like IPsec.
> When I run without ipsec tunnel, it just damn works!!!
>
> Using NETKEY, xl2tpd was pretty happy (but again nooo damn multiple clients
> behind a shitty natttt)
>
>
> On Thu, Jul 1, 2010 at 6:32 PM, Majid Khonji <majid at khonji.org> wrote:
>
>> There is a small mistake in the problem description, let me rewrite it:
>>
>> I am trying to use android 1.6 road-warriors behind nat.
>> using protostack=klips, the android client sends packets to ipsec0
>> successfully (but source ip = Public ip). However, xl2tpd sends responses
>> back through the physical interface (based on the routing table).
>> On the other hand, when I try a linux client (behind nat as well), the
>> client shows a private IP inside ipsec0, and works with xl2tp just fine.
>>
>> My network is:
>>
>> VPN server (public dhcp address) <---> internet <---> nat GW <---> Android
>> roadwarrior
>>
>> I am using kernel 2.6.32 (patched), openswan 2.6.28dr1 (2.6.27 couldn't
>> work with multiple clients behind nat!!)
>>
>>
>>
>> I used the following iptables rules:
>>
>> # iptables -t mangle -A OUTPUT -o eth0 -p udp --sport 1701 -j MARK
>> --set-mark 2
>> # iptables -t mangle -A INPUT -i eth0 -p udp --dport 1701 -j MARK
>> --set-mark 2
>>
>>
>> # ip rule
>> 0: from all lookup local
>> 32764: from all fwmark 0x2 lookup IPSEC
>> 32766: from all lookup main
>> 32767: from all lookup default
>>
>>
>> # ip route show table IPSEC
>> default dev ipsec0
>>
>>
>> Please help guys.
>>
>>
>>
>>
>> On Thu, Jul 1, 2010 at 3:22 AM, Majid Khonji <majid at khonji.org> wrote:
>>
>>> Dear all,
>>>
>>> I am trying to use android 1.6 road-warriors behind nat.
>>> using protostack=klips, the android client sends packets to eth0
>>> successfully (with source ip = Public ip). However, xl2tpd sends responses
>>> back through the physical interface (based on the routing table).
>>> On the other hand, when I try a linux client (behind nat as well), the
>>> client shows a private IP inside ipsec0, and works with xl2tp.
>>>
>>> A dirty solution could be through iptables, but I am feeling lazy reading
>>> the man page. If you have some, please give me.
>>>
>>> My network is:
>>>
>>> VPN server (public dhcp address) <---> internet <---> nat GW <--->
>>> Android roadwarrior
>>>
>>> --
>>> Regards,
>>>
>>> Majid Khonji
>>>
>>>
>>
>>
>> --
>> Regards,
>>
>> Majid Khonji
>>
>>
>
>
> --
> Regards,
>
> Majid Khonji
>
>


-- 
Regards,

Majid Khonji
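The fwmark policy routing from the quoted messages, modelled as an added Python example (not code from the thread, Openswan or xl2tpd): it walks the `ip rule` list in priority order and shows that an xl2tpd reply to a NATed road warrior leaves via eth0 unless the mangle OUTPUT rule marks it, in which case the IPSEC table sends it out ipsec0. The contents of the `main` table and the reply packet are assumptions constructed for illustration.

```python
import ipaddress

# Constructed model of the policy routing set up in the thread (not code from the
# thread itself): the `ip rule` list and the IPSEC table come from the quoted mail;
# the "main" table contents are an assumption for illustration.
RULES = [  # (priority, required fwmark or None, table name)
    (0, None, "local"),
    (32764, 0x2, "IPSEC"),
    (32766, None, "main"),
    (32767, None, "default"),
]

TABLES = {  # table name -> {prefix: egress device}
    "local": {},
    "IPSEC": {"0.0.0.0/0": "ipsec0"},          # "default dev ipsec0"
    "main": {"0.0.0.0/0": "eth0"},             # assumed: ordinary default route
    "default": {},
}

def mark_for(pkt):
    """Mangle OUTPUT rule from the thread: UDP sport 1701 (xl2tpd replies) -> fwmark 2."""
    if pkt["proto"] == "udp" and pkt["sport"] == 1701:
        return 0x2
    return 0

def lookup_table(table, dst):
    """Longest-prefix match inside one routing table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def egress_device(pkt, marking_enabled=True):
    """Walk rules by priority; the first table with a route for dst decides the device."""
    mark = mark_for(pkt) if marking_enabled else 0
    for _prio, fwmark, table in sorted(RULES, key=lambda r: r[0]):
        if fwmark is not None and fwmark != mark:
            continue          # rule's fwmark selector does not match this packet
        dev = lookup_table(table, pkt["dst"])
        if dev is not None:
            return dev
    return None

# Constructed L2TP reply from xl2tpd to a NATed road warrior's public address.
REPLY = {"proto": "udp", "sport": 1701, "dport": 1701, "dst": "198.51.100.7"}
```

In the real kernel the re-route after the mangle OUTPUT chain only happens when the mark (or another routing key) actually changed, which is what `marking_enabled` toggles here; a quick on-box check of the same decision is `ip route get <client-ip> mark 2`.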