[Openswan Users] routing problem?

Frank jansen jansen at fumarium.de
Tue Jun 29 05:51:03 EDT 2010


Hi folks,

We want to build up a VPN connection between two LANs. Our setup is as 
follows:

10.11.220.10/32 (other company LAN) --- 80.148.46.1xx (other company 
gateway) ======= 85.214.66.xx (our company gateway)---- 10.29.161.0/24 
(our company LAN)

From a machine in our company LAN, e.g. 10.29.161.10, I can't ping or 
access any service on the opposite side at 10.11.220.10.

The tunnel seems to be up; ipsec status --auto says:
000 #2: "conn1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 85769s; newest IPSEC; eroute owner
000 #2: "lconn1" esp.5cf735a at 80.148.46.xx esp.1317c3fb at 85.214.66.xx tun.0 at 80.148.46.xx tun.0 at 85.214.66.xx
000 #1: "conn1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85712s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)

Routing entries also exist:
at our gateway:
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
85.214.64.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.11.220.10    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.29.161.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         85.214.64.1     0.0.0.0         UG    0      0        0 eth0

at one LAN machine:
10.11.220.0     10.29.161.12    255.255.255.0   UG    0      0        0 eth1
10.29.161.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

IPv4 forwarding is enabled on the gateway. If I ping from a LAN machine, 
I can see traffic on the external interface (eth0) at the gateway, but 
it seems to go into nirvana:
h1694579(neu):/etc# tcpdump -vvv host 10.11.220.10 -i eth0
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:48:14.391539 arp who-has 10.11.220.10 tell h169xxxx.stratoserver.net
11:48:14.392955 arp reply 10.11.220.10 is-at 00:00:0c:9f:f0:02 (oui Cisco)
11:48:14.392962 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.29.161.10 > 10.11.220.10: ICMP echo request, id 24417, seq 1, length 64
11:48:14.392965 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.29.161.10 > 10.11.220.10: ICMP echo request, id 24417, seq 2, length 64
11:48:14.392974 arp reply 10.11.220.10 is-at 00:00:0c:9f:f0:02 (oui Cisco)
11:48:15.383045 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.29.161.10 > 10.11.220.10: ICMP echo request, id 24417, seq 3, length 64


I am a bit lost, as I can't find the failure in our setup. Any hint or 
help is appreciated :-)

Kind regards,

Frank Jansen
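A check that can be run over a capture like the one in the post, added here as an example and not part of the original message or of Openswan: on the external interface, traffic between the two protected subnets should only ever appear as ESP to the peer, so seeing the inner LAN addresses in the clear, or an ARP request for the remote address, means those packets left without IPsec processing even though the SA is established. The sample capture is constructed from the post's lines (re-joined) plus one ESP record with placeholder peer addresses; the parser also handles TCP/UDP records, not only ICMP.

```python
import ipaddress
import re

# Constructed sample: the post's tcpdump records with the mail wrapping undone,
# plus one ESP record showing what protected traffic to the peer looks like on
# eth0. The peer addresses in the ESP line are placeholders, not the real ones.
CAPTURE = """\
11:48:14.391539 arp who-has 10.11.220.10 tell h169xxxx.stratoserver.net
11:48:14.392955 arp reply 10.11.220.10 is-at 00:00:0c:9f:f0:02 (oui Cisco)
11:48:14.392962 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.29.161.10 > 10.11.220.10: ICMP echo request, id 24417, seq 1, length 64
11:48:15.383045 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 10.29.161.10 > 10.11.220.10: ICMP echo request, id 24417, seq 3, length 64
11:49:01.000000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ESP (50), length 136) 85.214.66.1 > 80.148.46.1: ESP(spi=0x05cf735a,seq=0x1), length 116
"""

LOCAL_LAN = ipaddress.ip_network("10.29.161.0/24")   # our company LAN
REMOTE_LAN = ipaddress.ip_network("10.11.220.10/32")  # other company LAN

ARP_RE = re.compile(r"arp who-has ([\d.]+)")
IP_RE = re.compile(r"proto (\w+) \(\d+\), length \d+\)\s+([\d.]+) > ([\d.]+):")


def _addr(token):
    """tcpdump appends '.port' for TCP/UDP; keep only the four address octets."""
    return ipaddress.ip_address(".".join(token.split(".")[:4]))


def check_capture(text):
    """Classify records captured on the *external* interface of the gateway.

    esp:            packets to/from the peer carrying the tunnel (expected)
    cleartext_leak: inner LAN addresses visible in the clear (not protected)
    arp_for_remote: the kernel treats the remote LAN address as on-link,
                    i.e. it is routing to it directly instead of via the tunnel
    """
    counts = {"esp": 0, "cleartext_leak": 0, "arp_for_remote": 0}
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) in REMOTE_LAN:
            counts["arp_for_remote"] += 1
            continue
        m = IP_RE.search(line)
        if not m:
            continue
        proto, src, dst = m.group(1), _addr(m.group(2)), _addr(m.group(3))
        if proto == "ESP":
            counts["esp"] += 1
        elif (src in LOCAL_LAN and dst in REMOTE_LAN) or (src in REMOTE_LAN and dst in LOCAL_LAN):
            counts["cleartext_leak"] += 1
    counts["leaking"] = counts["cleartext_leak"] > 0 or counts["arp_for_remote"] > 0
    return counts


if __name__ == "__main__":
    print(check_capture(CAPTURE))  # {'esp': 1, 'cleartext_leak': 2, 'arp_for_remote': 1, 'leaking': True}
```

Feed it `tcpdump -vvv -i eth0 host <remote-lan-address>` output (with wrapped lines re-joined) while pinging from a LAN host; a healthy tunnel yields only `esp` counts.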


