[Openswan Users] IPSEC routing refuses to go through the tunnel

Greg Scott GregScott at InfraSupportEtc.com
Fri Mar 19 02:51:50 EDT 2010 

Boy am I tired!  And a little embarrassed.  But glad I can get some
sleep now.  

 

Turns out, the problem was a dumb firewalling on my part.  After
dropping my filter rules and trying bazillions of different
combinations, one time I re-ran my rc.firewall script and one ping
happened to sneak through.  My script template sets the default policy
to ACCEPT at the top and then sets it to DROP at the end.  The idea is
to reduce the probability that a typo in a script will force me to jump
in the car and drive somewhere in the middle of the night.  So one ping
was able to sneak through while it was open.  That was maybe 7 or 8
hours ago, I have a hard time remembering.  I should have paid more
attention - this would have saved me lots of grief.  

 

Anyway, after spending all day studying all kinds if ip xfrm commands, I
decided to completely drop **all** firewall rules, including all the NAT
rules.  I did it safely, like this:

 

./allow-all && sleep 10 && ./rc.firewall norestartservices

 

And during those glorious 10 seconds, echo requests and replies made a
round trip.  So it **HAD** to be my rules.  

 

With pings running in one window and watching the counters using
iptables -L -v -n -t nat in another window, I noticed I was
MASQUERADEing about one packet every second.  Hmmmm, about the same rate
as my inbound pings.  

 

Putting in a temporary logging rule to show me everything masqueraded, I
was shocked to find I was masquerading packets coming FROM Rochester and
branch sites.  I had some POSTROUTING rules to ACCEPT everything TO
Rochester, but nothing for packets FROM Rochester.  It all makes sense
now - and maybe this writeup will be helpful for the next person who
stumbles into my mistake and will save 14, count 'em, 14 solid hours of
troubleshooting.  

 

Here is the lesson:  If you're bridging and the network behaves
strangely, for your very first troubleshooting step, log what you
masquerade first and make appropriate adjustments.  This may save you
several hours and prevent a headache.

 

-          Greg Scott

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20100319/d2bdfa9d/attachment.html

More information about the Users mailing list