[Openswan Users] Tunnel up, can't ping!! Help is much appreciated!!

"Ing. Rodrigo Méndez" rodrigomf at bl.com.mx
Tue Nov 23 15:33:21 EST 2010

Hi Paul,

Thank you VERY MUCH for your answer.

This is the result from ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.21/K2.6.18-128.1.10.el5PAE (netkey)
Checking for IPsec support in kernel                        	[OK]
NETKEY detected, testing for disabled ICMP send_redirects   	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing                              	[OK]
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]

The people from the Juniper VPN concentrator say they don't see any traffic coming from our IPs, so it would seem there's no traffic coming out from Box 1 (CentOS box). The strange thing is it doesn't work even if iptables is disabled (so no blocking is apparently occurring, or at least it isn't the main problem).

My best guess now is that I'm having a routing problem. 

Any ideas on how to tell Linux to route the packages going to zzz.zzz.zzz.3 through the tunnel?? (I'm using netkey, not KLIPS)

This configuration may be helpful too:
vi /etc/sysctl.conf
# added for openswan
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# also try
net.ipv4.conf.default.rp_filter =0
net.ipv4.ip_forward = 1

This is the result of route -n:

root at bitlab [~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.xxx.xxx.132 UH    0      0        0 eth0
xxx.xxx.xxx.133 UH    0      0        0 eth0
xxx.xxx.xxx.134 UH    0      0        0 eth0
xxx.xxx.xxx.135 UH    0      0        0 eth0 UH    0      0        0 *
xxx.xxx.xxx.131 UH    0      0        0 eth0 UH    0      0        0 *
xxx.xxx.xxx.136 UH    0      0        0 eth0
xxx.xxx.xxx.137 UH    0      0        0 eth0
xxx.xxx.xxx.138 UH    0      0        0 eth0
xxx.xxx.xxx.139 UH    0      0        0 eth0
xxx.xxx.xxx.128 U     0      0        0 eth0     U     0      0        0 eth0         xxx.xxx.xxx.129         UG    0      0        0 eth0

Please note xxx.xxx.xxx.1 (in my examples) = xxx.xxx.xxx.130 (main IP of eth0 and hence not in routing tables)

I can't find any route to yyy.yyy.yyy.2 or zzz.zzz.zzz.3 (the box in the private lan) anywhere in the routing table. I'm not sure if this is OK.

Any ideas?

Again, thank you for your help.

On 23/11/2010, at 13:11, Paul Wouters wrote:

> On Tue, 23 Nov 2010, "Ing. Rodrigo Méndez" wrote:
>> My Linux CentOS server (openswan) IP: xxx.xxx.xxx.1 ----- VPN Concentrator (Juniper ISG 2000) IP: yyy.yyy.yyy.2 --- Remote box 3 (private IP: zzz.zzz.zzz.3)
>> Boxes 1 and 2 have public IP. Box 3 has private IP (is behind the VPN Concentrator). The goal is to connect box 1 to box 3.
>> My Config is as follows:
> Looks fine.
>> The problem is that the tunnel is UP but there's no way I can connect or ping the other side. An interesting thing is that if I ping the other side from box 1 after I disabled iptables - service iptables stop - I get no response at all, but if iptables is active I get the error message "ping: sendmsg: operation not permitted"
> So your firewall has a problem and needs to allow traffic from/to zzz.zzz.zzz.3
>> Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7636a3 <0x1149928c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> Looks good.
> Perhaps the Juniper or the remote box 3 is not allowing your ping to go through?
> Run ipsec verify, do you have IP forwarding enabled? rp_filter disabled?
> Paul
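
With NETKEY there is no tunnel interface, so the kernel selects traffic for the tunnel by matching it against XFRM policies (listed by `ip xfrm policy`) rather than by a route to a tunnel device. The following is an added example, not part of the original thread: a POSIX shell check of whether a source/destination pair is covered by an outbound policy, run over constructed sample output; the addresses are documentation placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm policy` output. Addresses are documentation
# placeholders (box 1 = 192.0.2.1, box 3 = 10.20.30.3), not values from the post.
SAMPLE_POLICY='src 192.0.2.1/32 dst 10.20.30.3/32
	dir out priority 2080 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.2
		proto esp reqid 16385 mode tunnel
src 10.20.30.3/32 dst 192.0.2.1/32
	dir in priority 2080 ptype main
	tmpl src 198.51.100.2 dst 192.0.2.1
		proto esp reqid 16385 mode tunnel'

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET/BITS: succeed if ADDR lies inside the prefix.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # bare address means /32
    [ "$bits" -eq 0 ] && return 0          # 0.0.0.0/0 matches everything
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# policy_covers SRC DST: read `ip xfrm policy` text on stdin and succeed only
# if a "dir out" policy has a selector matching the SRC/DST pair.
policy_covers() {
    found=1; sel_src=; sel_dst=
    while read -r w1 w2 w3 w4 rest; do
        case $w1 in
            src) sel_src=$w2; sel_dst=$w4 ;;   # selector line starts a policy
            dir) if [ "$w2" = out ] && [ -n "$sel_src" ] &&
                    in_cidr "$1" "$sel_src" && in_cidr "$2" "$sel_dst"; then
                     found=0
                 fi ;;
        esac
    done
    return $found
}

if printf '%s\n' "$SAMPLE_POLICY" | policy_covers 192.0.2.1 10.20.30.3; then
    echo "covered by an outbound IPsec policy"
else
    echo "NOT covered: packets would follow the normal route unencrypted"
fi
```

On a live gateway, pipe the real output instead: `ip xfrm policy | policy_covers SRC DST` (run as root).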
