[Openswan Users] IPsec-Setup

Thomas Schweikle tps at vr-web.de
Wed Apr 13 09:02:19 EDT 2011


Am 13.04.2011 12:15, schrieb Harald Jenny:
> On Wed, Apr 13, 2011 at 10:14:34AM +0200, Thomas Schweikle wrote:
>> Am 12.04.2011 23:58, schrieb Harald Jenny:
>> > Dear Thomas Schweikle,
>> > 
>> > could you please check if IP forwarding is enabled and that your openswan
>> > machines are not natting the traffic which should pass over the VPN?
>> 
>> Neither openswan machine does NAT or firewalling. There is only one
>> NAT involved: the DSL router does NAT for the local subnet.
> 
> And one of the openswan servers is behind NAT, correct?
> 
>> 
>> Both machines have IP forwarding active, as expected by openswan.
> 
> So you currently have two problems? You can't keep the line open without
> pinging, and you cannot ping from subnet to subnet, correct?

I can't even keep the line open while pinging. I've tried to keep it
open using echo, but even then: one dropout and the line is closed.
It is brought up again within seconds by the DSL router, but openswan
does not reopen it automatically. I have to restart on both sides.

My setup is:

Internal network: 192.168.1.0/24
client: 192.168.1.4
Router: 192.168.1.1

NAT: 192.168.1.x -> ww.xx.yy.zz (this address changes once a day)

Computing Company: 222.66.76.0/23
server: 222.66.76.27
Router: 222.66.76.1

internal network: 192.168.180.0/23
server: 192.168.180.27

If I send a packet from, say, host 192.168.1.98 to 192.168.180.30, I'd
expect it to take this route:
192.168.1.98 -> 192.168.1.4 -> transparent ipsec-tunnel ->
192.168.180.27 -> 192.168.180.30

The packet does reach the gateway (192.168.1.4), but then it isn't
routed at all.
The tunnel itself is working again, but sending packets from the
gateway to 192.168.180.30 doesn't work. Packets do not cross the
remote gateway. Pinging from the remote gateway to 192.168.180.30 works.

To me it looks like a routing problem, but
"/proc/sys/net/ipv4/ip_forward" is set to "1", and I have these routes:

192.168.1.98 (local system):
192.168.180.0/23 gw 192.168.1.4

192.168.1.4 (local gateway):
192.168.180.27 -> 192.168.1.1
192.168.180.0/23 -> 192.168.1.1

222.66.76.27 (remote gateway):
192.168.180.0/23 -> localnet

The way back is in the routing tables too:
192.168.180.30 (remote host):
192.168.1.0/24 -> 192.168.180.27

192.168.180.27 (remote gateway):
192.168.1.4 -> 222.66.76.1
192.168.1.0/24 -> 222.66.76.1

192.168.1.4 (local gateway):
192.168.1.0/24 -> localnet


If I ping from one gateway to the other, I only see one hop:
server# traceroute 192.168.1.4
traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte
 1  192.168.1.4 (192.168.1.4)  31.450 ms  31.490 ms  31.651 ms

client# traceroute 192.168.180.27
traceroute to 192.168.180.27 (192.168.180.27), 30 hops max, 60 byte
 1  192.168.180.27 (192.168.180.27)  27.980 ms  28.267 ms  28.421 ms

Both gateways just do not forward any packets!


-- 
Thomas
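Two offline checks matching the questions raised in this exchange, as an added Python example that is not part of the original post or of openswan: a longest-prefix lookup over the routing tables listed above, walked hop by hop, and a scan of iptables-save output for POSTROUTING NAT rules that would also rewrite traffic bound for the remote subnet (the NAT question asked at the top of the thread). The routing tables are transcribed from the post with host routes written as /32 prefixes (an assumption; the post gives them as bare addresses); the iptables-save text and the interface name ppp0 are constructed.

```python
"""Offline checks for the two things this thread asks about: which next hop
each host's routing table selects for subnet-to-subnet traffic, and whether a
NAT rule on an IPsec gateway would rewrite traffic the tunnel should carry.

Added example. The tables below are transcribed from the post, the NAT rules
are constructed, and host routes are written as /32 prefixes (an assumption;
the post gives them as bare addresses).
"""
import ipaddress
import re

# Routing tables as the post lists them. "localnet" marks a directly
# connected destination.
ROUTES = {
    "192.168.1.98": [("192.168.180.0/23", "192.168.1.4"),
                     ("192.168.1.0/24", "localnet")],
    "192.168.1.4": [("192.168.180.27/32", "192.168.1.1"),
                    ("192.168.180.0/23", "192.168.1.1"),
                    ("192.168.1.0/24", "localnet")],
    "192.168.180.27": [("192.168.1.4/32", "222.66.76.1"),
                       ("192.168.1.0/24", "222.66.76.1"),
                       ("192.168.180.0/23", "localnet")],
    "192.168.180.30": [("192.168.1.0/24", "192.168.180.27"),
                       ("192.168.180.0/23", "localnet")],
}


def next_hop(table, dst):
    """Longest-prefix match: the most specific route that contains dst wins."""
    dst = ipaddress.ip_address(dst)
    best_net, best_via = None, None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def trace(src_host, dst):
    """Follow next-hop decisions from host to host while the next hop is one of
    the hosts whose table we know. The walk ends at a directly connected
    destination, at a host with no matching route, or at an outside hop."""
    hops, host = [], src_host
    while True:
        via = next_hop(ROUTES[host], dst)
        hops.append((host, via))
        if via is None or via == "localnet" or via not in ROUTES:
            return hops
        host = via


def _selector_can_match(flag, rule, net):
    """True if the rule's -s/-d selector (possibly negated with '!') can apply
    to traffic for `net`. A rule without that selector matches everything."""
    m = re.search(rf"(! )?-{flag} (\S+)", rule)
    if not m:
        return True
    negated, rule_net = m.group(1) is not None, ipaddress.ip_network(m.group(2))
    overlaps = net.overlaps(rule_net)
    return not overlaps if negated else overlaps


def nat_rules_hitting_tunnel(iptables_save, local_net, remote_net):
    """Return POSTROUTING MASQUERADE/SNAT rules that would rewrite packets from
    local_net to remote_net, i.e. traffic the IPsec policy expects unchanged."""
    local_net, remote_net = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    hits = []
    for rule in iptables_save.splitlines():
        if not rule.startswith("-A POSTROUTING") or not re.search(r"-j (MASQUERADE|SNAT)\b", rule):
            continue
        if _selector_can_match("s", rule, local_net) and _selector_can_match("d", rule, remote_net):
            hits.append(rule)
    return hits


# Constructed iptables-save excerpts: a masquerade rule that also catches
# tunnel-bound traffic, and the usual fix that excludes the remote subnet.
NAT_CATCHING_TUNNEL = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
COMMIT
"""
NAT_EXCLUDING_TUNNEL = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.180.0/23 -o ppp0 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for hop, via in trace("192.168.1.98", "192.168.180.30"):
        print(f"{hop} -> {via}")
    print("NAT rules hitting tunnel traffic:",
          nat_rules_hitting_tunnel(NAT_CATCHING_TUNNEL, "192.168.1.0/24", "192.168.180.0/23"))
    print("after exclusion:",
          nat_rules_hitting_tunnel(NAT_EXCLUDING_TUNNEL, "192.168.1.0/24", "192.168.180.0/23"))
```

The plaintext walk from the local gateway ends at 192.168.1.1, the DSL router, because that is where both routes for 192.168.180.0/23 point. With a policy-based IPsec tunnel that is the expected lookup result: the IPsec policy, not the routing table, decides whether the packet is encapsulated, which is also why the NAT check matters, since a POSTROUTING rule that rewrites the source address before the policy is consulted takes the packet out of the tunnel's selector.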
