[Openswan Users] Destination Private Network unreachable but Tunnel is UP

Willie Gillespie wgillespie+openswan at es2eng.com
Mon Aug 1 10:42:00 EDT 2011


Dunno about your second question, I've never messed with ip xfrm.

There are kind of two parts to most firewalls: one, what they accept 
directly (in iptables terms that's the INPUT chain), and two, what they send 
along to other machines (the FORWARD chain).

Obviously since the tunnel is up they have the INPUT portion defined 
correctly.  It may just not be set to allow packets to properly be 
forwarded.

Willie

On 07/30/2011 03:01 AM, Imtiaz Rahi wrote:
> I don't think it's the other side's firewall. If they have a firewall
> blocking our side, should we be able to establish the VPN?
> Also, as part of the VPN setup the router on the other side adds specific
> routes for us. Will still check with the other side to ensure that no
> firewall is blocking me.
>
> Any other thoughts or ideas?
> Also, I need to understand "ip xfrm", but the only thing I got is the "ip"
> manual. Any other documentation to get a better understanding to debug
> the issues here? Please refer me to a good doc.
>
> thanks // Imtiaz Rahi
>
>
> On Thu, Jul 28, 2011 at 2:28 AM, Willie Gillespie
> <wgillespie+openswan at es2eng.com>  wrote:
>> If they can ping you and you can't ping them, chances are that it's the
>> firewall on their side.  Obviously you would not be blocking yourself.
>>
>> On 7/27/2011 4:01 AM, Imtiaz Rahi wrote:
>>>
>>> Thanks, for answering Willie.
>>> Tunnel is definitely up and the other side (router) can ping us but we
>>> can't.
>>> My iptables is empty, only 1 nat rule (MASQ) for private IP.
>>>
>>> Just today learned that IPsec (netkey) adds things in "ip xfrm". But I
>>> have no knowledge about the XFRM framework.
>>> Here are the XFRM outputs:
>>>
>>> sudo ip xfrm state
>>> src 203.112.xxx.xx dst 210.4.xx.xxx
>>>         proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
>>>         replay-window 32
>>>         auth hmac(md5) 0x6ec07b7259a38c05ae759cb5d1de996a
>>>         enc cbc(des3_ede)
>>> 0x3fe779cd9ddb27eabe7d84a12f9f2af8918cc6e94f27fcac
>>>         sel src 0.0.0.0/0 dst 0.0.0.0/0
>>> src 210.4.xx.xxx dst 203.112.xxx.xx
>>>         proto esp spi 0x1c50e944 reqid 16385 mode tunnel
>>>         replay-window 32
>>>         auth hmac(md5) 0x866f8931c93ad884eba2bea0471b5222
>>>         enc cbc(des3_ede)
>>> 0x8e2ecaece87a81612e2a7efb7e64949f739d35810165b827
>>>         sel src 0.0.0.0/0 dst 0.0.0.0/0
>>>
>>> sudo ip xfrm policy
>>> src 172.19.253.0/29 dst 10.1.4.0/24
>>>         dir out priority 2184
>>>         tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
>>>                 proto esp reqid 16385 mode tunnel
>>> src 10.1.4.0/24 dst 172.19.253.0/29
>>>         dir fwd priority 2184
>>>         tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
>>>                 proto esp reqid 16385 mode tunnel
>>> src 10.1.4.0/24 dst 172.19.253.0/29
>>>         dir in priority 2184
>>>         tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
>>>                 proto esp reqid 16385 mode tunnel
>>> src 0.0.0.0/0 dst 0.0.0.0/0
>>>         dir 4 priority 0
>>> .......................... (lots)
>>>
>>> cheers // Imtiaz Rahi
>>>
>>>
>>> On Wed, Jul 27, 2011 at 3:19 PM, Willie Gillespie
>>> <wgillespie+openswan at es2eng.com>    wrote:
>>>>
>>>> If the tunnel is up, it could be a firewall issue.
>>>> Can you test with iptables off?  And try pinging from both sides?
>>>>
>>>> On 7/27/2011 2:50 AM, Imtiaz Rahi wrote:
>>>>>
>>>>> Anyone please respond and help me.
>>>>>
>>>>> cheers // Imtiaz Rahi
>>>>>
>>>>>
>>>>> On Mon, Jul 25, 2011 at 7:19 PM, Imtiaz Rahi<imtiaz.rahi at gmail.com>
>>>>>   wrote:
>>>>>>
>>>>>> Hi People,
>>>>>>
>>>>>> I am a first timer with IPsec VPN and Openswan.
>>>>>> I am setting up an IPsec VPN from a Linux box to a Cisco router.
>>>>>> Linux: Ubuntu 10.04 LTS Openswan U2.6.23/K2.6.32-30-server (netkey)
>>>>>> Cisco: Cisco 2821
>>>>>>
>>>>>> Here is the IPsec network diagram
>>>>>> 172.19.253.0/29 === 210.4.xx.xxx --- 210.4.xx.xxx ... 203.112.xxx.xx --- 203.112.xxx.xx === 10.1.4.0/24
>>>>>>                     Linux VPN box                                      Cisco router
>>>>>>
>>>>>>
>>>>>> "ipsec status" says my tunnel is up and some eroutes exist. But I can
>>>>>> not reach the destination network.
>>>>>> I am trying to ping 10.1.4.8 like below, unsuccessfully:
>>>>>>
>>>>>> ping 10.1.4.8 -I 172.19.253.1
>>>>>> PING 10.1.4.8 (10.1.4.8) from 172.19.253.1 : 56(84) bytes of data.
>>>>>>
>>>>>> ^C
>>>>>> --- 10.1.4.8 ping statistics ---
>>>>>> 14 packets transmitted, 0 received, 100% packet loss, time 13007ms
>>>>>>
>>>>>> Please help me here.
>>>>>>
>>>>>> Cheers // Imtiaz Rahi
>>>>>>
>>>>>>
>>>>>> P.S. Here is the ipsec.conf for reference
>>>>>>
>>>>>> ==================================================
>>>>>> version 2.0
>>>>>>
>>>>>> config setup
>>>>>>          nat_traversal=yes
>>>>>>
>>>>>>          virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>>>>>          oe=off
>>>>>>          protostack=netkey
>>>>>>          interfaces=%defaultroute
>>>>>>
>>>>>> conn teletalk-vpn
>>>>>>          type=tunnel
>>>>>>          authby=secret
>>>>>>          left=210.4.xx.xxx
>>>>>>          leftnexthop=210.4.xx.xxx
>>>>>>          leftsubnet=172.19.253.1/29
>>>>>>          leftupdown=/usr/lib/ipsec/_updown
>>>>>>          right=203.112.xxx.xx    # Cisco 2821
>>>>>>          rightnexthop=203.112.xxx.xx
>>>>>>          rightsubnet=10.1.4.0/24
>>>>>>          keyexchange=ike
>>>>>>          keylife=1h
>>>>>>          ike=3des-md5-modp1024
>>>>>>          phase2alg=3des-md5
>>>>>>          pfs=no
>>>>>>          auto=start
>>
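Added example, not part of the thread: a small Python reader for the `ip xfrm policy` / `ip xfrm state` output quoted above, which walks the same lookup the kernel does for one packet: pick the policy whose direction and selector match (lowest priority value first), then check that the SA its template names (outer src, outer dst, reqid) actually exists. The sample text is constructed from the quoted output with the public addresses still masked, so tunnel endpoints are compared as plain strings; only the private selectors are parsed as networks.

```python
import ipaddress
# Constructed sample: the `ip xfrm` output quoted in the thread, trimmed to the fields used here.
XFRM_POLICY = """\
src 172.19.253.0/29 dst 10.1.4.0/24
        dir out priority 2184
        tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
                proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
        dir fwd priority 2184
        tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
                proto esp reqid 16385 mode tunnel
"""
XFRM_STATE = """\
src 203.112.xxx.xx dst 210.4.xx.xxx
        proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
src 210.4.xx.xxx dst 203.112.xxx.xx
        proto esp spi 0x1c50e944 reqid 16385 mode tunnel
"""
def parse_policies(text):
    """One dict per policy: selector, direction, priority and ESP template (None if bypass)."""
    pols = []
    for t in (ln.split() for ln in text.splitlines() if ln.strip()):
        if t[0] == "src":        # unindented selector line opens a new policy
            pols.append({"src": t[1], "dst": t[3], "dir": None, "prio": 0, "tmpl": None})
        elif t[0] == "dir":
            pols[-1]["dir"], pols[-1]["prio"] = t[1], int(t[3])
        elif t[0] == "tmpl":     # outer tunnel endpoints; reqid ties the template to an SA
            pols[-1]["tmpl"] = [t[2], t[4], None]
        elif t[0] == "proto":    # "proto esp reqid N mode tunnel", only under a tmpl line
            pols[-1]["tmpl"][2] = t[t.index("reqid") + 1]
    return pols

def parse_states(text):          # -> {(src, dst, reqid)}: the SAs a template can bind to
    sas, ends = set(), None
    for t in (ln.split() for ln in text.splitlines() if ln.strip()):
        if t[0] == "src":
            ends = (t[1], t[3])
        elif t[0] == "proto":    # "proto esp spi ... reqid N mode tunnel"
            sas.add(ends + (t[t.index("reqid") + 1],))
    return sas

def explain_flow(src_ip, dst_ip, direction, policies, states):
    """('ok', tmpl), ('no-sa', tmpl) or ('no-policy', None) for one packet (bypass policies skipped)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in sorted(policies, key=lambda p: p["prio"]):   # lowest priority value wins
        if p["dir"] != direction or p["tmpl"] is None or s not in ipaddress.ip_network(p["src"]) \
                or d not in ipaddress.ip_network(p["dst"]):
            continue
        return ("ok" if tuple(p["tmpl"]) in states else "no-sa", p["tmpl"])
    return ("no-policy", None)
```

Run against the real commands' output, `explain_flow("172.19.253.1", "10.1.4.8", "out", ...)` answers whether the ping above is even handed to ESP; a "no-policy" result for a host the config should cover points at the selectors, an "ok" result means the packet is encrypted and the drop is elsewhere (e.g. the FORWARD chain or the far side).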

