[Openswan Users] klips - tunnel established but can not ping the other end
Curu Wong
prinbra at gmail.com
Tue Feb 1 04:09:49 EST 2011
Finally I figured out why.

1. eroute empty after successful SA.
This is very strange: using openswan v2.6.31 and v2.6.32, if I set
protostack=auto and modprobe ipsec, the tunnel can be brought up, but
the eroute entry will be empty.
Set protostack=klips explicitly and restart the ipsec service, then the eroute
entry will show up.

2. Packets arrive via the tunnel but no response comes back.
This was caused by kernel Reverse Path Filtering; disable rp_filter and the
problem is gone.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done
or
set
==========================
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.rp_filter=0
=========================
in sysctl.conf
2011/1/31 Curu Wong <prinbra at gmail.com>
> Problem: I created a host-to-host VPN tunnel. When I use the native netkey
> stack, the tunnel works perfectly without any problem, but when I change the
> stack from netkey to klips on one end, the tunnel can be successfully built,
> but it can't send packets back to the other end.
>
> Here is my setup:
> hostA(192.168.2.128) ---->GW(192.168.2.129,no NAT,10.1.1.1)--->10.1.1.10(hostB)
>
>
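As an added example, not part of the original post: for source validation the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter, so the two sysctl.conf lines above do not by themselves change an interface whose own value is still 1. This sketch reports the effective value per interface; the function names and the sample tree (eth0, ipsec0 and their values) are constructed for illustration.

```shell
#!/bin/sh
# Report the rp_filter value the kernel actually applies per interface.
# The kernel uses max(conf/all, conf/<iface>) for source validation, so a
# per-interface 1 still filters even when "all" and "default" are 0.

# effective_rp_filter CONF_DIR IFACE -> prints 0 (off), 1 (strict) or 2 (loose)
effective_rp_filter() {
    all=$(cat "$1/all/rp_filter")
    ifc=$(cat "$1/$2/rp_filter")
    if [ "$all" -gt "$ifc" ]; then echo "$all"; else echo "$ifc"; fi
}

# rp_filter_report CONF_DIR -> one "iface all=N iface=N effective=N" line each
rp_filter_report() {
    for d in "$1"/*/; do
        name=$(basename "$d")
        case "$name" in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        printf '%s all=%s iface=%s effective=%s\n' "$name" \
            "$(cat "$1/all/rp_filter")" "$(cat "$d/rp_filter")" \
            "$(effective_rp_filter "$1" "$name")"
    done
}

# make_sample_tree -> prints the path of a constructed stand-in for
# /proc/sys/net/ipv4/conf: all/default at 0 as in the sysctl.conf lines,
# eth0 left at 1, ipsec0 (the KLIPS virtual interface) at 0.
make_sample_tree() {
    t=$(mktemp -d)
    for pair in all:0 default:0 eth0:1 ipsec0:0; do
        mkdir -p "$t/${pair%%:*}"
        echo "${pair##*:}" > "$t/${pair%%:*}/rp_filter"
    done
    echo "$t"
}

sample=$(make_sample_tree)
# On a real host, pass /proc/sys/net/ipv4/conf instead of the sample tree.
rp_filter_report "$sample"
rm -rf "$sample"
```

An interface that reports effective=1 is still applying strict reverse path filtering regardless of the all and default settings.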