[Openswan Users] klips - tunnel established but can not ping the other end
paul at xelerance.com
Tue Feb 1 14:37:12 EST 2011
On Tue, 1 Feb 2011, Curu Wong wrote:
> Finally I figured out why.
> 1. eroute empty after successful SA.
> This is very strange , using openswan v2.6.31 and v2.6.32, if I set protostack=auto, and modprobe
> ipsec, the tunnel can be brought up, but eroute entry will be empty.
> set protostack=klips explicitly, and restart ipsec service, then eroute entry will show up.
You are using mast0 instead of ipsec0. Try protostack=klips
alternatively, run "ipsec policy" instead of "ipsec eroute"
> 2. packet arrive via tunnel but no response come back.
> This was caused by kernel Reverse Path Filtering, disable rp_filter, problem gone.
> for i in /proc/sys/net/ipv4/*/rp_filter; do echo 0 > $i; done
> in sysctl.conf
Note that we have found cases where setting it in sysctl.conf is not good
enough, and we 'd have to run a similar "for" loop shell script like you
did. We think we fixed those cases, but let us know if you still run into
this with 2.6.32+
> 2011/1/31 Curu Wong <prinbra at gmail.com>
> Problem: I create a host to host vpn tunnel, when use the native netkey stack, the tunnel
> works perfectly without any problem, but when I change the stack from netkey to klips on
> one end, the tunnel can be successfully bulit, but it can't send packet back to the other
> Here is my setup:
> hostA(192.168.2.128) ---->GW(192.168.2.129,no NAT,10.1.1.1)--->10.1.1.10(hostB)
More information about the Users