[Openswan Users] klips - tunnel established but can not ping the other end

Paul Wouters paul at xelerance.com
Tue Feb 1 14:37:12 EST 2011

On Tue, 1 Feb 2011, Curu Wong wrote:

> Finally I figured out why.
> 1. eroute empty after successful SA.
> This is very strange: using openswan v2.6.31 and v2.6.32, if I set protostack=auto and modprobe
> ipsec, the tunnel can be brought up, but the eroute entry will be empty.
> If I set protostack=klips explicitly and restart the ipsec service, then the eroute entry will show up.

You are using mast0 instead of ipsec0. Try protostack=klips;
alternatively, run "ipsec policy" instead of "ipsec eroute".

> 2. Packets arrive via the tunnel but no response comes back.
> This was caused by kernel Reverse Path Filtering; disable rp_filter and the problem is gone.
> for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done
> or
> set
> ==========================
> net.ipv4.conf.default.rp_filter=0
> net.ipv4.conf.all.rp_filter=0
> =========================
> in sysctl.conf

Note that we have found cases where setting it in sysctl.conf is not good
enough, and we'd have to run a similar "for" loop shell script like you
did. We think we fixed those cases, but let us know if you still run into
this with 2.6.32+.

> 2011/1/31 Curu Wong <prinbra at gmail.com>
>       Problem: I created a host-to-host VPN tunnel. When I use the native netkey stack, the tunnel
>       works perfectly without any problem, but when I change the stack from netkey to klips on
>       one end, the tunnel can be successfully built, but it can't send packets back to the other
>       end.
>       Here is my setup:
>       hostA( ---->GW(,no NAT,>
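
An added example, not part of the thread or of Openswan: a shell audit that reports the rp_filter mode actually in force on each interface, so the sysctl.conf and "for" loop approaches discussed above can be checked after a restart. It assumes the rule in the kernel's ip-sysctl documentation that the effective value is the maximum of `conf/all` and `conf/<iface>`, with `conf/default` only seeding interfaces created later; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption, per kernel ip-sysctl docs:
# effective rp_filter on an interface = max(conf/all, conf/<iface>);
# conf/default is only copied to interfaces created afterwards.

# rp_mode_name VALUE -> off | strict | loose
rp_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# effective_rp_filter IFACE [CONF_DIR] -> numeric value used for IFACE
effective_rp_filter() {
    conf="${2:-/proc/sys/net/ipv4/conf}"
    all=$(cat "$conf/all/rp_filter") || return 1
    own=$(cat "$conf/$1/rp_filter") || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# audit_rp_filter [CONF_DIR] -> one line per real interface:
#   "<iface> all=<n> own=<n> effective=<mode>"
audit_rp_filter() {
    conf="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$conf"/*/rp_filter; do
        [ -e "$f" ] || continue                 # glob matched nothing
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        eff=$(effective_rp_filter "$iface" "$conf") || continue
        echo "$iface all=$(cat "$conf/all/rp_filter") own=$(cat "$f") effective=$(rp_mode_name "$eff")"
    done
}

# Audit the live system only when asked to: sh rp_audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_rp_filter
fi
```

An interface that still shows `effective=strict` after only `all` and `default` were set to 0 kept its own per-interface value of 1.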
