[Openswan Users] Destination Private Network unreachable but Tunnel is UP
Imtiaz Rahi
imtiaz.rahi at gmail.com
Sun Jul 31 01:56:55 EDT 2011
Guys I still need your help. Please help and respond.
Tunnel is definitely up and the other side (router) can ping us but we can't.
My iptables is empty, only 1 NAT rule (MASQ) for private IP. The other
side does not have firewall rules blocking us.
I checked mtr ( mtr --address 172.19.253.1 10.1.4.8 ) and it just
tries to go through the default route of the server.
How can I check / ensure that the IPsec tunnel added specific routes?
Just today I learned that IPsec (netkey) adds things in "ip xfrm". But I
have no knowledge about the XFRM framework and found no other doc except
for the "man" page.
Here are the XFRM outputs:
sudo ip xfrm state
src 203.112.xxx.xx dst 210.4.xx.xxx
proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
replay-window 32
auth hmac(md5) 0x6ec07b7259a38c05ae759cb5d1de996a
enc cbc(des3_ede) 0x3fe779cd9ddb27eabe7d84a12f9f2af8918cc6e94f27fcac
sel src 0.0.0.0/0 dst 0.0.0.0/0
src 210.4.xx.xxx dst 203.112.xxx.xx
proto esp spi 0x1c50e944 reqid 16385 mode tunnel
replay-window 32
auth hmac(md5) 0x866f8931c93ad884eba2bea0471b5222
enc cbc(des3_ede) 0x8e2ecaece87a81612e2a7efb7e64949f739d35810165b827
sel src 0.0.0.0/0 dst 0.0.0.0/0
sudo ip xfrm policy
src 172.19.253.0/29 dst 10.1.4.0/24
dir out priority 2184
tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
dir fwd priority 2184
tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
proto esp reqid 16385 mode tunnel
src 10.1.4.0/24 dst 172.19.253.0/29
dir in priority 2184
tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
dir 4 priority 0
.......................... (lots)
cheers // Imtiaz Rahi
On Wed, Jul 27, 2011 at 3:19 PM, Willie Gillespie
<wgillespie+openswan at es2eng.com> wrote:
> If the tunnel is up, it could be a firewall issue.
> Can you test with iptables off? And try pinging from both sides?
>
> On 7/27/2011 2:50 AM, Imtiaz Rahi wrote:
>> Anyone please respond and help me.
>>
>> cheers // Imtiaz Rahi
>>
>>
>> On Mon, Jul 25, 2011 at 7:19 PM, Imtiaz Rahi<imtiaz.rahi at gmail.com> wrote:
>>> Hi People,
>>>
>>> I am a first timer with IPsec VPN and Openswan.
>>> I am setting up an IPsec VPN from a Linux box to Cisco router.
>>> Linux: Ubuntu 10.04 LTS Openswan U2.6.23/K2.6.32-30-server (netkey)
>>> Cisco: Cisco 2821
>>>
>>> Here is the IPsec network diagram
>>> 172.19.253.0/29 === 210.4.xx.xxx --- 210.4.xx.xxx ... 203.112.xxx.xx
>>> --- 203.112.xxx.xx === 10.1.4.0/24;
>>> Linux VPN box
>>> Cisco router
>>>
>>>
>>> "ipsec status" says my tunnel is up and some eroutes exist. But I can
>>> not reach the destination network.
>>> I am trying to ping 10.1.4.8 like below and unsuccessful;
>>>
>>> ping 10.1.4.8 -I 172.19.253.1
>>> PING 10.1.4.8 (10.1.4.8) from 172.19.253.1 : 56(84) bytes of data.
>>>
>>> ^C
>>> --- 10.1.4.8 ping statistics ---
>>> 14 packets transmitted, 0 received, 100% packet loss, time 13007ms
>>>
>>> Please help me here.
>>>
>>> Cheers // Imtiaz Rahi
>>>
>>>
>>> P.S. Here is the ipsec.conf for reference
>>>
>>> ==================================================
>>> version 2.0
>>>
>>> config setup
>>> nat_traversal=yes
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>> oe=off
>>> protostack=netkey
>>> interfaces=%defaultroute
>>>
>>> conn teletalk-vpn
>>> type=tunnel
>>> authby=secret
>>> left=210.4.xx.xxx
>>> leftnexthop=210.4.xx.xxx
>>> leftsubnet=172.19.253.1/29
>>> leftupdown=/usr/lib/ipsec/_updown
>>> right=203.112.xxx.xx # Cisco 2821
>>> rightnexthop=203.112.xxx.xx
>>> rightsubnet=10.1.4.0/24
>>> keyexchange=ike
>>> keylife=1h
>>> ike=3des-md5-modp1024
>>> phase2alg=3des-md5
>>> pfs=no
>>> auto=start
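An added Python check (my code, not from the thread) that parses the `ip xfrm policy` / `ip xfrm state` output posted above and reports whether a given source/destination pair is selected by an "out" policy that has an ESP state behind it; with netkey the kernel installs no routes, so mtr following the default route is expected, and a source address no policy matches (for example one already rewritten by a MASQUERADE rule) leaves unencrypted. The sample blocks are constructed from the post, with its masked public addresses kept as placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample from the post's `ip xfrm` output (the out policy and
# the two SAs); masked public addresses are only ever compared as strings.
XFRM_POLICY = """\
src 172.19.253.0/29 dst 10.1.4.0/24
dir out priority 2184
tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
proto esp reqid 16385 mode tunnel
"""
XFRM_STATE = """\
src 203.112.xxx.xx dst 210.4.xx.xxx
proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
src 210.4.xx.xxx dst 203.112.xxx.xx
proto esp spi 0x1c50e944 reqid 16385 mode tunnel
"""

def parse_records(text):
    """Split `ip xfrm` output into records (one per leading 'src' line)."""
    recs = re.split(r"(?m)^(?=src )", text.strip())
    out = []
    for rec in filter(None, recs):
        rec = " ".join(rec.split())          # fold each record onto one line
        d = dict(zip(("src", "dst"), re.match(r"src (\S+) dst (\S+)", rec).groups()))
        for key in ("dir", "spi", "reqid"):   # optional fields
            m = re.search(rf"\b{key} (\S+)", rec)
            if m:
                d[key] = m.group(1)
        m = re.search(r"tmpl src (\S+) dst (\S+)", rec)
        if m:
            d["tmpl"] = m.groups()
        out.append(d)
    return out

def check_tunnel(policy_text, state_text, src_ip, dst_ip):
    """Is src->dst selected by an 'out' policy with a live ESP state behind it?"""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    states = parse_records(state_text)
    for pol in parse_records(policy_text):
        if pol.get("dir") != "out" or "tmpl" not in pol:
            continue
        if src not in ip_network(pol["src"]) or dst not in ip_network(pol["dst"]):
            continue
        for st in states:   # the SA must match the template endpoints and reqid
            if (st["src"], st["dst"], st.get("reqid")) == (*pol["tmpl"], pol.get("reqid")):
                return True, f"policy {pol['src']}->{pol['dst']} backed by SA spi {st['spi']}"
        return False, f"policy {pol['src']}->{pol['dst']} has no ESP state for {pol['tmpl']}"
    return False, f"no 'out' policy selects {src_ip}->{dst_ip}: it leaves in the clear"
```

Feed it the real output with `subprocess` or pasted text; the third return case is the one to look for when the source address has been changed before XFRM sees the packet.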