[Openswan Users] Destination Private Network unreachable but Tunnel is UP

Imtiaz Rahi imtiaz.rahi at gmail.com
Sun Jul 31 05:47:26 EDT 2011


Tried both suggestions made below, but to no avail. Added
leftsourceip, no change in situation. Then removed leftnexthop, no
change.
Still can't reach the other side's private network.

Please suggest more.

cheers // Imtiaz Rahi

On Sun, Jul 31, 2011 at 1:46 PM, Curu Wong <prinbra at gmail.com> wrote:
> add:
> leftsourceip=172.19.253.1
>
> if this is still not OK, remove:
>
> leftnexthop=xxx
>
> and try
>
> 2011/7/31 Imtiaz Rahi <imtiaz.rahi at gmail.com>
>>
>> Guys I still need your help. Please help and respond.
>>
>> Tunnel is definitely up and the other side (router) can ping us but we
>> can't.
>> My iptables is empty, only 1 NAT rule (MASQ) for the private IP. The other
>> side does not have firewall rules blocking us.
>> I checked mtr ( mtr --address 172.19.253.1 10.1.4.8 ) and it just
>> tries to go through the default route of the server.
>> How can I check / ensure that the IPsec tunnel added specific routes?
>>
>> Just today I learned that IPsec (netkey) adds things in "ip xfrm". But I
>> have no knowledge about the XFRM framework and have found no other doc
>> except for the man page.
>>
>> Here are the XFRM outputs:
>>
>> sudo ip xfrm state
>> src 203.112.xxx.xx dst 210.4.xx.xxx
>>       proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
>>       replay-window 32
>>       auth hmac(md5) 0x6ec07b7259a38c05ae759cb5d1de996a
>>       enc cbc(des3_ede) 0x3fe779cd9ddb27eabe7d84a12f9f2af8918cc6e94f27fcac
>>       sel src 0.0.0.0/0 dst 0.0.0.0/0
>> src 210.4.xx.xxx dst 203.112.xxx.xx
>>       proto esp spi 0x1c50e944 reqid 16385 mode tunnel
>>       replay-window 32
>>       auth hmac(md5) 0x866f8931c93ad884eba2bea0471b5222
>>       enc cbc(des3_ede) 0x8e2ecaece87a81612e2a7efb7e64949f739d35810165b827
>>       sel src 0.0.0.0/0 dst 0.0.0.0/0
>>
>> sudo ip xfrm policy
>> src 172.19.253.0/29 dst 10.1.4.0/24
>>       dir out priority 2184
>>       tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
>>               proto esp reqid 16385 mode tunnel
>> src 10.1.4.0/24 dst 172.19.253.0/29
>>       dir fwd priority 2184
>>       tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
>>               proto esp reqid 16385 mode tunnel
>> src 10.1.4.0/24 dst 172.19.253.0/29
>>       dir in priority 2184
>>       tmpl src 203.112.xxx.xx dst 210.4.xx.xxx
>>               proto esp reqid 16385 mode tunnel
>> src 0.0.0.0/0 dst 0.0.0.0/0
>>       dir 4 priority 0
>> .......................... (lots)
>>
>>
>> cheers // Imtiaz Rahi
>>
>>
>> On Wed, Jul 27, 2011 at 3:19 PM, Willie Gillespie
>> <wgillespie+openswan at es2eng.com> wrote:
>> > If the tunnel is up, it could be a firewall issue.
>> > Can you test with iptables off?  And try pinging from both sides?
>> >
>> > On 7/27/2011 2:50 AM, Imtiaz Rahi wrote:
>> >> Anyone please respond and help me.
>> >>
>> >> cheers // Imtiaz Rahi
>> >>
>> >>
>> >> On Mon, Jul 25, 2011 at 7:19 PM, Imtiaz Rahi <imtiaz.rahi at gmail.com> wrote:
>> >>> Hi People,
>> >>>
>> >>> I am a first-timer with IPsec VPN and Openswan.
>> >>> I am setting up an IPsec VPN from a Linux box to Cisco router.
>> >>> Linux: Ubuntu 10.04 LTS Openswan U2.6.23/K2.6.32-30-server (netkey)
>> >>> Cisco: Cisco 2821
>> >>>
>> >>> Here is the IPsec network diagram:
>> >>> 172.19.253.0/29 === 210.4.xx.xxx --- 210.4.xx.xxx ... 203.112.xxx.xx --- 203.112.xxx.xx === 10.1.4.0/24;
>> >>>                     Linux VPN box                     Cisco router
>> >>>
>> >>>
>> >>> "ipsec status" says my tunnel is up and some eroutes exist. But I
>> >>> cannot reach the destination network.
>> >>> I am trying to ping 10.1.4.8 as below, without success:
>> >>>
>> >>> ping 10.1.4.8 -I 172.19.253.1
>> >>> PING 10.1.4.8 (10.1.4.8) from 172.19.253.1 : 56(84) bytes of data.
>> >>>
>> >>> ^C
>> >>> --- 10.1.4.8 ping statistics ---
>> >>> 14 packets transmitted, 0 received, 100% packet loss, time 13007ms
>> >>>
>> >>> Please help me here.
>> >>>
>> >>> Cheers // Imtiaz Rahi
>> >>>
>> >>>
>> >>> P.S. Here is the ipsec.conf for reference
>> >>>
>> >>> ==================================================
>> >>> version 2.0
>> >>>
>> >>> config setup
>> >>>         nat_traversal=yes
>> >>>
>> >>>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>> >>>         oe=off
>> >>>         protostack=netkey
>> >>>         interfaces=%defaultroute
>> >>>
>> >>> conn teletalk-vpn
>> >>>         type=tunnel
>> >>>         authby=secret
>> >>>         left=210.4.xx.xxx
>> >>>         leftnexthop=210.4.xx.xxx
>> >>>         leftsubnet=172.19.253.1/29
>> >>>         leftupdown=/usr/lib/ipsec/_updown
>> >>>         right=203.112.xxx.xx    # Cisco 2821
>> >>>         rightnexthop=203.112.xxx.xx
>> >>>         rightsubnet=10.1.4.0/24
>> >>>         keyexchange=ike
>> >>>         keylife=1h
>> >>>         ike=3des-md5-modp1024
>> >>>         phase2alg=3des-md5
>> >>>         pfs=no
>> >>>         auto=start
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
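The thread asks how to tell whether traffic will actually enter the netkey tunnel when `mtr` only shows the default route. The following is an added example, not code from the thread or from Openswan: it reads `ip xfrm policy` and `ip xfrm state` dumps and performs the kernel's outbound policy lookup offline, using dumps constructed from the output quoted above (the redacted "xx" octets are kept as-is).

```python
# Added example, not from the thread: parse "ip xfrm policy" / "ip xfrm state"
# dumps and decide whether a src->dst packet would be ESP-encapsulated. Both
# dumps are constructed from the quoted output; tunnel endpoints are compared
# only as strings, so the redacted "xx" octets do no harm.
import ipaddress, re

POLICY_DUMP = """\
src 172.19.253.0/29 dst 10.1.4.0/24
      dir out priority 2184
      tmpl src 210.4.xx.xxx dst 203.112.xxx.xx
              proto esp reqid 16385 mode tunnel
"""
STATE_DUMP = """\
src 210.4.xx.xxx dst 203.112.xxx.xx
      proto esp spi 0x1c50e944 reqid 16385 mode tunnel
src 203.112.xxx.xx dst 210.4.xx.xxx
      proto esp spi 0x6e7ff7ae reqid 16385 mode tunnel
"""
FIELDS = {"sel": r"^src (\S+) dst (\S+)", "dir": r"dir (\S+) priority (\d+)",
          "tmpl": r"tmpl src (\S+) dst (\S+)", "reqid": r"reqid (\d+)"}

def parse(dump):
    """Split a dump into entries (each starts with a 'src ... dst ...' line)
    and extract FIELDS from each; a field that is absent becomes None."""
    entries = []
    for line in dump.splitlines():
        if line.startswith("src ") or not entries:
            entries.append(line)
        else:
            entries[-1] += "\n" + line
    grp = lambda m: m and m.groups()   # None when the regex did not match
    return [{k: grp(re.search(rx, e)) for k, rx in FIELDS.items()} for e in entries]

def outbound_check(policy_dump, state_dump, src_ip, dst_ip):
    """Mimic the kernel's outbound lookup: among 'dir out' policies covering the
    packet the lowest priority value wins; its template needs a matching SA."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in parse(policy_dump)
            if p["sel"] and p["dir"] and p["dir"][0] == "out"
            and src in ipaddress.ip_network(p["sel"][0], strict=False)
            and dst in ipaddress.ip_network(p["sel"][1], strict=False)]
    if not hits:
        return ("no-policy", None)   # leaves in the clear via the normal route
    best = min(hits, key=lambda p: int(p["dir"][1]))
    if best["tmpl"] is None:
        return ("bypass", None)      # an explicit clear-text policy won
    sas = [s for s in parse(state_dump)
           if s["sel"] == best["tmpl"] and s["reqid"] == best["reqid"]]
    return ("encapsulated" if sas else "policy-without-sa", int(best["reqid"][0]))
```

With netkey there is no per-tunnel route, so a default-route hop in mtr is expected; when the verdict is "encapsulated", compare the SA counters from `ip -s xfrm state` before and after a ping to confirm packets are really leaving encrypted.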