[Openswan Users] OpenSwan Tunnel Established - Communication only passing in one direction

Willie Gillespie wgillespie+openswan at es2eng.com
Wed Sep 14 15:52:41 EDT 2011


Hmm, I'm not sure I can help you, but it does seem like an intriguing 
problem.  Is there perhaps some setting in the ASA that would stop 
packets from being forwarded to Host B?

It's also interesting that you don't see the ICMP traffic on the 
OpenSwan server with a tcpdump.  So that could be indicative of a 
routing problem on Host A, like you suspect.

Those would be the two areas I would check.

Willie

On 9/9/2011 3:24 PM, Trev Lerks wrote:
> Good Afternoon and I immediately apologize if this has been sent to the
> wrong distribution list -
>
> Currently I have a tunnel up from OpenSwan to an ASA using Nat-T.
>
> Host A (172.20.1.15) --> OpenSwan --> Internet <-- ASA <-- Host B
> (192.168.1.2)
>
> What is working:
> Ping/RDP from Host B to Host A
> Ping from OpenSwan to Host B
>
> What isn't working:
> Ping/RDP from Host A to Host B
>
> I seem to be struggling with the iptables setup on the OpenSwan Server,
> however this is my current setup:
>
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Table: filter
> Chain INPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
> 2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:50 dpt:50
> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
> 1 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:500 dpt:500
> 2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:50 dpt:50
> 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> num target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> num target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> num target prot opt source destination
> 1 MASQUERADE all -- 0.0.0.0/0 !192.168.1.0/24
>
> *And my ipsec.conf:*
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:192.168.1.0/24,%v4:!172.20.1.0/24
>     oe=off
>     protostack=netkey
>
> conn os-to-cisco
>     connaddrfamily=ipv4
>     type=tunnel
>     authby=secret
>     esp=3DES-SHA1
>     ike=3des-sha1
>     forceencaps=yes
>     pfs=yes
>     compress=no
>     left=%defaultroute
>     leftid=x.x.x.x
>     leftsubnet=172.20.1.0/24
>     leftnexthop=%defaultroute
>     right=x.x.x.x
>     rightsubnet=192.168.1.0/24
>     rightnexthop=%defaultroute
>     auto=add
>
> At this point, I'm not sure if it's a routing issue or a firewall issue.
> When I attempt to ping from Host A to Host B and perform a tcpdump icmp
> on the OpenSwan server, I don't see any traffic coming from Host A
> (however I'm not sure if I should). I have setup a static route on Host
> A pointing all traffic destined to 192.168.1.0 to the OpenSwan server.
> I've been working at this for 2 days now, have read countless forums and
> OpenSwan documentation, and am about out of ideas. Any assistance is
> much appreciated!!!
>
> Thank you!
>
> Trevor
>
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
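The thread narrows the fault to two places: Host A never handing its packets to the gateway, or the gateway receiving them and failing to push them into the tunnel. The script below is an added example, not code from the thread or from the Openswan project, and walks those two places in order on the Openswan box. It assumes the poster's addressing (Host A 172.20.1.15 behind the gateway, Host B 192.168.1.2 behind the ASA), a NETKEY stack, NAT-T on UDP 4500 (as `forceencaps=yes` implies), and that the LAN and WAN interface names are passed as arguments; the function names and the 198.51.100.1 / 203.0.113.1 peer addresses in the test data are this example's own. One caveat the posted filter rules raise on the way: ESP is IP protocol 50 (already covered by rule 3), and "udp spt:50 dpt:50" matches nothing the tunnel sends; NAT-T needs UDP port 4500. That does no harm while the INPUT and OUTPUT policies are ACCEPT, but it will break the tunnel the day the default policy is changed to DROP.

```shell
#!/bin/sh
# Added diagnostic for a one-way IPsec tunnel on an Openswan/NETKEY gateway.
# Example code, not from the thread or the Openswan project. It assumes the
# poster's addressing (Host A 172.20.1.15 behind this gateway, Host B
# 192.168.1.2 behind the ASA) and NAT-T on UDP 4500; the function names and
# the interface arguments are this example's own.

LEFT_NET="172.20.1.0/24"
RIGHT_NET="192.168.1.0/24"
HOST_A="172.20.1.15"
HOST_B="192.168.1.2"

# Takes the text of `sysctl net.ipv4.ip_forward`; returns 0 when the gateway
# is allowed to forward at all. With it off, Host A's packets arrive on the
# LAN side and are silently dropped, so nothing ever shows on the WAN side.
ip_forward_enabled() {
    case "$1" in
        *"= 1"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Takes the text of `ip xfrm policy`; returns 0 when NETKEY holds an
# outbound (dir out) policy for LEFT_NET -> RIGHT_NET. "Tunnel established"
# only means the SA negotiated; without the out policy Host A's traffic
# follows the default route in the clear and is never encrypted.
xfrm_out_policy_present() {
    printf '%s\n' "$1" | awk -v s="$LEFT_NET" -v d="$RIGHT_NET" '
        $1 == "src" && $2 == s && $3 == "dst" && $4 == d { want = 1; next }
        want && $1 == "dir" { if ($2 == "out") found = 1; want = 0 }
        END { exit found ? 0 : 1 }'
}

# Takes the text of `iptables -t nat -S POSTROUTING`; returns 0 when every
# MASQUERADE rule excludes the remote subnet. nat POSTROUTING runs before
# the xfrm lookup, so a masquerade that hits tunnel traffic rewrites
# 172.20.1.15 to the WAN address, which no longer matches the policy.
masquerade_spares_tunnel() {
    printf '%s\n' "$1" | awk -v d="$RIGHT_NET" '
        /-j MASQUERADE/ && !(/! -d / && index($0, d)) { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Live checks: run as root on the gateway with the LAN and WAN interface
# names, e.g.  ./oneway-check.sh eth1 eth0  (interface names are assumed).
run_live_checks() {
    lan_if="$1"; wan_if="$2"
    ip_forward_enabled "$(sysctl net.ipv4.ip_forward)" \
        && echo "ok:   ip_forward=1" \
        || echo "FAIL: net.ipv4.ip_forward=0 (sysctl -w net.ipv4.ip_forward=1)"
    xfrm_out_policy_present "$(ip xfrm policy)" \
        && echo "ok:   out policy $LEFT_NET -> $RIGHT_NET installed" \
        || echo "FAIL: no 'dir out' policy for $LEFT_NET -> $RIGHT_NET (check leftsubnet/rightsubnet, ipsec auto --up)"
    masquerade_spares_tunnel "$(iptables -t nat -S POSTROUTING)" \
        && echo "ok:   MASQUERADE excludes $RIGHT_NET" \
        || echo "FAIL: a MASQUERADE rule can rewrite tunnel traffic"
    echo "Now ping $HOST_B from $HOST_A and watch both sides of the gateway:"
    echo "  1) plaintext ICMP from Host A on $lan_if (nothing here => Host A's route to this box is wrong)"
    timeout 15 tcpdump -ni "$lan_if" -c 4 "icmp and host $HOST_A"
    echo "  2) NAT-T encapsulated ESP leaving and returning on $wan_if"
    timeout 15 tcpdump -ni "$wan_if" -c 4 "udp port 4500"
}

# Only the live part needs root and real interfaces; the parsers above can
# be exercised on saved command output without touching the box.
if [ "$#" -eq 2 ] && [ "$(id -u)" -eq 0 ]; then
    run_live_checks "$1" "$2"
fi
```

If capture 1 is empty while Host A is pinging, the problem is on Host A (its static route must point at the gateway's LAN address and Host A must be able to reach that address directly), not on the gateway. If capture 1 shows the ICMP but capture 2 shows no UDP 4500 leaving, the gateway is receiving the packets and not encrypting them, which is where the xfrm policy and the masquerade check apply. The robust form of the masquerade exclusion, instead of listing remote subnets, is to exempt anything that already has an IPsec policy with the xt_policy match: `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT` ahead of the MASQUERADE rule.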

