[Openswan Users] IPSec net to net tunnel established with RV042, but ping from one side gives Destination Host Unreachable
Geekman
the1geekman at gmail.com
Mon Sep 26 14:44:55 EDT 2011
Woops, in my half-awake state I sent the reply direct to Paul.
---------- Forwarded message ----------
Hi Paul,
Really appreciate the quick response.
On Tue, Sep 27, 2011 at 3:31 AM, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 26 Sep 2011, Geekman wrote:
>
>> Neo's LAN IP is 172.16.0.1, and the RV042's LAN IP is 192.168.1.1
>>
>> After the tunnel is established, I begin testing using pings. I can
>> ping from any device behind the RV042 to any device behind Neo, I can
>> even ping from the RV042 itself to Neo using diagnostic tools. Neo is
>> able to give back an ICMP response through the tunnel. Additionally, I
>> was able to setup an apache webserver on a server sitting in Neo's LAN
>> and visit that from the RV042's LAN using the IP 172.16.0.2.
>>
>> However, when I try and ping from Neo, or a server in Neo's LAN, to
>> any IP in the RV042's LAN, I get "From X.X.X.X icmp_seq=2 Destination
>> Host Unreachable". Where X.X.X.X seems to be some hop involved when
>> trying to trace to the LAN IP over the internet. For example, trying
>> to ping 192.168.1.1 from Neo while SSHd in from home, I get:
>
> Is Neo the default gw for those machines. If not, does the default gw
> point to Neo for the 192.168.1.0/24 range?
In my test environment, there's only a single server in the
172.16.0.0/24 subnet behind Neo. I can confirm that it has Neo set to
its default GW.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 172.16.0.1 0.0.0.0 UG 100 0 0 eth1
For completeness, here's Neo's routing table, which points to our
internet gateway (our upstream provider):
Destination Gateway Genmask Flags Metric Ref Use Iface
PUBLIC_IP_SPACE 0.0.0.0 255.255.255.224 U 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 UPSTREAM_ROUTER 0.0.0.0 UG 100 0 0 eth0
>
> Does the default gw and/or Neo skip NAT/MASQ for packets destined for
> the remote subnet? eg:
>
> iptables -I POSTROUTING -s 172.16.0.0/24 -d 192.168.1.0/24 -j RETURN
>
> Paul
>
Here's the list of iptables currently in effect on Neo; no I don't
think that it would skip Masquerading for any outbound traffic:
root at neo:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root at neo:~# iptables -A FORWARD -i eth0 -o eth1 -m state --state
RELATED,ESTABLISHED -j ACCEPT
root at neo:~# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Those are the only rules in effect. The default policy for all chains
is still set to accept for this test setup.
Thanks for your help.
More information about the Users
mailing list