[Openswan Users] IPSec net to net tunnel established with RV042, but ping from one side gives Destination Host Unreachable

Geekman the1geekman at gmail.com
Mon Sep 26 14:44:55 EDT 2011

Woops, in my half-awake state I sent the reply direct to Paul.

---------- Forwarded message ----------

Hi Paul,

Really appreciate the quick response.

On Tue, Sep 27, 2011 at 3:31 AM, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 26 Sep 2011, Geekman wrote:
>> Neo's LAN IP is, and the RV042's LAN IP is
>> After the tunnel is established, I begin testing using pings. I can
>> ping from any device behind the RV042 to any device behind Neo, I can
>> even ping from the RV042 itself to Neo using diagnostic tools. Neo is
>> able to give back an ICMP response through the tunnel. Additionally, I
>> was able to setup an apache webserver on a server sitting in Neo's LAN
>> and visit that from the RV042's LAN using the IP
>> However, when I try and ping from Neo, or a server in Neo's LAN, to
>> any IP in the RV042's LAN, I get "From X.X.X.X icmp_seq=2 Destination
>> Host Unreachable". Where X.X.X.X seems to be some hop involved when
>> trying to trace to the LAN IP over the internet. For example, trying
>> to ping from Neo while SSHd in from home, I get:
> Is Neo the default gw for those machines? If not, does the default gw
> point to Neo for the range?

In my test environment, there's only a single server in the subnet behind Neo. I can confirm that it has Neo set as
its default GW.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                U     0      0        0 eth1
                                                UG    100    0        0 eth1

For completeness, here's Neo's routing table, which points to our
internet gateway (our upstream provider):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
PUBLIC_IP_SPACE                                 U     0      0        0 eth0
                                                U     0      0        0 eth1
                UPSTREAM_ROUTER                 UG    100    0        0 eth0

> Does the default gw and/or Neo skip NAT/MASQ for packets destined for
> the remote subnet? eg:
> iptables -I POSTROUTING -s -d -j RETURN
> Paul

Here's the list of iptables rules currently in effect on Neo; no, I don't
think they would skip masquerading for any outbound traffic:

root at neo:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root at neo:~# iptables -A FORWARD -i eth0 -o eth1 -m state --state
root at neo:~# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Those are the only rules in effect. The default policy for all chains
is still set to accept for this test setup.

Thanks for your help.
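Added example, not part of the thread or of Openswan: a small POSIX shell script that emits Paul's suggested NAT bypass in the order that matters (the RETURN must sit above MASQUERADE in the nat POSTROUTING chain, since the chain is walked top down and a masqueraded source no longer matches the IPsec policy for the tunnel), plus an audit function that reads an iptables-save style nat dump and reports whether the bypass is missing or placed after MASQUERADE. The LAN subnets and the dumps are constructed placeholders.

```shell
#!/bin/sh
# Assumed placeholder subnets (the thread's addresses were stripped).
LOCAL_LAN="192.0.2.0/24"      # assumed: LAN behind Neo, eth1 side
REMOTE_LAN="198.51.100.0/24"  # assumed: LAN behind the RV042

# Print the nat rules in the order that keeps tunnel traffic unmasqueraded.
# "-I POSTROUTING 1" puts the bypass ahead of the existing MASQUERADE rule.
emit_fix() {
    printf '%s\n' \
      "iptables -t nat -I POSTROUTING 1 -s $LOCAL_LAN -d $REMOTE_LAN -j RETURN" \
      "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
}

# Audit a nat table dump (iptables-save format on stdin). Prints:
#   ok           bypass for REMOTE_LAN precedes any MASQUERADE rule
#   masq-first   bypass exists but MASQUERADE is hit first (still NATed)
#   no-exclusion no RETURN/ACCEPT rule for REMOTE_LAN at all
check_postrouting() {
    awk -v remote="$REMOTE_LAN" '
        /^-A POSTROUTING/ {
            n++
            if (!ex && index($0, "-d " remote) && $0 ~ /-j (RETURN|ACCEPT)/) ex = n
            if (!mq && $0 ~ /-j MASQUERADE/) mq = n
        }
        END {
            if (!ex) print "no-exclusion"
            else if (mq && mq < ex) print "masq-first"
            else print "ok"
        }'
}

# Constructed sample: Neo's nat table as posted in the thread.
CURRENT_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: the same table after emit_fix has been applied.
FIXED_NAT='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.0.2.0/24 -d 198.51.100.0/24 -j RETURN
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

emit_fix
printf '%s\n' "$CURRENT_NAT" | check_postrouting   # no-exclusion
printf '%s\n' "$FIXED_NAT" | check_postrouting     # ok
```

On a live host, feed `iptables-save -t nat` into check_postrouting instead of the constructed dumps.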
