[Openswan Users] IPSec net to net tunnel established with RV042, but ping from one side gives Destination Host Unreachable

Geekman the1geekman at gmail.com
Mon Sep 26 14:44:55 EDT 2011


Whoops, in my half-awake state I sent the reply directly to Paul.


---------- Forwarded message ----------

Hi Paul,

Really appreciate the quick response.

On Tue, Sep 27, 2011 at 3:31 AM, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 26 Sep 2011, Geekman wrote:
>
>> Neo's LAN IP is 172.16.0.1, and the RV042's LAN IP is 192.168.1.1
>>
>> After the tunnel is established, I begin testing using pings. I can
>> ping from any device behind the RV042 to any device behind Neo, I can
>> even ping from the RV042 itself to Neo using diagnostic tools. Neo is
>> able to give back an ICMP response through the tunnel. Additionally, I
>> was able to setup an apache webserver on a server sitting in Neo's LAN
>> and visit that from the RV042's LAN using the IP 172.16.0.2.
>>
>> However, when I try and ping from Neo, or a server in Neo's LAN, to
>> any IP in the RV042's LAN, I get "From X.X.X.X icmp_seq=2 Destination
>> Host Unreachable". Where X.X.X.X seems to be some hop involved when
>> trying to trace to the LAN IP over the internet. For example, trying
>> to ping 192.168.1.1 from Neo while SSHd in from home, I get:
>
> Is Neo the default gw for those machines? If not, does the default gw
> point to Neo for the 192.168.1.0/24 range?

In my test environment, there's only a single server in the
172.16.0.0/24 subnet behind Neo. I can confirm that it has Neo set to
its default GW.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         172.16.0.1      0.0.0.0         UG    100    0        0 eth1


For completeness, here's Neo's routing table, which points to our
internet gateway (our upstream provider):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
PUBLIC_IP_SPACE   0.0.0.0         255.255.255.224 U     0      0        0 eth0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         UPSTREAM_ROUTER   0.0.0.0         UG    100    0        0 eth0


>
> Does the default gw and/or Neo skip NAT/MASQ for packets destined for
> the remote subnet? eg:
>
> iptables -I POSTROUTING -s 172.16.0.0/24 -d 192.168.1.0/24 -j RETURN
>
> Paul
>

Here's the list of iptables rules currently in effect on Neo; no, I don't
think it would skip masquerading for any outbound traffic:

root@neo:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@neo:~# iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@neo:~# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Those are the only rules in effect. The default policy for all chains
is still set to accept for this test setup.

Thanks for your help.
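A constructed model, added here and not part of the thread or of Openswan, of what Neo's nat POSTROUTING chain does to tunnel traffic on the NETKEY stack. It encodes three things a Linux gateway actually does: the nat table is consulted only for the first packet of a connection (later packets and replies reuse the conntrack decision), a packet whose source was rewritten by SNAT has its IPsec policy re-evaluated against the rewritten addresses, and a packet that matches no policy is routed in the clear. With the ruleset posted above, the first packet from 172.16.0.0/24 to 192.168.1.0/24 is masqueraded to the public address, no longer matches the 172.16.0.0/24 <-> 192.168.1.0/24 selector, and leaves unencrypted toward the upstream router, which is consistent with a Destination Host Unreachable arriving from an internet hop for an RFC 1918 destination. Flows started from the RV042 side create conntrack entries with no NAT, so their replies are never masqueraded and do match the policy, which is why that direction works. The exclusion rule Paul suggests has to live in the nat table (-t nat, where POSTROUTING's MASQUERADE rule is) and be inserted with -I so it precedes the MASQUERADE rule; the model also shows that the same rule appended with -A is never reached. The public addresses are placeholders from the RFC 5737 documentation ranges, an assumption.

```python
"""Model of Neo's nat POSTROUTING chain and the IPsec policy lookup (NETKEY order).

Constructed example for the thread above; not Openswan's code and not the kernel.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NEO_LAN = ipaddress.ip_network("172.16.0.0/24")      # leftsubnet, from the thread
RV042_LAN = ipaddress.ip_network("192.168.1.0/24")   # rightsubnet, from the thread
NEO_PUBLIC = "203.0.113.10"    # placeholder for PUBLIC_IP_SPACE (assumed)
RV042_PUBLIC = "198.51.100.7"  # placeholder for the RV042's WAN address (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str = "eth0"


@dataclass
class Rule:
    """One nat POSTROUTING rule: optional -s / -d / -o matches plus a target."""
    target: str
    src: Optional[str] = None
    dst: Optional[str] = None
    out_iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


@dataclass
class Gateway:
    postrouting: List[Rule]
    # conntrack: original-direction flow -> source chosen by the nat table (None = no NAT)
    conntrack: Dict[Tuple[str, str], Optional[str]] = field(default_factory=dict)

    def nat_decision(self, pkt: Packet) -> Optional[str]:
        """Walk the chain once; the first terminating rule decides for the whole flow."""
        for rule in self.postrouting:
            if not rule.matches(pkt):
                continue
            if rule.target == "MASQUERADE":
                return NEO_PUBLIC  # source rewritten to the egress interface address
            if rule.target in ("RETURN", "ACCEPT"):
                return None        # leave the built-in chain: policy ACCEPT, no NAT
        return None                # end of chain, default policy ACCEPT

    def send(self, pkt: Packet) -> str:
        """Egress processing: conntrack/NAT first, then the SPD selector on the result."""
        flow = (pkt.src, pkt.dst)
        if (pkt.dst, pkt.src) in self.conntrack:
            new_src = pkt.src      # reply of a tracked flow: nat table is not consulted
        else:
            if flow not in self.conntrack:
                self.conntrack[flow] = self.nat_decision(pkt)   # first packet only
            new_src = self.conntrack[flow] or pkt.src
        post_nat = Packet(new_src, pkt.dst, pkt.out_iface)
        # Policy lookup happens on the post-NAT header: selector is the subnet pair.
        if (ipaddress.ip_address(post_nat.src) in NEO_LAN
                and ipaddress.ip_address(post_nat.dst) in RV042_LAN):
            return f"ESP to {RV042_PUBLIC}: {post_nat.src} -> {post_nat.dst}"
        return f"cleartext via default gw: {post_nat.src} -> {post_nat.dst}"


def neo_ruleset_from_thread() -> List[Rule]:
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    return [Rule("MASQUERADE", out_iface="eth0")]


def neo_ruleset_with_exclusion() -> List[Rule]:
    # iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 192.168.1.0/24 -j RETURN  (-I: first)
    return [Rule("RETURN", src="172.16.0.0/24", dst="192.168.1.0/24")] + neo_ruleset_from_thread()


def neo_ruleset_exclusion_appended() -> List[Rule]:
    # Same rule added with -A: it lands after MASQUERADE and is never reached.
    return neo_ruleset_from_thread() + [Rule("RETURN", src="172.16.0.0/24", dst="192.168.1.0/24")]


def lan_to_rv042(rules: List[Rule]) -> str:
    """Neo-side host 172.16.0.2 starts a ping to the RV042's LAN address."""
    return Gateway(rules).send(Packet("172.16.0.2", "192.168.1.1"))


def rv042_to_lan_and_reply(rules: List[Rule]) -> str:
    """RV042 side starts the flow; the decapsulated packet is forwarded out eth1 first."""
    gw = Gateway(rules)
    gw.send(Packet("192.168.1.1", "172.16.0.2", out_iface="eth1"))   # creates the conntrack entry
    return gw.send(Packet("172.16.0.2", "192.168.1.1"))              # the reply


if __name__ == "__main__":
    print("thread ruleset, Neo -> RV042:   ", lan_to_rv042(neo_ruleset_from_thread()))
    print("thread ruleset, RV042 -> Neo:   ", rv042_to_lan_and_reply(neo_ruleset_from_thread()))
    print("exclusion with -I, Neo -> RV042:", lan_to_rv042(neo_ruleset_with_exclusion()))
    print("exclusion with -A, Neo -> RV042:", lan_to_rv042(neo_ruleset_exclusion_appended()))
```

The model deliberately treats RETURN and ACCEPT the same in a built-in chain: both stop traversal, and the nat POSTROUTING policy is ACCEPT, so neither rewrites the packet. On a real gateway the quickest confirmation is `conntrack -L` or `tcpdump -ni eth0 host 192.168.1.1` while pinging: a cleartext ICMP echo with the public source address leaving eth0 is the masquerade-before-IPsec symptom the model reproduces.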

