[Openswan Users] IPSec net to net tunnel established with RV042, but ping from one side gives Destination Host Unreachable

Geekman the1geekman at gmail.com
Mon Sep 26 18:01:16 EDT 2011

I figured that I should also note that when I do a packet capture of
the unencrypted ICMP packets after leaving Neo, the source address is
correctly showing as Neo's public IP. So I would say this conclusively
proves the traffic is being masqueraded correctly.

19:52:32.703912 IP NEO_IP > ICMP echo request, id 25097, seq 5, length 64

On Tue, Sep 27, 2011 at 3:31 AM, Paul Wouters <paul at xelerance.com> wrote:
> On Mon, 26 Sep 2011, Geekman wrote:
>
>> Neo's LAN IP is, and the RV042's LAN IP is
>>
>> After the tunnel is established, I begin testing using pings. I can
>> ping from any device behind the RV042 to any device behind Neo, I can
>> even ping from the RV042 itself to Neo using diagnostic tools. Neo is
>> able to give back an ICMP response through the tunnel. Additionally, I
>> was able to set up an Apache web server on a server sitting in Neo's LAN
>> and visit that from the RV042's LAN using the IP
>>
>> However, when I try and ping from Neo, or a server in Neo's LAN, to
>> any IP in the RV042's LAN, I get "From X.X.X.X icmp_seq=2 Destination
>> Host Unreachable". Where X.X.X.X seems to be some hop involved when
>> trying to trace to the LAN IP over the internet. For example, trying
>> to ping from Neo while SSHd in from home, I get:
>
> Is Neo the default gw for those machines? If not, does the default gw
> point to Neo for the range?
>
> Does the default gw and/or Neo skip NAT/MASQ for packets destined for
> the remote subnet? eg:
>
> iptables -I POSTROUTING -s -d -j RETURN
>
> Paul
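
The NAT/MASQ question in the quoted reply, as an added example that is not part of the thread: a shell function that reads `iptables-save` output and reports whether LAN-to-remote-LAN traffic reaches a RETURN/ACCEPT exemption before the first MASQUERADE/SNAT rule in the nat table's POSTROUTING chain. The subnets 10.0.1.0/24 and 10.0.2.0/24, the interface eth0 and the three rule sets are constructed, since the thread's real addresses are not on the page.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets, interface and rule sets are constructed.
# check_nat_exempt LOCAL_NET REMOTE_NET   (reads iptables-save text on stdin)
# Prints: exempt | masqueraded | no-nat-rule
# Limitation: CIDRs are compared as strings; no subnet containment math.
check_nat_exempt() {
    awk -v src="$1" -v dst="$2" '
        # Value following option "opt" in the current rule, or "" if absent.
        function arg(opt,   i) {
            for (i = 1; i < NF; i++) if ($i == opt) return $(i + 1)
            return ""
        }
        # 1 if option "opt" is written negated, as in "! -d 10.0.2.0/24".
        function negated(opt,   i) {
            for (i = 2; i <= NF; i++) if ($i == opt && $(i - 1) == "!") return 1
            return 0
        }
        /^\*/ { in_nat = ($0 == "*nat") }   # track which table the rules belong to
        in_nat && $1 == "-A" && $2 == "POSTROUTING" {
            target = arg("-j"); s = arg("-s"); d = arg("-d")
            if ((target == "RETURN" || target == "ACCEPT") && s == src && d == dst &&
                !negated("-s") && !negated("-d")) { print "exempt"; hit = 1; exit }
            if (target == "MASQUERADE" || target == "SNAT") {
                # Skip NAT rules whose -s / -d scoping excludes this flow.
                if (s != "" && (negated("-s") ? s == src : s != src)) next
                if (d != "" && (negated("-d") ? d == dst : d != dst)) next
                print "masqueraded"; hit = 1; exit
            }
        }
        END { if (!hit) print "no-nat-rule" }
    '
}
# No exemption at all: tunnel-bound packets are rewritten to the public IP.
BROKEN='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
# Exemption appended with -A lands after MASQUERADE and is never reached.
APPENDED='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.1.0/24 -d 10.0.2.0/24 -j RETURN
COMMIT'
# Exemption inserted with -I, as in the quoted command, is evaluated first.
INSERTED='*nat
-A POSTROUTING -s 10.0.1.0/24 -d 10.0.2.0/24 -j RETURN
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
for rules in "$BROKEN" "$APPENDED" "$INSERTED"; do
    printf '%s\n' "$rules" | check_nat_exempt 10.0.1.0/24 10.0.2.0/24
done
```

On a live gateway the same function can be fed from `iptables-save -t nat` with the real local and remote subnets as arguments.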

