[Openswan Users] IPSec net to net tunnel established with RV042, but ping from one side gives Destination Host Unreachable

Geekman the1geekman at gmail.com
Mon Sep 26 22:03:26 EDT 2011


Hi Paul,

I totally misinterpreted your suggestion about masquerading before. I
had originally thought you were checking to make sure I was doing
masquerading, but based on the rule you provided, it makes sense that
you would be ensuring masquerading isn't done so that the source IP
matches the leftsubnet value. Silly me.

I have added that rule, and it worked great when pinging 192.168.1.1
from the server behind Neo. I was also able to access the router
interface via lynx, so that's all great.

I still had to ping using -I 172.16.0.1 from Neo itself to get the
correct source IP. From what I understood, the left/rightsourceip
parameter is meant to remedy this? Although I haven't looked too
closely at this, and I know there's a section in the PackT OpenSwan
book I've purchased regarding this, so I'll take a look and get back to
you if there are any problems.

Thanks so much for all your help Paul.

On Tue, Sep 27, 2011 at 8:01 AM, Geekman <the1geekman at gmail.com> wrote:
> I figured that I should also note that when I do a packet capture of
> the unencrypted ICMP packets after leaving Neo, the source address is
> correctly showing as Neo's public IP. So I would say this conclusively
> proves the traffic is being masqueraded correctly.
>
> 19:52:32.703912 IP NEO_IP > 192.168.1.1: ICMP echo request, id
> 25097, seq 5, length 64
>
> On Tue, Sep 27, 2011 at 3:31 AM, Paul Wouters <paul at xelerance.com> wrote:
>> On Mon, 26 Sep 2011, Geekman wrote:
>>
>>> Neo's LAN IP is 172.16.0.1, and the RV042's LAN IP is 192.168.1.1
>>>
>>> After the tunnel is established, I begin testing using pings. I can
>>> ping from any device behind the RV042 to any device behind Neo, I can
>>> even ping from the RV042 itself to Neo using diagnostic tools. Neo is
>>> able to give back an ICMP response through the tunnel. Additionally, I
>>> was able to set up an Apache web server on a server sitting in Neo's LAN
>>> and visit that from the RV042's LAN using the IP 172.16.0.2.
>>>
>>> However, when I try and ping from Neo, or a server in Neo's LAN, to
>>> any IP in the RV042's LAN, I get "From X.X.X.X icmp_seq=2 Destination
>>> Host Unreachable", where X.X.X.X seems to be some hop involved when
>>> trying to trace to the LAN IP over the internet. For example, trying
>>> to ping 192.168.1.1 from Neo while SSHed in from home, I get:
>>
>> Is Neo the default gw for those machines? If not, does the default gw
>> point to Neo for the 192.168.1.0/24 range?
>>
>> Do the default gw and/or Neo skip NAT/MASQ for packets destined for
>> the remote subnet? e.g.:
>>
>> iptables -t nat -I POSTROUTING -s 172.16.0.0/24 -d 192.168.1.0/24 -j RETURN
>>
>> Paul
>>
>

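The thread's fix is to keep packets for the remote subnet out of MASQUERADE so that they reach the IPsec policy with a source address that matches leftsubnet. The script below is an added example, not code from the thread or from Openswan: it emits the nat-table rules in the order that makes this work (the RETURN exemption must precede MASQUERADE, since POSTROUTING is evaluated top to bottom and the first terminating match wins), and it checks an iptables-save style dump for that ordering so a misordered ruleset can be caught before any tunnel debugging. The subnets are the ones from the thread; the WAN interface name eth0 and the sample dumps are assumptions/constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or Openswan).
# Builds a nat-table fragment with the IPsec NAT exemption ahead of
# MASQUERADE, and checks a saved ruleset for the same ordering.

LOCAL_SUBNET="172.16.0.0/24"    # leftsubnet (Neo's LAN) from the thread
REMOTE_SUBNET="192.168.1.0/24"  # rightsubnet (RV042's LAN) from the thread
WAN_IF="eth0"                   # assumed name of Neo's public interface

# Print an iptables-restore fragment for the nat table. The RETURN rule
# comes first so tunnel-bound traffic leaves POSTROUTING unchanged and
# the source address still matches the IPsec policy (leftsubnet).
nat_rules() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LOCAL_SUBNET -d $REMOTE_SUBNET -j RETURN
-A POSTROUTING -s $LOCAL_SUBNET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Constructed example of the broken ordering: MASQUERADE is hit first,
# so packets to the remote LAN get the public IP and never match the
# IPsec policy (the symptom the thread describes).
wrong_order_dump() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LOCAL_SUBNET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $LOCAL_SUBNET -d $REMOTE_SUBNET -j RETURN
COMMIT
EOF
}

# Read an iptables-save style dump on stdin. Return 0 only if a RETURN
# exemption for REMOTE_SUBNET exists in POSTROUTING and appears before
# every MASQUERADE rule in that chain; return 1 otherwise.
exemption_precedes_masq() {
    awk -v remote="$REMOTE_SUBNET" '
        /^-A POSTROUTING/ && /-j RETURN/ && index($0, remote) { seen_return = 1 }
        /^-A POSTROUTING/ && /-j MASQUERADE/ && !seen_return  { bad = 1 }
        END { exit (seen_return && !bad) ? 0 : 1 }
    '
}

# Stand-alone demo: show the rule fragment and classify both dumps.
echo "--- rules to load with iptables-restore ---"
nat_rules
if nat_rules | exemption_precedes_masq; then
    echo "generated ruleset: exemption precedes MASQUERADE (ok)"
fi
if wrong_order_dump | exemption_precedes_masq; then
    echo "constructed dump: ok"
else
    echo "constructed dump: MASQUERADE precedes exemption (traffic to $REMOTE_SUBNET will be NATed)"
fi
```

To check a live box, feed the real dump in with `iptables-save -t nat | exemption_precedes_masq` (the awk only looks at `-A POSTROUTING` lines, so the rest of the dump is ignored). The same ordering rule applies on the default gateway if it is a different host from Neo, which is the second question Paul raised.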
