[Openswan Users] Monitoring connections

Will Roberts ironwill42 at gmail.com
Fri Aug 31 18:00:13 EDT 2012


Hi,

I have a script that gets run periodically by Nagios to determine 
whether my VPN connections are working properly. The script ensures that 
the ipsec/xl2tp/ppp tunnel is established and then hits a website over 
the tunnel using cURL:

curl -s --interface ppp# http://website/ipCheck.php

This works fine as long as the website I specify is working. I'd love to 
be able to change website to the IP/hostname of the machine checking the 
connections, but if I do that the TCP connection is never established; 
the SYN packet goes from A -> B -> A, and the ACK goes from A -> B -> A, 
but never seems to be accepted by A.

Here's some output from tcpdump, A is 184.154.87.15, B is 199.15.252.141.

21:56:28.772556 IP 184.154.87.12 > 199.15.252.141: 
ESP(spi=0x8840ec86,seq=0xe3), length 116
21:56:28.798553 IP 199.15.252.141.60631 > 184.154.87.15.80: Flags [S], 
seq 1484492853, win 5040, options [mss 1260,sackOK,TS val 136311174 ecr 
0,nop,wscale 5], length 0
21:56:28.798601 IP 184.154.87.15.80 > 199.15.252.141.60631: Flags [S.], 
seq 2675861561, ack 1484492854, win 5792, options [mss 1460,sackOK,TS 
val 136311182 ecr 136311174,nop,wscale 5], length 0
21:56:28.826462 IP 199.15.252.141 > 184.154.87.12: 
ESP(spi=0xfae7732b,seq=0x9b), length 116

and here's the SYN retrans:
21:56:31.768096 IP 184.154.87.12 > 199.15.252.141: 
ESP(spi=0x8840ec86,seq=0xe4), length 116

Is there some sort of networking rule in Linux that would prevent a 
machine from processing a packet sent from its own address over an 
external interface? (which makes some sense now that I write that out)

Thanks,
--Will
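The failure in the capture above has a recognisable shape: a SYN and a SYN-ACK in the clear, then only ESP packets and a SYN retransmission, never a completed handshake. The following is an added example, not Will's Nagios script and not part of Openswan: it parses tcpdump's text output, tracks the state of each TCP handshake, and reports flows that stopped at SYN-ACK. The sample input is the capture quoted in the post (re-joined so each packet sits on one line, as tcpdump prints it); the function names and the flow-state machine are this example's own.

```python
import re
from collections import Counter

# tcpdump lines from the post above (A = 184.154.87.15, B = 199.15.252.141; the
# outer ESP endpoint on A's side shows up as 184.154.87.12), re-joined onto one
# line per packet the way tcpdump emits them.
TCPDUMP_SAMPLE = """\
21:56:28.772556 IP 184.154.87.12 > 199.15.252.141: ESP(spi=0x8840ec86,seq=0xe3), length 116
21:56:28.798553 IP 199.15.252.141.60631 > 184.154.87.15.80: Flags [S], seq 1484492853, win 5040, options [mss 1260,sackOK,TS val 136311174 ecr 0,nop,wscale 5], length 0
21:56:28.798601 IP 184.154.87.15.80 > 199.15.252.141.60631: Flags [S.], seq 2675861561, ack 1484492854, win 5792, options [mss 1460,sackOK,TS val 136311182 ecr 136311174,nop,wscale 5], length 0
21:56:28.826462 IP 199.15.252.141 > 184.154.87.12: ESP(spi=0xfae7732b,seq=0x9b), length 116
21:56:31.768096 IP 184.154.87.12 > 199.15.252.141: ESP(spi=0x8840ec86,seq=0xe4), length 116
"""

# Clear-text TCP packet: "ts IP a.b.c.d.port > e.f.g.h.port: Flags [..]"
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
# Encrypted tunnel packet: "ts IP a.b.c.d > e.f.g.h: ESP(spi=0x..,seq=0x..)"
ESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+): ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)"
)


def parse(text):
    """Split tcpdump text into lists of TCP and ESP packet dicts; other lines are ignored."""
    tcp, esp = [], []
    for line in text.splitlines():
        m = TCP_RE.match(line)
        if m:
            tcp.append(m.groupdict())
            continue
        m = ESP_RE.match(line)
        if m:
            esp.append(m.groupdict())
    return tcp, esp


def handshake_states(tcp_packets):
    """Return {flow: state}, flow = (client, cport, server, sport),
    state in {'syn', 'syn-ack', 'established'}.

    A flow that never leaves 'syn-ack' is the symptom described in the post:
    the server answered, but the client's final ACK was never accepted."""
    states = {}
    for p in tcp_packets:
        flags = p["flags"]
        if flags == "S":  # client -> server; a retransmitted SYN keeps the flow at 'syn'
            flow = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
            states.setdefault(flow, "syn")
        elif flags == "S.":  # server -> client, so swap endpoints to find the flow
            flow = (p["dst"], int(p["dport"]), p["src"], int(p["sport"]))
            if states.get(flow) == "syn":
                states[flow] = "syn-ack"
        elif "." in flags and not any(c in flags for c in "SRF"):  # ACK or PSH-ACK from client
            flow = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
            if states.get(flow) == "syn-ack":
                states[flow] = "established"
    return states


def incomplete_handshakes(text):
    """Flows in the capture whose three-way handshake never completed."""
    tcp, _ = parse(text)
    return sorted(f for f, s in handshake_states(tcp).items() if s != "established")


def esp_counts(text):
    """Count ESP packets per (src, dst, spi): shows which tunnel direction kept talking."""
    _, esp = parse(text)
    return Counter((p["src"], p["dst"], p["spi"]) for p in esp)


if __name__ == "__main__":
    for flow in incomplete_handshakes(TCPDUMP_SAMPLE):
        print("incomplete handshake:", flow)
    for key, n in esp_counts(TCPDUMP_SAMPLE).items():
        print("ESP", key, "packets:", n)
```

Run on the quoted capture it reports one stalled flow, 199.15.252.141:60631 to 184.154.87.15:80, and two ESP packets on SPI 0x8840ec86 against one on the return SPI, which is the retransmission pattern Will describes. Fed the output of a periodic `tcpdump -n -l` over the external interface, a non-empty result from `incomplete_handshakes()` is a usable warning condition for a check script, independent of whether any remote website is up.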
