[Openswan Users] routing problem
Patrick Naubert
patrickn at xelerance.com
Tue Dec 4 18:21:01 EST 2012
Rescued from the Spam box. Please remember to subscribe to the mailing list before posting to it.
Begin forwarded message:
> From: Christien Rioux <crioux at gmail.com>
> Subject: routing problem
> Date: 4 December, 2012 11:05:07 AM EST
> To: users at lists.openswan.org
>
>
> I'll make this quick:
>
>
>
> 172.16.0.16 ->NAT(1.2.3.4) -> INTERNET <- (4.3.2.1) <- 10.1.0.100
> ^
> 172.16.0.50
>
>
> I have two networks, 172.16.0.0/16 and 10.1.0.0/24, that I want to bridge via site-to-site VPN.
>
> I have successfully built an IPsec tunnel with the Openswan client on Fedora on 172.16.0.16 (with a public Amazon EIP at 1.2.3.4), through to a Cisco ASA at 4.3.2.1.
>
> Machine 172.16.0.16 can ping 10.1.0.100
> Machine 10.1.0.100 can ping 172.16.0.16
>
> Note this indicates that the ASA at 4.3.2.1 is routing correctly.
>
> Pings from 10.1.0.100 do not reach 172.16.0.50 despite the fact that:
> 1. tcpdump sees the ping come over IPsec
> 2. IP forwarding is turned on on 172.16.0.16
> 3. The latest Openswan is in use on 172.16.0.16
> 4. No amount of iptables seems to help; in fact I have completely removed them from 172.16.0.16 to ensure nothing is getting in the way.
> 5. ip xfrm policy looks 'okay' to me, but that stuff is wicked poorly documented.
>
> So unlike the 4.3.2.1 box, the openswan box is not routing happily.
>
> A tcpdump on 172.16.0.50 sees no ICMP despite 172.16.0.16 seeing it and clearly identifying that it is for 172.16.0.50; it doesn't get sent back out the interface and on to its final destination.
>
> The reverse, pinging from 172.16.0.50 to 10.1.0.100, also does not work, I expect for similar reasons, despite a specific route added to make it go to the right machine.
>
> Any thoughts on this problem would be greatly appreciated.
>
> --chris
>
>
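
The `ip xfrm policy` check mentioned in point 5 can be made mechanical: on Linux, decrypted tunnel traffic is only forwarded to another host when a `dir fwd` policy's selector covers both the source and the destination. The following is an added example, not part of the original post, that parses `ip xfrm policy` output and reports which directions cover a given flow. The sample output is constructed (a local selector limited to the gateway's /32) and is an assumption for illustration, not the poster's actual policy.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (NOT taken from the post).
# Assumption: the local side of the tunnel was negotiated as the gateway /32.
SAMPLE = """\
src 172.16.0.16/32 dst 10.1.0.0/24
    dir out priority 2080 ptype main
    tmpl src 172.16.0.16 dst 4.3.2.1
        proto esp reqid 16385 mode tunnel
src 10.1.0.0/24 dst 172.16.0.16/32
    dir fwd priority 2080 ptype main
    tmpl src 4.3.2.1 dst 172.16.0.16
        proto esp reqid 16385 mode tunnel
src 10.1.0.0/24 dst 172.16.0.16/32
    dir in priority 2080 ptype main
    tmpl src 4.3.2.1 dst 172.16.0.16
        proto esp reqid 16385 mode tunnel
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)")      # unindented selector line
DIRECTION = re.compile(r"^\s*dir (in|out|fwd)\b")   # indented direction line

def parse_policies(text):
    """Return a list of (direction, src_network, dst_network) tuples."""
    policies, selector = [], None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:
            selector = tuple(ipaddress.ip_network(x, strict=False) for x in m.groups())
            continue
        m = DIRECTION.match(line)
        if m and selector:
            policies.append((m.group(1), *selector))
            selector = None
    return policies

def covering_dirs(policies, src, dst):
    """Directions whose selector contains both the src and dst addresses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return {p[0] for p in policies if s in p[1] and d in p[2]}

if __name__ == "__main__":
    pols = parse_policies(SAMPLE)
    for src, dst in [("10.1.0.100", "172.16.0.16"), ("10.1.0.100", "172.16.0.50")]:
        dirs = covering_dirs(pols, src, dst)
        verdict = "forwardable" if "fwd" in dirs else "no fwd policy covers this flow"
        print(f"{src} -> {dst}: {sorted(dirs)} {verdict}")
```

To run it against a live gateway, replace `SAMPLE` with the text captured from `ip xfrm policy` on the Openswan host.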