[Openswan Users] routing problem

Patrick Naubert patrickn at xelerance.com
Tue Dec 4 18:22:02 EST 2012


Rescued from the Spam box.  Please remember to subscribe to the mailing list before posting to it.

Begin forwarded message:

> From: Christien Rioux <crioux at gmail.com>
> Subject: Re: routing problem
> Date: 4 December, 2012 5:23:52 PM EST
> To: users at lists.openswan.org
> 
> 
> 
> The problem was this is all being done on an Amazon VPC and there's a little magic in there that nobody's talked about:
> 
> The problem wasn't my routing table. The problem was the 'gateway' box running the openswan client had "source/dest checking" turned on. Go to the instance in the VPC, right click on it and hit "change source/dest checking" and turn that OFF. Things will NOT ROUTE TO AND FROM your gateway without it turned OFF.
> 
> This only applies to VPC and not normal EC2 instances, and I doubt anyone knows that this is relevant as it's not discussed in ANY tutorials online.
> 
> --chris
> 
> 
> On Tue, Dec 4, 2012 at 11:05 AM, Christien Rioux <crioux at gmail.com> wrote:
> I'll make this quick:
> 
> 
>  
> 172.16.0.16  ->NAT(1.2.3.4) -> INTERNET <- (4.3.2.1) <- 10.1.0.100
>      ^
> 172.16.0.50
> 
> 
> I have two networks, 172.16.0.0/16 and 10.1.0.0/24, that I want to bridge via site-to-site VPN.
> 
> I have successfully built an IPsec tunnel with the openswan client on Fedora on 172.16.0.16 (with a public Amazon EIP at 1.2.3.4), through to a Cisco ASA at 4.3.2.1.
> 
> Machine 172.16.0.16 can ping 10.1.0.100
> Machine 10.1.0.100 can ping 172.16.0.16
> 
> Note this indicates that the ASA at 4.3.2.1 is routing correctly.
> 
> Pings from 10.1.0.100 do not reach 172.16.0.50 despite the fact that:
> 1. tcpdump sees the ping come over IPsec
> 2. ip forwarding is turned on on 172.16.0.16
> 3. latest openswan is in use on 172.16.0.16
> 4. no amount of iptables seems to help; in fact I have completely removed them from 172.16.0.16 to ensure nothing is getting in the way.
> 5. ip xfrm policy looks 'okay' to me, but that stuff is wicked poorly documented.
> 
> So unlike the 4.3.2.1 box, the openswan box is not routing happily.
> 
> A tcpdump on 172.16.0.50 sees no ICMP, despite 172.16.0.16 seeing it and clearly identifying that it is for 172.16.0.50; it doesn't get sent back out the interface and on to its final destination.
> 
> The reverse also does not work, pinging from 172.16.0.50 to 10.1.0.100, I expect for similar reasons, despite a specific route added to make it go to the right machine.
> 
> Any thoughts on this problem would be greatly appreciated.
> 
> --chris
> 
> 
> 
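
The fix described in the thread boils down to two settings that must both be right on a VPC instance that forwards traffic for other hosts: kernel IP forwarding on, and EC2 source/dest checking off. The following audit script is an added example, not code from the thread; it assumes the AWS CLI is configured with ec2:DescribeInstanceAttribute and ec2:ModifyInstanceAttribute permissions and that the instance metadata service answers plain IMDSv1 requests.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) the two settings an IPsec
# gateway instance in a VPC needs in order to forward for other hosts.
set -u

# Returns 0 when describe-instance-attribute JSON reports checking is ON.
# Real output shape (indentation varies):
#   {"InstanceId": "i-...", "SourceDestCheck": {"Value": true}}
source_dest_check_enabled() {
    printf '%s' "$1" | tr -d ' \n' | grep -q '"SourceDestCheck":{"Value":true}'
}

# Returns 0 when a "net.ipv4.ip_forward = N" sysctl line says N is 1.
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d ' ' | cut -d= -f2)" = "1" ]
}

# Live audit against this instance; only runs when invoked with "fix",
# so the two helpers above can be sourced and used on their own.
run_audit() {
    iid=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)

    if ip_forward_enabled "$(sysctl net.ipv4.ip_forward)"; then
        echo "ok: net.ipv4.ip_forward is on"
    else
        echo "FIX: run 'sysctl -w net.ipv4.ip_forward=1' and persist it in sysctl.conf"
    fi

    attr=$(aws ec2 describe-instance-attribute \
               --instance-id "$iid" --attribute sourceDestCheck)
    if source_dest_check_enabled "$attr"; then
        echo "FIX: source/dest check is ON for $iid; turning it off"
        aws ec2 modify-instance-attribute --instance-id "$iid" --no-source-dest-check
    else
        echo "ok: source/dest check already off for $iid"
    fi
}

if [ "${1:-}" = "fix" ]; then
    run_audit
fi
```

Run it as `sh audit.sh fix` on the openswan gateway; without the argument it only defines the helpers.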
