[Openswan Users] the packets did not traffic under ESP tunnel on openswan
Paul Wouters
paul at nohats.ca
Mon Mar 19 00:52:47 EDT 2012
On Mon, 19 Mar 2012, Ozai wrote:
> It still did not work after adding your suggestions.
> B can ping to A but A can not ping to B even from device itself.
> I captured the packets by wireshark and found the packets from A client
> always did not traffic under ESP tunnel.Do you have any suggestion for
> us
do the clients have the ipsec gateway as default router? If not, they
might need to get a route for the remote subnet via the ipsec gateway.
Paul
>
> A client---------------openswan
> gateway------------------------------ipsec-tool gateway---------------------B
> client
> 192.168.1.2 192.168.1.1 111.243.152.132 111.243.156.217
> 192.168.2.254 192.168.2.1
>
> Best Regards,
> Ozai
> ----- Original Message ----- From: "Paul Wouters" <paul at nohats.ca>
> To: "Ozai" <ozai.tien at gmail.com>
> Cc: <users at openswan.org>
> Sent: Saturday, March 17, 2012 11:01 PM
> Subject: Re: [Openswan Users] the packets did not traffic under ESP tunnel on
> openswan
>
>
>> On Thu, 15 Mar 2012, Ozai wrote:
>>
>>> I merged the openswan(2.6.37) into embedded linux(mips) and tried to make
>>> the connection with another ipsec
>>> system(ipsec-tools).The ESP tunnel can be built successfully.I tried to
>>> ping private client from ipsec-tools to
>>> openswan.It's OK.but from openswan to ipsec-tools,It's failed.I found that
>>> from openswan to ipsec-tools,the packets did
>>> not traffic under ESP tunnel.My settings are as below.Please help me to
>>> correct my procedure.thank's.
>>
>> Did you test from the device itself? Did you ping -I ?
>> Try adding:
>>
>> leftsourceip=111.243.152.132
>> rightsourceip=111.243.156.217
>>
>> Ensure you are not NATing packes for/to the 192.168 ranges.
>> Ensure you have forwarding enabled, and rp_filter disabled
>>
>> (if your embedded system has perl, try "ipsec verify"
>>
>> Paul
More information about the Users
mailing list