[Openswan Users] Tunnel is up but no answer through the tunnel

Bali Zaci zaci.bali at gmail.com
Sat Mar 24 12:29:31 EDT 2012


Hi All,

I have the following setup:
Server (x.x.x.x) ------INTERNET------- DSL Router (y.y.y.y) -------- Client (192.168.1.246)

I would like to create a PSK ipsec tunnel between the server and the Client.
On server ipsec.conf:
config setup
        plutodebug="all"
        protostack=netkey
        oe=off
        nat_traversal=yes

conn roadwarrior
        authby=secret
        pfs=no
        auto=add
        rekey=yes
        type=tunnel
        left=x.x.x.x
        leftnexthop=x.x.x.1
        leftid=x.x.x.x
        right=%any

Client ipsec.conf:
config setup
        plutodebug="all"
        protostack=netkey
        oe=off
        nat_traversal=yes

conn roadwarrior
        authby=secret
        pfs=no
        auto=add
        rekey=yes
        type=tunnel
        left=x.x.x.x
        leftnexthop=x.x.x.1
        leftid=x.x.x.x
        right=%defaultroute
        rightnexthop=%defaultroute


It looks like the tunnel is working fine:
Client: # ipsec auto --up roadwarrior
104 "roadwarrior" #1: STATE_MAIN_I1: initiate
003 "roadwarrior" #1: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
003 "roadwarrior" #1: received Vendor ID payload [Dead Peer Detection]
003 "roadwarrior" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "roadwarrior" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "roadwarrior" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "roadwarrior" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "roadwarrior" #1: received Vendor ID payload [CAN-IKEv2]
004 "roadwarrior" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "roadwarrior" #2: STATE_QUICK_I1: initiate
004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x20e3b86f <0xac7dbe45 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}


But when I am trying to ping the server from the client I see the ESP
packages on the server but it doesn't send any reply.
tcpdump on the server's public interface during the ping:
16:19:44.572732 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x2), length 148
16:19:44.680605 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x3), length 196
16:19:44.738490 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x4), length 148

I have disabled every iptables rule on my Server. Any idea where my
replies are?

Thanks and regards,
B
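The post shows a one-way symptom: the server-side capture contains ESP packets carrying the client's outbound SPI (0x20e3b86f), but nothing flows back with the client's inbound SPI (0xac7dbe45). Below is an added example, written here and not part of the post or of Openswan, that automates exactly that comparison: it parses the SPI pair out of the `ipsec auto --up` summary, counts ESP packets per direction in a tcpdump capture, and reports which leg is missing. It assumes that Openswan prints the outbound SPI first and the inbound SPI second in `ESP=>0x... <0x...`, as seen from the host that ran `ipsec auto --up`; the sample lines are constructed from the post, and the address the server sees for the NATed client is the router's y.y.y.y.

```python
"""Diagnose a one-way IPsec tunnel from the SA summary and a tcpdump capture.

Added example, not code from the mailing-list post or from Openswan.
Assumption: "ESP=>0xAAAA <0xBBBB" lists the outbound SPI first and the
inbound SPI second, from the point of view of the host that ran
`ipsec auto --up`.
"""
import re
from collections import Counter

# Constructed sample: the SA line as printed on the client and the server-side
# tcpdump lines from the post (client -> server ESP only, no replies).
SA_LINE = ('004 "roadwarrior" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
           'tunnel mode {ESP=>0x20e3b86f <0xac7dbe45 xfrm=AES_128-HMAC_SHA1 '
           'NATOA=none NATD=none DPD=none}')
TCPDUMP = """\
16:19:44.572732 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x2), length 148
16:19:44.680605 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x3), length 196
16:19:44.738490 IP y.y.y.y.4500 > x.x.x.x.4500: UDP-encap: ESP(spi=0x20e3b86f,seq=0x4), length 148
"""

SA_RE = re.compile(r"ESP=>0x([0-9a-fA-F]{8}) <0x([0-9a-fA-F]{8})")
PKT_RE = re.compile(
    r"IP (\S+)\.(\d+) > (\S+)\.(\d+): .*?ESP\(spi=0x([0-9a-fA-F]{8}),seq=0x([0-9a-fA-F]+)\)")

# Server-side checks to run for each verdict (standard iproute2/tcpdump commands).
NEXT_CHECKS = {
    "no-return-traffic": [
        "ip xfrm state            # is the inbound SPI installed with the right keys?",
        "ip xfrm policy           # is there an 'out' policy matching the reply?",
        "tcpdump -ni any icmp     # do decrypted pings reach the IP stack at all?",
        "ip route get <client-private-ip>   # does the reply route into the tunnel?",
    ],
    "no-inbound-traffic": ["tcpdump -ni any udp port 4500 or esp   # is ESP arriving anywhere?"],
    "bidirectional": ["Both directions carry ESP; look at the client side instead."],
}


def parse_sa(line):
    """Return (outbound_spi, inbound_spi) as lower-case hex strings."""
    m = SA_RE.search(line)
    if not m:
        raise ValueError("no ESP SPI pair in SA line")
    return m.group(1).lower(), m.group(2).lower()


def count_esp(capture):
    """Count ESP packets per (src_host, dst_host, spi); keep sequence numbers."""
    counts = Counter()
    seqs = {}
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue  # IKE, NAT-T keepalive or unrelated traffic: skip
        key = (m.group(1), m.group(3), m.group(5).lower())
        counts[key] += 1
        seqs.setdefault(key, []).append(int(m.group(6), 16))
    return counts, seqs


def diagnose(sa_line, capture, client_pub, server):
    """Compare the two SPI directions in a capture taken on the server.

    client_pub is the address the server sees for the client, i.e. the NAT
    router's public address when the client sits behind NAT.
    """
    out_spi, in_spi = parse_sa(sa_line)
    counts, _ = count_esp(capture)
    c2s = counts[(client_pub, server, out_spi)]
    s2c = counts[(server, client_pub, in_spi)]
    if c2s and s2c:
        verdict = "bidirectional"
    elif c2s:
        # Packets arrive with the negotiated SPI, so IKE and NAT-T are fine;
        # the fault is on the server's decrypt / route / reply path.
        verdict = "no-return-traffic"
    else:
        verdict = "no-inbound-traffic"
    # SPIs not in the negotiated pair usually mean a stale SA or a rekey mismatch.
    stray = sorted(spi for (_, _, spi) in counts if spi not in (out_spi, in_spi))
    return {"outbound_spi": out_spi, "inbound_spi": in_spi,
            "client_to_server": c2s, "server_to_client": s2c,
            "stray_spis": stray, "verdict": verdict}


if __name__ == "__main__":
    result = diagnose(SA_LINE, TCPDUMP, "y.y.y.y", "x.x.x.x")
    for k, v in result.items():
        print(f"{k}: {v}")
    print("next checks on the server:")
    for cmd in NEXT_CHECKS[result["verdict"]]:
        print("  " + cmd)
```

On the capture from the post the verdict is `no-return-traffic`: three packets with the client's outbound SPI, none with the inbound one, so IKE negotiation and NAT traversal are not the problem and the next place to look is the server's xfrm state and policy and whether the decrypted ICMP ever reaches the IP stack.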