[Openswan Users] Routing Issue with Openswan Tunnel
Ben Schmeckpeper
ben at aisle50.com
Thu Aug 8 16:49:56 UTC 2013
Hi.
I'm using Openswan to set up a VPN between a server we own (hosted by
Rackspace) and a 3rd party company we're working with. Our box has an
aliased network device (eth0:0) with a private IP of 192.168.205.10.
That's my "subnet" and the only box that I plan on using to connect to
the 3rd party. (Technically, we've agreed to use 192.168.205.0/26.)
The tunnel comes up correctly and the 3rd party is able to ping and
SSH into my box, but I'm unable to initiate a connection from my box
to their network. I'm on the left, they're on the right and the
configuration is:
conn foobar
        authby=secret
        forceencaps=no
        auto=start
        left=%defaultroute
        leftid=192.168.205.10
        leftsourceip=192.168.205.10
        leftsubnet=192.168.205.0/26
        right=X.X.X.X
        rightid=X.X.X.X
        rightsubnet=10.2.1.0/24
        pfs=yes
        salifetime=28800s
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1;modp1536
We're not using NAT-T.
When they ping my box, tcpdump shows an ESP packet from their public
IP to my public IP, then an ICMP packet from their private IP to my
private IP, then an ESP packet from my public IP to their public IP:
10:43:25.293020 IP X.X.X.X > Y.Y.Y.Y: ESP(spi=0xdfecf980,seq=0x51a), length 100
10:43:25.293098 IP 10.2.1.253 > 192.168.205.10: ICMP echo request, id 57822, seq 1476, length 40
10:43:25.293140 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e556ce,seq=0x527), length 100
When I run 'ping -I eth0:0 -S 192.168.205.10 10.2.1.253' tcpdump shows
sequential ESP packets being sent from my public IP to their public IP
but the packets are not routed correctly on their end.
10:30:53.885175 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2e), length 132
10:30:54.885187 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2f), length 132
10:30:55.885190 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x30), length 132
iptables are set to accept everything and my routing table looks like:
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         Y.Y.Y.1         0.0.0.0         UG    0   0      0    eth0
10.2.1.0        0.0.0.0         255.255.255.0   U     0   0      0    eth0
I've run out of ideas on how to proceed. It seems like there's either
a routing issue on their end (but my replies to their pings seem to be
routed correctly) or the source IP is being set incorrectly when I'm
initiating the connection. Any suggestions on what to check next?
Thanks,
Ben
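A check a practitioner would run on the initiating box for a setup like the one described above is to ask the kernel which source address it selects for a destination in rightsubnet and confirm that address falls inside leftsubnet, since the IPsec policy is keyed on the subnet pair and locally originated traffic with a source outside leftsubnet does not match it. The script below is an added example and is not part of the original post or of Openswan; the helper names (ip2int, in_cidr, route_src, check_route_src) are hypothetical, and the two `ip route get` output lines are constructed samples (203.0.113.20 is a placeholder public address) so the script runs offline. The only real command it relies on is `ip route get` from iproute2, which is left commented out.

```shell
#!/bin/sh
# Added example: verify that the kernel's chosen source address for the remote
# subnet lies inside leftsubnet. Needs 64-bit shell arithmetic (standard on
# 64-bit Linux) for the /32 mask computation.

# ip2int 192.168.205.10 -> 3232288010 (dotted quad to 32-bit integer)
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr ADDR NET/BITS -> prints "yes" if ADDR is inside the prefix, else "no"
in_cidr() {
  addr=$(ip2int "$1")
  net=${2%/*}
  bits=${2#*/}
  netint=$(ip2int "$net")
  # (1<<32) - (1<<(32-bits)) gives the netmask; bits=0 yields 0, bits=32 yields 0xFFFFFFFF
  mask=$(( (1 << 32) - (1 << (32 - bits)) ))
  if [ $(( addr & mask )) -eq $(( netint & mask )) ]; then echo yes; else echo no; fi
}

# route_src "<ip route get output>" -> the address after the "src" keyword
# Real output looks like: "10.2.1.253 dev eth0 src 192.168.205.10 uid 0"
route_src() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# check_route_src LEFTSUBNET "<ip route get output>" -> "ok", "mismatch:<src>" or "nosrc"
check_route_src() {
  src=$(route_src "$2")
  [ -n "$src" ] || { echo nosrc; return; }
  if [ "$(in_cidr "$src" "$1")" = yes ]; then echo ok; else echo "mismatch:$src"; fi
}

LEFTSUBNET=192.168.205.0/26   # the subnet agreed with the peer
RIGHTSUBNET=10.2.1.0/24       # the peer's subnet

# Constructed sample outputs standing in for `ip route get 10.2.1.253` (not captured
# from the poster's host): the first is what leftsourceip is meant to produce, the
# second is a host that picked its public address instead.
GOOD="10.2.1.253 dev eth0 src 192.168.205.10 uid 0"
BAD="10.2.1.253 via 203.0.113.1 dev eth0 src 203.0.113.20 uid 0"

check_route_src "$LEFTSUBNET" "$GOOD"   # ok
check_route_src "$LEFTSUBNET" "$BAD"    # mismatch:203.0.113.20

# On the real box (iproute2 required; commented out so the script runs offline):
# check_route_src "$LEFTSUBNET" "$(ip route get ${RIGHTSUBNET%/*})"
# ip xfrm policy   # confirm an "out" policy exists for 192.168.205.0/26 -> 10.2.1.0/24
```

If the check reports a mismatch, the packet is not covered by the outbound IPsec policy and would leave via the default route unencrypted rather than as ESP, so a mismatch is worth fixing for confidentiality reasons even when, as in the post above, ESP is already being emitted and the fault appears to lie elsewhere.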