[Openswan Users] Routing Issue with Openswan Tunnel
ben at aisle50.com
Mon Aug 12 18:33:28 UTC 2013
Turns out this wasn't an issue with OpenSwan at all. There was a
routing issue on the other end of the tunnel.
On Thu, Aug 8, 2013 at 11:49 AM, Ben Schmeckpeper <ben at aisle50.com> wrote:
> I'm using Openswan to setup a VPN between a server we own (hosted by
> Rackspace) and a 3rd party company we're working with. Our box has an
> aliased network device (eth0:0) with a private IP of 192.168.205.10.
> That's my "subnet" and the only box that I plan on using to connect to
> the 3rd party. (Technically, we've agreed to use 192.168.205.0/26.)
> The tunnel comes up correctly and the 3rd party is able to ping and
> SSH into my box, but I'm unable to initiate a connection from my box
> to their network. I'm on the left, they're on the right and the
> configuration is:
> conn foobar
> We're not using NAT-T.
> When they ping my box, tcpdump shows an ESP packet from their public
> IP to my public IP, then an ICMP packet from their private IP to my
> private IP, then an ESP packet from my public IP to their public IP:
> 10:43:25.293020 IP X.X.X.X > Y.Y.Y.Y: ESP(spi=0xdfecf980,seq=0x51a), length 100
> 10:43:25.293098 IP 10.2.1.253 > 192.168.205.10: ICMP echo request, id
> 57822, seq 1476, length 40
> 10:43:25.293140 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e556ce,seq=0x527), length 100
> When I run 'ping -I eth0:0 -S 192.168.205.10 10.2.1.253' tcpdump shows
> sequential ESP packets being sent from my public IP to their public IP
> but the packets are not routed correctly on their end.
> 10:30:53.885175 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2e), length 132
> 10:30:54.885187 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2f), length 132
> 10:30:55.885190 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x30), length 132
> iptables are set to accept everything and my routing table looks like:
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 0.0.0.0 Y.Y.Y.1 0.0.0.0 UG 0 0 0 eth0
> 10.2.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> I've run out of ideas on how to proceed. It seems like there's either
> a routing issue on their end (but my replies to their pings seem to
> routed correctly) or the source IP is being set incorrectly when I'm
> initiating the connection. Any suggestions on what to check next?
More information about the Users