[Openswan Users] Routing Issue with Openswan Tunnel

Ben Schmeckpeper ben at aisle50.com
Mon Aug 12 18:33:28 UTC 2013

Turns out this wasn't an issue with OpenSwan at all.  There was a
routing issue on the other end of the tunnel.


On Thu, Aug 8, 2013 at 11:49 AM, Ben Schmeckpeper <ben at aisle50.com> wrote:
> Hi.
> I'm using Openswan to set up a VPN between a server we own (hosted by
> Rackspace) and a 3rd party company we're working with.  Our box has an
> aliased network device (eth0:0) with a private IP of
> That's my "subnet" and the only box that I plan on using to connect to
> the 3rd party.  (Technically, we've agreed to use
> The tunnel comes up correctly and the 3rd party is able to ping and
> SSH into my box, but I'm unable to initiate a connection from my box
> to their network.  I'm on the left, they're on the right and the
> configuration is:
> conn foobar
>         authby=secret
>         forceencaps=no
>         auto=start
>         left=%defaultroute
>         leftid=
>         leftsourceip=
>         leftsubnet=
>         right=X.X.X.X
>         rightid=X.X.X.X
>         rightsubnet=
>         pfs=yes
>         salifetime=28800s
>         ike=aes256-sha1;modp1536
>         phase2alg=aes256-sha1;modp1536
> We're not using NAT-T.
> When they ping my box, tcpdump shows an ESP packet from their public
> IP to my public IP, then an ICMP packet from their private IP to my
> private IP, then an ESP packet from my public IP to their public IP:
> 10:43:25.293020 IP X.X.X.X > Y.Y.Y.Y: ESP(spi=0xdfecf980,seq=0x51a), length 100
> 10:43:25.293098 IP > ICMP echo request, id 57822, seq 1476, length 40
> 10:43:25.293140 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e556ce,seq=0x527), length 100
> When I run 'ping -I eth0:0 -S' tcpdump shows
> sequential ESP packets being sent from my public IP to their public IP
> but the packets are not routed correctly on their end.
> 10:30:53.885175 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2e), length 132
> 10:30:54.885187 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x2f), length 132
> 10:30:55.885190 IP Y.Y.Y.Y > X.X.X.X: ESP(spi=0xc0e558fc,seq=0x30), length 132
> iptables are set to accept everything and my routing table looks like:
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
>         Y.Y.Y.1           UG        0 0          0 eth0
>   U         0 0          0 eth0
> I've run out of ideas on how to proceed.  It seems like there's either
> a routing issue on their end (but my replies to their pings seem to be
> routed correctly) or the source IP is being set incorrectly when I'm
> initiating the connection.  Any suggestions on what to check next?
> Thanks,
> Ben
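
As an added example (not code from the original thread), the following Python check reads tcpdump lines in the format quoted above, pairs our outbound ESP packets with any ESP coming back from the peer, and flags SPIs that only ever go one way, which is the pattern the post describes for pings initiated from the local box. The addresses, timestamps and the local public IP in the sample are constructed for this example.

```python
import re
# Constructed sample in the tcpdump format quoted in the mail above (RFC 5737
# documentation addresses: 198.51.100.7 plays "my public IP", 203.0.113.9 theirs).
LOCAL_PUBLIC_IP = "198.51.100.7"
SAMPLE_CAPTURE = """\
10:30:53.885175 IP 198.51.100.7 > 203.0.113.9: ESP(spi=0xc0e558fc,seq=0x2e), length 132
10:30:54.885187 IP 198.51.100.7 > 203.0.113.9: ESP(spi=0xc0e558fc,seq=0x2f), length 132
10:30:55.885190 IP 198.51.100.7 > 203.0.113.9: ESP(spi=0xc0e558fc,seq=0x30), length 132
10:43:25.293020 IP 203.0.113.9 > 198.51.100.7: ESP(spi=0xdfecf980,seq=0x51a), length 100
10:43:25.293098 IP 10.0.0.2 > 10.0.0.1: ICMP echo request, id 57822, seq 1476, length 40
10:43:25.293140 IP 198.51.100.7 > 203.0.113.9: ESP(spi=0xc0e556ce,seq=0x527), length 100
"""
ESP_LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): "
                      r"ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\), length (\d+)$")

def _seconds(ts):  # tcpdump HH:MM:SS.ffffff -> seconds since midnight
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_esp(capture_text):
    """Keep only ESP packets; the decrypted ICMP line is skipped on purpose."""
    packets = []
    for line in capture_text.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:
            ts, src, dst, spi, seq, length = m.groups()
            packets.append({"t": _seconds(ts), "src": src, "dst": dst,
                            "spi": spi, "seq": int(seq, 16), "len": int(length)})
    return packets

def outbound_spi_report(packets, local_ip, window=1.0):
    """Per outbound SPI: packets sent, and how many had any ESP packet from the
    peer within +/- window seconds. A misrouted far side shows sent > 0, paired == 0."""
    inbound_times = [p["t"] for p in packets if p["dst"] == local_ip]
    report = {}
    for p in packets:
        if p["src"] != local_ip:
            continue
        entry = report.setdefault(p["spi"], {"sent": 0, "paired": 0})
        entry["sent"] += 1
        if any(abs(t - p["t"]) <= window for t in inbound_times):
            entry["paired"] += 1
    return report

def one_way_spis(report):
    """Outbound SPIs on which the peer never responded."""
    return sorted(spi for spi, e in report.items() if e["paired"] == 0)

if __name__ == "__main__":
    rep = outbound_spi_report(parse_esp(SAMPLE_CAPTURE), LOCAL_PUBLIC_IP)
    print(rep, "one-way SPIs:", one_way_spis(rep))  # one-way: ['0xc0e558fc']
```

A paired SPI proves only that the peer's ESP reached us; it says nothing about what the peer did with the decrypted packet, so pair this with the routing-table check on the far end.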

