[Openswan Users] tunnel up , right subnet never routes

Willy Chang changwilly at gmail.com
Fri Aug 23 15:04:39 UTC 2013


Hi Bruce,

Add the following iptables rule to allow data traffic to pass through the tunnel.

iptables -A POSTROUTING -t nat -d SSS.SSS.0.0/16 -o <your wan interface> -m policy --dir out --pol ipsec -j ACCEPT


Willy
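The reason the rule helps is that a MASQUERADE or SNAT rule in the nat POSTROUTING chain rewrites the source address of packets before the kernel's IPsec policy is consulted, so they no longer match the tunnel's selector; iptables evaluates the chain in order, so the ACCEPT must sit ahead of the NAT rule (`-A` appends, so use `-I` if MASQUERADE is already present). The following POSIX sh check is an added example, not from this thread: it reads an `iptables-save` style nat table and reports whether the exemption is present and correctly ordered. The interface `eth0`, the subnet `10.0.0.0/16` and the sample dumps are constructed placeholders.

```shell
#!/bin/sh
# Added check, not from the thread: given the nat table from `iptables-save`,
# confirm POSTROUTING exempts IPsec-policy traffic before any MASQUERADE/SNAT
# rule can rewrite its source address. eth0 and 10.0.0.0/16 are placeholders.

# Constructed sample: the usual broken layout, masquerade with no IPsec exemption.
BROKEN_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: the exemption from the reply, inserted ahead of MASQUERADE.
FIXED_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# check_nat_exemption DUMP
# Returns 0 (and prints "ok: ...") when the first IPsec exemption rule in
# POSTROUTING precedes the first MASQUERADE/SNAT rule, or when there is no
# source NAT at all; returns 1 with the reason otherwise.
check_nat_exemption() {
    dump="$1"
    # Line number of the first exemption rule (empty if absent).
    exempt=$(printf '%s\n' "$dump" |
        grep -n -- '^-A POSTROUTING .*-m policy --dir out --pol ipsec -j ACCEPT' |
        head -n 1 | cut -d: -f1)
    # Line number of the first source-NAT rule (empty if absent).
    snat=$(printf '%s\n' "$dump" |
        grep -n -E -- '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' |
        head -n 1 | cut -d: -f1)
    if [ -z "$snat" ]; then
        echo "ok: no source NAT in POSTROUTING"; return 0
    fi
    if [ -z "$exempt" ]; then
        echo "missing: no '-m policy --dir out --pol ipsec -j ACCEPT' rule in POSTROUTING"; return 1
    fi
    if [ "$exempt" -lt "$snat" ]; then
        echo "ok: IPsec exemption precedes source NAT"; return 0
    fi
    echo "misordered: exemption (line $exempt) comes after source NAT (line $snat), use -I not -A"; return 1
}

check_nat_exemption "$BROKEN_DUMP" || echo "  -> tunnel traffic to the right subnet would be masqueraded"
check_nat_exemption "$FIXED_DUMP"
```

On a live box, feed it `iptables-save -t nat` output instead of the constructed dumps.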


On Fri, Aug 23, 2013 at 10:04 AM, Bruce Ferrell <bferrell at gmail.com> wrote:

> Below, I have my configuration (sanitized) and the results of bringing the
> tunnel up
>
> But the route never comes up and hosts on the right subnet aren't
> reachable.
>
> Can anyone make a suggestion as to what may be going on here and how I can
> fix it?  What other information might I provide?
>
> Thanks in advance
>
>
>
> ipsec auto --up xyz
> 104 "xyz" #362: STATE_MAIN_I1: initiate
> 003 "xyz" #362: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 003 "xyz" #362: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 106 "xyz" #362: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "xyz" #362: received Vendor ID payload [Cisco-Unity]
> 003 "xyz" #362: received Vendor ID payload [XAUTH]
> 003 "xyz" #362: ignoring unknown Vendor ID payload [65973bcd15aada87c513d6ef825b9b96]
> 003 "xyz" #362: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 003 "xyz" #362: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 108 "xyz" #362: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "xyz" #362: received Vendor ID payload [Dead Peer Detection]
> 004 "xyz" #362: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 117 "xyz" #363: STATE_QUICK_I1: initiate
> 004 "xyz" #363: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x57616a62 <0x6ac07c19 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
>
> conn xyz
>         auth=esp
>         authby=secret
>         auto=start
>         esp=3des-sha1
>         ike=3des-sha1
>         keyexchange=ike
>         keyingtries=0
>         left=xxx.xxx.xxx.xxx
>         leftsubnet=192.0.2.46/32
>         pfs=yes
>         right=RRR.RRR.RRR.RRR
>         rightsubnet=SSS.SSS.0.0/16
>         type=tunnel