[Openswan Users] tunnel up , right subnet never routes

Bruce Ferrell bferrell at gmail.com
Sat Aug 24 01:43:29 UTC 2013


Thanks, but no dice :(

route -n never shows the left subnet added

On 08/23/2013 08:04 AM, Willy Chang wrote:
> Hi Bruce,
>
>  Add following iptables rule to allow data traffic to pass through tunnel.
>
> iptables -A POSTROUTING -t nat -d SSS.SSS.0.0/16 -o <your wan interface> -m policy --dir out --pol ipsec -j ACCEPT
>
>
> Willy
>
>
> On Fri, Aug 23, 2013 at 10:04 AM, Bruce Ferrell <bferrell at gmail.com> wrote:
>
>     Below, I have my configuration (sanitized) and the results of bringing the tunnel up
>
>     But the route never comes up and hosts on the right subnet aren't reachable.
>
>     Can anyone make a suggestion as to what may be going on here and how I can fix it?  What other information might I provide?
>
>     Thanks in advance
>
>
>
>     ipsec auto --up xyz
>     104 "xyz" #362: STATE_MAIN_I1: initiate
>     003 "xyz" #362: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>     003 "xyz" #362: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>     106 "xyz" #362: STATE_MAIN_I2: sent MI2, expecting MR2
>     003 "xyz" #362: received Vendor ID payload [Cisco-Unity]
>     003 "xyz" #362: received Vendor ID payload [XAUTH]
>     003 "xyz" #362: ignoring unknown Vendor ID payload [65973bcd15aada87c513d6ef825b9b96]
>     003 "xyz" #362: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>     003 "xyz" #362: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>     108 "xyz" #362: STATE_MAIN_I3: sent MI3, expecting MR3
>     003 "xyz" #362: received Vendor ID payload [Dead Peer Detection]
>     004 "xyz" #362: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>     117 "xyz" #363: STATE_QUICK_I1: initiate
>     004 "xyz" #363: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x57616a62 <0x6ac07c19 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
>
>     conn xyz
>             auth=esp
>             authby=secret
>             auto=start
>             esp=3des-sha1
>             ike=3des-sha1
>             keyexchange=ike
>             keyingtries=0
>             left=xxx.xxx.xxx.xxx
>             leftsubnet=192.0.2.46/32
>             pfs=yes
>             right=RRR.RRR.RRR.RRR
>             rightsubnet=SSS.SSS.0.0/16
>             type=tunnel
>
>
>     _______________________________________________
>     Users at lists.openswan.org
>     https://lists.openswan.org/mailman/listinfo/users
>     Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>     Building and Integrating Virtual Private Networks with Openswan:
>     http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
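
The log in the quoted post shows the IPsec SA coming up, so the problem is not the negotiation. What a practitioner checks next on an Openswan host using the NETKEY (XFRM) stack, where the peer's subnet never appears in `route -n` because the kernel routes such traffic through xfrm policies rather than routing-table entries, is (1) whether an outbound xfrm policy for the right subnet exists and (2) whether a NAT rule rewrites the source address before the policy can match, which is exactly what the `-m policy --pol ipsec` exemption prevents, provided it is evaluated before MASQUERADE (appended with `-A`, it lands after an existing MASQUERADE and is never reached). The script below is an added example, not code from the thread or from Openswan; it embeds constructed sample output of `route -n`, `ip xfrm policy` and `iptables -t nat -S POSTROUTING` so it runs offline, and it assumes 198.51.100.0/24 as a stand-in for SSS.SSS.0.0/16 and eth0 as the WAN interface.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan. Checks the three
# things that decide whether packets for the peer's subnet enter the tunnel
# on a NETKEY (XFRM) host. Sample command output is constructed and embedded
# below; on a real gateway replace each SAMPLE_* with "$(route -n)" etc.

RIGHT_SUBNET="198.51.100.0/24"   # assumption: stands in for SSS.SSS.0.0/16
WAN_IF="eth0"                    # assumption: the gateway's WAN interface

# Constructed `route -n` output. NETKEY never adds the peer's subnet here, so
# its absence is expected, not the fault.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0'

# Constructed `ip xfrm policy` output after the IPsec SA came up. On NETKEY
# this outbound policy (dir out, mode tunnel) is what steers the traffic.
SAMPLE_XFRM_POLICY='src 192.0.2.46/32 dst 198.51.100.0/24
 dir out priority 2344 ptype main
 tmpl src 192.0.2.46 dst 203.0.113.9
  proto esp reqid 16385 mode tunnel
src 198.51.100.0/24 dst 192.0.2.46/32
 dir in priority 2344 ptype main
 tmpl src 203.0.113.9 dst 192.0.2.46
  proto esp reqid 16385 mode tunnel'

# Constructed `iptables -t nat -S POSTROUTING` output after appending (-A) the
# exemption: it sits behind MASQUERADE, so the source address is rewritten
# first and the packet no longer matches the policy's src selector.
SAMPLE_NAT_BAD='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -d 198.51.100.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT'

# Constructed: the same rules with the exemption evaluated first.
SAMPLE_NAT_GOOD='-P POSTROUTING ACCEPT
-A POSTROUTING -d 198.51.100.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Return 0 if `route -n` output ($1) lists the network part of subnet $2.
route_has_net() {
    printf '%s\n' "$1" | awk -v want="${2%/*}" '
        $1 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the xfrm policy dump ($1) contains an outbound (dir out) policy
# whose dst selector is exactly subnet $2.
has_out_policy() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "src" { dst = $4 }
        $1 == "dir" && $2 == "out" && dst == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the nat POSTROUTING dump ($1) has no source NAT at all, or has
# an IPsec exemption for subnet $2 that precedes every MASQUERADE/SNAT rule.
nat_order_ok() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /-j (MASQUERADE|SNAT)/ { nat = 1; if (!exempt) shadowed = 1 }
        index($0, "-d " want " ") && /--pol ipsec/ && /-j ACCEPT/ { exempt = 1 }
        END { exit (nat && (!exempt || shadowed)) ? 1 : 0 }'
}

# Print the exemption in a form that cannot land behind MASQUERADE: insert at
# position 1, and test with -C first so re-running does not duplicate it.
nat_exempt_cmd() {
    rule="-d $1 -o $2 -m policy --dir out --pol ipsec -j ACCEPT"
    printf 'iptables -t nat -C POSTROUTING %s 2>/dev/null || iptables -t nat -I POSTROUTING 1 %s\n' "$rule" "$rule"
}

# Walk the constructed samples in the order a practitioner would on the box.
if route_has_net "$SAMPLE_ROUTE" "$RIGHT_SUBNET"; then
    echo "routing table lists $RIGHT_SUBNET (KLIPS-style ipsec0 route)"
else
    echo "routing table does not list $RIGHT_SUBNET: normal on NETKEY, check xfrm instead"
fi
if has_out_policy "$SAMPLE_XFRM_POLICY" "$RIGHT_SUBNET"; then
    echo "outbound xfrm policy for $RIGHT_SUBNET is present"
else
    echo "no outbound xfrm policy for $RIGHT_SUBNET: SA is up but the selectors are wrong"
fi
if nat_order_ok "$SAMPLE_NAT_BAD" "$RIGHT_SUBNET"; then
    echo "nat POSTROUTING order is fine"
else
    echo "IPsec exemption missing or shadowed by MASQUERADE; apply:"
    nat_exempt_cmd "$RIGHT_SUBNET" "$WAN_IF"
fi
```

On a live host, also confirm with `ip xfrm state` that the ESP SAs from the log exist, and watch `ip -s xfrm state` counters while pinging a right-subnet host: packets that never increment the outbound SA are being sent in the clear before reaching xfrm, which is the MASQUERADE symptom above. Separately, the negotiated parameters in the log (3DES-CBC, HMAC-SHA1, MODP-1024 with a pre-shared key) are weak by current standards; if the Cisco peer permits it, prefer AES and a 2048-bit or larger group, for example `ike=aes256-sha1;modp2048` in Openswan's syntax.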


