[Openswan Users] tunnel up , right subnet never routes
Bruce Ferrell
bferrell at gmail.com
Sat Aug 24 01:43:29 UTC 2013
Thanks, but no dice :(
route -n never shows the left subnet added
On 08/23/2013 08:04 AM, Willy Chang wrote:
> Hi Bruce,
>
> Add the following iptables rule to allow data traffic to pass through the tunnel.
>
> iptables -A POSTROUTING -t nat -d SSS.SSS.0.0/16 -o <your wan interface> -m policy --dir out --pol ipsec -j ACCEPT
>
>
> Willy
>
>
> On Fri, Aug 23, 2013 at 10:04 AM, Bruce Ferrell <bferrell at gmail.com> wrote:
>
> Below, I have my configuration (sanitized) and the results of bringing the tunnel up.
>
> But the route never comes up and hosts on the right subnet aren't reachable.
>
> Can anyone make a suggestion as to what may be going on here and how I can fix it? What other information might I provide?
>
> Thanks in advance
>
>
>
> ipsec auto --up xyz
> 104 "xyz" #362: STATE_MAIN_I1: initiate
> 003 "xyz" #362: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 003 "xyz" #362: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 106 "xyz" #362: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "xyz" #362: received Vendor ID payload [Cisco-Unity]
> 003 "xyz" #362: received Vendor ID payload [XAUTH]
> 003 "xyz" #362: ignoring unknown Vendor ID payload [65973bcd15aada87c513d6ef825b9b96]
> 003 "xyz" #362: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 003 "xyz" #362: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 108 "xyz" #362: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "xyz" #362: received Vendor ID payload [Dead Peer Detection]
> 004 "xyz" #362: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 117 "xyz" #363: STATE_QUICK_I1: initiate
> 004 "xyz" #363: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x57616a62 <0x6ac07c19 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
>
> conn xyz
>     auth=esp
>     authby=secret
>     auto=start
>     esp=3des-sha1
>     ike=3des-sha1
>     keyexchange=ike
>     keyingtries=0
>     left=xxx.xxx.xxx.xxx
>     leftsubnet=192.0.2.46/32
>     pfs=yes
>     right=RRR.RRR.RRR.RRR
>     rightsubnet=SSS.SSS.0.0/16
>     type=tunnel
>
>