[Openswan Users] Problem with net-to-net tunnel with NAT on both endpoints
Rodrigo Borges Pereira
rodrigoborgespereira at gmail.com
Tue Dec 17 14:03:54 EST 2013
Hi all,
Maybe someone can give me a hint here... would appreciate it ;)
I have to work with two old IP-PBX appliances that can do routing and also
have an Openswan-based IPsec function. I say old because the Openswan version is
2.4.12 and cannot be upgraded. They are geographically apart, and
both are connected to the Internet NAT'ed behind a router. Each IP-PBX
appliance has two interfaces, external (WAN) and internal (LAN). The idea is
to have LAN1 talking with LAN2.
The scenario is kinda like this:
LAN1 <-> IPPBX1 <-> NATROUTER1 <- INTERNET -> NATROUTER2 <-> IPPBX2 <-> LAN2
Now, I can actually establish a tunnel between IPPBX1 and IPPBX2. Port
forwards for UDP 4500 and 500 are configured on both NATROUTERs, and both
IPPBXs have NAT-T enabled. So far so good.
The problem now is that LAN1 and LAN2 IPs don't talk with each other at all, not
even between the LAN IPs of the two IPPBXs. However, when I do things like ping,
I can see packets flowing on the external interfaces of each IPPBX (with
tcpdump on 4500/UDP), but then they just seem to be blackholed somehow. The
firewall on these appliances logs every dropped packet, but no drop is
showing.
Any suggestion on how to troubleshoot / understand this? Below is a snippet of
the config. I only removed the remote gateway's public IP address. The
configuration is symmetric on the other endpoint.
Thanks in advance. Rgds.
--- snip ---
version 2

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutowait=no
    uniqueids=yes
    hidetos=yes
    # both peers sit behind NAT, so IKE/ESP must be able to switch to UDP/4500
    nat_traversal=yes
    keep_alive=20

conn %default
    keyingtries=0
    disablearrivalcheck=no
    leftrsasigkey=%none
    rightrsasigkey=%none
    # pre-shared key authentication; the key itself lives in ipsec.secrets
    authby=secret
    auto=add

include /etc/ipsec.d/examples/no_oe.conf

conn TUNNEL
    # source address this gateway uses for its own packets into the tunnel
    leftsourceip=192.168.1.254
    # local WAN address (private, behind NATROUTER1)
    left=192.168.8.2
    esp=3des-md5
    ikelifetime=1h
    pfsgroup=modp1024
    pfs=yes
    aggrmode=yes
    leftsubnet=192.168.1.0/24
    keylife=8h
    rightid=192.168.100.254
    leftid=192.168.1.254
    # remote gateway's public IP address, removed from the post
    right=yy.yy.yy.yy
    leftnexthop=192.168.8.1
    auto=start
    rightsubnet=192.168.100.0/24
    ike=3des-md5-modp1024
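A quick way to rule out policy-level causes before chasing packets is to check the posted conn against its own traffic selectors. The following is an added example, not code from the post or from Openswan: a deliberately minimal ipsec.conf reader (it merges `conn %default` into each conn, nothing more), an `in_tunnel` helper that answers whether a given src/dst pair falls inside the leftsubnet/rightsubnet selectors, and an `audit_conn` function whose finding codes are this example's own. The sample text is a copy of the snippet above with the `right=yy.yy.yy.yy` placeholder kept as posted. One thing it makes concrete: a test packet sourced from the WAN address 192.168.8.2 does not match the selectors at all, which is the case `leftsourceip=` exists to avoid.

```python
"""Sanity-check a net-to-net Openswan conn section against its own selectors.

Added example: the parser below is a minimal ipsec.conf reader written for this
post, not Openswan's own, and the finding codes in audit_conn() are invented here.
"""
import ipaddress
import re

# Constructed sample: the conn from the post, 'right' placeholder kept as posted.
SAMPLE_CONF = """\
conn %default
    keyingtries=0
    authby=secret
    auto=add

conn TUNNEL
    leftsourceip=192.168.1.254
    left=192.168.8.2
    esp=3des-md5
    ikelifetime=1h
    pfsgroup=modp1024
    pfs=yes
    aggrmode=yes
    leftsubnet=192.168.1.0/24
    keylife=8h
    rightid=192.168.100.254
    leftid=192.168.1.254
    right=yy.yy.yy.yy
    leftnexthop=192.168.8.1
    auto=start
    rightsubnet=192.168.100.0/24
    ike=3des-md5-modp1024
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:  # 'config setup' etc. are ignored
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **params} for name, params in conns.items()}


def _net(value):
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def _addr(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:          # %any, %defaultroute, redacted placeholders
        return None


def in_tunnel(conn, src, dst):
    """True if a src->dst packet matches the conn's selectors in either direction."""
    ls, rs = _net(conn["leftsubnet"]), _net(conn["rightsubnet"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in ls and d in rs) or (s in rs and d in ls)


def audit_conn(conn):
    """Return (code, severity, message) findings; codes are this example's own."""
    findings = []
    ls, rs = _net(conn.get("leftsubnet", "")), _net(conn.get("rightsubnet", ""))
    if ls and rs and ls.overlaps(rs):
        findings.append(("subnet-overlap", "error",
                         f"leftsubnet {ls} overlaps rightsubnet {rs}"))
    for side, subnet in (("left", ls), ("right", rs)):
        gw, src = _addr(conn.get(side, "")), _addr(conn.get(side + "sourceip", ""))
        if subnet and gw and gw in subnet:
            findings.append(("gateway-in-subnet", "warn",
                             f"{side}={gw} lies inside {side}subnet={subnet}"))
        if subnet and src and src not in subnet:
            findings.append(("sourceip-outside-subnet", "error",
                             f"{side}sourceip={src} is not inside {side}subnet={subnet}"))
    if conn.get("aggrmode") == "yes" and conn.get("authby") == "secret":
        findings.append(("aggrmode-psk", "warn",
                         "aggressive mode with a PSK exposes a PSK-derived hash "
                         "to offline guessing; use main mode if the peer allows it"))
    algs = (conn.get("ike", "") + " " + conn.get("esp", "")).lower()
    if any(weak in algs for weak in ("3des", "md5", "modp1024")):
        findings.append(("weak-crypto", "warn",
                         "3DES/MD5/MODP-1024 are deprecated; keep only if the "
                         "appliance cannot negotiate anything stronger"))
    return findings


if __name__ == "__main__":
    tunnel = parse_conns(SAMPLE_CONF)["TUNNEL"]
    for code, sev, msg in audit_conn(tunnel):
        print(f"[{sev}] {code}: {msg}")
    print("LAN1->LAN2 selected:", in_tunnel(tunnel, "192.168.1.10", "192.168.100.20"))
    print("WAN->LAN2 selected: ", in_tunnel(tunnel, "192.168.8.2", "192.168.100.254"))
```

Run it on the real file with `parse_conns(open("/etc/ipsec.conf").read())`; a packet that `in_tunnel` rejects will never enter the SA, so a plain `ping` sourced from the wrong address is the first thing to exclude before suspecting the NAT routers.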