[Openswan Users] CentOS5 + Draytek 2820 pings only one way

Paul Overton paul at trusted-management.com
Fri Feb 15 11:07:42 EST 2013


Ah, looks like it.

I have assumed that you are using NetKey on the Centos machine. 

The issue, as far as my knowledge of IPsec goes, suggests that the sessions starting from your local server are possibly attempting to use the external rather than the internal IP address.

I know the sourceip works with KLIPS, but even then you can NAT the session to ensure the correct IP is passing down the tunnel.

You could do some tcpdumps to verify what is happening...

Regards Paul

-----Original Message-----
From: users-bounces at lists.openswan.org [mailto:users-bounces at lists.openswan.org] On Behalf Of John Crisp
Sent: 15 February 2013 12:33
To: users at lists.openswan.org
Subject: Re: [Openswan Users] CentOS5 + Draytek 2820 pings only one way

On 15/02/13 12:49, Paul Overton wrote:
> Have you specified the following on your Centos machine?
> 
> leftsourceip
>               the  IP  address  for this host to use when transmitting a packet to the other side of this
>               link. Relevant only locally, the other end need not agree. This option is used to make  the
>               gateway  itself use its internal IP, which is part of the leftsubnet, to communicate to the
>               rightsubnet or right. Otherwise, it will use its nearest IP address, which is its public IP
>               address.  This  option  is mostly used when defining subnet-subnet connections, so that the
>               gateways can talk to each other and the subnet at the other end, without the need to  build
>               additional host-subnet, subnet-host and host-host tunnels.
> 
> I have not tried this with Centos, but you never know.
> 

Hi Paul,

I think I got that right as per the config below:

L.C. is Left CentOS
R.D. is Right Draytek


Config is as below. I am pretty sure it is something to do with the CentOS/OpenSwan box not routing properly, but not sure how to get it right.

The Draytek has it figured out.

I know there are a lot of people using Drayteks and this config. Just me that can't figure it out!

B. Rgds
John


# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	klipsdebug=all
	plutodebug="control parsing"
	interfaces=%defaultroute
	myid=L.C.98.24
	nat_traversal=yes
	oe=no
	protostack=netkey
	syslog=syslog.debug
	virtual_private=%v4:10.0.0.0/24,%v4:192.168.99.0/24

conn net-to-net
	type=tunnel
	connaddrfamily=ipv4
	authby=secret
	auto=start
	compress=no
	ike=3des-sha1,des-md5
	phase2alg=3des-sha1,des-md5
	phase2=esp
	ikelifetime=3600s
	keyexchange=ike
	keylife=28800s
	keyingtries=%forever
	left=%defaultroute
	leftsourceip=192.168.99.1 # Server local address
	leftid=L.C.98.24          # Server public IP
	leftsubnet=192.168.99.0/24
	pfs=no
	dpdaction=restart
	right=R.D.128.243         # Router public IP
	rightid=R.D.128.243       # Router public IP
	rightsourceip=10.0.0.251  # Router local address
	rightsubnet=10.0.0.0/24
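One way to carry out the tcpdump/NAT check Paul suggests against John's config, as an added example that is not part of either post. With NetKey the kernel only encrypts a packet if it matches the out-direction xfrm policy, here 192.168.99.0/24 -> 10.0.0.0/24; a ping the gateway sources from its public address does not match and leaves in the clear, which gives exactly the "only one way" symptom. The addresses below are copied from the posted ipsec.conf (including the masked L.C./R.D. octets); the interface name eth0, the iptables SNAT rule and the sample `ip route get` lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): which source address does the
# CentOS/Openswan gateway put on packets it originates towards the Draytek
# LAN, and, if it is the public address, how to steer them into the tunnel.
#
# Addresses come from John's ipsec.conf as written.  eth0 is an assumption.

LEFT_SOURCEIP=192.168.99.1      # leftsourceip, gateway inside address
LEFT_PUBLIC=L.C.98.24           # leftid, gateway public address
RIGHT_SOURCEIP=10.0.0.251       # rightsourceip, Draytek inside address
RIGHT_SUBNET=10.0.0.0/24        # rightsubnet
RIGHT_PUBLIC=R.D.128.243        # right, Draytek public address
OUTSIDE_IF=eth0                 # assumption: the interface holding LEFT_PUBLIC

# Pull the "src" address out of one line of `ip route get` output, e.g.
# "10.0.0.251 via 203.0.113.1 dev eth0  src 192.168.99.1" (the CentOS 5
# iproute prints two spaces before "src").  Prints nothing if there is none.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p'
}

# Exit 0 if the kernel-chosen source is the inside address, so the packet
# matches the leftsubnet -> rightsubnet xfrm policy; exit 1 otherwise.
src_matches_tunnel() {
    [ "$(route_src "$1")" = "$LEFT_SOURCEIP" ]
}

# Paul's NAT workaround: rewrite gateway-originated packets bound for the
# far LAN to the inside address so they match the policy and get ESP'd.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
        "$LEFT_PUBLIC" "$RIGHT_SUBNET" "$LEFT_SOURCEIP"
}

# Live checks, run as root on the gateway:  sh check-tunnel-src.sh --live
if [ "${1:-}" = "--live" ]; then
    line=$(ip route get "$RIGHT_SOURCEIP" 2>/dev/null | head -n 1) || line=""
    echo "route: $line"
    if src_matches_tunnel "$line"; then
        echo "source is $LEFT_SOURCEIP: gateway packets will match the tunnel policy"
    else
        echo "source is not $LEFT_SOURCEIP: gateway packets bypass the tunnel; fix with:"
        snat_rule
    fi
    # The policy the packet has to match (expect "dir out" under this dst).
    ip xfrm policy | grep -A1 "dst $RIGHT_SUBNET" || true
    echo "watch the outside interface while pinging from the gateway:"
    echo "  ESP to $RIGHT_PUBLIC = went through the tunnel, plain ICMP = bypassed it"
    echo "  tcpdump -ni $OUTSIDE_IF host $RIGHT_PUBLIC and \\(esp or icmp\\)"
    echo "  ping -I $LEFT_SOURCEIP $RIGHT_SOURCEIP"
fi
```

Without `--live` the script only defines the helpers, so it can be sourced and checked offline. `ping -I 192.168.99.1` is the quick manual test: if that works while a plain `ping 10.0.0.251` from the gateway does not, the problem is source-address selection, which is what leftsourceip is meant to fix by having the updown script install a route to 10.0.0.0/24 carrying `src 192.168.99.1` (`ip route show | grep 10.0.0.0/24` shows whether it is there). The SNAT rule is the fallback if it is not.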


_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users