[Openswan Users] CentOS5 + Draytek 2820 pings only one way

Nick Howitt n1ck.h0w1tt at gmail.com
Fri Feb 15 11:45:40 EST 2013

In my firewall, supplied by ClearOS I have an extra rule in the nat 
table which translates to:

Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
  pkts bytes target     prot opt in     out source               
     0     0 ACCEPT     all  --  *      *              policy match dir out pol ipsec

You should not need to do anything with protocol 51 as it is not used 
with esp.

I am not sure iptables is the issue. In the 2820 LAN-LAN profile, is 
"From first subnet to remote network, you have to do" set to Route or 
NAT? It should be set to Route.

Answering other points, your leftsourceip looks OK. Because it is 
specified you do not need to set a source IP when pinging. It will 
happen anyway. Pings from CentOS will appear from leftsourceip rather 
than L.C.98.24.

BTW, in your config you have a lot of redundant stuff. I would get rid of:

ike and phase2alg will be negotiated to whatever you have set in the 
2820 (and I'd suggest, unless your CentOS Processor is anaemic, you use 
aes256,sha1,group14 and you also enable pfs in the advanced settings). 
The other settings are default or unnecessary. Unless you have changed 
the defaults in the 2820 you also have a mismatch of keylife and 
ikelifetime - they need to be reversed.



On 15/02/2013 12:33, John Crisp wrote:
> On 15/02/13 12:49, Paul Overton wrote:
>> Have you specified the following on your Centos machine?
>> leftsourceip
>>                the  IP  address  for this host to use when transmitting a packet to the other side of this
>>                link. Relevant only locally, the other end need not agree. This option is used to make  the
>>                gateway  itself use its internal IP, which is part of the leftsubnet, to communicate to the
>>                rightsubnet or right. Otherwise, it will use its nearest IP address, which is its public IP
>>                address.  This  option  is mostly used when defining subnet-subnet connections, so that the
>>                gateways can talk to each other and the subnet at the other end, without the need to  build
>>                additional host-subnet, subnet-host and host-host tunnels.
>> I have not tried this with Centos, but you never know.
> Hi Paul,
> I think I got that right as per the config below :
> L.C. is Left CentOS
> R.D. is Right Draytek
> Config is as below. I am pretty sure it is something to do with the
> CentOS/OpenSwan box not routing properly, but not sure how to get it right.
> The Draytek has it figured out.
> I know there are a lot of people using Drayteks and this config. Just
> me that can't figure it out !
> B. Rgds
> John
> # basic configuration
> config setup
> 	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
> 	klipsdebug=all
> 	plutodebug="control parsing"
> 	interfaces=%defaultroute
> 	myid=L.C.98.24
> 	nat_traversal=yes
> 	oe=no
> 	protostack=netkey
> 	syslog=syslog.debug
> 	virtual_private=%v4:,%v4:
> conn net-to-net
> 	type=tunnel
> 	connaddrfamily=ipv4
> 	authby=secret
> 	auto=start
> 	compress=no
> 	ike=3des-sha1,des-md5
> 	phase2alg=3des-sha1,des-md5
> 	phase2=esp
> 	ikelifetime=3600s
> 	keyexchange=ike
> 	keylife=28800s
> 	keyingtries=%forever
> 	left=%defaultroute
> 	leftsourceip= # Server local address
> 	leftid=L.C.98.24          # Server public IP
> 	leftsubnet=
> 	pfs=no
> 	dpdaction=restart
> 	right=R.D.128.243         # Router public IP
> 	rightid=R.D.128.243       # Router public IP
> 	rightsourceip=  # Router local address
> 	rightsubnet=
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
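The POSTROUTING rule quoted at the top of Nick's reply only protects tunnel traffic from being masqueraded if it sits before the NAT rule in the chain; an ordering mistake there is a classic cause of pings working in one direction only. The following checker is an added example, not code from the thread or from ClearOS/Openswan: it parses the shape of `iptables -t nat -L POSTROUTING -v -n` output and reports whether the `policy match dir out pol ipsec` ACCEPT rule precedes any NAT target. Both listings are constructed samples, and the 1000-based counter suffixes follow iptables' own -v formatting.

```python
import re

# Constructed listing in the shape of `iptables -t nat -L POSTROUTING -v -n`,
# with the policy-match ACCEPT placed before MASQUERADE (the correct order).
GOOD_LISTING = """\
Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
 pkts bytes target     prot opt in     out     source               destination
  142 11928 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
  812 61234 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
"""

# Same rules with MASQUERADE first: tunnel traffic is NATed before the
# exemption is ever reached, so the far side sees the wrong source address.
BAD_LISTING = """\
Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
 pkts bytes target     prot opt in     out     source               destination
  812 61234 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
"""

NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}


def counter(value):
    """Parse an iptables -v counter such as '812', '2505K' or '3M' into an int
    (iptables scales these by 1000, not 1024)."""
    m = re.fullmatch(r"(\d+)([KMG]?)", value)
    if not m:
        raise ValueError("bad counter: %r" % value)
    return int(m.group(1)) * {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}[m.group(2)]


def parse_rules(listing):
    """Turn the rule lines of a `-L -v -n` chain listing into dicts, in chain order."""
    rules = []
    for line in listing.splitlines()[2:]:  # skip the chain banner and column header
        tok = line.split()
        if len(tok) < 9:
            continue
        rules.append({
            "pkts": counter(tok[0]), "target": tok[2], "out": tok[6],
            "source": tok[7], "dest": tok[8], "extra": " ".join(tok[9:]),
        })
    return rules


def check_ipsec_nat_exemption(listing):
    """Verify that an ACCEPT rule matching 'policy ... dir out pol ipsec' sits
    before any NAT target in POSTROUTING. Returns (ok, reason)."""
    rules = parse_rules(listing)
    exempt = [i for i, r in enumerate(rules)
              if r["target"] == "ACCEPT" and "pol ipsec" in r["extra"] and "dir out" in r["extra"]]
    nat = [i for i, r in enumerate(rules) if r["target"] in NAT_TARGETS]
    if not exempt:
        return False, "no 'policy match dir out pol ipsec' ACCEPT rule in POSTROUTING"
    if nat and min(nat) < exempt[0]:
        return False, "NAT rule %d precedes the IPsec exemption at %d: tunnel traffic is NATed" % (
            min(nat) + 1, exempt[0] + 1)
    if rules[exempt[0]]["pkts"] == 0:
        # Correctly ordered but never hit: the tunnel may be down, or traffic
        # for the remote subnet is not reaching this host at all.
        return True, "exemption ordered correctly but has matched 0 packets"
    return True, "IPsec exemption precedes NAT"


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, check_ipsec_nat_exemption(listing))
```

On a live box, feed it the real output (`iptables -t nat -L POSTROUTING -v -n`) instead of the samples; a zero packet counter on a correctly placed exemption, as in the listing Nick pasted, is worth following up separately from the ordering question.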

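Nick's remarks on the pasted conn (lifetimes that look reversed relative to the router, pfs=no, weak ciphers, settings that merely restate Openswan defaults) can be turned into a small lint. This is an added example, not code from the thread or from the Openswan project. The sample file is constructed from the conn John posted; the peer lifetimes passed to the lint (28800s IKE, 3600s IPsec) are an assumption about the 2820's defaults drawn from Nick's "they need to be reversed", and the default-value table is taken from what ipsec.conf(5) documents for Openswan.

```python
import re

# Constructed sample modelled on the conn posted in the thread (placeholders kept as posted).
SAMPLE_CONF = """\
config setup
	interfaces=%defaultroute
	nat_traversal=yes
	protostack=netkey

conn net-to-net
	type=tunnel
	connaddrfamily=ipv4
	authby=secret
	auto=start
	compress=no
	ike=3des-sha1,des-md5
	phase2alg=3des-sha1,des-md5
	phase2=esp
	ikelifetime=3600s
	keyexchange=ike
	keylife=28800s
	keyingtries=%forever
	left=%defaultroute
	leftid=L.C.98.24          # Server public IP
	pfs=no
	dpdaction=restart
	right=R.D.128.243         # Router public IP
	rightid=R.D.128.243       # Router public IP
"""

# Openswan defaults per ipsec.conf(5); stating them explicitly is redundant.
OPENSWAN_DEFAULTS = {
    "type": "tunnel", "connaddrfamily": "ipv4", "compress": "no",
    "phase2": "esp", "keyexchange": "ike", "keyingtries": "%forever",
}
WEAK_ALGS = {"des", "3des", "md5"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Section headers ('config setup',
    'conn NAME') start in column 0; key=value lines are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop inline comments
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            current = parts[1] if parts[0] == "conn" else " ".join(parts)
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def seconds(value):
    """Parse an Openswan time value ('3600s', '8h', '1d') into seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def lint_conn(conn, peer_ike_lifetime, peer_ipsec_lifetime):
    """Findings for one conn: lifetime mismatch against the peer, PFS off,
    weak/legacy algorithms, and settings that just restate defaults."""
    findings = []
    ike = seconds(conn.get("ikelifetime", "1h"))   # Openswan default 1h
    sa = seconds(conn.get("keylife", "8h"))        # Openswan default 8h
    if ike != peer_ike_lifetime:
        findings.append("ikelifetime %ds does not match peer IKE lifetime %ds" % (ike, peer_ike_lifetime))
    if sa != peer_ipsec_lifetime:
        findings.append("keylife %ds does not match peer IPsec lifetime %ds" % (sa, peer_ipsec_lifetime))
    if conn.get("pfs", "yes").lower() == "no":
        findings.append("pfs=no: enable PFS here and in the router's advanced settings")
    for key in ("ike", "phase2alg"):
        for proposal in filter(None, conn.get(key, "").split(",")):
            weak = sorted(set(re.split(r"[-;]", proposal.lower())) & WEAK_ALGS)
            if weak:
                findings.append("%s=%s uses weak/legacy algorithms: %s" % (key, proposal, ", ".join(weak)))
    for key, default in OPENSWAN_DEFAULTS.items():
        if conn.get(key) == default:
            findings.append("%s=%s is the default and can be dropped" % (key, default))
    return findings


if __name__ == "__main__":
    for finding in lint_conn(parse_ipsec_conf(SAMPLE_CONF)["net-to-net"], 28800, 3600):
        print(finding)
```

Run against a real /etc/ipsec.conf with the lifetimes the router actually shows; a clean conn along the lines Nick suggests (aes256-sha1;modp2048, pfs=yes, lifetimes matching the peer) produces no findings.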