[Openswan Users] CentOS5 + Draytek 2820 pings only one way

John Crisp jcrisp at safeandsoundit.co.uk
Fri Feb 15 12:25:36 EST 2013


Hi Nick,

On 15/02/13 17:45, Nick Howitt wrote:
> In my firewall, supplied by ClearOS I have an extra rule in the nat
> table which translates to:
> 
> Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
> 

Can you tell me whereabouts this goes in your masq script?

> You should not need to do anything with protocol 51 as it is not used
> with esp.
> 

OK - I can remove that


> I am not sure iptables is the issue. In the 2820 LAN-LAN profile is
> "From first subnet to remote network, you have to do" set to Route or
> NAT. It should be set to Route.
> 

It is set to route. I have 4 of these with their own VPNs to each other.
The VPS is the 'odd one out'.

It is odd that the Draytek seems to know where to send packets. It's the
VPS server that has the struggle!


> Answering other points, your leftsourceip looks OK. Because it is
> specified you do not need to set a source IP when pinging. It will
> happen anyway. Pings from CentOS will appear from leftsourceip rather
> than L.C.98.24.
> 
> BTW, in your config you have a lot of redundant stuff. I would get rid of:
> %myid
> leftid
> rightid
> rightsourceip
> nat_traversal
> compress
> connaddrfamily
> ike
> phase2alg
> phase2
> keyexchange
> keyingtries
> 
> ike and phase2alg will be negotiated to whatever you have set in the
> 2820 (and I'd suggest, unless your CentOS Processor is anaemic, you use
> aes256,sha1,group14 and you also enable pfs in the advanced settings).
> The other settings are default or unnecessary. Unless you have changed
> the defaults in the 2820 you also have a mismatch of keylife and
> ikelifetime - they need to be reversed.
> 

Thanks for all that info - I shall clean it up accordingly and up the
encryption level. I managed to find one page that had some settings to
connect to a Draytek and I started from there.

Currently I have the Draytek dialling and connecting to the server. I
presume this is easier than the opposite way round?

Thanks for the help!

B. Rgds
John
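Added example (editor's, not part of the original thread or of ClearOS): the point of the `policy match dir out pol ipsec` ACCEPT rule Nick quotes is that it must be hit before any MASQUERADE/SNAT rule in nat POSTROUTING, otherwise packets bound for the tunnel get their source rewritten to the WAN address, no longer match the IPsec policy, and only one direction of the ping works. The script below parses the output of `iptables -t nat -L POSTROUTING -v -n` (two constructed listings are embedded, one with the rule in the wrong place and one in the right place) and reports whether the exemption precedes the NAT rule. Listing text, interface names and addresses are constructed sample data.

```python
"""Check rule order in nat POSTROUTING: the IPsec policy exemption must come
before MASQUERADE/SNAT.  Reads the text format of
`iptables -t nat -L POSTROUTING -v -n`; no live iptables needed."""

# Constructed sample: exemption appended AFTER masquerading (wrong order).
SAMPLE_WRONG = """\
Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
 pkts bytes target     prot opt in     out     source               destination
  512 40960 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
"""

# Constructed sample: exemption inserted at position 1 (right order).
SAMPLE_RIGHT = """\
Chain POSTROUTING (policy ACCEPT 13046 packets, 2505K bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  3108 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
  512 40960 MASQUERADE  all  --  *      eth0    192.168.1.0/24       0.0.0.0/0
"""


def parse_postrouting(listing):
    """Turn an `iptables -L -v -n` chain listing into a list of rule dicts.

    The nine fixed columns are pkts bytes target prot opt in out source
    destination; anything after that is match text (e.g. 'policy match ...').
    """
    rules = []
    for line in listing.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Chain") or stripped.startswith("pkts"):
            continue  # chain header and column header lines
        fields = stripped.split()
        if len(fields) < 9:
            continue  # not a rule line
        rules.append({
            "target": fields[2],
            "out": fields[6],
            "source": fields[7],
            "destination": fields[8],
            "extra": " ".join(fields[9:]),
        })
    return rules


def is_ipsec_exempt(rule):
    """ACCEPT rule using the policy match for outbound IPsec-protected traffic."""
    return rule["target"] == "ACCEPT" and "policy match dir out pol ipsec" in rule["extra"]


def is_nat(rule):
    return rule["target"] in ("MASQUERADE", "SNAT")


def ipsec_exempt_before_nat(listing):
    """Return (ok, reason) for the ordering of the chain in `listing`."""
    rules = parse_postrouting(listing)
    exempt = [i for i, r in enumerate(rules) if is_ipsec_exempt(r)]
    nat = [i for i, r in enumerate(rules) if is_nat(r)]
    if not nat:
        return True, "no MASQUERADE/SNAT rule in POSTROUTING; nothing to exempt from"
    if not exempt:
        return False, "no 'policy match dir out pol ipsec' ACCEPT rule: tunnel traffic will be NATed"
    if exempt[0] < nat[0]:
        return True, "IPsec exemption (rule %d) precedes NAT (rule %d)" % (exempt[0] + 1, nat[0] + 1)
    return False, "IPsec exemption (rule %d) comes after NAT (rule %d); move it up" % (
        exempt[0] + 1, nat[0] + 1)


if __name__ == "__main__":
    for name, listing in (("wrong", SAMPLE_WRONG), ("right", SAMPLE_RIGHT)):
        ok, reason = ipsec_exempt_before_nat(listing)
        print("%s: %s - %s" % (name, "OK" if ok else "PROBLEM", reason))
```

To use it on a real box, pipe the chain listing in (`iptables -t nat -L POSTROUTING -v -n`) and call `ipsec_exempt_before_nat()` on it. If the check reports the wrong order, inserting the exemption at the top of the chain with `iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT` before the masquerade rule is the usual fix; in a masq script that means placing it ahead of the MASQUERADE line. Note that the nat table only sees the first packet of each connection, so low packet counters on these rules are normal and not by themselves a sign that the rule is wrong.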


