[Openswan Users] Tunnel established but can't ssh or ping

TheCajun thecajun at nmia.com
Fri Feb 22 16:17:05 EST 2013


> Durwin,
> 
> OK, one more biggie I forgot to ask, since you changed your router: did you make sure that IPSEC passthru has been disabled on the new router? On some models it's not possible to disable it and you will be SOL. You may also have to do port forwarding of IP Proto 50 and UDP ports 4500 and 500 to the OpenSwan box depending on which end initiates the connection.
I could not find any way to disable pass through.  I did add forward
rules for those ports, but I guess it wouldn't work anyway unless pass
through is disabled.

So this Actiontec C1000A is designed for everyday users.  So why do they
even boast it has ipsec pass through if they do not do it right?

Anyone have suggestions on a replacement for Actiontec C1000A?  Or even
perhaps a real VPN router? (with reasonable price)

Thank you,

Durwin
> 
> It's like SIP, some routers you can't disable the SIP ALG and it royally screws up all your perfectly correct design as soon as it hits said device. You may have had a very rare router that actually did IPSEC passthru right and changed it for one that doesn't.
> 
> The remote subnet should be listed on p4p1 as long as that interface is the one the remote gateway is contactable on, I don't see a prob with that.
> 
> Further than this I don't think I can offer more help. But please check at both ends of the tunnel (not just the one with the new router) if any kind of IPSEC ALG or passthru or NAT or similar (ad infinitum) is enabled and just turn it off in preference for just port forwarding the correct ports and protocols to your gateways.
> 
> Cheers
> 
> Alex

-- 
reality.sys corrupted. universe halted. reboot (y/n)?

TheCajun <thecajun at nmia.com>
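
The symptom in this thread (tunnel established, no ping or ssh) can be checked from a packet capture on the gateway: IKE on UDP 500 completes, but ESP (IP protocol 50, or UDP 4500 with NAT-T) is seen leaving and never arriving. The script below is an added example, not part of the original message or of Openswan; the function names, verdict strings and the sample `tcpdump -n` lines with their addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed `tcpdump -n` output from the gateway's WAN interface.
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
16:10:01.000100 IP 203.0.113.5.500 > 192.0.2.10.500: isakmp: phase 1 I ident
16:10:01.040200 IP 192.0.2.10.500 > 203.0.113.5.500: isakmp: phase 1 R ident
16:10:02.100300 IP 203.0.113.5.500 > 192.0.2.10.500: isakmp: phase 2/others I oakley-quick[E]
16:10:02.140400 IP 192.0.2.10.500 > 203.0.113.5.500: isakmp: phase 2/others R oakley-quick[E]
16:10:05.000500 IP 192.0.2.10 > 203.0.113.5: ESP(spi=0x1a2b3c4d,seq=0x1), length 132
16:10:06.000600 IP 192.0.2.10 > 203.0.113.5: ESP(spi=0x1a2b3c4d,seq=0x2), length 132
"""

# src[.port] > dst[.port]: protocol summary
PKT = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?: (.*)")

def classify(payload):
    """Map tcpdump's protocol summary to 'ike', 'esp' or None."""
    if payload.startswith(("isakmp", "NONESP-encap: isakmp")):
        return "ike"   # UDP 500, or UDP 4500 carrying IKE
    if payload.startswith(("ESP(", "UDP-encap: ESP(")):
        return "esp"   # IP protocol 50, or NAT-T ESP on UDP 4500
    return None

def diagnose(capture, local_ip):
    """Count IKE/ESP packets per direction and name the likely fault."""
    seen = Counter()
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst, payload = m.groups()
        kind = classify(payload)
        if kind and local_ip in (src, dst):
            seen[(kind, "out" if src == local_ip else "in")] += 1
    if not seen[("ike", "in")]:
        verdict = "ike-inbound-blocked"   # UDP 500/4500 not reaching the gateway
    elif seen[("esp", "out")] and not seen[("esp", "in")]:
        verdict = "esp-inbound-blocked"   # tunnel negotiates, protected traffic is dropped on the way in
    elif seen[("esp", "in")] and seen[("esp", "out")]:
        verdict = "ok"
    else:
        verdict = "no-esp-seen"           # nothing tried to use the tunnel during the capture
    return {"counts": dict(seen), "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "192.0.2.10"))
```

Run the capture while pinging across the tunnel from the local side, and repeat it on the remote gateway, since the advice above is to check both ends.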


