[Openswan Users] site to site ipsec VPN. local endpoint replies with a host unreachable.

Michael Closson openswan-users at closson.ca
Tue Nov 26 01:17:08 UTC 2013

Hey Paul.  Thanks again for your time!

I sent an email earlier but I think I used a wrong sender address,
so it may not have made it onto the mailing list.

I was able to get it working by disabling the iptables masquerade feature
on the public interface. That is,

#-A POSTROUTING -o eth0 -j MASQUERADE  <<== comment out this line.

After making that change, the site to site VPN worked perfectly.
Seems that IP masquerading and openswan site-to-site are not compatible.
I suppose there is a good reason for it.  The code that is responsible for
doing the masquerade will have to be aware of which IP ranges are part of
an openswan tunnel, and not do the address translation on them. Muddies
the otherwise clean separation of responsibilities. Perhaps this is an
advantage of KLIPS over NETKEY.  With KLIPS there is a different interface
for the IP sec packets, so netfilter won't try to NAT those packets.

Thanks for your help.
Michael Closson

On Mon, Nov 25, 2013 at 12:02:44PM -0500, Paul Wouters wrote:
> On Sun, 24 Nov 2013, Michael Closson wrote:
> >After (on a whim) trying host to site VPN rather than site to site VPN, I can
> >confirm that ESP isn't being filtered.  See below for the details.
> >
> >The problem remains that the local VPN endpoint is generating a ICMP host
> >unreachable.
> >
> >Is there anyway I can enable some kernel level debugging?  I'll check and see
> >what google can suggest.
> Try this in /etc/sysctl.conf and run sysctl -p:
> net.ipv4.ip_forward = 1
> net.ipv6.conf.all.forwarding = 1
> #
> net.ipv4.conf.default.rp_filter = 0
> #
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> #
> net.ipv4.conf.default.log_martians = 1
> net.ipv4.conf.all.log_martians = 1
> Paul
> -- 
> Libreswan Developer - https://libreswan.org/
> Red Hat Security - http://people.redhat.com/pwouters/
> Personal Blog - https://nohats.ca/

More information about the Users mailing list