[Openswan Users] Testing a proper connection ikeping in both directions ?
Timo Veith
timo.veith at uni-tuebingen.de
Wed Feb 19 11:05:15 EST 2014
Hello openswan users,
I am trying to set up a VPN connection between a host and an internal
subnet. So far I have had no success and it is puzzling me.
I have tried openswan (RHEL6, openswan-2.6.32-27.el6) on the left and
strongswan (strongswan-5.1.1-4.fc20) on the right side.
"left" and "right" are in different lan segments, so there is a router
between them which I have no control over. The tunnel seems to get
established fine, but when I icmp ping into the subnet behind "right", I
get no reply.
I checked the packets with tcpdump on the machine that I have icmp
pinged. The machine sees them, and sends icmp replies back.
The "right" host sees esp packets coming from "left", then it sees its
own esp packets which it sends back to "left" and it also sees the icmp
replies.
The "left" host only sees esp packets going out to "right". So I am not
sure if this is a routing problem or not.
I found the "ipsec ikeping" command and would like to know, if the
network connection between the vpn hosts must be ikeping'able in both
directions or whether it is enough that the "client" side can ikeping
the "server" side?
I am asking this because it is not possible here at my setup to do this.
I can ikeping from the client to server but not vice versa. Could this
be the problem?
As I recognized that, I have set up another "left" host in the same lan
segment where "right" resides, and then icmp ping into the subnet behind
it worked. So it shouldn't be a problem between strongswan <-> openswan.
If not, where else can I look?
I also shut down iptables completely and checked the sysctl settings on both
hosts twice.
Thanks and kind regards
Timo