[Openswan Users] Testing a proper connection ikeping in both directions ?
timo.veith at uni-tuebingen.de
Wed Feb 19 11:05:15 EST 2014
Hello openswan users,
I am trying to setup a vpn connection between a host and internal
subnet. Until yet I had no success and it is puzzling me.
I have tried openswan (RHEL6, openswan-2.6.32-27.el6) on the left and
strongswan (strongswan-5.1.1-4.fc20) on the right side.
"left" and "right" are in different lan segments, so there is a router
between them which I have no control over it. The tunnel seems to get
established fine, but when I icmp ping into the subnet behind "right", I
get no reply.
I checked the packets with tcpump on the machine that I have icmp
pinged. The machine sees them, and sends icmp replies back.
The "right" host sees esp packets coming from "left", the it sees it's
own esp packets which it sends back to "left" and it also sees the icmp
The "left" host only sees esp packets going out to "right". So I am not
sure it this is a routing problem or not.
I found the "ipsec ikeping" command and would like to know, if the
network connection between the vpn hosts must be ikeping'able in both
directions or whether it is enough that the "client" side can ikeping
the "server" side?
I am asking this because it is not possible here at my setup to do this.
I can ikeping from the client to server but not vice versa. Could this
be the problem?
As I recognized that, I have setup another "left" host in the same lan
segment where "right" resides, and then icmp ping into the subnet behind
worked. So it shouldn't be problem between strongswan <-> openswan.
If not, where else can I look?
I also shut down iptables complety and check the sysctl settings on both
Thanks and kind regards
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4771 bytes
Desc: S/MIME Cryptographic Signature
More information about the Users