[Openswan Users] Tunnel up - packets sent thru - but no forwarding to target ! routing issue ?

Nick Howitt nick at howitts.co.uk
Fri Nov 21 04:44:05 EST 2014


So what firewall rules do you have in place for your tunnel?

Are you sure about leftsourceip? Should it not be the Openswan LAN IP
(172.31.6.249)? This setting only affects packets originating from the
openswan server and not passing through it.

Nick

On 2014-11-21 09:30, Gerhard Reuter wrote:
> Hi,
> 
> after adding "leftsourceip=54.93.190.54" to my /etc/ipsec.conf, I have
> now an advanced routing table
> 
> root at ip-172-31-6-249:~# netstat -rn
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         0.0.0.0         255.255.255.255 UH        0 0          0 lo
> 0.0.0.0         172.31.0.1      0.0.0.0         UG        0 0          0 eth0
> 10.161.62.59    0.0.0.0         255.255.255.255 UH        0 0          0 eth0
> 172.31.0.0      0.0.0.0         255.255.240.0   U         0 0          0 eth0
> 
> 10.161.62.59 is my client and this line was added now
> 
> Unfortunately the 2 issues are still there:
> 
> 000 "RWConn"[2]:
> 172.31.15.0/24===172.31.6.249<172.31.6.249>[@172.31.6.249,+XS+S=C]:17/1701...212.64.xxx.xxx[@,+MC+XC+S=C]:17/0===10.161.62.59/32;
> erouted; eroute owner: #2
> 
> Ping Packets from server 172.31.15.27 are reaching the Openswan
> (172.31.6.249) but are not sent into the tunnel
> 
> Ping Packets from client 10.161.62.59 are tunneled thru the
> Internet-VPN to the OpenSwan (172.31.6.249) but are not forwarded to
> the server 172.31.15.27
> 
> Openswan and the server are located at AWS. I disabled the
> "source/dest checking" for the OpenSwan and the Server and did the
> following settings on the OpenSwan:
> 
> sysctl -p
> net.ipv4.ip_forward = 1
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.rp_filter = 0
> net.ipv4.conf.default.accept_source_route = 1
> net.ipv4.conf.all.accept_source_route = 1
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.icmp_ignore_bogus_error_responses = 1
> root at ip-172-31-6-249:~#


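Added example, not part of either poster's message: the quoted sysctl listing sets only net.ipv4.conf.default.rp_filter, but the kernel applies the higher of conf.all.rp_filter and the per-interface value to each interface, and conf.default only seeds interfaces created later. The script below computes that effective value from sysctl-style text; the SAMPLE values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Effective reverse-path filtering for one interface, from "sysctl -a" text.

# Constructed sample: only the ip_forward and default.rp_filter lines match
# the thread; the all/eth0 values are assumptions for the demonstration.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1'

# get_key TEXT KEY -> value of KEY, or empty if the key is absent
get_key() {
    printf '%s\n' "$1" | awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }'
}

# effective_rp_filter TEXT IFACE
# Prints max(conf.all.rp_filter, conf.IFACE.rp_filter), which is what the
# kernel uses for source validation, or "unknown" if either key is missing.
effective_rp_filter() {
    all=$(get_key "$1" net.ipv4.conf.all.rp_filter)
    ifc=$(get_key "$1" "net.ipv4.conf.$2.rp_filter")
    if [ -z "$all" ] || [ -z "$ifc" ]; then
        echo unknown
        return 0
    fi
    if [ "$all" -gt "$ifc" ]; then echo "$all"; else echo "$ifc"; fi
}

# forwarding_report TEXT IFACE -> one-line summary of the forwarding switches
forwarding_report() {
    fwd=$(get_key "$1" net.ipv4.ip_forward)
    rpf=$(effective_rp_filter "$1" "$2")
    case "$rpf" in
        0) mode=off ;;
        1) mode=strict ;;
        2) mode=loose ;;
        *) mode=unknown ;;
    esac
    echo "ip_forward=${fwd:-unset} rp_filter($2)=$mode"
}

forwarding_report "$SAMPLE" eth0
# On a live gateway: forwarding_report "$(sysctl -a 2>/dev/null)" eth0
```

Fed only the lines from the quoted listing, the report gives rp_filter(eth0)=unknown, because the listing shows neither the all nor the eth0 value.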