[Openswan Users] Tunnel up - packets sent thru - but no forwarding to target ! routing issue ?
Gerhard Reuter
gerhard.reuter at bayer.com
Fri Nov 21 05:17:48 EST 2014
Hi Nick,
I can successfully "ping" the target-server directly from the Openswan
root at ip-172-31-6-249:~# ping 172.31.15.27
PING 172.31.15.27 (172.31.15.27) 56(84) bytes of data.
64 bytes from 172.31.15.27: icmp_seq=1 ttl=128 time=0.753 ms
64 bytes from 172.31.15.27: icmp_seq=2 ttl=128 time=0.661 ms
^C
--- 172.31.15.27 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.661/0.707/0.753/0.046 ms
root at ip-172-31-6-249:~#
"Only" if the source IP is from a "foreign" network (here: 10.161.62.59) does the packet not reach the destination. I allowed "ping" to the target now for all sources (just for my test). And I disabled "source/dest" checking at AWS.
I will open a ticket at AWS, because I think that these guys will know what I'm doing wrong.
What I still do not know and wanted to ask this community: Do you change the source IPs when the packets drop out of the tunnel at the destination? Or do you send them with a different source already? Or do you leave these IPs unchanged and switch the routing? Or is there no "best way" and it depends?
>> Are you sure about leftsourceip? Should it not be the Openswan LAN IP (172.31.6.249?). This setting only affects packets originating from the openswan server and not passing through it.
No, I'm not sure about anything :) - my first openswan-tunnel. I just found this option useful, because w/o this setting my routing table has no entry for 10.161.62.59
# netstat -rv
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default ip-172-31-0-1.e 0.0.0.0 UG 0 0 0 eth0
172.31.0.0 * 255.255.240.0 U 0 0 0 eth0
with this option:
netstat -rv
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default * 255.255.255.255 UH 0 0 0 lo
default ip-172-31-0-1.e 0.0.0.0 UG 0 0 0 eth0
ip-10-161-62-59 * 255.255.255.255 UH 0 0 0 eth0
172.31.0.0 * 255.255.240.0 U 0 0 0 eth0
A ping originated from the OpenSwan to my client results in:
root at ip-172-31-6-249:~# ping 10.161.62.59
PING 10.161.62.59 (10.161.62.59) 56(84) bytes of data.
From 54.93.190.54 icmp_seq=1 Destination Host Unreachable
From 54.93.190.54 icmp_seq=2 Destination Host Unreachable
From 54.93.190.54 icmp_seq=3 Destination Host Unreachable
^C
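One way to reason about the question raised above (rewrite the source address at the tunnel exit, or leave it and fix the routing) is to model the return path of the reply. This is an added example, not code from the original mail or from Openswan: the Openswan host's routes follow the netstat output in the mail, while the target host's routing table, the VPC router's tables and the route-entry format are constructed assumptions.

```python
import ipaddress

# Constructed routing tables as (prefix, gateway-or-None-for-on-link, interface).
TUNNEL_HOST = "172.31.6.249"          # Openswan instance (ip-172-31-6-249 in the mail)
OPENSWAN_ROUTES = [                    # mirrors the second netstat -rv output
    ("0.0.0.0/0", "172.31.0.1", "eth0"),
    ("172.31.0.0/20", None, "eth0"),
    ("10.161.62.59/32", None, "eth0"),
]
TARGET_ROUTES = [                      # assumption: a plain VPC instance, default route only
    ("0.0.0.0/0", "172.31.0.1", "eth0"),
    ("172.31.0.0/20", None, "eth0"),
]
# Assumption: VPC route table without / with an entry sending the remote LAN to the tunnel host.
VPC_NO_RETURN_ROUTE = [("172.31.0.0/16", None, "local")]
VPC_WITH_RETURN_ROUTE = [("172.31.0.0/16", None, "local"),
                         ("10.161.62.0/24", TUNNEL_HOST, "eni")]


def lookup(routes, dst):
    """Longest-prefix match; returns (gateway, iface) or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else best[1:]


def return_path_reaches_tunnel(src, target, target_routes, vpc_routes, snat=False):
    """Does the target's reply get back to the tunnel host?

    src is the remote-LAN client, target the VPC host it pinged. With snat=True the
    tunnel host rewrote the source to its own address, so the reply is addressed to it.
    """
    if lookup(OPENSWAN_ROUTES, target) is None:   # forward path must exist first
        return False
    reply_dst = TUNNEL_HOST if snat else src
    hop = lookup(target_routes, reply_dst)
    if hop is None:
        return False
    gw, _ = hop
    if gw is None:                                # on-link: delivered directly
        return reply_dst == TUNNEL_HOST
    # Off-link: the VPC router must know to hand the reply to the tunnel host.
    vhop = lookup(vpc_routes, reply_dst)
    return vhop is not None and vhop[0] == TUNNEL_HOST
```

With the constructed tables, the unrewritten reply to 10.161.62.59 is lost at the VPC router unless a route for the remote LAN points at the tunnel instance, whereas SNAT on the tunnel host makes the reply on-link and succeeds without any VPC route change.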