[Openswan Users] VPN tunnel up but traffic will not pass

Peter McGill petermcgill at goco.net
Tue Oct 14 09:52:16 EDT 2014


> Hi guys, I have phase 1 and 2 up on both sides. Logs look good. But I
> cannot ping from either end.
> One side is openswan, the other is Juniper firewall.

> Traceroute from the juniper to the internal address shows the first hop
> failing, traceroute from openswan shows the traffic going out into the
> realms of the internet. It would appear openswan is not routing the traffic
> correctly. Juniper has permit any any rules on all interfaces.

Going out the internet interface would be normal on netkey, which appears to
be what you're using.

> conn netconn7
>         ...
>         auto=add

Are you sure the tunnel is up at the start? Are you manually starting it?

Try auto=start to automatically start the tunnel; add simply makes it
available for external or manual initiation.

> Ok update. Seems I can ping in both directions only if I initiate a ping
> from the openswan LAN side first. So ipsec sa is showing as up on both ends.
> Continuous ping running from juniper LAN side is running and failing; as soon
> as a single ping from openswan side is run the continuous ping starts to work.
> Any ideas on how to fix it so either side can ping first??

It's your firewall rules (iptables): you're not allowing traffic from the
other LAN.
You need to allow both 192.168.10.0/24 and 192.168.1.0/24 before your deny
all statements.

It works if you ping first from openswan because the outbound ping is not
blocked and the return is matched by established and gets through.

Peter
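As an added illustration of the iptables fix Peter describes (this script is not from the thread or from the Openswan project): FORWARD rules that let either LAN initiate traffic, inserted ahead of the deny-all, matching on the IPsec policy because with NETKEY the tunnelled packets traverse the internet interface rather than a tunnel device. It assumes 192.168.1.0/24 is behind openswan and 192.168.10.0/24 behind the Juniper (the thread names both subnets but not which is which); set IPT=echo to dry-run.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumed layout: LEFT_LAN behind openswan (NETKEY), RIGHT_LAN behind the
# Juniper, and a FORWARD chain that ends in a deny-all rule.
set -eu

IPT="${IPT:-iptables}"            # IPT=echo prints the rules instead of loading them
LEFT_LAN="${LEFT_LAN:-192.168.1.0/24}"
RIGHT_LAN="${RIGHT_LAN:-192.168.10.0/24}"

# Insert (-I) rather than append so they land above the deny-all. On NETKEY the
# decrypted packets re-enter FORWARD on the internet interface, so match on the
# IPsec policy (xt_policy) instead of an interface name.
vpn_forward_rules() {
    # Return traffic for anything already permitted (this is why pinging from the
    # openswan side first "worked": only the reply direction was allowed).
    $IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Juniper LAN -> openswan LAN: packets that arrived decrypted from the tunnel.
    $IPT -I FORWARD 2 -s "$RIGHT_LAN" -d "$LEFT_LAN" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    # openswan LAN -> Juniper LAN: packets that will be encrypted on the way out.
    $IPT -I FORWARD 3 -s "$LEFT_LAN" -d "$RIGHT_LAN" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# Verify the inbound rule is present; iptables -C exits non-zero if it is missing.
vpn_inbound_rule_present() {
    $IPT -C FORWARD -s "$RIGHT_LAN" -d "$LEFT_LAN" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT 2>/dev/null
}

# Dry-run helper: number of FORWARD rules the function would load.
count_vpn_rules() {
    ( IPT=echo; vpn_forward_rules ) | grep -c 'FORWARD'
}
```

Run the dry run first (`IPT=echo sh vpn-forward.sh`) and compare the printed rules with `iptables -L FORWARD -n --line-numbers` to confirm they sit above the deny-all.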
