[Openswan Users] OpenSwan tunnel established but traffic not routing over tunnel

Steve MacDougall smacdougall at bluepay.ca
Wed Aug 3 10:14:45 EDT 2016

I have a tunnel to a remote Cisco router that was working fine up until
 last weekend. On Openswan I can see that the tunnel is established:

000 "***************":   erouted; eroute owner: #124963
000 "***************":     myip=unset; hisip=unset;
000 "***************":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "***************":   policy:
interface: eth0:1;
000 "***************":   newest ISAKMP SA: #124962; newest IPsec SA:
000 "***************":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "***************":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
000 "***************":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "***************":   ESP algorithm newest: 3DES_000-HMAC_SHA1;
000 #124963: "***************":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27926s; newest IPSEC; eroute owner; isakmp#124962; idle; import:admin initiate
000 #124963: "***************" esp.bad46993@xxx.xxx.219.57 esp.70a6776f@xxx.xxx.82.4 tun.0@xxx.xxx.219.57 tun.0@xxx.xxx.82.4 ref=0
000 #124962: "***************":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2925s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

Here's some output from 'ip xfrm policy list'. One item stands out: the
traffic to dport 11350 is the traffic I'm trying to send over the tunnel.

src xxx.xxx.82.30/32 dst xxx.xxx.221.0/24
        dir out priority 2088
        tmpl src xxx.xxx.82.4 dst xxx.xxx.219.57
                proto esp reqid 38417 mode tunnel
src xxx.xxx.221.0/24 dst xxx.xxx.82.30/32
        dir fwd priority 2088
        tmpl src  dst xxx.xxx.82.4
                proto esp reqid 38417 mode tunnel
src xxx.xxx.221.0/24 dst xxx.xxx.82.30/32
        dir in priority 2088
        tmpl src xxx.xxx.219.57 dst xxx.xxx.82.4
                proto esp reqid 38417 mode tunnel
src xxx.xxx.82.30/32 dst xxx.xxx.221.253/32 proto tcp
        dir out priority 2080
src xxx.xxx.82.30/32 dst xxx.xxx.221.253/32 proto tcp sport 42416 dport 11350
        dir out action block priority 2080

I've been able to confirm that the traffic destined for xxx.xxx.221.253/32
is hitting the default gateway of the VPN server, rather than going through
the tunnel.

I'm guessing this block policy might be the source of my troubles, but
where would it be getting this from? I checked /etc/ipsec.d/policies/block
and this file is blank.


Steve MacDougall

Sr. Systems/Network Administrator

647.258.3704 Direct

289.924.1086 Mobile

smacdougall at bluepay.ca
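An added diagnostic for the question above (example code written for this page, not part of the original post or of Openswan): it parses the text output of `ip xfrm policy list` and reports, for a given flow, which policies match and in what order the kernel prefers them. Linux xfrm applies the matching policy with the lowest priority number; a matching policy with no template passes the packet in the clear, one with `action block` drops it, and when two matches share a priority the kernel decides by installation order, which a listing does not show, so the code flags that as a tie instead of guessing. The sample listing is constructed to mirror the post's, with RFC 5737 documentation addresses in place of the redacted ones; the script name `xfrm_shadow.py` in the usage line is an assumption.

```python
"""Which xfrm policy wins for a flow, and does it shadow the tunnel policy?

Added example for the post above; not code from the post or from Openswan.
Parses the text output of `ip xfrm policy list`.
"""
import ipaddress
import sys
from dataclasses import dataclass, field
from typing import Optional

# Constructed listing mirroring the post, with RFC 5737 documentation
# addresses standing in for the redacted ones.
SAMPLE_LISTING = """\
src 198.51.100.30/32 dst 192.0.2.0/24
    dir out priority 2088
    tmpl src 198.51.100.4 dst 203.0.113.57
        proto esp reqid 38417 mode tunnel
src 192.0.2.0/24 dst 198.51.100.30/32
    dir fwd priority 2088
    tmpl src 0.0.0.0 dst 198.51.100.4
        proto esp reqid 38417 mode tunnel
src 192.0.2.0/24 dst 198.51.100.30/32
    dir in priority 2088
    tmpl src 203.0.113.57 dst 198.51.100.4
        proto esp reqid 38417 mode tunnel
src 198.51.100.30/32 dst 192.0.2.253/32 proto tcp
    dir out priority 2080
src 198.51.100.30/32 dst 192.0.2.253/32 proto tcp sport 42416 dport 11350
    dir out action block priority 2080
"""

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "esp": 50}


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""
    priority: int = 0
    action: str = "allow"          # "allow" unless the dir line says "action block"
    proto: Optional[int] = None    # None = any protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    templates: list = field(default_factory=list)  # tmpl dicts; empty = pass in clear

    def matches(self, src, dst, proto, sport, dport, direction):
        return (self.direction == direction
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in (None, proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

    def describe(self):
        if self.action == "block":
            return "dropped (action block)"
        if not self.templates:
            return "sent in the clear (no template)"
        return "encapsulated in ESP to " + self.templates[0]["dst"]


def _proto_number(name):
    if name is None:
        return None
    return int(name) if name.isdigit() else PROTO_NUMBERS[name]


def _pairs(tokens):
    """'dir out action block priority 2080' -> {'dir': 'out', 'action': 'block', ...}"""
    return dict(zip(tokens[::2], tokens[1::2]))


def parse_policies(text):
    """Parse `ip xfrm policy list` output into Policy records, in listing order."""
    policies = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "src":                      # selector line opens a policy
            kv = _pairs(tok)
            policies.append(Policy(
                src=ipaddress.ip_network(kv["src"], strict=False),
                dst=ipaddress.ip_network(kv["dst"], strict=False),
                proto=_proto_number(kv.get("proto")),
                sport=int(kv["sport"]) if "sport" in kv else None,
                dport=int(kv["dport"]) if "dport" in kv else None))
        elif tok[0] == "dir":                    # direction, optional action, priority
            kv = _pairs(tok)
            p = policies[-1]
            p.direction, p.priority = kv["dir"], int(kv["priority"])
            p.action = kv.get("action", "allow")
        elif tok[0] == "tmpl":                   # template = the SA the packet must use
            policies[-1].templates.append(_pairs(tok[1:]))
        elif tok[0] == "proto" and policies[-1].templates:
            policies[-1].templates[-1].update(_pairs(tok))  # "proto esp reqid N mode tunnel"
    return policies


def diagnose(policies, src, dst, proto, sport, dport, direction="out"):
    """Report which policy the kernel applies to the flow and whether it
    shadows a tunnel policy. Lowest priority number wins; ties are decided
    by installation order, which a listing does not show, so they are flagged."""
    hits = sorted((p for p in policies
                   if p.matches(src, dst, proto, sport, dport, direction)),
                  key=lambda p: p.priority)      # stable sort keeps listing order on ties
    if not hits:
        return {"outcome": "no matching policy: routed in the clear",
                "matches": [], "tunnel_shadowed": False, "tie": False}
    best = hits[0]
    tunnel = next((p for p in hits if p.templates and p.action != "block"), None)
    return {
        "outcome": best.describe(),
        "matches": [p.describe() for p in hits],
        "tunnel_shadowed": tunnel is not None and tunnel is not best,
        "tie": len(hits) > 1 and hits[1].priority == best.priority,
    }


if __name__ == "__main__":
    # Usage: ip xfrm policy list | python3 xfrm_shadow.py SRC DST PROTO SPORT DPORT
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    args = sys.argv[1:] or ["198.51.100.30", "192.0.2.253", "tcp", "42416", "11350"]
    src, dst, proto, sport, dport = args
    result = diagnose(parse_policies(listing), src, dst,
                      _proto_number(proto), int(sport), int(dport))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed listing, the flow from the post (tcp, sport 42416, dport 11350) matches three policies: the tunnel policy at 2088 and two at 2080, one with no template and one with `action block`. Either 2080 entry beats the tunnel, so the tunnel is shadowed whichever of the two the kernel chose; a flow to another host in the /24 matches only the tunnel policy and is reported as encapsulated.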