<div>Hi,</div><div><br></div><div>we have openswan running on our network's gateway and correctly negotiating the tunnels. Here's how we are configuring it:</div>
<pre>conn csq
    type=tunnel
    left=90.45.241.242 # left is our side
    leftsubnets={90.45.241.242/32,90.45.110.60/32}
    right=33.99.102.36
    rightsubnet=192.168.1.6/32
    authby=secret
    keyexchange=ike
    ikelifetime=24h
    ike=3des-md5;modp1024
    phase2=esp
    phase2alg=3des-md5;modp1024
    salifetime=24h
    auto=add
</pre>
<div><br></div><div>The gateway has two interfaces (90.45.110.1 and 90.45.241.242) configured to do IP forwarding and there are no related iptables rules. All IPs on the network are publicly accessible.</div>
<div><br></div><div>Our problem is that, while we can ping the machine on the other side from our gateway just fine, the other machine in our subnet (90.45.110.60) is apparently not being routed through one of the established tunnels but is instead provoking the negotiation of a new tunnel in its name. This fails because on the other side, only the gateway is authorized to be an IKE peer. What could be wrong in our configuration?</div>
<div><br></div><div>I'm attaching some outputs that might be useful:</div><div><br></div><div>This is the output from tcpdump on the gateway's external interface when we start a ping from our other machine:</div>
<div><br></div>
<pre>09:41:07.444918 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 292)
    90.45.110.60.isakmp > 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 9ac0140efc0921e3->0000000000000000: phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash value=sha1)(type=group desc value=modp1024))))
    (ke: key len=128)
    (nonce: n len=16 data=(aff2b8326d0e86135e40...00000014afcad71368a1f1c96b8696fc77570100))
    (id: idtype=IPv4 protoid=udp port=500 len=4 90.45.110.60)
    (vid: len=16)
09:41:07.511314 IP (tos 0x0, ttl 239, id 19841, offset 0, flags [none], proto UDP (17), length 376)
    33.99.102.36.isakmp > 90.45.110.60.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 9ac0140efc0921e3->3c7cc2a83564f6d4: phase 1 R agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
    (ke: key len=128)
    (nonce: n len=20 data=(860c9a70bf2268a936be...000000141f07f70eaa6514d3b0fa96542a500100))
    (id: idtype=IPv4 protoid=udp port=0 len=4 33.99.102.36)
    (hash: len=20)
    (vid: len=16)
    (vid: len=8)
    (vid: len=20)
    (vid: len=16)
09:41:07.518286 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 96)
    90.45.110.60.isakmp > 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0 msgid bf1cb318 cookie 9ac0140efc0921e3->3c7cc2a83564f6d4: phase 2/others I inf[E]: [encrypted hash]
</pre>
<div><br></div><div>The next packet is again like the first one.</div><div><br></div>
<pre># ip xfrm policy
src 90.45.241.242/32 dst 192.168.1.6/32
        dir out priority 2080 ptype main
        tmpl src 90.45.241.242 dst 33.99.102.36
                proto esp reqid 16385 mode tunnel
src 90.45.110.60/32 dst 192.168.1.6/32
        dir out priority 2080 ptype main
        tmpl src 90.45.241.242 dst 33.99.102.36
                proto esp reqid 16389 mode tunnel
src 192.168.1.6/32 dst 90.45.241.242/32
        dir fwd priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16385 mode tunnel
src 192.168.1.6/32 dst 90.45.241.242/32
        dir in priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16385 mode tunnel
src 192.168.1.6/32 dst 90.45.110.60/32
        dir fwd priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16389 mode tunnel
src 192.168.1.6/32 dst 90.45.110.60/32
        dir in priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16389 mode tunnel
</pre>
<div><br></div>
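<div>The two outputs in the post can be checked mechanically before anyone touches the configuration. The following Python 3 script is an added example, not something from the post or from openswan: it parses the posted <code>ip xfrm policy</code> listing and the ISAKMP summary lines of the posted tcpdump capture (both embedded below, copied from the post), then reports whether every outbound policy for a <code>leftsubnets</code> host points its tunnel template at the gateway, which addresses actually appear as IKE initiators on the external interface, and which of those initiator packets carry a TTL lower than the sender default (the assumption here is the Linux default of 64; a packet the gateway sends itself would still have that value, so a lower TTL on the gateway's own interface marks a packet it forwarded rather than originated). On the posted data the kernel policies all carry the gateway as <code>tmpl src</code>, and the only IKE initiator seen is 90.45.110.60 with TTL 63, which is the kind of distinction a practitioner wants before deciding whether the gateway's policy or something on the host behind it is responsible.</div>

```python
import re
from dataclasses import dataclass

# Values taken from the post: 'left' is the gateway; 90.45.110.60 is the
# second leftsubnets entry that should be using the gateway's tunnel.
GATEWAY = "90.45.241.242"
LINUX_DEFAULT_TTL = 64  # assumption: the sender uses the Linux default TTL

# "ip xfrm policy" output copied from the post (a subset; the parser handles
# the full listing unchanged).
XFRM_POLICY = """\
src 90.45.241.242/32 dst 192.168.1.6/32
        dir out priority 2080 ptype main
        tmpl src 90.45.241.242 dst 33.99.102.36
                proto esp reqid 16385 mode tunnel
src 90.45.110.60/32 dst 192.168.1.6/32
        dir out priority 2080 ptype main
        tmpl src 90.45.241.242 dst 33.99.102.36
                proto esp reqid 16389 mode tunnel
src 192.168.1.6/32 dst 90.45.110.60/32
        dir in priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16389 mode tunnel
"""

# IP header and ISAKMP summary lines copied from the post's tcpdump capture.
TCPDUMP = """\
09:41:07.444918 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 292)
    90.45.110.60.isakmp > 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 9ac0140efc0921e3->0000000000000000: phase 1 I agg:
09:41:07.511314 IP (tos 0x0, ttl 239, id 19841, offset 0, flags [none], proto UDP (17), length 376)
    33.99.102.36.isakmp > 90.45.110.60.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 9ac0140efc0921e3->3c7cc2a83564f6d4: phase 1 R agg:
09:41:07.518286 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 96)
    90.45.110.60.isakmp > 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0 msgid bf1cb318 cookie 9ac0140efc0921e3->3c7cc2a83564f6d4: phase 2/others I inf[E]: [encrypted hash]
"""


@dataclass
class Policy:
    src: str
    dst: str
    direction: str
    tmpl_src: str
    tmpl_dst: str
    reqid: int


@dataclass
class IkeMsg:
    src: str
    dst: str
    phase: str
    role: str   # "I" initiator or "R" responder
    mode: str   # exchange type as printed by tcpdump, e.g. "agg", "inf"
    ttl: int


def parse_xfrm_policy(text):
    """Parse 'ip xfrm policy' output into Policy records."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            cur = {"src": m.group(1), "dst": m.group(2)}
            policies.append(cur)
        elif line.startswith("dir "):
            cur["direction"] = line.split()[1]
        elif line.startswith("tmpl "):
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
        elif line.startswith("proto "):
            cur["reqid"] = int(re.search(r"reqid (\d+)", line).group(1))
    return [Policy(**p) for p in policies]


def parse_isakmp(text):
    """Pair each tcpdump IP header line with the ISAKMP summary line after it."""
    msgs, ttl = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if " IP (" in line:                       # header line carries the TTL
            ttl = int(re.search(r"\bttl (\d+)", line).group(1))
            continue
        m = re.match(r"(\S+)\.isakmp > (\S+)\.isakmp: .*phase (\S+) (I|R) (\w+)", line)
        if m:
            msgs.append(IkeMsg(m.group(1), m.group(2), m.group(3), m.group(4), m.group(5), ttl))
    return msgs


def diagnose(policies, msgs, gateway=GATEWAY):
    """Answer the questions a gateway admin would ask of these two outputs."""
    # 1. Every outbound policy should send traffic through a tunnel whose
    #    endpoint (tmpl src) is the gateway; list any that do not.
    bad_tmpl = sorted(p.src for p in policies
                      if p.direction == "out" and p.tmpl_src != gateway)
    # 2. Only the gateway is expected to initiate IKE; list other initiators.
    initiators = sorted({m.src for m in msgs if m.role == "I"})
    stray = [ip for ip in initiators if ip != gateway]
    # 3. An initiator packet with TTL below the sender default was forwarded by
    #    the gateway, not generated on it.
    forwarded = sorted({m.src for m in msgs
                        if m.role == "I" and m.ttl is not None and m.ttl < LINUX_DEFAULT_TTL})
    # 4. Record the phase 1 exchange type actually seen on the wire.
    phase1_modes = sorted({m.mode for m in msgs if m.phase == "1"})
    return {
        "out_policy_tmpl_not_gateway": bad_tmpl,
        "non_gateway_ike_initiators": stray,
        "forwarded_ike_initiators": forwarded,
        "phase1_modes": phase1_modes,
    }


if __name__ == "__main__":
    report = diagnose(parse_xfrm_policy(XFRM_POLICY), parse_isakmp(TCPDUMP))
    for key, value in report.items():
        print(f"{key}: {value}")
```

<div>Run it as-is to see the report for the posted data; to apply it to a live gateway, feed it the output of <code>ip xfrm policy</code> and of a tcpdump filter on UDP port 500 taken on the external interface. The TTL heuristic assumes the default TTL named in the script and is only meaningful for captures taken on the gateway itself.</div>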