ipsec-tools/racoon/ipsec routing problem
james at jamesmcdonald.id.au
Mon Jul 28 05:08:43 PDT 2008
> On Sat, Jul 19, 2008, James McDonald wrote:
>> Bill Campbell wrote:
>>> I have been trying to get ipsec connecting various CentOS 5.1
>>> systems, and gotten things working -- almost with some help from
>>> people on a CentOS mailing list. The issue I have now is that it
>>> appears that the tunnel between the systems is complete, and I
>>> can ping and connect with ssh from one machine to the other, but
>>> not the other way around.
>>>
> ...
>>> Can anybody on this august list shed some light on this?
> ..
>> Bill, I have just been through this whole thing myself. I had to insert
>> some nat rules to stop the NAT working for the source and destination
>> subnets.
>>
> FWIW, I appreciate the help on this, but these things did not
> help. I tried several options earlier this week, and can see
> IPSec traffic with tcpdump, but it just disappears into the
> kernel never to reappear.
>
> I suspect this may have something to do with one side being a
> machine running VMware virtual machines as I was able to get it
> half-way working between a couple of machines which did not have
> VMware on them. There was still a problem on that one, but it
> may have been a routing conflict with the OpenVPN that was
> running on one side of the connection.
I found the whole process of getting IPSec working frustrating.
I spent a lot of time running setkey, tcpdump -i eth0 -n host <hostname>
and iptables -t X -L -n and trying to understand what was happening. I,
like you, found the disappear-into-the-kernel thing *&*()& annoying.
The routing is weird as well; it seems as soon as you set the setkey policies
it automagically knows how to forward things from the local LAN to the
remote LAN... but to get the IPSec gateway itself to forward packets to
the remote LAN you need to specify that any packets from the gateway
headed to the remote LAN are to be forwarded via the gateway's internal
interface, otherwise the policy isn't triggered and you get disappearing
packets.
I think you are right. VMware or anything that does kernel boo-hickery
will probably bork the setup.
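The routing quirk described above, as an added example (written for this page; it is not code from the thread, from racoon, or from the setkey documentation). The SPD selectors are written in terms of the two LANs, so a transit packet from a LAN host already carries a matching source address, while a packet the gateway originates itself gets its source address from the route that matches the destination: with only a default route that is the external address, which no selector covers. Pinning a route for the remote LAN to the internal interface changes the preferred source to the inner address and the policy fires. The addresses, interface names, and the exact `ip route` form below are constructed assumptions; the script emits the setkey policies and the route command and models the source-selection rule so the effect can be checked offline.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses, interface names and the
# exact form of the route are constructed assumptions for illustration.

LOCAL_LAN=192.168.10.0/24      # LAN behind this gateway
REMOTE_LAN=192.168.20.0/24     # LAN behind the peer
LOCAL_GW=203.0.113.1           # this gateway's external address
REMOTE_GW=198.51.100.1         # peer's external address
INNER_IF=eth1                  # this gateway's LAN-facing interface
LOCAL_GW_INNER=192.168.10.1    # its address on that interface

# Dotted quad -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: succeed if ADDR lies inside NET/PREFIX.
in_cidr() {
  _addr=$(ip2int "$1"); _net=$(ip2int "${2%/*}"); _bits=${2#*/}
  _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
  [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# The SPD that makes LAN-to-LAN traffic take the tunnel (setkey syntax).
setkey_spd_conf() {
  cat <<EOF
spdflush;
spdadd $LOCAL_LAN $REMOTE_LAN any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_LAN $LOCAL_LAN any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# The "out" selector above, as a predicate on a packet SRC -> DST.
spd_out_matches() {
  in_cidr "$1" "$LOCAL_LAN" && in_cidr "$2" "$REMOTE_LAN"
}

# Source address the gateway picks for its own packet to DST. Linux takes the
# preferred source from the route that matches DST: with only a default route
# that is the external address; with a route for REMOTE_LAN pinned to the
# inner interface it is the inner address. Second arg: is that route present?
gateway_source_for() {
  if [ "$2" = yes ] && in_cidr "$1" "$REMOTE_LAN"; then
    echo "$LOCAL_GW_INNER"
  else
    echo "$LOCAL_GW"
  fi
}

# Fate of a gateway-originated packet to DST ("ipsec" or "unprotected"),
# given whether the inner-interface route exists (yes/no).
gateway_packet_fate() {
  _src=$(gateway_source_for "$1" "$2")
  if spd_out_matches "$_src" "$1"; then echo ipsec; else echo unprotected; fi
}

# The route the post describes: send the gateway's own traffic for the remote
# LAN via the internal interface so its source becomes the inner address.
route_fix_cmd() {
  echo "ip route add $REMOTE_LAN dev $INNER_IF src $LOCAL_GW_INNER"
}

demo() {
  echo "# /etc/setkey.conf"; setkey_spd_conf
  echo "# transit packet from a LAN host already matches the policy:"
  spd_out_matches 192.168.10.50 192.168.20.5 && echo "#   192.168.10.50 -> 192.168.20.5: ipsec"
  echo "# gateway-originated packet, default route only: $(gateway_packet_fate 192.168.20.5 no)"
  echo "# after: $(route_fix_cmd)"
  echo "# gateway-originated packet: $(gateway_packet_fate 192.168.20.5 yes)"
  echo "# verify on the box with: ip route get 192.168.20.5 ; setkey -DP"
}
demo
```

On a real gateway the two commands to confirm the model are `ip route get <remote LAN host>`, which prints the `src` the kernel would pick, and `setkey -DP`, which dumps the installed SPD so the selector can be compared against that source. If the `src` shown is the external address and no policy covers it, the packet leaves the xfrm lookup untouched, which is the "disappearing" behaviour the thread complains about.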