
When I run the command ipsec auto status I get the following output:

......           
172.16.255.1/32===104.131.13.155<104.131.13.155>:17/1701...41.203.65.124<41.203.65.124>===10.100.108.51/32; erouted; eroute owner: #13
.......
000 #13: "globacom-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2243s; newest IPSEC; eroute owner; isakmp#10; idle; import:admin initiate
000 #13: "globacom-vpn" esp.e5adc724@41.203.65.124 esp.7b33a369@104.131.13.155 tun.0@41.203.65.124 tun.0@104.131.13.155 ref=0 refhim=4294901761
000 #10: "globacom-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 79407s; newest ISAKMP; lastdpd=10s(seq in:15699 out:0); idle; import:admin initiate
000

service ipsec status

IPsec running  - pluto pid: 14150
pluto pid 14150
1 tunnels up
some eroutes exist

ip xfrm policy

src 172.16.255.1/32 dst 10.100.108.51/32 proto udp sport 1701
    dir out priority 2080
    tmpl src 104.131.13.155 dst 41.203.65.124
            proto esp reqid 16405 mode tunnel
src 10.100.108.51/32 dst 172.16.255.1/32 proto udp dport 1701
    dir fwd priority 2080
    tmpl src 41.203.65.124 dst 104.131.13.155
            proto esp reqid 16405 mode tunnel
src 10.100.108.51/32 dst 172.16.255.1/32 proto udp dport 1701
    dir in priority 2080
    tmpl src 41.203.65.124 dst 104.131.13.155
            proto esp reqid 16405 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0

ping 10.100.108.51

PING 10.100.108.51 (10.100.108.51) 56(84) bytes of data.
From 104.131.13.155 icmp_seq=1 Destination Host Unreachable
From 104.131.13.155 icmp_seq=2 Destination Host Unreachable
From 104.131.13.155 icmp_seq=3 Destination Host Unreachable

What am I doing wrong?


Finally fixed this issue.

Here's what I did:

  1. In the ipsec.conf file, I had to comment out the leftprotoport which was set to

    leftprotoport=17/1701
    

    This essentially limits the vpn connection to L2TP using UDP port 1701. Checking ip xfrm policy shows that the source and dest ports were set to 1701. This means I could not send any traffic via TCP. The only traffic allowed was from UDP port 1701.

  2. I noticed there were some UDP checksum errors when I ran a tcpdump on eth0. Apparently this was a result of Debian being set to use hardware TCP/UDP checksum offloading. The following commands disabled it.

    $ ethtool --offload  eth0  rx off  tx off
    $ ethtool -K eth0 gso off
    

Now when I run a traceroute to the remote host/network I see only one hop as against 11 when the wrong ipsec policy was configured. I also see ESP(spi=0XXXX, seq=xxxx) packets as part of the output from tcpdump to the remote host while sending traffic in the form of a ping/telnet.
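The two checks the answer describes, a leftprotoport-style selector that limits the IPsec policy to one protocol/port and checksum offloading still being on, can be done from a script. The following is an added example and is not code from the question or the answer: a POSIX shell script with two helpers, `restricted_selectors`, which reads `ip xfrm policy` output on stdin and prints every tunnel policy whose selector names a protocol or port (the pattern `leftprotoport=17/1701` produces), and `checksum_offload_on`, which reads `ethtool -k <iface>` output on stdin and succeeds when rx or tx checksumming is still on. The function names are assumptions, and the sample policy text is constructed from the question, with one unrestricted 10.100.108.0/24 policy added for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): spot IPsec policies whose
# selector is limited to one protocol/port, and check whether checksum
# offloading is still enabled on the interface carrying the tunnel.

# Constructed sample: the two udp/1701 policies from the question plus an
# unrestricted policy for contrast (the third policy is invented for the example).
SAMPLE_XFRM='src 172.16.255.1/32 dst 10.100.108.51/32 proto udp sport 1701
    dir out priority 2080
    tmpl src 104.131.13.155 dst 41.203.65.124
            proto esp reqid 16405 mode tunnel
src 10.100.108.51/32 dst 172.16.255.1/32 proto udp dport 1701
    dir in priority 2080
    tmpl src 41.203.65.124 dst 104.131.13.155
            proto esp reqid 16405 mode tunnel
src 172.16.255.1/32 dst 10.100.108.0/24
    dir out priority 2080
    tmpl src 104.131.13.155 dst 41.203.65.124
            proto esp reqid 16406 mode tunnel'

# Print "<dir>: <selector>" for each policy whose selector line carries a
# proto, sport or dport restriction. Such a policy only ever matches that
# protocol/port, so ping or telnet to the far side never enters the tunnel.
# Reads `ip xfrm policy` text on stdin.
restricted_selectors() {
    awk '
        /^src / {
            sel = $0
            restricted = (sel ~ / proto / || sel ~ / sport / || sel ~ / dport /)
            next
        }
        /^[ \t]*dir / && restricted {
            print $2 ": " sel
        }
    '
}

# Number of restricted policies in the constructed sample (expected: 2).
count_restricted() {
    printf '%s\n' "$SAMPLE_XFRM" | restricted_selectors | wc -l | tr -d ' '
}

# Succeed (exit 0) when `ethtool -k <iface>` output on stdin shows rx or tx
# checksumming still on, i.e. the offload the answer disabled is still active.
checksum_offload_on() {
    grep -E '^(rx-checksumming|tx-checksumming): on' >/dev/null
}

# Live use on a real host (root needed for ip xfrm and ethtool):
#   ip xfrm policy | restricted_selectors
#   ethtool -k eth0 | checksum_offload_on && echo "checksum offload still on"
```

Run against the live host, an empty result from `restricted_selectors` means no policy is pinned to a protocol/port, and a non-zero exit from `checksum_offload_on` means the rx/tx checksum offload has been turned off as in the answer.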