OpenWrt Forum Archive

Topic: IPSec tunnel established but no traffic

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I'm trying to set up a VPN between a WRT54G running OpenWRT with Openswan and a BEFVP41.
I can set up the tunnel successfully. I see ISAKMP packets flying by. Both ends can set up the connection.
But once established, no traffic between subnets is possible, and I also don't see any ESP packets going by.

I followed the guidelines on openswan.org and freeswan.org for setting up a net-2-net vpn. Added the iptables thing, but nothing.

Anybody have an idea?

Try enabling proxy ARP on some or all of the interfaces on the WRT. I got stuck trying to set up OpenVPN until I enabled it. I forget the switch, but it's somewhere in /proc, something like:

echo 1 > /proc/sys/net/...... /proxy_arp

Firewall, NAT (have a real good look at this one... make sure you exclude NAT for the remote end's subnet), FORWARD rules, routing. Everything is suspect. Importantly: do both ends agree that an IPsec SA is established?

Never heard of proxy arp. Will look into it.

I added a line to iptables like this one in the FreeSwan net-2-net docs:
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -d \! 192.0.2.128/29 -j MASQUERADE

According to these docs (and others), behind '-s' you provide the remote subnet. Is this correct, since you want to disable masquerading from the local subnet to the remote subnet?
I tried both these commands (*.9.0 is my local subnet, *.123.0 is the remote subnet):

iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.9.0/24 -d \! 192.168.123.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.123.0/24 -d \! 192.168.9.0/24 -j MASQUERADE

But it didn't solve anything.
Is the POSTROUTING rule correct for OpenWRT? Or should this be INPUT or OUTPUT or FORWARD?

My VPN network setup is:

Local subnet <====> OpenWRT <===> Livebox <===== internet =====> remote VPN router <====> remote subnet
192.168.9.0/24      192.168.9.3 /      (internal ip) /                 (remote inet ip)       192.168.123.0/24
                    (internal ip)      (my inet ip)

Do I have to add a 'leftnexthop' to the ipsec config because I'm behind a Livebox and not directly connected to the internet? I read somewhere that IPsec traffic doesn't like to be NATed.

Hi joostdenboer,

I have the same problem: vpn tunnel established but no traffic.

Could you manage it in the meantime? What did you do?

Andreas

(Last edited by ALuedtke on 9 Jan 2006, 09:52)

OpenSwan version 2.4.4 as being used on OpenWRT supports NAT-T. If you're behind yet another router, you have two choices:

- The router needs to support forwarding of ESP frames (AH won't work with NAT anyways)
- set nat_traversal=yes in the config setup section (I'm not sure how OpenSwan was compiled, this might even be the default).

In case NAT-T is being used, the traffic won't be native ESP anymore, but UDP packets on port 4500. You will have to change your firewall settings to allow this port in addition to ISAKMP (UDP 500).
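A firewall script for the setup discussed in this thread, added here as an example and not posted by any of the participants: it opens ISAKMP (UDP 500), NAT-T (UDP 4500) and native ESP on the WAN side, forwards between the two subnets, and exempts local-to-remote traffic from MASQUERADE with a POSTROUTING ACCEPT rule inserted ahead of the general MASQUERADE rule (an alternative to the `! -d` form quoted from the FreeSwan docs). The interface name vlan1 and the two subnets are taken from the thread; the DRY_RUN switch is an assumption of this example so the rules can be printed without root.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for an Openswan
# net-to-net tunnel on an OpenWRT router that sits behind another NAT box.
# Assumed names: WAN interface vlan1, local 192.168.9.0/24, remote 192.168.123.0/24.
# DRY_RUN=1 prints the rules instead of applying them (no root needed).

WAN_IF="${WAN_IF:-vlan1}"
LOCAL_NET="${LOCAL_NET:-192.168.9.0/24}"
REMOTE_NET="${REMOTE_NET:-192.168.123.0/24}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

ipsec_firewall_rules() {
  # IKE/ISAKMP on UDP 500; NAT-T encapsulation on UDP 4500 when the
  # tunnel runs through a NAT; native ESP for the non-NAT case.
  run iptables -A INPUT -i "$WAN_IF" -p udp --dport 500 -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
  run iptables -A INPUT -i "$WAN_IF" -p esp -j ACCEPT

  # Allow the two subnets to talk through the router in both directions.
  run iptables -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
  run iptables -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT

  # NAT exemption: -s is the LOCAL subnet, -d the REMOTE one. Inserting an
  # ACCEPT at position 1 guarantees tunnel traffic is matched before the
  # catch-all MASQUERADE, whatever order other nat rules were added in.
  run iptables -t nat -I POSTROUTING 1 -o "$WAN_IF" \
    -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
  run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" -j MASQUERADE
}

# Only apply when executed directly with DRY_RUN unset (i.e. on the router).
if [ "$DRY_RUN" = "1" ]; then
  ipsec_firewall_rules
fi
```

Run with `DRY_RUN=1 sh ipsec-fw.sh` first to review the rules; without DRY_RUN the script only defines the function, so call `ipsec_firewall_rules` from your init script to apply them.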
