Openswan tunnel is up but no traffic is going through
Hi All,
I'm new to this forum and also to Linux. I have little knowledge of Linux and am trying to set up an IPsec tunnel using Openswan on CentOS. My problem is, the tunnel is established but no traffic is going through. Can someone please help with this? I've been trying this for several days but
no luck. My server is a VPS which has two IPs: one is public and the other one is private. Both IPs are assigned to the same interface as below.
Here is some info.
ip addr output:
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
inet 162.x.x.x/19 brd 162.x.x.x scope global eth0
inet 172.19.25.194/30 brd 172.19.25.195 scope global eth0:cp1
inet6 x::x:x:x:x/64 scope link
valid_lft forever preferred_lft forever
When I telnet to the remote private IP it gives the following error:
telnet 202.x.x.x 5016
Trying 202.x.x.x...
telnet: connect to address 202.x.x.x: No route to host
If you have any idea about this please help me. Thank you. If you need more info let me know; I'll send it.
If a tunnel is "up," in that you can successfully "ping" both sides, then the problem is most likely that traffic is not being routed through it.
For instance, use the traceroute ip_address command to try to reach an IP-address that you know that you should be able to reach. This command will try to explore that route, "hop" by "hop," both "there and back again." Does it, in fact, know the route? (If you see the output de-evolve into "a string of asterisks," it means that the packet could not return.)
All VPN solutions basically work as "network appliances" (routers, or sometimes bridges) "implemented in software." But the basic requirement of routing still holds: "given an IP destination-address, such as 202.x.x.x," each computer must know where and how to send it. Either the packet will be sent to a particular NIC, or it will be sent to a gateway that will be responsible for getting it to where it needs to go. Your VPN "router," like all routers, is such a gateway.
Although I do most of my work these days with OpenVPN, rather than Swan, the principles are generally the same: "the software-device acts as a router." Given that you have succeeded in getting the two sides to talk to each other ("Yay!!"), what's left to you is "a TCP/IP routing problem."
Quite a few tutorials out there tend to focus on "getting the damned thing to connect!" (Which is why I said, "Yay!") They're not-so-good at explaining the routing. Here's a good one.
But here's one important question: "Is the machine that's trying to talk, the same machine that's running the VPN? Or are they separate machines, such that 'the machine that is running the VPN' is simply functioning 'as a router?'" In the latter case, you're strictly dealing with "a routing issue" that would be the same if encryption were not a part of it at all ... that would be the same if 'the router' were quite-literally a box.
Last edited by sundialsvcs; 10-11-2017 at 12:39 PM.
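The point above is the one to check first, so here is an added example (not code from any poster in this thread): a small shell helper that reads `ip xfrm policy` output (a constructed sample below, using the thread's 172.19.25.192/30 side and made-up 192.0.2.x/203.0.113.x/10.20.0.0/16 addresses) and reports whether a source/destination pair falls inside an outbound IPsec selector. With Openswan on the native kernel IPsec stack there is no tun device: a packet is only encrypted if it matches a "dir out" selector (what leftsubnet/rightsubnet produce), and anything else follows the ordinary routing table, which is the usual reason for "tunnel is up but no traffic".

```shell
#!/bin/sh
# Added example: does an outbound IPsec policy cover a given flow?

ip2int() {                      # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                     # in_cidr ADDR NET/BITS -> status 0 if ADDR is inside
  case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# covered_by_policy POLICY_TEXT SRC DST: print the matching "dir out" selector and
# return 0, or return 1 when no outbound policy covers SRC -> DST.
covered_by_policy() {
  printf '%s\n' "$1" | {
    src=$2 dst=$3 cur_src= cur_dst=
    while read -r w1 a w2 b rest; do
      case $w1 in
        src) cur_src=$a; cur_dst=$b ;;       # selector line: "src X dst Y"
        dir) [ "$a" = out ] || continue      # only outbound policies matter here
             if in_cidr "$src" "$cur_src" && in_cidr "$dst" "$cur_dst"; then
               echo "$cur_src -> $cur_dst"; exit 0
             fi ;;
      esac
    done
    exit 1
  }
}

# Constructed sample in the format printed by `ip xfrm policy` (not real output):
# local side 172.19.25.192/30 as in the thread, remote nets and gateways made up.
SAMPLE_XFRM_POLICY='src 172.19.25.192/30 dst 10.20.0.0/16
	dir out priority 2344 ptype main
	tmpl src 192.0.2.10 dst 203.0.113.9
		proto esp reqid 16385 mode tunnel
src 10.20.0.0/16 dst 172.19.25.192/30
	dir in priority 2344 ptype main
	tmpl src 203.0.113.9 dst 192.0.2.10
		proto esp reqid 16385 mode tunnel'

for dst in 10.20.3.7 198.51.100.5; do
  if sel=$(covered_by_policy "$SAMPLE_XFRM_POLICY" 172.19.25.194 "$dst"); then
    echo "$dst: matches outbound policy $sel, will be sent inside ESP"
  else
    echo "$dst: no outbound policy; plain routing applies, see 'ip route get $dst'"
  fi
done
```

On a real host, feed it `"$(ip xfrm policy)"` instead of the sample; a destination that is not covered here will never enter the tunnel no matter what `ipsec status` says.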
Thank you very much for your reply.
Here I attached my scenario as a JPG. My server is a Bluehost VPS. Openswan and the application are both running on the same server. When I run a traceroute without the tunnel it goes to the destination via a long path through the internet. But when I run it after establishing the tunnel it stops at the server's external IP.
Without tunnel:
[~]# traceroute 202.x.x.173
traceroute to 202.x.x.173 (202.x.x.173), 30 hops max, 60 byte packets
1 162-x-x-x.unifiedlayer.com (162.x.x.x) 0.797 ms 162-x.x.x.unifiedlayer.com (162.x.x.x) 0.833 ms 162-x-x-x.unifiedlayer.com (162.x.x.x) 0.805 ms
2 162-x.x-50.unifiedlayer.com (162.x.x.50) 6.186 ms 6.203 ms 162-x.x-54.unifiedlayer.com (162.x.x.54) 6.198 ms
3 162-x.x-148.unifiedlayer.com (162.x.x.148) 6.192 ms 162-x.x-152.unifiedlayer.com (162.x.x.152) 6.188 ms 162-x.x-166.unifiedlayer.com (162.x.x.166) 6.185 ms
4 ae-34.a01.snjsca04.us.bb.gin.ntt.net (129.250.195.137) 20.151 ms ae-33.a01.lsanca07.us.bb.gin.ntt.net (129.250.198.181) 19.878 ms 19.911 ms
5 ae-9.r00.lsanca07.us.bb.gin.ntt.net (129.250.2.17) 201.774 ms ae-5.r02.snjsca04.us.bb.gin.ntt.net (129.250.3.162) 20.032 ms ae-9.r00.lsanca07.us.bb.gin.ntt.net (129.250.2.17) 201.804 ms
6 ae-2.r23.lsanca07.us.bb.gin.ntt.net (129.250.3.237) 16.530 ms 16.383 ms ae-1.r22.snjsca04.us.bb.gin.ntt.net (129.250.3.26) 19.963 ms
7 ae-2.r20.sngpsi05.sg.bb.gin.ntt.net (129.250.3.49) 188.580 ms ae-12.r22.snjsca04.us.bb.gin.ntt.net (129.250.4.150) 24.614 ms ae-2.r20.sngpsi05.sg.bb.gin.ntt.net (129.250.3.49) 188.600 ms
8 ae-2.r20.sngpsi05.sg.bb.gin.ntt.net (129.250.3.49) 201.219 ms ae-1.r00.sngpsi05.sg.bb.gin.ntt.net (129.250.7.19) 203.042 ms 207.967 ms
9 116.51.31.126 (116.51.31.126) 271.373 ms ae-1.r00.sngpsi05.sg.bb.gin.ntt.net (129.250.7.19) 196.495 ms 195.483 ms
10 * * 116.51.31.126 (116.51.31.126) 270.887 ms
11 * * *
12 * * *
13 * * *
14 * * *
I asked the remote end admins why it stops at 116.51.31.126. According to them it should only come to that point; they handle it after that point.
Traceroute with tunnel:
traceroute 202.x.x.173
traceroute to 202.x.x.173 (202.x.x.173), 30 hops max, 60 byte packets
1 server.xxxxxx.com (162.x.x.x) 3000.353 ms !H 3000.334 ms !H 3000.292 ms !H
Distribution: VM Host: Slackware-current, VM Guests: Artix, Venom, antiX, Gentoo, FreeBSD, OpenBSD, OpenIndiana
Posts: 852
Rep:
1) start tunnel
1a) check if tun is up and working (if not start tun manually first before setting up tunnel)
2) adjust default gateway
3) adjust resolv.conf
This works for stunnel/VPN. I would think that that is all you need for Openswan/IPsec too.
In addition, CentOS may have other quirks I don't know about, e.g. the above works in Slackware, Funtoo, Devuan or FreeBSD, but OpenIndiana/Solaris require some extra adjustments.
Quote:
Originally Posted by Chala
Thanks Aeterna. I will check this and let you know. There is no tun interface when I check ip addr, so that means I need to create it manually, right?
Well, first you need a kernel that has the tun module. I hope that CentOS, mostly used as a server, has tun enabled in the kernel.
When you establish the IPsec connection,
check for tun:
lsmod | grep tun
If you see the tun module listed, just configure the default gateway and resolv.conf.
On the other hand, if you do not see the tun module, then run
sudo modprobe tun
and try to connect IPsec again.
At this point you should lose connectivity, and to restore it you will have to change the default gateway and nameserver. That is all.
And also the default gateway should be the external IP of my server, right (which is used to create the tunnel)? And when I check resolv.conf it includes "search bluehost.com". What should be in resolv.conf?
Please forgive me if it's a foolish question. My knowledge is limited in this area. I highly appreciate your help. Thank you.
Quote:
Originally Posted by Chala
Hi, this is what I get when I run the tun command.
And also the default gateway should be the external IP of my server, right (which is used to create the tunnel)? And when I check resolv.conf it includes "search bluehost.com". What should be in resolv.conf?
Please forgive me if it's a foolish question. My knowledge is limited in this area. I highly appreciate your help. Thank you.
tun 17094 0 <- ok
search bluehost.com
Change it to the following, or delete it altogether; it will get recreated by DHCP next time.
#search bluehost.com
also
#nameserver_from_your_isp_provider
but
nameserver_of_your_tunnel/ipsec_provider
The gateway is not their server IP address; you should get their gateway address from their site. I am not sure how this should be set for tunnel/IPsec, but because you are now connected to their local network it will probably be 10.xxx.xxx.xxx.
You may need to consult their site.
Hi All,
Sorry for the late reply. Unfortunately I couldn't investigate this further, because the client decided to go with AWS. However, thank you very much for the support
you have given.