Openswan 2.6.37
Symptom: OpenSwan to Cisco ASA Site to Site Tunnel has one way traffic.
Description: The Ipsec Tunnel builds, both the openswan host and the ASA show the tunnel up but traffic only flows from the ASA into Openswan, traffic does not flow back from openswan. No errors were shown in the auth.log.
Solution: It turns out that the issue was related to the openswan ipsec conf file for this connection. The Leftid and rightid were setup as shown here in the problematic conf file:
conn tunnel-to-HQ left=10.1.0.50 leftid=@openswan leftsubnet=10.1.0.0/24 right=PUBLIC.IP.OF.ASA rightid=@asa rightsubnet=10.2.0.0/24 . . auto=add
This conf file would would just fin for an Openswan to Openswan IPSEC tunnel. But for an ASA to Openswan tunnel, it failed to pass two way traffic.
The simple fix was to replace the leftid and rightid with the IP addresses of the 2 peers as shown below:
conn tunnel-to-HQ left=10.1.0.50 leftid=10.1.0.50 leftsubnet=10.1.0.0/24 right=PUBLIC.IP.OF.ASA rightid=PUBLIC.IP.OF.ASA rightsubnet=10.2.0.0/24 . . auto=add
The secrets file should reflect the IP addresses in the conf for this PSK setup:
10.1.0.50 PUBLIC.IP.OF.ASA: PSK "123456789"
Restart the tunnel and traffic flowed normally.