I think you should try to ping a (live) host in the 10.20.1.200/16 subnet and run the same tcpdump (tcpdump host 194.250.x.x).<br><br>You should see some ESP packets, if SA are correctly established, logs says they are :p<br><br>i think you can check the status of the SA by entering "ipsec auto --status".<br><br>A plus<br><br>JC<br><br><b><i>Didine <didinux@gmail.com></i></b> a écrit :<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> > Hello,<br><br>Salut Jean-Charles,<br><br>> According to the logs phase 1 and phase 2 are established.<br>> Is 194.250.x.x the address of the Juniper or a host address behind the Juniper ?<br><br>yep it's the address of the juniper.<br><br>> If it is the Juniper address it is normal that you see packets in clear but if it is a host address defined in your "lt85_to_centre" connection configuration, you may have to check the "leftsubnet=" line.<br><br>my
connexion configuration is :<br><br>conn lt85_to_centre<br> #<br> #lt85<br> #<br> left=212.121.x.x<br> leftsubnet=10.24.0.0/16<br> leftnexthop=212.121.x.x<br> #<br> #destination<br> #<br> right=194.250.x.x<br> rightsubnet=10.20.1.200/16<br> auto=start<br> #type=tunnel<br> authby=secret<br> esp=aes128-sha1<br> #esp=3des-sha1<br> #keyexchange=ike<br> #ike=3des-sha1<br> #ike=aes128-sha-modp1024<br> ikelifetime=60s<br> keylife=120s<br> rekeymargin=10s<br> #pfs=no<br> #aggrmode=no<br> #spi=0x500<br> #esp=3des-md5-96<br><br><br><br>><br>> As you use netkey, as far as I remember, doing a "tcpdump host xxx" will show you only decrypted packets incoming/coming back to your gateway, for example you will see only replies to ping initiated from your openswan gateway... It is a netkey behavior
:s<br>><br><br>Okay :)<br><br>> Anyway... What is the original question ? :)<br><br>My question is how can i setup the connexion between my openswan box<br>and the juniper :) and why my config doesn't work :)<br><br>> Cheers,<br><br>Thank you :)<br><br>> JC<br><br>-- <br>Didine<br><br>><br>> Didine <didinux@gmail.com> a écrit :<br>><br>> Hello,<br>> I'm a new user of openswan.<br>> I try to set up a connexion between openswan (Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.<br>> When i try to setup the link i have the folowing messages.<br>><br>> =====================================================================<br>> [root@lt85 ~]# ipsec auto --verbose --up lt85_to_centre<br>> 002 "lt85_to_centre" #11: initiating Main Mode<br>> 104 "lt85_to_centre" #11: STATE_MAIN_I1: initiate<br>> 003 "lt85_to_centre" #11: ignoring unknown Vendor ID payload
[166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]<br>> 003 "lt85_to_centre" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<br>> 003 "lt85_to_centre" #11: received Vendor ID payload [Dead Peer Detection]<br>> 003 "lt85_to_centre" #11: ignoring Vendor ID payload [HeartBeat Notify 386b0100]<br>> 002 "lt85_to_centre" #11: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03<br>> 002 "lt85_to_centre" #11: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1<br>> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>> 106 "lt85_to_centre" #11: STATE_MAIN_I2: sent MI2, expecting MR2<br>> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I2<br>> 002 "lt85_to_centre" #11: I did not send a certificate because I do not have one.<br>> 003 "lt85_to_centre" #11: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<br>> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>> 108 "lt85_to_centre" #11: STATE_MAIN_I3: sent MI3, expecting MR3<br>> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I3<br>> 002 "lt85_to_centre" #11: Main mode peer ID is ID_IPV4_ADDR: '194.250.x.x'<br>> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>> 004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<br>> 002 "lt85_to_centre" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11}<br>> 117 "lt85_to_centre" #12: STATE_QUICK_I1: initiate<br>> 002 "lt85_to_centre" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br>> 004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}<br>> =====================================================================<br>> IPsec SA established ?!<br>><br>> A made a test by sending a ping to the 194.250.x.x.<br>> A tcpdump shows the following (no ESP msg):<br>><br>> =====================================================================<br>> [root@lt85 ~]# tcpdump host 194.250.x.x<br>> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024, seq 55960, length 24<br>> =====================================================================<br>><br>> Any help is appreciated.<br>> Thanks a lot.<br>><br>> --<br>> Didine _______________________________________________<br>> Users@openswan.org<br>> http://lists.openswan.org/mailman/listinfo/users<br>> Building and Integrating Virtual Private Networks with Openswan:<br>>
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>><br>><br>><br>> ________________________________<br> Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo! Mail et<br>son interface révolutionnaire.<br>><br>><br>> _______________________________________________<br>> Users@openswan.org<br>> http://lists.openswan.org/mailman/listinfo/users<br>> Building and Integrating Virtual Private Networks with Openswan:<br>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>><br>><br>><br></didinux@gmail.com></blockquote><br><p> 
<hr size="1">
Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions !
Profitez des connaissances, des opinions et des expériences des internautes sur <a href="http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com">Yahoo! Questions/Réponses</a>.