Hello. I have two gateways which have Openswan installed on them. My <span style="font-weight: bold;">config file</span> is like this:<br><br><span style="font-style: italic;"># basic configuration</span><br style="font-style: italic;">
<span style="font-style: italic;">config setup</span><br style="font-style: italic;"><span style="font-style: italic;"> # plutodebug / klipsdebug = "all", "none" or a combation from below:</span>
<br style="font-style: italic;"><span style="font-style: italic;"> # "raw crypt parsing emitting control klips pfkey natt x509 private"</span><br style="font-style: italic;"><span style="font-style: italic;">
# eg:</span><br style="font-style: italic;"><span style="font-style: italic;"> # plutodebug="control parsing"</span><br style="font-style: italic;"><span style="font-style: italic;"> #</span>
<br style="font-style: italic;"><span style="font-style: italic;"> # Only enable klipsdebug=all if you are a developer</span><br style="font-style: italic;"><span style="font-style: italic;"> #</span><br style="font-style: italic;">
<span style="font-style: italic;"> # NAT-TRAVERSAL support, see README.NAT-Traversal</span><br style="font-style: italic;"><span style="font-style: italic;"> nat_traversal=yes</span><br style="font-style: italic;">
<span style="font-style: italic;"> virtual_private=%v4:<a href="http://10.0.0.0/8,%25v4:192.168.0.0/16,%25v4:172.16.0.0/12" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
</a></span><br style="font-style: italic;"><span style="font-style: italic;">
#</span><br style="font-style: italic;"><span style="font-style: italic;"> # enable this if you see "failed to find any available worker"</span><br style="font-style: italic;"><span style="font-style: italic;">
nhelpers=0</span><br style="font-style: italic;"><br style="font-style: italic;"><span style="font-style: italic;"># Add connections here</span><br style="font-style: italic;"><span style="font-style: italic;">conn gda-war
</span><br style="font-style: italic;"><span style="font-style: italic;"> left=<a href="http://192.168.2.133/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.133</a></span><br style="font-style: italic;">
<span style="font-style: italic;"> leftsubnet=
<a href="http://172.16.1.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.1.0/24</a></span><br style="font-style: italic;"><span style="font-style: italic;"> leftid=@vpn2</span><br style="font-style: italic;">
<span style="font-style: italic;"> leftrsasigkey=0sAQ...
</span><br style="font-style: italic;"><span style="font-style: italic;"> leftnexthop=%defaultroute</span><br style="font-style: italic;"><span style="font-style: italic;"> #leftnexthop=<a href="http://172.16.2.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
172.16.2.1</a></span><br style="font-style: italic;"><span style="font-style: italic;"> right=<a href="http://192.168.2.183/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.183</a>
</span><br style="font-style: italic;"><span style="font-style: italic;">
rightsubnet=<a href="http://172.16.2.0/24" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.2.0/24</a></span><br style="font-style: italic;"><span style="font-style: italic;"> rightid=@vpn1
</span><br style="font-style: italic;"><span style="font-style: italic;">
rightrsasigkey=0sAQ...</span><br style="font-style: italic;"><span style="font-style: italic;"> rightnexthop=%defaultroute</span><br style="font-style: italic;"><span style="font-style: italic;"> #rightnexthop=
<a href="http://172.16.1.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.1.1</a></span><br style="font-style: italic;"><span style="font-style: italic;"> keyingtries=2</span><br style="font-style: italic;">
<span style="font-style: italic;"> auto=start
</span><br style="font-style: italic;"><span style="font-style: italic;"># sample VPN connections, see /etc/ipsec.d/examples/</span><br style="font-style: italic;"><br style="font-style: italic;"><span style="font-style: italic;">
#Disable Opportunistic Encryption</span><br style="font-style: italic;"><span style="font-style: italic;">include /etc/ipsec.d/examples/no_oe.conf<br><br></span>Gateway 1 (vpn1): eth0: <a href="http://192.168.2.183/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
192.168.2.183
</a> eth1: <a href="http://172.16.1.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.1.1</a> laptop-connected-to-eth0: <a href="http://172.16.1.2/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
172.16.1.2</a><br>Gateway 2 (vpn2): eth0: <a href="http://192.168.2.133/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.133</a> eth1: <a href="http://172.16.2.1/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
172.16.2.1</a> laptop-connected-to-eth0: <a href="http://172.16.2.2/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.2.2</a><br>Output of command <span style="font-style: italic;"><span style="font-weight: bold;">
ipsec verify</span>:<br><br>Checking your system to see if IPsec got installed and started correctly:
<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.4.6/K2.6.18-4-686 (netkey)<br>Checking for IPsec support in kernel [OK]<br>NETKEY detected, testing for disabled ICMP send_redirects [OK]
<br>NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]
<br>Checking NAT and MASQUERADEing <br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]
<br>Opportunistic Encryption Support [DISABLED]<br><span style="font-style: italic;"><br><span style="font-style: italic;"><span style="font-style: italic;"><span style="font-style: italic;">
</span></span></span></span></span>Output of command <span style="font-style: italic;"><span style="font-weight: bold;">ipsec auto --up gda-war</span>:<br><span style="font-style: italic;"><br><span style="font-style: italic;">
<span style="font-style: italic;"><span style="font-style: italic;"></span></span></span>vpn2:/usr/share/doc/openswan/doc# ipsec auto --up gda-war<br>117 "gda-war" #3: STATE_QUICK_I1: initiate<br>004
"gda-war" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xae5372fe <0xb05cebcf xfrm=AES_0-HMAC_SHA1 NATD=none
DPD=none}
<br>vpn2:/usr/share/doc/openswan/doc#<br><br><span style="font-style: italic;"></span></span></span>Output of command <span style="font-style: italic;">route:<br><br>vpn2:/etc/apt# route<br>Kernel IP routing table<br>Destination Gateway Genmask Flags Metric Ref Use Iface
<br><a href="http://172.16.2.0/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.2.0</a> tygrys.olimp.dg <a href="http://255.255.255.0/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
255.255.255.0</a> UG 0 0 0 eth0<br><a href="http://192.168.2.0/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.2.0</a> * <a href="http://255.255.255.0/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
255.255.255.0</a> U 0 0 0 eth0<br><a href="http://172.16.1.0/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.1.0</a> * <a href="http://255.255.255.0/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
255.255.255.0</a> U 0 0 0 eth1<br>default tygrys.olimp.dg
<a href="http://0.0.0.0/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">0.0.0.0</a> UG 0 0 0 eth0<br>vpn2:/etc/apt#<br><br></span>The problem is that two laptops connected to eth1 interfaces on both gateways can't ping each other. When i use
<span style="font-style: italic;">tcpdump -n -i eth0 </span>there are no ESP packets in the output despite the fact that the ping command is active all the time.<br><br>Laptop 1 (<a href="http://172.16.2.2/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
172.16.2.2</a>
, Win2K): <span style="font-style: italic;">ping -t <a href="http://172.16.1.2/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">172.16.1.2</a><br></span>Laptop 2 (<a href="http://172.16.1.2/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
172.16.1.2</a>, Win2K): <span style="font-style: italic;">ping -t <a href="http://172.16.2.2/" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
172.16.2.2</a><br><br></span>I tried many things but can't find the bug. Every help will be greatly appreciated;-)