<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=Content-Type content=text/html;charset=ISO-8859-1>
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>The TTY and PWD are irrelevant; they're from sudo, not
openswan, completely unrelated.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>Hmm, your iptables firewall rules, ipsec.conf, log files,
ipsec verify all looked good to me.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>None of your openswan switches are behind a NAT router are
they?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>They all have direct internet
connections?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>What does your config setup section in ipsec.conf look
like?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>Try tcpdumping your public interface then ping during the
tcpdump and watch the results.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>i.e.)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>tcpdump -i ppp0 host besho.gotdns.org</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=961423613-15102007><FONT face=Arial
color=#0000ff size=2>Maybe that will contain a hint to your
problem.</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
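<DIV align=left><FONT face=Arial size=2>A worked example of reading a pluto log the way the reply above does, added here for illustration (it is not from the original thread or from the Openswan project): the script below parses the syslog-style pluto lines quoted further down in this thread, skips everything that pluto did not write (the sudo TTY/PWD lines), records whether the ISAKMP and IPsec SAs came up and which ESP SPIs were negotiated, and then says what is worth checking next. The sample log is a constructed, trimmed copy of the quoted lines; the function names summarize_pluto and diagnose and the hint texts are this example's own assumptions, not Openswan output.</FONT></DIV>

```python
import re

# Constructed sample log for this example: a trimmed copy of the pluto lines
# quoted in the thread, with the two sudo lines left in to show that they
# are filtered out as non-pluto noise.
SAMPLE_LOG = """\
Oct 13 07:54:13 natal pluto[19045]: including NAT-Traversal patch (Version 0.6c) [disabled]
Oct 13 07:54:14 natal pluto[19045]: added connection description "besho-besntl"
Oct 13 07:54:14 natal pluto[19045]: adding interface ppp0/ppp0 41.240.44.24
Oct 13 07:54:18 natal sudo: besmac : TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/usr/sbin/ipsec auto --up besho-besntl
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: initiating Main Mode
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: Peer ID is ID_IPV4_ADDR: '41.243.162.65'
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: ISAKMP SA established
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: initiating Quick Mode PSK+RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: sent QI2, IPsec SA established {ESP=>0xa63eeebb <0x2f4c0736}
Oct 13 07:54:19 natal sudo: besmac : TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 eth1
"""

# syslog prefix "Mon DD HH:MM:SS host pluto[pid]: message"; anything else is not pluto's
PLUTO_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (?P<msg>.*)$')
ADDED_RE = re.compile(r'^added connection description "(?P<conn>[^"]+)"$')
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<rest>.*)$')
TRANS_RE = re.compile(r'to state (STATE_\w+)')
PEER_RE = re.compile(r"Peer ID is \w+: '([^']+)'")
SPI_RE = re.compile(r'\{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')


def _entry(conns, name):
    """Return (creating on first sight) the per-connection record."""
    return conns.setdefault(name, {
        'peer_id': None, 'isakmp_sa': False, 'ipsec_sa': False,
        'spi_out': None, 'spi_in': None, 'states': []})


def summarize_pluto(text):
    """Parse syslog-style pluto lines and report, per connection, how far IKE
    got: peer ID, whether the ISAKMP (phase 1) and IPsec (phase 2) SAs were
    established, the state transitions seen, and the outbound/inbound ESP SPIs.
    Lines not written by pluto (sudo, kernel, ...) are counted and ignored."""
    conns, skipped, nat_t = {}, 0, None
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            skipped += 1          # e.g. the sudo TTY/PWD lines: not pluto's
            continue
        msg = m.group('msg')
        if 'NAT-Traversal' in msg:
            nat_t = '[disabled]' not in msg
            continue
        d = ADDED_RE.match(msg)
        if d:
            _entry(conns, d.group('conn'))
            continue
        s = STATE_RE.match(msg)
        if not s:
            continue              # interface / secrets housekeeping lines
        c, rest = _entry(conns, s.group('conn')), s.group('rest')
        t = TRANS_RE.search(rest)
        if t:
            c['states'].append(t.group(1))
        p = PEER_RE.search(rest)
        if p:
            c['peer_id'] = p.group(1)
        if 'ISAKMP SA established' in rest:
            c['isakmp_sa'] = True
        if 'IPsec SA established' in rest:
            c['ipsec_sa'] = True
            sp = SPI_RE.search(rest)
            if sp:
                c['spi_out'], c['spi_in'] = sp.group('out'), sp.group('in')
    return {'connections': conns, 'non_pluto_lines': skipped, 'nat_traversal': nat_t}


def diagnose(summary):
    """Turn the summary into next-step hints (hint wording is this example's own)."""
    hints = []
    for name, c in summary['connections'].items():
        if c['ipsec_sa']:
            hints.append(f"{name}: phase 1 and 2 complete (ESP SPIs out={c['spi_out']} "
                         f"in={c['spi_in']}); IKE is not the fault, check that test traffic "
                         "matches leftsubnet/rightsubnet, routes and firewall, and tcpdump "
                         "the public interface for ESP")
        elif c['isakmp_sa']:
            hints.append(f"{name}: ISAKMP SA up but no IPsec SA; check subnet definitions "
                         "and phase 2 proposals on both ends")
        else:
            hints.append(f"{name}: phase 1 never completed; check peer reachability, IDs "
                         "and secrets")
    if summary['nat_traversal'] is False:
        hints.append("NAT-Traversal is disabled; if any peer sits behind a NAT router, "
                     "ESP is likely to be dropped")
    return hints


if __name__ == "__main__":
    for h in diagnose(summarize_pluto(SAMPLE_LOG)):
        print(h)
```

<DIV align=left><FONT face=Arial size=2>Run it against real output with <TT>grep pluto /var/log/messages | python3 pluto_summary.py</TT> after swapping SAMPLE_LOG for <TT>sys.stdin.read()</TT>; the point of the filter is the one made above: once "IPsec SA established" appears with two SPIs, pluto has done its job and the remaining suspects are subnet selectors, routing, firewall and NAT, not the sudo lines.</FONT></DIV>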
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Martin Eramus [mailto:martin@onyx.co.za]
<BR><B>Sent:</B> October 13, 2007 2:16 AM<BR><B>To:</B>
petermcgill@goco.net<BR><B>Cc:</B> users@openswan.org<BR><B>Subject:</B> Re:
[Openswan Users] Link established no data going through<BR></FONT><BR></DIV>
<DIV></DIV>I have tried pinging from a computer in the local lan to a
computer in the remote lan, and from the remote openswan server to the local
openswan server.<BR><BR>When I ping from another remote openswan server to the
local openswan server, it works.<BR><BR>Here is the pluto log:<BR><BR>Oct 13
07:54:13 natal ipsec__plutorun: Starting Pluto subsystem...<BR>Oct 13 07:54:13
natal pluto[19045]: Starting Pluto (Openswan Version 2.1.5 X.509-1.4.8-1
PLUTO_USES_KEYRR)<BR>Oct 13 07:54:13 natal pluto[19045]: including
NAT-Traversal patch (Version 0.6c) [disabled]<BR>Oct 13 07:54:13 natal
pluto[19045]: Using Linux 2.6 IPsec interface code<BR>Oct 13 07:54:14 natal
pluto[19045]: Changing to directory '/etc/ipsec.d/cacerts'<BR>Oct 13 07:54:14
natal pluto[19045]: Warning: empty directory<BR>Oct 13 07:54:14
natal pluto[19045]: Changing to directory '/etc/ipsec.d/crls'<BR>Oct 13
07:54:14 natal pluto[19045]: Warning: empty directory<BR>Oct 13
07:54:14 natal pluto[19045]: added connection description
"besho-besntl"<BR>Oct 13 07:54:14 natal pluto[19045]: listening for IKE
messages<BR>Oct 13 07:54:14 natal pluto[19045]: adding interface ppp0/ppp0
41.240.44.24<BR>Oct 13 07:54:14 natal pluto[19045]: adding interface eth1/eth1
192.168.4.1<BR>Oct 13 07:54:14 natal pluto[19045]: adding interface eth0/eth0
10.0.0.1<BR>Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo
127.0.0.1<BR>Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo
::1<BR>Oct 13 07:54:14 natal pluto[19045]: loading secrets from
"/etc/ipsec.secrets"<BR>Oct 13 07:54:18 natal sudo: besmac :
TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/usr/sbin/ipsec auto --up
besho-besntl<BR>Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1:
initiating Main Mode<BR>Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1:
ignoring Vendor ID payload [4f455a7e4261425d...]<BR>Oct 13 07:54:18 natal
pluto[19045]: "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer
Detection]<BR>Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>Oct 13 07:54:19
natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I2 to
state STATE_MAIN_I3<BR>Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1:
Peer ID is ID_IPV4_ADDR: '41.243.162.65'<BR>Oct 13 07:54:19 natal
pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4<BR>Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: ISAKMP
SA established<BR>Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2:
initiating Quick Mode PSK+RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}<BR>Oct
13 07:54:19 natal pluto[19045]: "besho-besntl" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2<BR>Oct 13 07:54:19 natal pluto[19045]:
"besho-besntl" #2: sent QI2, IPsec SA established {ESP=>0xa63eeebb
<0x2f4c0736}<BR>Oct 13 07:54:19 natal sudo: besmac :
TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/sbin/route add -net
192.168.0.0 netmask 255.255.255.0 eth1<BR><BR>I have compared it to the other
remote server, and the only difference is the TTY and the PWD. How do I change
this, or is it not necessary?<BR><BR>Thanks<BR><BR>Martin<BR><BR>Peter McGill
wrote:
<BLOCKQUOTE cite=mid:000901c80ce5$755359e0$350315ac@ghport3 type="cite"><PRE wrap="">Hmm, ipsec verify looks ok.
I don't see any problems in your iptables firewall rules; they look ok.
How are you doing your ping tests, from a computer in the local lan to
a computer in the remote lan? Or openswan server to openswan server?
If server to server, your subnets are not set up for that; use lan pc to lan pc.
Do you know where fc puts log files? Most Linuxes put them in /var/log.
Openswan logs with process name pluto.
Generally grep 'pluto' /var/log/* should find your logs.
Peter McGill
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">-----Original Message-----
From: Martin Erasmus [<A class=moz-txt-link-freetext href="mailto:martin@onyx.co.za">mailto:martin@onyx.co.za</A>]
Sent: October 12, 2007 11:02 AM
To: <A class=moz-txt-link-abbreviated href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>
Cc: <A class=moz-txt-link-abbreviated href="mailto:martin@onyx.co.za">martin@onyx.co.za</A>; <A class=moz-txt-link-abbreviated href="mailto:users@openswan.org">users@openswan.org</A>
Subject: RE: [Openswan Users] Link established no data going through
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Could be a firewall issue, is the subnet for that connection in a
different private range than the others?
</PRE></BLOCKQUOTE><PRE wrap="">Yes all the locations have their own subnets
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Check your iptables rules to make sure the traffic is accepted.
Do your ping tests match your subnet definitions, the only
</PRE></BLOCKQUOTE><PRE wrap="">traffic to
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">traverse the tunnel is what matches the subnets.
</PRE></BLOCKQUOTE><PRE wrap="">It was working till I had to reinstall to fc7, all the
systems have the
same fire wall configeration it is only the local subnet that
is different
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Additional info would be helpful...
Ie)
iptables -t filter -L -v -n
iptables -t nat -L -v -n
iptables -t mangle -L -v -n
iptables -t raw -L -v -n
</PRE></BLOCKQUOTE><PRE wrap="">See attached log files
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">ipsec version
</PRE></BLOCKQUOTE><PRE wrap="">fc2 with U2.1.5/K2.6.8-1.521smp
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">The relevant sections of your ipsec.conf:
The global parts (ie. config setup, conn %default, include
</PRE></BLOCKQUOTE><PRE wrap="">.../no_oe.conf)
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">And any conn sections relevant to the connection.
</PRE></BLOCKQUOTE><PRE wrap="">conn besho-besntl
type=tunnel
left=besho.gotdns.org
leftsubnet=192.168.0.0/24
leftnexthop=165.165.128.1
right=%defaultroute
rightsubnet=192.168.4.0/24
rightnexthop=
rightid=@besntl
auto=add
authby=secret|rsasig
leftrsasigkey=
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Restart openswan (ipsec restart), do your ping tests, then use the
following to get the logs:
egrep -h -e 'Oct 12 09.*pluto' /var/log/*
Change the date and time to match your restart and test.
</PRE></BLOCKQUOTE><PRE wrap="">This did not give me a result
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">Peter McGill
</PRE>
<BLOCKQUOTE type="cite"><PRE wrap="">-----Original Message-----
From: <A class=moz-txt-link-abbreviated href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</A>
[<A class=moz-txt-link-freetext href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</A>] On Behalf Of Martin Erasmus
Sent: October 12, 2007 6:15 AM
To: <A class=moz-txt-link-abbreviated href="mailto:users@openswan.org">users@openswan.org</A>
Subject: [Openswan Users] Link established no data going through
Hi All
I was running fc2 on all my servers, 5 systems, 4 external
servers linking
to the main server at head office. I had a hard drive crash
on my main
server, and I have now had to install fc7.
The 4 external servers are running fc2 with
</PRE></BLOCKQUOTE></BLOCKQUOTE><PRE wrap="">U2.1.5/K2.6.8-1.521smp...
</PRE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">The main Server is running fc7 with U2.4.7/K2.6.21-1.3194.fc7
3 of the external servers link and work with no problem; the last
one seems to
link, but no data travels through the link.
When I start the link I get the following:
ipsec_setup: Starting Openswan IPsec U2.1.5/K2.6.8-1.521smp...
104 "besho-besntl" #1: STATE_MAIN_I1: initiate
003 "besho-besntl" #1: ignoring Vendor ID payload
[4f455a7e4261425d...]
003 "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer
Detection]
106 "besho-besntl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "besho-besntl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "besho-besntl" #1: STATE_MAIN_I4: ISAKMP SA established
112 "besho-besntl" #2: STATE_QUICK_I1: initiate
004 "besho-besntl" #2: STATE_QUICK_I2: sent QI2, IPsec SA
</PRE></BLOCKQUOTE></BLOCKQUOTE><PRE wrap="">established
</PRE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">{ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}
but nothing travels through, no ping, nothing from both sides.
Any ideas?
Thanks
Martin
_______________________________________________
<A class=moz-txt-link-abbreviated href="mailto:Users@openswan.org">Users@openswan.org</A>
<A class=moz-txt-link-freetext href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</A>
Building and Integrating Virtual Private Networks with Openswan:
<A class=moz-txt-link-freetext href="http://www.amazon.com/gp/product/1904811256/104-3099591-294632">http://www.amazon.com/gp/product/1904811256/104-3099591-294632</A>
7?n=283155
</PRE></BLOCKQUOTE></BLOCKQUOTE></BLOCKQUOTE><PRE wrap=""><!---->
</PRE></BLOCKQUOTE><BR></BLOCKQUOTE></BODY></HTML>