<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi<br>
After hours of looking at the log file, I compared the ipsec.conf to a
working system and found that the only difference was that compress=yes
was in the file on the system that was not working. I deleted this line
and it worked.<br>
<br>
Thanks for all your help<br>
<br>
Marti<br>
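As an added illustration (not part of this thread or of Openswan), the check below automates what was done by hand above: it parses ipsec.conf for conn sections whose effective setting is compress=yes, and it picks the IPCOMP SPIs out of Pluto's "IPsec SA established" line, which is the visible sign in the first log that compression was negotiated for the tunnel. The sample config and log lines are constructed from values quoted in this thread.<br>

```python
import re

# Constructed sample ipsec.conf, modelled on the besho-besntl conn in this thread plus the culprit line.
SAMPLE_CONF = """\
conn %default
    keyingtries=3
conn besho-besntl
    left=besho.gotdns.org
    leftsubnet=192.168.0.0/24
    rightsubnet=192.168.4.0/24
    compress=yes
include /etc/ipsec.d/examples/no_oe.conf
"""
# Constructed Pluto lines in the thread's shape; the second carries IPCOMP SPIs, i.e. compression was negotiated.
SAMPLE_LOG = [
    'Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: sent QI2, IPsec SA established {ESP=>0xa63eeebb <0x2f4c0736}',
    'Oct 12 06:15:00 natal pluto[19045]: "besho-besntl" #2: sent QI2, IPsec SA established {ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}',
]

def parse_conns(text):
    """Return {conn_name: {key: value}}; settings from conn %default are inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if line and not line[0].isspace():            # 'conn NAME', 'config setup', 'include ...'
            words = line.split()
            current = words[1] if words[0] == "conn" and len(words) > 1 else None
            if current:
                sections.setdefault(current, {})
        elif line and current and "=" in line:        # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **kv} for name, kv in sections.items()}

def parse_sa_line(line):
    """Conn name and outbound SPIs from an 'IPsec SA established' log line, else None."""
    m = re.search(r'"(?P<conn>[^"]+)" #\d+: .*IPsec SA established \{(?P<body>[^}]*)\}', line)
    if not m:
        return None
    spis = dict(re.findall(r"(ESP|AH|IPCOMP)=>(0x[0-9a-fA-F]+)", m.group("body")))
    return {"conn": m.group("conn"), "ipcomp": "IPCOMP" in spis, "spis": spis}

def flag_compressed_tunnels(conf_text, log_lines):
    """Conns that request compression and whose SA negotiated IPCOMP in the log."""
    compressed = {n for n, kv in parse_conns(conf_text).items() if kv.get("compress", "no").lower() == "yes"}
    seen = [parse_sa_line(l) for l in log_lines]
    return sorted({s["conn"] for s in seen if s and s["ipcomp"] and s["conn"] in compressed})
```

A conn inherits compress from conn %default, so the check looks at the effective value rather than only the conn's own lines.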
Peter McGill wrote:
<blockquote cite="mid:004701c80f32$454a0740$350115ac@ghport3"
type="cite">
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">The TTY and PWD are irrelevant;
they're from sudo, not openswan, completely unrelated.</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">Hmm, your iptables firewall
rules, ipsec.conf, log files, ipsec verify all looked good to me.</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">None of your openswan switches
are behind a NAT router, are they?</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">They all have direct internet
connections?</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">What does your config setup
section in ipsec.conf look like?</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">Try tcpdumping your public
interface then ping during the tcpdump and watch the results.</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">ie)</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">tcpdump -i ppp0 host
besho.gotdns.org</font></span></div>
<div dir="ltr" align="left"><span class="961423613-15102007"><font
color="#0000ff" face="Arial" size="2">Maybe that will contain a hint
to your problem.</font></span></div>
<div> </div>
<div align="left"><font face="Arial" size="2">Peter McGill</font></div>
<div> </div>
<br>
<blockquote
style="border-left: 2px solid rgb(0, 0, 255); padding-left: 5px; margin-left: 5px; margin-right: 0px;">
<div class="OutlookMessageHeader" dir="ltr" align="left"
lang="en-us">
<hr tabindex="-1"> <font face="Tahoma" size="2"><b>From:</b>
Martin Erasmus [<a class="moz-txt-link-freetext" href="mailto:martin@onyx.co.za">mailto:martin@onyx.co.za</a>] <br>
<b>Sent:</b> October 13, 2007 2:16 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:petermcgill@goco.net">petermcgill@goco.net</a><br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] Link established no data going
through<br>
</font><br>
</div>
I have tried pinging from a computer in the local lan to a computer in
the remote lan, and from the remote openswan server to the local
openswan server.<br>
<br>
When I ping from another remote openswan server to the local openswan
server, it works.<br>
<br>
Here is the pluto log:<br>
<br>
Oct 13 07:54:13 natal ipsec__plutorun: Starting Pluto subsystem...<br>
Oct 13 07:54:13 natal pluto[19045]: Starting Pluto (Openswan Version
2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)<br>
Oct 13 07:54:13 natal pluto[19045]: including NAT-Traversal patch
(Version 0.6c) [disabled]<br>
Oct 13 07:54:13 natal pluto[19045]: Using Linux 2.6 IPsec interface code<br>
Oct 13 07:54:14 natal pluto[19045]: Changing to directory
'/etc/ipsec.d/cacerts'<br>
Oct 13 07:54:14 natal pluto[19045]: Warning: empty directory<br>
Oct 13 07:54:14 natal pluto[19045]: Changing to directory
'/etc/ipsec.d/crls'<br>
Oct 13 07:54:14 natal pluto[19045]: Warning: empty directory<br>
Oct 13 07:54:14 natal pluto[19045]: added connection description
"besho-besntl"<br>
Oct 13 07:54:14 natal pluto[19045]: listening for IKE messages<br>
Oct 13 07:54:14 natal pluto[19045]: adding interface ppp0/ppp0
41.240.44.24<br>
Oct 13 07:54:14 natal pluto[19045]: adding interface eth1/eth1
192.168.4.1<br>
Oct 13 07:54:14 natal pluto[19045]: adding interface eth0/eth0 10.0.0.1<br>
Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo 127.0.0.1<br>
Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo ::1<br>
Oct 13 07:54:14 natal pluto[19045]: loading secrets from
"/etc/ipsec.secrets"<br>
Oct 13 07:54:18 natal sudo: besmac : TTY=unknown ; PWD=/home/besmac ;
USER=root ; COMMAND=/usr/sbin/ipsec auto --up besho-besntl<br>
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: initiating Main
Mode<br>
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring Vendor
ID payload [4f455a7e4261425d...]<br>
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring Vendor
ID payload [Dead Peer Detection]<br>
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: Peer ID is
ID_IPV4_ADDR: '41.243.162.65'<br>
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4<br>
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: ISAKMP SA
established<br>
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: initiating Quick
Mode PSK+RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}<br>
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2<br>
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: sent QI2, IPsec
SA established {ESP=>0xa63eeebb <0x2f4c0736}<br>
Oct 13 07:54:19 natal sudo: besmac : TTY=unknown ; PWD=/home/besmac ;
USER=root ; COMMAND=/sbin/route add -net 192.168.0.0 netmask
255.255.255.0 eth1<br>
<br>
I have compared it to the other remote server and the only difference
is the TTY and the PWD. How do I change this, or is it not necessary?<br>
<br>
Thanks<br>
<br>
Martin<br>
<br>
Peter McGill wrote:
<blockquote cite="mid:000901c80ce5$755359e0$350315ac@ghport3"
type="cite">
<pre wrap="">Hmm, ipsec verify looks ok.
I don't see any problems in your iptables firewall rules, they look ok.
How are you doing your ping tests, from a computer in the local lan to
A computer in the remote lan? Or openswan server to openswan server?
If server to server your subnets are not setup for that, use lan pc to lan pc.
Do you know where fc puts log files, most Linuxes put in /var/log.
Openswan logs with process name pluto.
Generally grep 'pluto' /var/log/* should find your logs.
Peter McGill
</pre>
<blockquote type="cite">
<pre wrap="">-----Original Message-----
From: Martin Erasmus [<a moz-do-not-send="true"
class="moz-txt-link-freetext" href="mailto:martin@onyx.co.za">mailto:martin@onyx.co.za</a>]
Sent: October 12, 2007 11:02 AM
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:martin@onyx.co.za">martin@onyx.co.za</a>; <a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:users@openswan.org">users@openswan.org</a>
Subject: RE: [Openswan Users] Link established no data going through
</pre>
<blockquote type="cite">
<pre wrap="">Could be a firewall issue, is the subnet for that connection in a
different private range then the others?
</pre>
</blockquote>
<pre wrap="">Yes all the locations have their own subnets
</pre>
<blockquote type="cite">
<pre wrap="">Check your iptables rules to make sure the traffic is accepted.
Do your ping tests match your subnet definitions? The only traffic to
traverse the tunnel is what matches the subnets.
</pre>
</blockquote>
<pre wrap="">It was working till I had to reinstall to fc7, all the
systems have the
same fire wall configeration it is only the local subnet that
is different
</pre>
<blockquote type="cite">
<pre wrap="">Additional info would be helpful...
Ie)
iptables -t filter -L -v -n
iptables -t nat -L -v -n
iptables -t mangle -L -v -n
iptables -t raw -L -v -n
</pre>
</blockquote>
<pre wrap="">See attached log files
</pre>
<blockquote type="cite">
<pre wrap="">ipsec version
</pre>
</blockquote>
<pre wrap="">fc2 with U2.1.5/K2.6.8-1.521smp
</pre>
<blockquote type="cite">
<pre wrap="">The relevant sections of your ipsec.conf:
The global parts (ie. config setup, conn %default, include .../no_oe.conf)
And any conn sections relevant to the connection.
</pre>
</blockquote>
<pre wrap="">conn besho-besntl
type=tunnel
left=besho.gotdns.org
leftsubnet=192.168.0.0/24
leftnexthop=165.165.128.1
right=%defaultroute
rightsubnet=192.168.4.0/24
rightnexthop=
rightid=@besntl
auto=add
authby=secret|rsasig
leftrsasigkey=
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
</pre>
<blockquote type="cite">
<pre wrap="">Restart openswan (ipsec restart), do your ping tests, then use the
following to get the logs:
egrep -h -e 'Oct 12 09.*pluto' /var/log/*
Change the date and time to match your restart and test.
</pre>
</blockquote>
<pre wrap="">This did not give me a result
</pre>
<blockquote type="cite">
<pre wrap="">Peter McGill
</pre>
<blockquote type="cite">
<pre wrap="">-----Original Message-----
From: <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a>
[<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</a>] On Behalf Of Martin Erasmus
Sent: October 12, 2007 6:15 AM
To: <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:users@openswan.org">users@openswan.org</a>
Subject: [Openswan Users] Link established no data going through
Hi All
I was running fc2 on all my servers, 5 systems, 4 external servers linking
to the main server at head office. I had a hard drive crash on my main
server, and I have now had to install fc7.
The 4 external servers are running fc2 with U2.1.5/K2.6.8-1.521smp...
The main Server is running fc7 with U2.4.7/K2.6.21-1.3194.fc7
3 of the external servers link and work no problem; the last one seems to
link but no data travels through the link.
When I start the link I get the following:
ipsec_setup: Starting Openswan IPsec U2.1.5/K2.6.8-1.521smp...
104 "besho-besntl" #1: STATE_MAIN_I1: initiate
003 "besho-besntl" #1: ignoring Vendor ID payload [4f455a7e4261425d...]
003 "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer Detection]
106 "besho-besntl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "besho-besntl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "besho-besntl" #1: STATE_MAIN_I4: ISAKMP SA established
112 "besho-besntl" #2: STATE_QUICK_I1: initiate
004 "besho-besntl" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}
but nothing travels through, no ping, nothing from both sides.
Any ideas?
Thanks
Martin
</pre>
</blockquote>
</blockquote>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
</blockquote>
</blockquote>
<br>
</body>
</html>