<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<font size="-1"><font face="Trebuchet MS">Hello!<br>
<br>
I'm new in OpenSwan, and i'm trying to get connection a Linux Box
(pppoe as leftid) and Netscreen on the other side<br>
<br>
Phase 1 and Phase 2 seems to be allright<br>
<br>
wells ~ # ipsec auto --up myconn<br>
112 "myconn" #1: STATE_AGGR_I1: initiate<br>
003 "myconn" #1: ignoring unknown Vendor ID payload
[85f41d68c72215a39fdc9358a3a3fbfae48d09690000000e00000500]<br>
003 "myconn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]<br>
004 "myconn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}<br>
117 "myconn" #2: STATE_QUICK_I1: initiate<br>
003 "myconn" #2: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME<br>
004 "myconn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7d72da83 <0x304bd4a9 xfrm=3DES_0-HMAC_SHA1 NATD=none
DPD=none}<br>
<br>
Here is my configuration:<br>
<br>
conn myconn<br>
auto=add<br>
left=88.YYY.YYY.95<br>
leftid=88.YYY.YYY.95<br>
leftsubnet=192.168.1.0/24<br>
right=XXX.143.XXX.XXX<br>
rightid=XXX.143.XXX.XXX<br>
rightsubnet=192.168.8.4/32<br>
type=tunnel<br>
# phase1<br>
authby=secret<br>
ike=3des-sha1-modp1024<br>
# phase2<br>
esp=3des-sha1<br>
rekey=yes<br>
pfs=yes<br>
aggrmode=yes<br>
compress=no<br>
</font></font><font size="-1"><font face="Trebuchet MS"><br>
When i do "ping" to rightid: </font></font><font size="-1"><font
face="Trebuchet MS">192.168.8.4/32<br>
<br>
wells ~ # ping </font></font><font size="-1"><font face="Trebuchet MS">192.168.8.4</font></font><br>
<font size="-1"><font face="Trebuchet MS">PING </font></font><font
size="-1"><font face="Trebuchet MS">192.168.8.4</font></font><font
size="-1"><font face="Trebuchet MS"> (</font></font><font size="-1"><font
face="Trebuchet MS">192.168.8.4</font></font><font size="-1"><font
face="Trebuchet MS">) 56(84) bytes of data.<br>
>From 192.168.153.1 icmp_seq=1 Packet filtered<br>
>From 192.168.153.1 icmp_seq=2 Packet filtered<br>
<br>
And tcpdump -i ppp0 shows ICMP traffic<br>
<br>
As you see... its no using IPSec tunnel, and ISP drop ClassB traffic<br>
<br>
Do I have forgotten any step? As there's no ipsec0 device (linux 2.6
kernel, </font></font><font size="-1"><font face="Trebuchet MS">netkey)</font></font><font
size="-1"><font face="Trebuchet MS">... how to get routing traffic
throw IPSec? Routes are managed from "route" / "ip route" or i should
use "ipsec eroute"? In config setup i have an
"interfaces="ipsec0=ppp0"" line</font></font><font size="-1"><font
face="Trebuchet MS"><br>
Thanks in advance<br>
<br>
Best Regards!<br>
<br>
Pd. <br>
</font></font><font size="-1"><font face="Trebuchet MS">==========<br>
Kernel IP routing table<br>
Destination Gateway Genmask Flags Metric Ref Use
Iface<br>
172.XXX.8.XXX 192.168.79.1 255.255.255.255 UGH 0 0 0
eth1<br>
172.XXX.6.XXX 192.168.79.1 255.255.255.255 UGH 0 0 0
eth1<br>
</font></font><font size="-1"><font face="Trebuchet MS">192.168.8.4</font></font><font
size="-1"><font face="Trebuchet MS"> 0.0.0.0 255.255.255.255
UH 0 0 0 ppp0<br>
172.XXX.6.XXX 192.168.79.1 255.255.255.255 UGH 0 0 0
eth1<br>
192.168.71.0 0.0.0.0 255.255.255.0 U 0 0 0
eth2<br>
192.168.79.0 0.0.0.0 255.255.255.0 U 0 0 0
eth1<br>
192.168.218.0 0.0.0.0 255.255.255.0 U 0 0 0
eth0<br>
191.100.0.0 0.0.0.0 255.255.0.0 U 0 0 0
eth0<br>
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0
lo<br>
0.0.0.0 </font></font><font size="-1"><font face="Trebuchet MS">88.YYY.YYY.95</font></font><font
size="-1"><font face="Trebuchet MS"> 0.0.0.0 UG 0
0 0 ppp0</font></font><br>
<font size="-1"><font face="Trebuchet MS"><br>
<br>
==========<br>
wells ~ # ipsec verify<br>
Checking your system to see if IPsec got installed and started
correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.4.9/K2.6.22-Wells04 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY detected, testing for disabled ICMP send_redirects [OK]<br>
NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>
Checking for RSA private key (/etc/ipsec/ipsec.secrets)
[DISABLED]<br>
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"<br>
Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing<br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
Opportunistic Encryption Support
[DISABLED]<br>
</font></font>
<br>
<div class="moz-signature">-- <br>
<hr>
<table width="500">
<tbody>
<tr style="vertical-align: middle;">
<td><img src="cid:part1.00080903.08060303@telecyl.com"></td>
<td
style="font-size: 12px; font-family: Trebuchet MS; text-align: right;">Patrocinador
Oficial: </td>
<td
style="font-size: 12px; font-family: Trebuchet MS; text-align: right;"><img
src="cid:part2.01010202.00090205@telecyl.com"></td>
</tr>
</tbody>
</table>
<table>
<tbody>
<tr>
<td style="font-size: 10px;"> </td>
</tr>
<tr style="vertical-align: top;">
<td style="font-size: 12px; font-family: Trebuchet MS;"
width="50%"> <b> Alejandro Alfonso Fernandez <br>
Responsable Área Corporativa </b>
</td>
<td style="font-size: 12px; font-family: Trebuchet MS;"
width="50%"> <a href="mailto:alejandro.alfonso@telecyl.com">alejandro.alfonso@telecyl.com</a>
<br>
<a href="http://www.telecyl.com/">http://www.telecyl.com/</a>
</td>
</tr>
<tr>
<td style="font-size: 10px;"> </td>
</tr>
<tr style="vertical-align: top;">
<td style="font-size: 12px; font-family: Trebuchet MS;"
width="50%"> Proción 7, Portales 1-2 Edificio América II <br>
28023 Madrid <br>
Tfn: 902 60 25 55 - Fax: 91 452 18 08
</td>
<td style="font-size: 12px; font-family: Trebuchet MS;"
width="50%"> Juan García Hortelano, 43 Edificio Telecyl <br>
47014 Valladolid <br>
Tfn: 902 60 25 55 - Fax: 983 428 223
</td>
</tr>
</tbody>
</table>
<hr>
</div>
<br>
</body>
</html>