<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16587" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>Linux may not be getting the source ip right on the ping
packet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>Try adding this to conn...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008> <FONT
face=Arial color=#0000ff size=2>leftsourceip=192.168.1.x # lan
ip</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>and/or using...</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>ping -I 192.168.1.x 192.168.8.4</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>and/or pinging from one of the 192.168.1.0/24 subnet
hosts.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>To answer the routing part: you don't route packets into
the tunnel; openswan handles that automatically.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>You just assign left/rightsubnet values and packets
matching them go into the tunnel.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=940051219-31012008><FONT face=Arial
color=#0000ff size=2>If you need additional subnets then add additional conn
sections for them.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
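<DIV dir=ltr align=left><FONT face=Arial size=2>Added example (an editor's illustration, not code from this thread or from Openswan): a small Python model of the NETKEY policy match behind the advice above. With the netkey stack there is no ipsec0 device; a packet is encrypted only when its (source, destination) pair falls inside a conn's leftsubnet/rightsubnet. A ping sent from the gateway itself takes the ppp0 address as its source, which lies outside 192.168.1.0/24, so the packet leaves in the clear over the default route (and in the post gets filtered by the ISP). The model shows why leftsourceip=, ping -I, or pinging from a LAN host makes the pair match. The public addresses are RFC 5737 placeholders for the masked ones in the post, the LAN address 192.168.1.1 and the interface names are assumed, and the leftsourceip route behaviour is modelled on what the updown script does rather than copied from it.</FONT></DIV>

```python
# Added example (not from the original thread, not Openswan code): a model
# of the NETKEY policy match that decides whether a locally generated
# packet is encrypted or leaves the box in the clear.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ipsec.conf fragment. RFC 5737 documentation addresses stand in
# for the masked public IPs of the original post; the subnets are the post's.
CONF_NO_SOURCEIP = """
conn myconn
        left=192.0.2.95
        leftsubnet=192.168.1.0/24
        right=203.0.113.10
        rightsubnet=192.168.8.4/32
        type=tunnel
"""
CONF_WITH_SOURCEIP = CONF_NO_SOURCEIP + "        leftsourceip=192.168.1.1\n"


def parse_conns(text):
    """Return {conn_name: {key: value}} from a minimal ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


@dataclass
class Route:
    prefix: str                      # destination prefix
    iface: str
    iface_addr: str                  # address on the outgoing interface
    src_hint: Optional[str] = None   # preferred source (ip route ... src X)


def pick_route(dst, routes):
    """Longest-prefix match, as the kernel FIB lookup does."""
    d, best, best_len = ipaddress.ip_address(dst), None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def install_routes(conn, routes):
    """With leftsourceip set, add a route to rightsubnet whose preferred
    source is the LAN address. Assumption: this mirrors what Openswan's
    updown script does for leftsourceip; it is not copied from it."""
    if "leftsourceip" in conn:
        via = pick_route(conn["right"], routes)   # interface facing the peer
        routes.append(Route(conn["rightsubnet"], via.iface, via.iface_addr,
                            conn["leftsourceip"]))
    return routes


def choose_source(dst, routes, explicit=None):
    """Source a locally generated packet gets: an explicit one (ping -I)
    wins, then the route's src hint, else the outgoing interface address."""
    if explicit:
        return explicit
    r = pick_route(dst, routes)
    return r.src_hint or r.iface_addr


def policy_matches(conn, src, dst):
    """NETKEY SPD check: src in leftsubnet AND dst in rightsubnet.
    Anything else is not the tunnel's traffic and goes out unencrypted."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(conn["leftsubnet"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(conn["rightsubnet"]))


def diagnose(conf_text, dst, explicit_src=None, forwarded_src=None):
    """Return (source_used, encrypted) for one packet to dst. forwarded_src
    models a packet from a LAN host: forwarding never rewrites its source."""
    conn = parse_conns(conf_text)["myconn"]
    routes = install_routes(conn, [
        Route("0.0.0.0/0", "ppp0", conn["left"]),           # default via PPPoE
        Route(conn["leftsubnet"], "eth1", "192.168.1.1"),  # LAN side (assumed)
    ])
    src = forwarded_src or choose_source(dst, routes, explicit_src)
    return src, policy_matches(conn, src, dst)


if __name__ == "__main__":
    print(diagnose(CONF_NO_SOURCEIP, "192.168.8.4"))    # ('192.0.2.95', False)
    print(diagnose(CONF_WITH_SOURCEIP, "192.168.8.4"))  # ('192.168.1.1', True)
```

<DIV dir=ltr align=left><FONT face=Arial size=2>The point the model makes explicit: a policy miss is not an error. The packet is simply sent unencrypted out the default route, so the check that matters is tcpdump on the outer interface showing ESP rather than the inner protocol, whether or not the ISP happens to drop it.</FONT></DIV>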
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Alejandro
Alfonso<BR><B>Sent:</B> January 30, 2008 10:31 AM<BR><B>To:</B>
users@lists.openswan.org<BR><B>Subject:</B> [Openswan Users]
Openswan+NetScreen - No route - Traffic filtered in ISP<BR></FONT><BR></DIV>
<DIV></DIV><FONT size=-1><FONT face="Trebuchet MS">Hello!<BR><BR>I'm new to
OpenSwan, and I'm trying to get a connection between a Linux box (pppoe as leftid) and a
Netscreen on the other side<BR><BR>Phase 1 and Phase 2 seem to be
all right:</FONT></FONT>
<PRE>
wells ~ # ipsec auto --up myconn
112 "myconn" #1: STATE_AGGR_I1: initiate
003 "myconn" #1: ignoring unknown Vendor ID payload [85f41d68c72215a39fdc9358a3a3fbfae48d09690000000e00000500]
003 "myconn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
004 "myconn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "myconn" #2: STATE_QUICK_I1: initiate
003 "myconn" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "myconn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=&gt;0x7d72da83 &lt;0x304bd4a9 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
</PRE>
<FONT size=-1><FONT face="Trebuchet MS">Here is my configuration:</FONT></FONT>
<PRE>
conn myconn
        auto=add
        left=88.YYY.YYY.95
        leftid=88.YYY.YYY.95
        leftsubnet=192.168.1.0/24
        right=XXX.143.XXX.XXX
        rightid=XXX.143.XXX.XXX
        rightsubnet=192.168.8.4/32
        type=tunnel
        # phase1
        authby=secret
        ike=3des-sha1-modp1024
        # phase2
        esp=3des-sha1
        rekey=yes
        pfs=yes
        aggrmode=yes
        compress=no
</PRE>
<FONT size=-1><FONT face="Trebuchet MS"><BR>When
I ping the rightid 192.168.8.4/32:</FONT></FONT>
<PRE>
wells ~ # ping 192.168.8.4
PING 192.168.8.4 (192.168.8.4) 56(84) bytes of data.
From 192.168.153.1 icmp_seq=1 Packet filtered
From 192.168.153.1 icmp_seq=2 Packet filtered
</PRE>
<FONT size=-1><FONT face="Trebuchet MS">And tcpdump -i ppp0 shows ICMP traffic<BR><BR>As you see...
it's not using the IPsec tunnel, and the ISP drops class B traffic<BR><BR>Have I
forgotten any step? As there's no ipsec0 device (linux 2.6 kernel,
netkey)... how do I get traffic routed through IPsec? Are routes
managed with "route" / "ip route", or should I use "ipsec eroute"? In
config setup I have an "interfaces="ipsec0=ppp0""
line<BR>Thanks in
advance<BR><BR>Best Regards!<BR><BR>PS.<BR></FONT></FONT>
<PRE>
==========
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.XXX.8.XXX   192.168.79.1    255.255.255.255 UGH   0      0        0 eth1
172.XXX.6.XXX   192.168.79.1    255.255.255.255 UGH   0      0        0 eth1
192.168.8.4     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.XXX.6.XXX   192.168.79.1    255.255.255.255 UGH   0      0        0 eth1
192.168.71.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.218.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
191.100.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         88.YYY.YYY.95   0.0.0.0         UG    0      0        0 ppp0

==========
wells ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                  [OK]
Linux Openswan U2.4.9/K2.6.22-Wells04 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
</PRE>
<BR>
<DIV class=moz-signature>-- <BR>
<HR>
<TABLE>
<TBODY>
<TR>
<TD style="FONT-SIZE: 10px"> </TD></TR>
<TR style="VERTICAL-ALIGN: top">
<TD style="FONT-SIZE: 12px; FONT-FAMILY: Trebuchet MS"
width="50%"><B> Alejandro Alfonso Fernandez
<BR> Corporate Area Manager </B></TD>
<TD style="FONT-SIZE: 12px; FONT-FAMILY: Trebuchet MS" width="50%"><A
href="mailto:alejandro.alfonso@telecyl.com">alejandro.alfonso@telecyl.com</A>
<BR><A href="http://www.telecyl.com/">http://www.telecyl.com/</A> </TD></TR>
<TR>
<TD style="FONT-SIZE: 10px"> </TD></TR>
<TR style="VERTICAL-ALIGN: top">
<TD style="FONT-SIZE: 12px; FONT-FAMILY: Trebuchet MS"
width="50%">Proción 7, Portales 1-2 Edificio América II <BR>28023 Madrid
<BR>Tel: 902 60 25 55 - Fax: 91 452 18 08 </TD>
<TD style="FONT-SIZE: 12px; FONT-FAMILY: Trebuchet MS" width="50%">Juan
García Hortelano, 43 Edificio Telecyl <BR>47014 Valladolid <BR>Tel: 902
60 25 55 - Fax: 983 428 223 </TD></TR></TBODY></TABLE>
<HR>
</DIV><BR></BLOCKQUOTE></BODY></HTML>