<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=842365315-12032008><FONT face=Arial
color=#0000ff size=2>No, that should be working if ISAKMP SA and IPSec SA
established.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=842365315-12032008><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=842365315-12032008><FONT face=Arial
color=#0000ff size=2>> <SPAN><FONT face=Arial color=#0000ff size=2>A ping
from <A href="http://10.5.125.105/" target=_blank>10.5.125.105</A> to <A
href="http://10.8.13.113/" target=_blank>10.8.13.113</A> and vise-versa should
work.</FONT></SPAN></FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT face=Arial
size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Khan, Hammad Aslam
[mailto:raohammad@gmail.com] <BR><B>Sent:</B> March 12, 2008 11:48
AM<BR><B>To:</B> petermcgill@goco.net<BR><B>Cc:</B>
users@openswan.org<BR><B>Subject:</B> Re: [Openswan Users] Packets not passing
through Tunnel<BR></FONT><BR></DIV>
<DIV></DIV>ok thanks but if i dont want my gateway to talk to remote private.
Instead I just want to access remote private from my-private; will I be
required to make changes even in that case?<BR><BR>rgds,<BR>Hammad<BR><BR>
<DIV class=gmail_quote>On Wed, Mar 12, 2008 at 7:47 PM, Peter McGill <<A
href="mailto:petermcgill@goco.net">petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>You
cannot use route add or ip route add with openswan, you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>must
specify the traffic which uses the tunnel in
left/rightsubnet(s).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>To
clarify where are you pinging/telneting from?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>A ping
from <A href="http://10.5.125.105" target=_blank>10.5.125.105</A> to <A
href="http://10.8.13.113" target=_blank>10.8.13.113</A> and vise-versa
should work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>A ping
from <A href="http://10.5.125.100" target=_blank>10.5.125.100</A> or <A
href="http://58.58.58.58" target=_blank>58.58.58.58</A> will not work
because you</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>have not
included them in leftsubnet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Likewise
a ping from <A href="http://202.202.202.202"
target=_blank>202.202.202.202</A> or ?.?.?.? to 10.5.. will not
work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Pings to
58... and 202... will work but not encrypted, plain
internet.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>If you
want your gateway to be able to communicate with remote
private</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>also,
then change your conn as follows:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN> <FONT face=Arial
color=#0000ff size=2>leftsourceip=<A href="http://10.5.125.100"
target=_blank>10.5.125.100</A> # gw will use this instead of 58... to talk
to rem. priv.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN> <FONT face=Arial
color=#0000ff size=2>leftsubnet=<A href="http://10.5.125.96/28"
target=_blank>10.5.125.96/28</A> # you'll need to change subnet on
cisco too</FONT></SPAN></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV><FONT
face=Arial size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> Khan, Hammad Aslam [mailto:<A
href="mailto:raohammad@gmail.com" target=_blank>raohammad@gmail.com</A>]
<BR><B>Sent:</B> March 12, 2008 2:11 AM<BR><B>To:</B> <A
href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A><BR><B>Cc:</B> <A
href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> Re: [Openswan
Users] Packets not passing through Tunnel<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c>
<DIV></DIV>
<DIV>I already have enabled ip forwarding; </DIV>
<DIV>My Setup is like;<BR><BR><SPAN style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">my
private
my gateway
<<pub</SPAN>lic>> remote gw
(cisco vpn
3000)
remote private</SPAN><BR style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">--------
-----------------------------------------</SPAN>
-------------------------------
----------------------</SPAN><BR style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">
|
|
| </SPAN>
|
|
|
|</SPAN><BR style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)"> <A href="http://10.5.125.105"
target=_blank>10.5.125.105</A> === 10.5.125.100(eth1)
(eth0)58.58.58.58 >></SPAN><B
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">></SPAN><</B><SPAN
style="COLOR: rgb(102,0,204)"><< <A
href="http://202.202.202.202"
target=_blank>202.202.202.202</A>
?.?.?.? ==== <A href="http://10.8.13.113"
target=_blank>10.8.13.113</A> |</SPAN><BR
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"> <SPAN
style="COLOR: rgb(255,102,0)">
|
|
| </SPAN>
|
|
|
| </SPAN><BR style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(102,0,204)"><SPAN
style="COLOR: rgb(255,102,0)">-------
----------------------------------------- </SPAN>
------------------------------
----------------------</SPAN><BR
style="COLOR: rgb(102,0,204)"><BR><BR><B>My Config file</B><BR>config
setup<BR>
interfaces="ipsec0=eth0"<BR>
plutodebug="all"<BR>
nat_traversal=yes<BR><BR>conn
nattelenor<BR>
type=tunnel<BR>
authby=secret
# secret key<BR>
auth=esp<BR>
pfs=no<BR>
keylife=28800<BR>
keyingtries=3<BR>
auto=add<BR>
ike=3des-md5-modp1024<BR>
esp=3des-md5<BR> left=<A
href="http://58.58.58.58" target=_blank>58.58.58.58</A>
# my
external, internet-routable ip address, provided by NAT
box=<BR> leftsubnet=<A
href="http://10.5.125.105/32"
target=_blank>10.5.125.105/32</A><BR>
right=<A href="http://202.202.202.202" target=_blank>202.202.202.202</A>
#
my peer's external, internet-routable ip
address=<BR>
rightsubnet=<A href="http://10.8.13.113/32"
target=_blank>10.8.13.113/32</A><BR>
<BR>#Disable Opportunistic Encryption<BR>include
/etc/ipsec.d/examples/no_oe.conf<BR><BR><B>My ipsec verify
result</B><BR><BR>Checking your system to see if IPsec got installed and
started correctly:<BR>Version check and ipsec
on-path
[OK]<BR>Linux Openswan U2.4.9/K2.6.18-1.2798.fc6 (netkey)<BR>Checking for
IPsec support in
kernel
[OK]<BR>NETKEY detected, testing for disabled ICMP
send_redirects [FAILED]<BR><BR>
Please disable /proc/sys/net/ipv4/conf/*/send_redirects<BR> or
NETKEY will cause the sending of bogus ICMP redirects!<BR><BR>NETKEY
detected, testing for disabled ICMP
accept_redirects [FAILED]<BR><BR> Please
disable /proc/sys/net/ipv4/conf/*/accept_redirects<BR> or NETKEY
will accept bogus ICMP redirects!<BR><BR>Checking for RSA private key
(/etc/ipsec.secrets)
[OK]<BR>Checking that pluto is
running
[OK]<BR>Two or more interfaces found, checking IP
forwarding
[OK]<BR>Checking NAT and
MASQUERADEing
[OK]<BR>Checking for 'ip'
command
[OK]<BR>Checking for 'iptables'
command
[OK]<BR>Opportunistic Encryption
Support
[DISABLED]<BR><BR><BR>Regards,<BR>Hammad<BR><BR><BR></DIV>
<DIV class=gmail_quote>On Tue, Mar 11, 2008 at 10:56 PM, Peter McGill
<<A href="mailto:petermcgill@goco.net"
target=_blank>petermcgill@goco.net</A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Did
you add leftsourceip=leftlanip and
rightsourceip=rightlanip?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>Without them you can only ping hosts other than the ipsec
gateway,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>on
the remote lan, and only from hosts on the local lan not the
local</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff
size=2>ipsec gateway.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN><FONT face=Arial color=#0000ff size=2>Show
us your ipsec.conf and ipsec verify.</FONT></SPAN></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Arial size=2>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: rgb(0,0,255) 2px solid; MARGIN-RIGHT: 0px">
<DIV lang=en-us dir=ltr align=left>
<HR>
<FONT face=Tahoma size=2><B>From:</B> <A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A> [mailto:<A
href="mailto:users-bounces@openswan.org"
target=_blank>users-bounces@openswan.org</A>] <B>On Behalf Of
</B>Khan, Hammad Aslam<BR><B>Sent:</B> March 11, 2008 1:45
PM<BR><B>To:</B> <A href="mailto:users@openswan.org"
target=_blank>users@openswan.org</A><BR><B>Subject:</B> [Openswan
Users] Packets not passing through Tunnel<BR></FONT><BR></DIV>
<DIV>
<DIV></DIV>
<DIV>
<DIV></DIV>Hello everyone,<BR>My tunnel has been successfully
established (both ISAKMP and IPSEC are UP);<BR>but when I try to
ping/telnet remote end's private network PC i dont get any
response.,<BR><BR>Using <B>tcpdump -i eth0 </B>(which is my public
interface of GW) it shows that GW is querying internet for
remote-private-nw using ARP. No ESP packets are seen...<BR><BR>I added
a route of <BR># route add <remote-private-ip> gw
<remote-public-ip><BR>...but still, i see the same
result?<BR><BR>Please
help.<BR><BR>Regards,<BR>Hammad<BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></DIV></DIV></BLOCKQUOTE></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>