<div class="moz-text-plain" style="font-family: -moz-fixed; font-size: 12px;" lang="x-western"><pre>On Tue, 9 Jun 2009, Joćo Kuchnier wrote:<br><span class="moz-txt-citetags"><br>> </span>Both tunnels establish, so my guess is this is a firewalling or<br>
<span class="moz-txt-citetags">> </span>routing issues. Are you excluding packets that are going to be<br><span class="moz-txt-citetags">> </span>tunneled from getting NAT'ed?<br><span class="moz-txt-citetags">> </span>--> Like I said on the first e-mail (I lost it too), I have a firewall with two zones, tunnels an hosts to both subnets on that end. <br>
<span class="moz-txt-citetags">> </span>Everythin coming from or going to that end is accepted on firewall an nat'ed to the DMZ Openswan server.<br><span class="moz-txt-citetags">> </span><br><span class="moz-txt-citetags">> </span>--> On the Openswan server there is another firewall (shorewall to) nat'ing some specific packages for two other servers on DMZ.<br>
<span class="moz-txt-citetags">> </span>--> /etc/shorewall/rules is like this: DNAT net <a class="moz-txt-link-freetext" href="net:192.168.1.x">net:192.168.1.x</a> tcp 2xxx<br></pre><pre><br>But you might not be excluding all NAT ranges you are trying to tunnel?<br>
<br>--> I don't think so, but I will try to figure it out with the shorewall users list. </pre><blockquote type="cite"><pre><span class="moz-txt-citetags">> </span>--> maybe this is the problem at all<br><span class="moz-txt-citetags">> </span>Jun 5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...<br>
<span class="moz-txt-citetags">> </span>Could use an update to openswan 2.4.14.<br><span class="moz-txt-citetags">> </span>--> I'm using an Ubuntu Server 8.10. This version is the newest on available in repositories...<br>
</pre></blockquote><pre><br>Debian/ubuntu needs to learn not to ship ancient versions. I suggest you<br>upgrade to 2.4.14.<br><br>--> I downloaded the 2.6.21 version...</pre><blockquote type="cite"><pre><span class="moz-txt-citetags">> </span>What does 'ipsec verify' say?<br>
<span class="moz-txt-citetags">> </span>--> ipsec verify<br><span class="moz-txt-citetags">> </span>Checking your system to see if IPsec got installed and started correctly:<br><span class="moz-txt-citetags">> </span>Version check and ipsec on-path [OK]<br>
<span class="moz-txt-citetags">> </span><br><span class="moz-txt-citetags">> </span>Linux Openswan U2.4.9/K2.6.24-19-server (netkey)<br><span class="moz-txt-citetags">> </span>Checking for IPsec support in kernel [OK]<br>
<span class="moz-txt-citetags">> </span>NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br><span class="moz-txt-citetags">> </span> Please disable <i class="moz-txt-slash"><span class="moz-txt-tag">/</span>proc/sys/net/ipv4/conf<span class="moz-txt-tag">/</span></i>*/send_redirects<br>
<span class="moz-txt-citetags">></span><br><span class="moz-txt-citetags">> </span> or NETKEY will cause the sending of bogus ICMP redirects!<br><span class="moz-txt-citetags">> </span>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br>
<span class="moz-txt-citetags">> </span> Please disable <i class="moz-txt-slash"><span class="moz-txt-tag">/</span>proc/sys/net/ipv4/conf<span class="moz-txt-tag">/</span></i>*/accept_redirects<br><span class="moz-txt-citetags">> </span> or NETKEY will accept bogus ICMP redirects!<br>
</pre></blockquote><pre><br>Fix those. grab a recent openswan-2.6.x release and check programs/examples/<a href="http://sysctl.conf.in">sysctl.conf.in</a><br>to see the entries you need to have.<br><br>--> OK, but I encountered this errors while compiling...<br>
<br>#make programs install<br><br>#In file included from /home/administrador/openswan-2.6.21/include/certs.h:23,<br># from /home/administrador/openswan-2.6.21/lib/libopenswan/id.c:40:<br>#/home/administrador/openswan-2.6.21/include/secrets.h:19:41: error: gmp.h: No such file or directory<br>
#In file included from /home/administrador/openswan-2.6.21/include/certs.h:23,<br># from /home/administrador/openswan-2.6.21/lib/libopenswan/id.c:40:<br>#/home/administrador/openswan-2.6.21/include/secrets.h:37: error: expected specifier-qualifier-list before MP_INT<br>
#/home/administrador/openswan-2.6.21/include/secrets.h:45: error: expected specifier-qualifier-list before MP_INT<br>#make[3]: *** [id.o] Error 1<br>#make[3]: Leaving directory `/home/administrador/openswan-2.6.21/OBJ.linux.i386/lib/libopenswan'<br>
#make[2]: *** [programs] Error 1<br>#make[2]: Leaving directory `/home/administrador/openswan-2.6.21/OBJ.linux.i386/lib'<br>#make[1]: *** [programs] Error 1<br>#make[1]: Leaving directory `/home/administrador/openswan-2.6.21/OBJ.linux.i386'<br>
#make: *** [programs] Error 2<br><br>--> I find out that I need to install gmp development package. I installed, but I'm still getting the same error...<br><br>Joćo K.<br>_______________________________________________<br>
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a><br><a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a><br>
Building and Integrating Virtual Private Networks with Openswan: <br><a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></pre></div>