Hello,<br>
Here is what it says when I do "ipsec verify"<br>
---------------------------<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.6.16/K2.6.27.19-5-pae (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br>
<br>
 Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br>
 or NETKEY will cause the sending of bogus ICMP redirects!<br>
<br>
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br>
<br>
 Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br>
 or NETKEY will accept bogus ICMP redirects!<br>
<br>
Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>
Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing [N/A]<br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
<br>
Opportunistic Encryption DNS checks:<br>
 Looking for TXT in forward dns zone: DNSZONE [MISSING]<br>
Does the machine have at least one non-private address? [OK]<br>
 Looking for TXT in reverse dns zone: 98.x.x.x.in-addr.arpa. [MISSING]<br>
 Looking for TXT in reverse dns zone: 202.x.x.x.in-addr.arpa. [MISSING]<br>
----------------------------------<br clear="all">
Not sure what that means, so any help is appreciated. Any additional thoughts, related or unrelated to this? Thanks!<br>
<br>
Sincerely,<br>
<br>
Jay<br>
<br>
<br>
<br><br><div class="gmail_quote">On Tue, Nov 3, 2009 at 1:45 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Tue, 3 Nov 2009, Jay Smith wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Greetings fellow travellers. I have an interesting problem that I<br>
hope someone can help illuminate.<br>
We have a 'working' tunnel. The remote site (192.168.50.xx, Cisco<br>
ASA 3000 series) is able to ping the local gateway box (Suse<br>
Enterprise Linux 11, kernel 2.6.27.19-5-pae) at 172.38.xx.xxx, but<br>
nothing beyond the gateway on the local side;<br>
</blockquote>
<br></div>
Usually that means forwarding is disabled, or some accidental NAT is happening.<br>
What does "ipsec verify" say?<br>
There might also be issues if the ipsec gateway is not the default gateway,<br>
and return packets never reach it due to a missing route back to the ipsec server.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br>
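The two [FAILED] lines in the "ipsec verify" output above are the per-interface send_redirects and accept_redirects sysctls, and the forwarding check Paul mentions is /proc/sys/net/ipv4/ip_forward. The following is an added example, not code from this thread or from Openswan: a POSIX shell function that reproduces those three checks, plus a companion that writes the expected values. The ROOT parameter is an assumption made so the functions can be run against a constructed directory tree as well as a live host's /proc/sys.

```shell
#!/bin/sh
# Added example, not Openswan's own code: reproduce the NETKEY checks that
# "ipsec verify" reports (send_redirects, accept_redirects, ip_forward)
# against a configurable /proc/sys root (ROOT=/proc/sys on a live host).

# check_netkey_sysctls ROOT
#   Prints one line per mis-set knob; the return status is the failure count.
check_netkey_sysctls() {
    root="$1"
    failures=0
    # NETKEY needs send_redirects=0 and accept_redirects=0 on every interface,
    # otherwise the kernel emits, or honours, bogus ICMP redirects for
    # traffic that is really being routed through the tunnel.
    for knob in send_redirects accept_redirects; do
        for f in "$root"/net/ipv4/conf/*/"$knob"; do
            [ -f "$f" ] || continue
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "FAILED: $f is $val, expected 0"
                failures=$((failures + 1))
            fi
        done
    done
    # A gateway with two or more interfaces must have ip_forward=1, or
    # packets that arrive through the tunnel never leave the gateway.
    fwd="$root/net/ipv4/ip_forward"
    if [ -f "$fwd" ]; then
        val=$(cat "$fwd")
        if [ "$val" != "1" ]; then
            echo "FAILED: $fwd is $val, expected 1"
            failures=$((failures + 1))
        fi
    fi
    return "$failures"
}

# fix_netkey_sysctls ROOT
#   Writes the values the checks expect. On a live host this needs root and
#   only lasts until reboot; add the same keys to /etc/sysctl.conf to persist.
fix_netkey_sysctls() {
    root="$1"
    for knob in send_redirects accept_redirects; do
        for f in "$root"/net/ipv4/conf/*/"$knob"; do
            if [ -f "$f" ]; then echo 0 > "$f"; fi
        done
    done
    if [ -f "$root/net/ipv4/ip_forward" ]; then echo 1 > "$root/net/ipv4/ip_forward"; fi
}

# On a live host: check_netkey_sysctls /proc/sys || fix_netkey_sysctls /proc/sys
```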