<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi Paul,<div><br></div><div>Thank you VERY MUCH for your answer.</div><div><br></div><div>This is the result from ipsec verify:</div><div><br></div><div><div>Checking your system to see if IPsec got installed and started correctly:</div><div>Version check and ipsec on-path <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Linux Openswan U2.6.21/K2.6.18-128.1.10.el5PAE (netkey)</div><div>Checking for IPsec support in kernel <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>NETKEY detected, testing for disabled ICMP send_redirects <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>NETKEY detected, testing for disabled ICMP accept_redirects <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Checking for RSA private key (/etc/ipsec.secrets) <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Checking that pluto is running <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Two or more interfaces found, checking IP forwarding <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Checking NAT and MASQUERADEing <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Checking for 'ip' command <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Checking for 'iptables' command <span class="Apple-tab-span" style="white-space:pre">        </span>[OK]</div><div>Opportunistic Encryption Support <span class="Apple-tab-span" style="white-space:pre">        </span>[DISABLED]</div></div><div><br></div><div>The people from the Juniper VPN concentrator say they don't see any traffic coming from our IPs, so it would seem there's no traffic coming out from Box 1 (CentOS box). 
The strange thing is it doesn't work even if iptables is disabled (so no blocking is apparently occurring, or at least it isn't the main problem).</div><div><br></div><div>My best guess now is that I'm having a routing problem. </div><div><br></div><div>Any ideas on how to tell Linux to route the packets going to zzz.zzz.zzz.3 through the tunnel?? (I'm using netkey, not KLIPS)</div><div><br></div><div>This configuration may be helpful too:</div><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 12px/normal Helvetica; ">vi /etc/sysctl.conf</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "># added for openswan</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">net.ipv4.conf.all.accept_redirects = 0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">net.ipv4.conf.default.accept_redirects = 0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">net.ipv4.conf.all.send_redirects = 0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">net.ipv4.conf.default.send_redirects = 0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; min-height: 16px; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "># also try</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">net.ipv4.conf.default.rp_filter = 0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">net.ipv4.ip_forward = 1</div></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">This is the result of route -n:</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">root@bitlab [~]# route -n</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">Kernel IP routing table</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">Destination Gateway Genmask Flags Metric Ref Use Iface</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.132 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.133 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div 
style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.134 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.135 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">201.161.57.184 0.0.0.0 255.255.255.255 UH 0 0 0 *</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.131 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">201.161.26.81 0.0.0.0 255.255.255.255 UH 0 0 0 *</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.136 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.137 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.138 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.139 0.0.0.0 255.255.255.255 UH 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">xxx.xxx.xxx.128 0.0.0.0 255.255.255.240 U 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 
0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0</div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; ">0.0.0.0 xxx.xxx.xxx.129 0.0.0.0 UG 0 0 0 eth0</div><div><br></div><div>Please note xxx.xxx.xxx.1 (in my examples) = xxx.xxx.xxx.130 (main IP of eth0 and hence not in routing tables)</div><div><br></div><div>I can't find any route to yyy.yyy.yyy.2 or zzz.zzz.zzz.3 (the box in the private LAN) anywhere in the routing table. I'm not sure if this is OK.</div><div><br></div><div>Any ideas?</div><div><br></div><div>Again, thank you for your help.</div><div>Rodrigo</div></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 13px/normal Courier; "><br></div><div><br><div><div>On 23/11/2010, at 13:11, Paul Wouters wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>On Tue, 23 Nov 2010, "Ing. Rodrigo Méndez" wrote:<br><br><blockquote type="cite">My Linux CentOS server (openswan) IP: xxx.xxx.xxx.1 ----- VPN Concentrator (Juniper ISG 2000) IP: yyy.yyy.yyy.2 --- Remote box 3 (private IP: zzz.zzz.zzz.3)<br></blockquote><blockquote type="cite">Boxes 1 and 2 have public IPs. Box 3 has a private IP (it is behind the VPN Concentrator). The goal is to connect box 1 to box 3.<br></blockquote><br><blockquote type="cite">My config is as follows:<br></blockquote><br>Looks fine.<br><br><blockquote type="cite">The problem is that the tunnel is UP but there's no way I can connect or ping the other side. 
An interesting thing is that if I ping the other side from box 1 after I disabled iptables (service iptables stop) I get no response at all, but if iptables is active I get the error message "ping: sendmsg: operation not permitted"<br></blockquote><br>So your firewall has a problem and needs to allow traffic from/to zzz.zzz.zzz.3<br><br><blockquote type="cite">Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7636a3 <0x1149928c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br></blockquote><br>Looks good.<br><br>Perhaps the Juniper or the remote box 3 is not allowing your ping to go through?<br><br>Run ipsec verify, do you have IP forwarding enabled? rp_filter disabled?<br><br>Paul<br><br></div></blockquote></div><br><div>
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div></div>
</div>
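<div>Added example (not part of the original thread, nor Openswan's own code) illustrating the routing question above: with the NETKEY/XFRM stack there is no ipsec0 interface and no per-peer route, so a packet for the remote box first takes whatever the ordinary routing table gives it (here the default route) and is then matched against the kernel's XFRM policies, which decide whether it gets ESP-encapsulated. The script below performs that two-step lookup over a constructed <code>route -n</code> table modelled on the one posted and a hypothetical <code>ip xfrm policy</code> dump; RFC 5737 documentation addresses stand in for the xxx/yyy/zzz placeholders (192.0.2.130 = this host's eth0, 198.51.100.2 = the Juniper, 10.0.0.3 = the remote box). It also shows the general case the thread does not spell out: when the 'out' policy's source selector is a subnet that does not include the gateway's own address, traffic the gateway itself originates (a ping from box 1) leaves in the clear.</div>

```python
"""NETKEY lookup model: route first, then XFRM 'out' policy.

All sample data below is constructed for illustration; it is not output
from the poster's machine and does not come from the Openswan project.
"""
import ipaddress
import re

# Constructed `route -n` output modelled on the table posted in the thread.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.0.2.132     0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.0.2.128     0.0.0.0         255.255.255.240 U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.0.2.129     0.0.0.0         UG    0      0        0 eth0
"""

# Hypothetical `ip xfrm policy` dump for one tunnel conn with
# left=192.0.2.130 (the host itself) and rightsubnet=10.0.0.0/24.
XFRM_POLICY_OK = """\
src 192.0.2.130/32 dst 10.0.0.0/24
	dir out priority 2344 ptype main
	tmpl src 192.0.2.130 dst 198.51.100.2
		proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.0.2.130/32
	dir fwd priority 2344 ptype main
	tmpl src 198.51.100.2 dst 192.0.2.130
		proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.0.2.130/32
	dir in priority 2344 ptype main
	tmpl src 198.51.100.2 dst 192.0.2.130
		proto esp reqid 16385 mode tunnel
"""

# Same tunnel but with leftsubnet=10.1.0.0/24: packets the gateway sends
# from its own 192.0.2.130 no longer fit the 'out' selector.
XFRM_POLICY_SUBNET_ONLY = XFRM_POLICY_OK.replace("192.0.2.130/32", "10.1.0.0/24")


def parse_route_n(text):
    """Return [(network, gateway or None, iface)] from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # banner and header lines
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else ipaddress.ip_address(gw), iface))
    return routes


def lookup_route(routes, dst):
    """Longest-prefix match, as the kernel does before any IPsec processing."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


# One policy block: selector line, dir line, then an optional tmpl pair.
POLICY_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)\s*\n"
    r"\s*dir (?P<dir>\w+)[^\n]*\n"
    r"(?:\s*tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+)\s*\n"
    r"\s*proto (?P<proto>\w+)[^\n]*mode (?P<mode>\w+)[^\n]*\n?)?",
    re.MULTILINE,
)


def parse_xfrm_policy(text):
    """Return a list of {src, dst, dir, peer, mode} dicts from `ip xfrm policy` output."""
    return [
        {
            "src": ipaddress.ip_network(m["src"]),
            "dst": ipaddress.ip_network(m["dst"]),
            "dir": m["dir"],
            "peer": m["tdst"],
            "mode": m["mode"],
        }
        for m in POLICY_RE.finditer(text)
    ]


def diagnose(route_text, policy_text, src, dst):
    """Explain what happens to a locally generated packet src->dst on a NETKEY host."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup_route(parse_route_n(route_text), dst_ip)
    out_pols = [p for p in parse_xfrm_policy(policy_text)
                if p["dir"] == "out" and src_ip in p["src"] and dst_ip in p["dst"]]
    result = {
        "route": None if route is None else (str(route[0]), route[2]),
        "encrypted": bool(out_pols),
        "peer": out_pols[0]["peer"] if out_pols else None,
    }
    if route is None:
        result["verdict"] = "no route: the kernel rejects the packet before IPsec is consulted"
    elif out_pols:
        result["verdict"] = f"routed via {route[2]}, then ESP-encapsulated to {result['peer']}"
    else:
        result["verdict"] = (f"routed via {route[2]} in the clear: no 'out' policy selects "
                             f"src {src_ip} -> dst {dst_ip}")
    return result


if __name__ == "__main__":
    for label, pol in (("left=host", XFRM_POLICY_OK), ("leftsubnet only", XFRM_POLICY_SUBNET_ONLY)):
        print(f"{label}: {diagnose(ROUTE_N, pol, '192.0.2.130', '10.0.0.3')['verdict']}")
```

<div>On a real NETKEY box the equivalent evidence is <code>ip xfrm policy</code> (does an <code>out</code> policy select the exact source address the ping leaves with?) and <code>ip -s xfrm state</code> (do the byte counters on the outbound SA grow while pinging?), rather than <code>route -n</code>, which will legitimately show nothing for the remote subnet.</div>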
<br></div></body></html>