[Openswan dev] [Openswan Users] Ipsec configuration Lucent VPN Gateway with OpenSwan or others (Lucent IPSec Client 9.2.0 in Windows XP)

Michael H. Warfield mhw at WittsEnd.com
Thu Feb 25 14:08:30 EST 2010


On Thu, 2010-02-25 at 11:51 -0500, Michael H. Warfield wrote: 
> Paul, et al.

> Ok...  Adding the dev at openswan.org list to this one at this point.

And of course NOW I see there was a patch posted to this list for that
exact problem back in January...  Got it.

> I've finally isolated the problem down with OpenSwan 2.6.23 and 2.6.24
> failing to talk with the Cisco ASA 3000.  Symptoms are the connection
> comes up but we can't ping across the tunnel and there are no tunnel
> related addresses or routes in the tables.  Debugging "_updown.netkey"
> revealed that it was failing to add the addresses and routes with "ip
> addr replace" and "ip route replace" both returning "RTNETLINK:
> Operation not permitted".  Disabling selinux didn't help so I went
> hunting down anything to do with capabilities and found that there had
> been some changes in 2.6.23 to do with LIBCAP_NG.  Found that Fedora has
> "%define USE_LIBCAP_NG 1" in the spec file for building the rpms.
> Changed that to "%define USE_LIBCAP_NG 0" and rebuilt and it now works.
> So something appears to be broken in dropping capabilities in pluto at
> this time.  Code looked right to me but it's definitely no workie and
> making that change to not do that fixed the problem I was seeing where
> 2.6.22 worked on Ubuntu and 2.6.23/4 failed on Fedora.

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
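
The following is an added diagnostic example, not part of the original message and not Openswan code. It decodes the capability masks from /proc/<pid>/status and reports whether each set contains CAP_NET_ADMIN, the Linux capability required to change addresses and routes over rtnetlink. The function names are hypothetical and the sample status text is constructed, not captured from pluto.

```shell
#!/bin/sh
# Added diagnostic example, not Openswan code.
# Changing addresses or routes over rtnetlink requires CAP_NET_ADMIN,
# which is capability number 12 in <linux/capability.h>.
CAP_NET_ADMIN=12

# has_cap HEXMASK CAPNUM: succeed if bit CAPNUM is set in the hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_report: read /proc/<pid>/status text on stdin and print, for each
# capability set, whether it contains CAP_NET_ADMIN.
cap_report() {
    while read -r key mask rest; do
        case "$key" in
            CapInh:|CapPrm:|CapEff:|CapBnd:)
                if has_cap "$mask" "$CAP_NET_ADMIN"; then
                    echo "${key%:} $mask CAP_NET_ADMIN=yes"
                else
                    echo "${key%:} $mask CAP_NET_ADMIN=no"
                fi ;;
        esac
    done
}

# can_change_routes: succeed only if the effective set read from stdin
# contains CAP_NET_ADMIN.
can_change_routes() {
    cap_report | grep -q '^CapEff .*=yes$'
}

# Constructed sample: a uid 0 process whose sets were reduced to
# CAP_NET_BIND_SERVICE (bit 10) only. Not captured from pluto.
sample_dropped() {
    cat <<'EOF'
Name:	example
Uid:	0	0	0	0
CapInh:	0000000000000000
CapPrm:	0000000000000400
CapEff:	0000000000000400
CapBnd:	0000000000000400
EOF
}

sample_dropped | cap_report
```

On a live system, feed it real data with `cap_report < /proc/self/status`, for example from inside the updown script, to see which sets the helper actually runs with.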