[Openswan Users] help request - traffic not going through IPsectunnel

David Forbis DL at forbis.org
Wed Apr 14 09:20:21 CEST 2004 

Thanks for the tips, Paul.  Unfortuantely, I've still seen
the same problems.  New ipsec barfs (with and without shorewall
enabled are posted:

http://www.forbis.org/ipsecbarf2.txt
http://www.forbis.org/ipsecbarf_swclear.txt

I went through your suggestions one by one:

>
>From the barf I saw:
>
> all/rp_filter:0
> default/rp_filter:1
> eth0/rp_filter:1
> eth1/rp_filter:1
>
> I'd recommend disabling all of rp_filter in /etc/sysctl.conf

Did that, all of the above now come up as "0"

> I'm not convinced that your NAT is not causing problems. It looks a bit
> complex, and I do
> not see the nat exclusion for packets. You seem to match them for source
> first, and then
> hand them down a chain and skip masq only for destination.

Hmm.  I'll revisit my shorewall configurations.  Wouldn't the fact that I
have the same symptoms while running "shorewall clear" indicate that while
my NAT may be another problem, it isn't the primary one?

> # CONFIG_IP_ADVANCED_ROUTER is not set
>
> I am not sure if this is still optional or mandatory. It won't hurt, and I
> recommend enabling
> the advanced router features.

I had this enabled a week ago, then tried disabling it a few days ago -
did not see a difference either way.  I've re-enabled it in my current
kernel build.

> CONFIG_INET_IPCOMP=y
>
> There are some interop issues between native 2.6 pfkey (and KAME) and
> Openswan/Freeswan KLIPS code.
> Depending on the other end of the connection (eg if it is klips) then you
> might have problems too.
> Freeswan/Openswan does not yet allow for disabling compression (only the
> disabling of advertising it).
> So either you need to ensure that compression isn't asked for at the other
> end (which it cannot if it is
> KLIPS), or you are better of leaving this out of your kernel for now.

OK, I've turned this option off.

> I am not sure if you have af_key or xfrm_user. We need to adjust the barf
> to catch those as well, but
> I assume you do, since you do get conns going and no pf_write failures.

I have XFRM_USER enabled, but did not find an "af_key" - I assume you mean
PF_KEY, which I've got turned on.

> Note that dforbis-common is not loaded as a seperate conn, which I think
> you intended to do. You
> probably got a warning about a double auto= line in dforbis-vpn1
>
> Do something like:
>
> conn dforbis-host
> 	also=dforbis-base
> 	auto=start
> conn dforbis-vpn1
> 	also=dforbis-base
> 	rightsubnet=10.90.101.0/24
> 	auto=start
> conn dforbis-base
> 	...
>
> This way, both will start.
>
> Perhaps that is the mixture of packets you are seeing, the difference
> between the host and the
> subnet conn?

In an effort to simplify things, I've gotton rid of my "dforbis-common"
connection...  I'm really only trying to define one connection (to my
understanding), so I don't think there's a need to have that.

Referring to my barfs, does the error message "could not start conn
"dforbis-vpn1"" mean anything, despite the fact that the tunnel appear to
be established?

Are there any kernel debugging options I can enable to help track this down?

Thanks very much for your time,
Dave

More information about the Users mailing list