RE: [Openswan Users] IPSec SA Established, Problem with pinging and other traffic
Giovani Moda - MR Informática
giovani at mrinformatica.com.br
Fri Dec 10 18:29:46 CET 2004
Martin,
It's been a long time since I (luckily) made a Windows XP SP1 box work as a roadwarrior with openswan. As Jacco mentioned, Nate Carlson's page (http://www.natecarlson.com/linux/ipsec-x509.php) helped me A LOT.
As far as I can recall, after a few weeks of almost insanity trying to make the damn thing work, I found out that the Windows XP box wouldn't tunnel up because it was waiting for a specific packet from the Openswan box that, by default, was not being sent. I'm not sure if this is your case, but my workaround was to add the line "leftsendcert=always" in the Openswan ipsec.conf, in the roadwarrior section.
After that, the tunnel went up, and everything worked.
Anyway, I kinda dropped these tests, and the last time I tried to set up a roadwarrior with WXP and Openswan, I couldn't make it work again. Guess I ran out of luck.
Hope it helps.
Giovani
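As an added illustration (not from either message, and not Openswan's own sample config), this is where the "leftsendcert=always" line sits in an Openswan 2.x ipsec.conf road-warrior conn for an X.509 Windows XP client; the certificate file name, the DN and the LAN prefix are placeholders, and the nat_traversal/virtual_private settings are assumed because both gateway and client in this thread sit behind NAT.

```conf
# Added example, not taken from the mailing-list messages. Names, DN and
# subnets are placeholders; adjust them to the real gateway.
config setup
        interfaces=%defaultroute
        # Gateway and/or client behind NAT: negotiate NAT-T on udp/4500.
        nat_traversal=yes
        # Private ranges a NATed road warrior may claim as its inner address.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn roadwarrior
        # Gateway (left) side
        left=%defaultroute
        leftsubnet=192.168.1.0/24
        leftcert=gatewayCert.pem
        leftid="C=XX, O=Example, CN=gateway.example.test"
        # The workaround from the message above: by default Openswan only
        # sends its certificate when asked, while the Windows XP IKE client
        # waits for it, so phase 1 never completes.
        leftsendcert=always
        # 0/0 (the default) tunnels every IP protocol; narrowing this to a
        # single protocol is what limited the other poster's tunnel to ICMP.
        leftprotoport=0/0
        rightprotoport=0/0
        # Client (right) side: any address, possibly behind NAT.
        right=%any
        rightsubnet=vhost:%no,%priv
        # Accept any client certificate issued by the gateway's own CA.
        rightca=%same
        authby=rsasig
        auto=add
```

After editing, "ipsec auto --replace roadwarrior" reloads the conn, and "ipsec auto --status" shows whether the ISAKMP SA reaches phase 2 once the Windows client connects.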
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Martin Goldstone
Sent: Friday, 10 December 2004 12:22
To: users at openswan.org
Subject: [Openswan Users] IPSec SA Established, Problem with pinging and other traffic
Hi All,
I'm currently in the middle of setting up an IPSec connection which will have a road warrior (running Windows XP) connecting to a Suse 9.1 box (kernel 2.6.5, openswan 2.2.0) which is NATed.
Network wise it looks like this:
Road warrior --- Internet --- NAT Device (broadband router) --- Suse Box
I've had to put the Suse box in the DMZ of the broadband router, otherwise I cannot even establish an IPSec SA (in fact, the output of tcpdump shows no traffic arriving at the Suse box on udp/500 or udp/4500 even though those have been set up in the broadband router to be forwarded to the Suse box; I'm guessing this is because the Windows XP box is not updated (it can't be, because it's not had SP1 or SP2 applied), or the broadband router is playing up).
I've set up the IPSec connection using the snap-in in MMC (I'd like to do the L2TP connection eventually, but just using the add network connection wizard did not work). When I ping from the Windows box, it shows "Negotiating IP Security", followed by request timed out. It doesn't matter how long I try, I keep getting request timed out. That is, until I ping the Windows box from the Suse box. At this point, pings in both directions work properly.
To start with, I'd like to avoid this need to manually ping the Windows box. This is mainly because its IP address is assigned by DHCP (although in practice it seems to be static).
There are a few points on top of this. Currently, I'm using SSH to view logs/change config options etc. on the Suse box from the Windows box (port 22 is forwarded on the broadband router for this purpose). However, once I establish the tunnel, I can no longer access the Suse box through anything other than pinging it (I've tried through both the public address of the broadband router, which is what I currently use, and through the private address of the Suse box, which is used for the pinging, and which in my understanding would send the traffic through the tunnel). After I un-assign the IPSec policy in the MMC snap-in, I can connect through the public address like I did before. This also applies to HTTP requests to Apache2. I got round the problem with SSH by using the leftprotoport and rightprotoport options in ipsec.conf and their counterparts in Windows to restrict the IPSec tunnel to ICMP, but this is obviously useless, as then the only secure packets sent will be ping packets and the like. As soon as I go back to using 0/0 as the protocol/port settings, I get locked out again. Even if I start pinging the Windows box from the Suse box before I initiate the ping on the Windows box to bring up the tunnel, I still get no joy. I receive replies on the Windows box, and from the Windows side everything seems up, but SSH, HTTP requests and, I assume, everything else still do not function.
I hope someone out there will have suggestions on solving this, as I'm beginning to tear my hair out.
Thanks in advance,
Mart
_______________________________________________
Users mailing list
Users at openswan.org http://lists.openswan.org/mailman/listinfo/users