[Openswan Users]
Paul Wouters
paul at xelerance.com
Sun Dec 19 22:35:25 CET 2004
On Sun, 19 Dec 2004, Martin Temmink wrote:
[ please, next time post a URL to your barf. It doesn't make much sense to send
a 500kb email to every list subscriber ]
> The tunnel established correct, but I cannot ping anything on the othersite.
> My packets shows up in TCPDUMP as clear text and are not going through the
> tunnel.
> Linux Openswan U2.3.0dr4/K2.6.8-24.5-default (native)
You are using NETKEY from the 2.6 kernel. You just think it leaves in plaintext,
because you are observing from an IPsec endpoint machine. Sniff the traffic
from a machine between the two endpoints, and you will see that traffic is
encrypted.
> conn net-to-net
> left=xx.xx.x.217
> leftsubnet=192.168.0.0/24
> leftnexthop=xx.xx.x.1
> leftsourceip=xx.xx.x.217
> leftid=@xxxx
> leftrsasigkey=dasfsdfsadfasdfasf
> right=yy.yy.yy.227
> rightsubnet=192.168.1.0/24
> rightnexthop=yy.yy.yy.1
> rightid=@linux
> rightrsasigkey=dasfdasfsdfaf
> auto=start
> rp_filter= 1
This might bite you. You should disable rp_filter, since its simplistic
in-built anti-spoofing rules have no idea about IPsec.
> pfs=no
For openswan-openswan, you should always use pfs=yes (the default).
> + egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter lo/rp_filter
> all/rp_filter:1
> default/rp_filter:1
> eth0/rp_filter:1
> eth1/rp_filter:1
> lo/rp_filter:1
Definitely, change that rp_filter value.
Are you sure you are not pinging from the gateway without -I 192.168.x.1 ?
Are you sure your firewall rules are not blocking traffic?
Are you sure nothing is NATing packets?
Paul
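An added example, not from this thread and not Openswan's own tooling: a POSIX sh script that audits every rp_filter knob under /proc/sys/net/ipv4/conf (including the all/ and default/ entries, since the kernel applies the higher of all/ and the per-interface value), sets them all to 0 as the reply recommends, and prints sysctl.conf lines to make the change persistent. The tree root is a function parameter only so the logic can be exercised against a constructed directory; the --report/--apply flags, the function names and the addresses in the follow-up check comments are this example's own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the Openswan thread above: audit and disable
# rp_filter on a NETKEY gateway. The sysctl tree root is a parameter so the
# functions can be run against a constructed directory; the default is the
# live tree under /proc/sys/net/ipv4/conf (writing there needs root).

# Print "<iface>:<value>" for every rp_filter knob under the given root,
# including the special "all" and "default" entries.
rpfilter_report() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue          # unmatched glob leaves the literal pattern
        iface=$(basename "$(dirname "$f")")
        printf '%s:%s\n' "$iface" "$(cat "$f")"
    done
}

# Count entries whose rp_filter is not 0; zero means no interface will drop
# decrypted IPsec packets for arriving on what rp_filter considers the
# "wrong" interface.
rpfilter_enabled_count() {
    rpfilter_report "$1" | grep -c -v ':0$' || true
}

# Set rp_filter to 0 on every entry under the root, "all" and "default" too,
# because the kernel uses the higher of all/ and the per-interface value.
rpfilter_disable() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$root"/*/rp_filter; do
        [ -f "$f" ] || continue
        echo 0 > "$f"
    done
}

# Emit sysctl.conf lines (one per entry found) so the change survives a reboot.
rpfilter_sysctl_lines() {
    rpfilter_report "$1" | while IFS=: read -r iface _; do
        printf 'net.ipv4.conf.%s.rp_filter = 0\n' "$iface"
    done
}

# Command-line entry points (hypothetical flags for this example).
case "${1:-}" in
    --report)
        rpfilter_report
        ;;
    --apply)
        rpfilter_disable
        rpfilter_sysctl_lines >> /etc/sysctl.conf
        rpfilter_report
        # Follow-up checks from the reply (addresses are this example's own):
        #   ping -I 192.168.0.1 192.168.1.1   # source from the leftsubnet side, not the outer IP
        #   tcpdump -ni eth0 esp              # outer interface: expect ESP, captured off-box
        ;;
esac
```

Run it as `sh rpfilter.sh --report` first to see the same five values the quoted egrep showed, then `sh rpfilter.sh --apply` as root; the two commented commands are the checks from the reply, pinging with a source address inside the protected subnet and looking for ESP rather than clear ICMP.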