Sven Schuster schuster.sven at gmx.de
Mon May 31 19:42:29 CEST 2004

Hi everybody,

I'm currently testing setting up VPNs between different machines.
I've got two machines, one RH9 (with kernel 2.6.6 and
openswan 2.1.2 freshly compiled and installed), the other FC2
(kernel 2.6.6-1.391, with ipsec-tools 0.2.5-2, the FC2
rpm package). Please note that the 192.168 IP addresses are not the
primary IPs on the systems; I have added them via ip addr add to
eth1. Basically, it seems to work, as both pluto and racoon tell me
that the IPsec SA is established:

(sorry for long lines, cut'n'pasted from logs)
May 31 18:03:35 zion pluto[13508]: "sample" #1: ISAKMP SA established
May 31 18:03:35 zion pluto[13508]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+PFS {using isakmp#1}
May 31 18:03:35 zion pluto[13508]: "sample" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 31 18:03:35 zion pluto[13508]: "sample" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 31 18:03:35 zion pluto[13508]: "sample" #2: sent QI2, IPsec SA established {ESP=>0x097e9858 <0x7aaa1e62}

2004-05-31 18:03:36: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Transport> spi=159291480(0x97e9858)
2004-05-31 18:03:36: INFO: pfkey.c:1348:pk_recvadd(): IPsec-SA established: ESP/Transport> spi=2057969250(0x7aaa1e62)

But when I ping from one machine to the other, I don't get an echo reply.
The strange thing is, when I ping from RH9 to FC2, I see one ESP packet
arriving at the FC2 machine with tcpdump and one (probably the echo
reply) going back to the RH9 machine:

18:07:36.186890 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 50, length: 120) > ESP(spi=0x097e9858,seq=0x2)
18:07:36.189427 IP (tos 0x0, ttl  64, id 52838, offset 0, flags [none], proto 50, length: 120) > ESP(spi=0x7aaa1e62,seq=0x2)

When I ping from the FC2 to RH9, I just see one ESP packet arriving
at the RH9 machine, but none leaving to FC2.

Does anyone have a clue what the problem might be?

Here's my ipsec.conf:
config setup
        # klipsdebug=all
        # plutodebug=dns

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn sample

I also tested OpenSWAN 2.1.2 on the FC2 side, but this did not change
anything. Now I switched to kernel 2.6.7-rc2 on the RH9 machine,
still no change in behaviour.

Thanks for any hints! If more config info is needed (setkey, racoon),
I'll post it here.


Linux zion 2.6.7-rc2 #1 Mon May 31 00:42:33 CEST 2004 i686 athlon i386 GNU/Linux
 18:41:04  up 8 min,  2 users,  load average: 0.08, 0.39, 0.27
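As an added example (not part of Sven's post, nor code from the openswan or ipsec-tools projects), here is a small Python script that takes the pluto, racoon and tcpdump lines quoted above, checks that both daemons report the same pair of SPIs, and then classifies, per capture, which direction of the SA actually carries ESP on the wire. The FC2 capture uses the two tcpdump lines from the post; the RH9 capture line is constructed from the description in the post ("one ESP packet arriving, none leaving"), not copied from it. The hint strings name real tools (setkey, ip xfrm) but are general troubleshooting pointers, not a diagnosis of this particular setup.

```python
"""Correlate negotiated IPsec SPIs with the ESP packets tcpdump saw."""
import re
from collections import Counter

# Lines copied from the post above (IP addresses were already cut from the
# tcpdump output there, so only the ESP(...) part is needed).
PLUTO_LOG = [
    'May 31 18:03:35 zion pluto[13508]: "sample" #1: ISAKMP SA established',
    'May 31 18:03:35 zion pluto[13508]: "sample" #2: sent QI2, IPsec SA established {ESP=>0x097e9858 <0x7aaa1e62}',
]
RACOON_LOG = [
    "2004-05-31 18:03:36: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Transport> spi=159291480(0x97e9858)",
    "2004-05-31 18:03:36: INFO: pfkey.c:1348:pk_recvadd(): IPsec-SA established: ESP/Transport> spi=2057969250(0x7aaa1e62)",
]
FC2_CAPTURE = [  # tcpdump on the FC2 box while pinging RH9 -> FC2 (from the post)
    "18:07:36.186890 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 50, length: 120) > ESP(spi=0x097e9858,seq=0x2)",
    "18:07:36.189427 IP (tos 0x0, ttl  64, id 52838, offset 0, flags [none], proto 50, length: 120) > ESP(spi=0x7aaa1e62,seq=0x2)",
]
RH9_CAPTURE = [  # CONSTRUCTED from the post's description of pinging FC2 -> RH9
    "18:09:01.000000 IP (tos 0x0, ttl  64, id 52839, offset 0, flags [none], proto 50, length: 120) > ESP(spi=0x7aaa1e62,seq=0x3)",
]

# pluto prints "{ESP=>0x<out> <0x<in>}": "=>" is the SPI this host puts on
# packets it sends, "<" the SPI it expects on packets it receives.
PLUTO_SA_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)\}")
RACOON_SA_RE = re.compile(r"IPsec-SA established: ESP/.*?spi=(\d+)\(0x[0-9a-fA-F]+\)")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-fA-F]+),seq=0x([0-9a-fA-F]+)\)")


def parse_pluto_spis(log_lines):
    """Return {'outbound': spi, 'inbound': spi} from pluto's Quick Mode line."""
    for line in log_lines:
        m = PLUTO_SA_RE.search(line)
        if m:
            return {"outbound": int(m.group(1), 16), "inbound": int(m.group(2), 16)}
    raise ValueError("no 'IPsec SA established' line in pluto log")


def parse_racoon_spis(log_lines):
    """Return the set of SPIs racoon reports (decimal in its log)."""
    return {int(m.group(1)) for line in log_lines for m in [RACOON_SA_RE.search(line)] if m}


def daemons_agree(pluto_spis, racoon_spis):
    """True when both ends installed the same two SPIs (one per direction)."""
    return set(pluto_spis.values()) == racoon_spis


def count_esp(capture_lines):
    """Count ESP packets per SPI in tcpdump -v output."""
    counts = Counter()
    for line in capture_lines:
        m = ESP_RE.search(line)
        if m:
            counts[int(m.group(1), 16)] += 1
    return counts


def diagnose(spis, counts):
    """Classify a capture relative to the negotiated SA (pluto host's view)."""
    if set(counts) - {spis["outbound"], spis["inbound"]}:
        return "unknown-spi"
    from_pluto_host = counts.get(spis["outbound"], 0)
    from_peer = counts.get(spis["inbound"], 0)
    if from_pluto_host and from_peer:
        return "both-directions"
    if from_peer:
        return "only-from-peer"
    if from_pluto_host:
        return "only-from-pluto-host"
    return "no-esp"


HINTS = {
    "unknown-spi": "ESP with an SPI neither daemon reported: a stale SA is still in use (compare setkey -D / ip xfrm state).",
    "both-directions": "ESP flows both ways on this wire, so IKE and the network are fine; look at the receiving host's inbound SA and policy (setkey -DP / ip xfrm policy).",
    "only-from-peer": "The peer's ESP arrives but this host sends none back: the decrypted packet is dropped, or the reply does not match an outbound policy.",
    "only-from-pluto-host": "This host sends ESP but nothing comes back: check the peer's inbound SA and policy.",
    "no-esp": "No ESP at all: the traffic is not being matched by any policy on the sending host.",
}


if __name__ == "__main__":
    spis = parse_pluto_spis(PLUTO_LOG)
    print("pluto SPIs:", {k: hex(v) for k, v in spis.items()},
          "racoon agrees:", daemons_agree(spis, parse_racoon_spis(RACOON_LOG)))
    for name, capture in (("FC2 capture", FC2_CAPTURE), ("RH9 capture", RH9_CAPTURE)):
        verdict = diagnose(spis, count_esp(capture))
        print(f"{name}: {verdict} - {HINTS[verdict]}")
```

Run it as-is to see both captures classified; to apply it to your own setup, paste the pluto line and the relevant tcpdump -v lines into the lists at the top.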
