[Openswan Users] IPSEC problems between 2.6 kernels...

Sven Schuster schuster.sven at gmx.de
Mon May 31 19:42:29 CEST 2004


Hi everybody,

I'm currently testing setting up vpns between different machines.
I've got two machines, one RH9 (192.168.0.2) with kernel 2.6.6 and
openswan 2.1.2 freshly compiled and installed, the other FC2
(kernel 2.6.6-1.391, 192.168.0.1) with ipsec-tools 0.2.5-2 (the FC2
rpm package). Please note that the 192.168 IP addresses are not the
primary IPs on the systems, I have added them via ip addr add to
eth1. Basically, it seems to work, as both pluto and racoon tell me
that the IPSEC-SA is established:

(sorry for long lines, cut'n'pasted from logs)
RH9/pluto:
May 31 18:03:35 zion pluto[13508]: "sample" #1: ISAKMP SA established
May 31 18:03:35 zion pluto[13508]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+PFS {using isakmp#1}
May 31 18:03:35 zion pluto[13508]: "sample" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 31 18:03:35 zion pluto[13508]: "sample" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 31 18:03:35 zion pluto[13508]: "sample" #2: sent QI2, IPsec SA established {ESP=>0x097e9858 <0x7aaa1e62}

FC2/racoon:
2004-05-31 18:03:36: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.168.0.2->192.168.0.1 spi=159291480(0x97e9858)
2004-05-31 18:03:36: INFO: pfkey.c:1348:pk_recvadd(): IPsec-SA established: ESP/Transport 192.168.0.1->192.168.0.2 spi=2057969250(0x7aaa1e62)

But when I ping from one machine to the other, I don't get an echo reply.
The strange thing is, when I ping from RH9 to FC2, I see one ESP packet
arriving at the FC2 machine with tcpdump and one (probably the echo
reply) going back to the RH9 machine:

18:07:36.186890 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 50, length: 120) 192.168.0.2 > 192.168.0.1: ESP(spi=0x097e9858,seq=0x2)
18:07:36.189427 IP (tos 0x0, ttl  64, id 52838, offset 0, flags [none], proto 50, length: 120) 192.168.0.1 > 192.168.0.2: ESP(spi=0x7aaa1e62,seq=0x2)

When I ping from the FC2 to RH9, I just see one ESP packet arriving
at the RH9 machine, but none leaving to FC2.

Does anyone have a clue what the problem might be??

Here's my ipsec.conf:
config setup
        # klipsdebug=all
        # plutodebug=dns

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn sample
        type=transport
        authby=secret
        compress=no
        left=192.168.0.1
        right=192.168.0.2
        auto=route

I also tested OpenSWAN 2.1.2 on the FC2 side, but this did not change
anything. Now I switched to kernel 2.6.7-rc2 on the RH9 machine,
still no change in behaviour.

Thanks for any hints!! If more config info is needed (setkey, racoon),
I'll post it here.


Sven

-- 
Linux zion 2.6.7-rc2 #1 Mon May 31 00:42:33 CEST 2004 i686 athlon i386 GNU/Linux
 18:41:04  up 8 min,  2 users,  load average: 0.08, 0.39, 0.27
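An added cross-check (not part of the post, not openswan or ipsec-tools code) for the kind of symptom described above: it parses the pluto and racoon "SA established" lines and the tcpdump ESP lines quoted in the mail, confirms that both daemons agree on the SPI for each direction, and reports any direction for which no ESP packet appears on the wire. The sample logs and capture are copied from the post; the left/right roles and the regexes are assumptions based on the log formats shown there.

```python
import re

# Sample input constructed from the log excerpts quoted in the post above.
PLUTO_LOG = """\
May 31 18:03:35 zion pluto[13508]: "sample" #2: sent QI2, IPsec SA established {ESP=>0x097e9858 <0x7aaa1e62}
"""
RACOON_LOG = """\
2004-05-31 18:03:36: INFO: pfkey.c:1127:pk_recvupdate(): IPsec-SA established: ESP/Transport 192.168.0.2->192.168.0.1 spi=159291480(0x97e9858)
2004-05-31 18:03:36: INFO: pfkey.c:1348:pk_recvadd(): IPsec-SA established: ESP/Transport 192.168.0.1->192.168.0.2 spi=2057969250(0x7aaa1e62)
"""
TCPDUMP = """\
18:07:36.186890 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 50, length: 120) 192.168.0.2 > 192.168.0.1: ESP(spi=0x097e9858,seq=0x2)
18:07:36.189427 IP (tos 0x0, ttl  64, id 52838, offset 0, flags [none], proto 50, length: 120) 192.168.0.1 > 192.168.0.2: ESP(spi=0x7aaa1e62,seq=0x2)
"""

def pluto_spis(log):
    """(outbound, inbound) SPIs from pluto's line; assumed format {ESP=>out <in}."""
    m = re.search(r"\{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)\}", log)
    return int(m.group(1), 16), int(m.group(2), 16)

def racoon_sas(log):
    """Map (src, dst) -> SPI from racoon's pfkey 'IPsec-SA established' lines."""
    sas = {}
    for m in re.finditer(r"ESP/\w+ (\S+)->(\S+) spi=(\d+)\(0x[0-9a-f]+\)", log):
        sas[(m.group(1), m.group(2))] = int(m.group(3))
    return sas

def esp_packets(capture):
    """Map (src, dst) -> SPIs seen on the wire for proto 50 (ESP) packets."""
    seen = {}
    pat = r"proto 50, .*?\) (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+)"
    for m in re.finditer(pat, capture):
        seen.setdefault((m.group(1), m.group(2)), []).append(int(m.group(3), 16))
    return seen

def check(pluto_log, racoon_log, capture, left="192.168.0.1", right="192.168.0.2"):
    """Return a list of findings; empty means daemons and capture agree."""
    out_spi, in_spi = pluto_spis(pluto_log)
    sas = racoon_sas(racoon_log)
    pkts = esp_packets(capture)
    findings = []
    # Assumption: pluto runs on 'right' (RH9), so its outbound SA is right->left.
    if sas.get((right, left)) != out_spi:
        findings.append("SPI mismatch right->left")
    if sas.get((left, right)) != in_spi:
        findings.append("SPI mismatch left->right")
    for (src, dst), spi in sas.items():
        if spi not in pkts.get((src, dst), []):
            findings.append(f"no ESP seen on wire for {src}->{dst}")
    return findings
```

With the quoted capture the check returns no findings, which narrows the fault to the receiving kernel's handling of the arriving ESP rather than to an SA or SPI mismatch between the two daemons.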