[Openswan Users] Trying to run IPsec over a single service (port 3000) between two hosts

Shaheen Ali sali at camiant.com
Wed Nov 17 14:03:30 CET 2004


I have slogged through the documents and studied the open bug reports,
and I still cannot get IPsec to protect just one service on a single TCP
port (TCP/3000) while leaving all other traffic between the hosts alone.

 

My config is thus:

 

ipsec --version

Linux Openswan U1.0.3/K1.0.7

 

My OS is RH9.0: uname -a

Linux rh1-1 2.4.27 #4 SMP Nov 16 12:58:25 EST 2004 i686 i686 i386
GNU/Linux

 

This is machine 192.168.1.1.  The other machine configured similarly is
192.168.1.2.

 

If I send a SYN from 192.168.1.1/any -> 192.168.1.2/tcp:3000 it connects
just fine.  If I instead send a ping or an ssh request from 192.168.1.1 to
192.168.1.2, the packets never leave 192.168.1.1: a tcpdump running on
192.168.1.2 sees nothing at all.  I had expected traffic that does not
match the port-3000 selector to still pass in the clear.

 

Any help would be greatly appreciated,

 

Shaheen Ali

 

This is /etc/ipsec.conf:

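# /etc/ipsec.conf - Openswan IPsec configuration file
#
# More elaborate and more varied sample configurations can be found
# in Openswan's doc/examples file, in the HTML documentation, and online
# at http://www.openswan.org/docs/
#
# Format note: "config" and "conn" section headers start in column 0 and
# every parameter line must be indented.  An unindented line that is not
# a section header or a "#" comment is a syntax error, so a comment must
# never be allowed to wrap onto a fresh line that lacks the "#" prefix
# (the e-mail copy of this file had several such wrapped lines).

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        klipsdebug=none
        #plutodebug=all
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Don't wait for pluto to complete every plutostart before continuing.
        plutowait=no
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        # Enable NAT-Traversal
        #nat_traversal=yes
        # RFC1918 networks
        #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Defaults for all connection descriptions
conn %default
        # 0 = retry forever; both conns below override this with 5.
        keyingtries=0
        disablearrivalcheck=no
        dpdaction=hold
        dpddelay=30
        dpdtimeout=120
        # RSA-signature settings.  Both conns below override authby=secret
        # (pre-shared key), so these %dnsondemand lookups are not what
        # authenticates the peer; they are kept only as the %default.
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand
        authby=rsasig
        #type=passthrough
        auto=add

# Transport-mode SA for TCP whose port on 192.168.1.1 (left) is 3000 and
# any port on 192.168.1.2 (right), i.e. the service listening on .1:3000.
# The mirror conn "rh1-1-3919" below covers the service on .2:3000.
# Traffic between the two hosts that matches neither selector (ping, ssh,
# ...) is outside both conns and is expected to pass in the clear.  If such
# traffic never leaves the box, check "ipsec eroute" and "ipsec auto
# --status" for a broader %trap/%hold entry covering the peer address --
# that, rather than these selectors, would be what is holding the packets.
conn fed3-2-3919
        auto=start
        #auth=ah
        leftprotoport=6/3000
        left=192.168.1.1
        rightprotoport=6
        right=192.168.1.2
        keyexchange=ike
        # Giving both esp= and ah= asks for an AH+ESP bundle; the peer's
        # conn has to offer the same combination for Phase 2 to agree.
        # NOTE(review): 3DES, HMAC-MD5 and HMAC-SHA1-96 are legacy
        # algorithms by today's standards; move both ends to AES / SHA-2
        # together once the basic selector problem is solved.
        esp=3des-sha1-96
        type=transport
        disablearrivalcheck=no
        ah=hmac-md5
        # Pre-shared key; the matching entry must exist in /etc/ipsec.secrets
        # on both hosts.  Overrides authby=rsasig from %default.
        authby=secret
        pfs=yes
        # Overrides keyingtries=0 (unlimited) from %default.
        keyingtries=5

# Transport-mode SA for TCP from any port on 192.168.1.1 (left) to port
# 3000 on 192.168.1.2 (right), i.e. the service listening on .2:3000.
# This is the conn that carries the "192.168.1.1/any -> 192.168.1.2:3000"
# test connection described in the message.
conn rh1-1-3919
        #auth=ah
        auto=start
        leftprotoport=6
        left=192.168.1.1
        rightprotoport=6/3000
        right=192.168.1.2
        keyexchange=ike
        # AH+ESP bundle with legacy algorithms -- same caveats as above.
        esp=3des-sha1-96
        type=transport
        disablearrivalcheck=no
        ah=hmac-md5
        # Pre-shared key from /etc/ipsec.secrets; overrides %default rsasig.
        authby=secret
        pfs=yes
        # Overrides keyingtries=0 (unlimited) from %default.
        keyingtries=5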

 


