[Openswan Users] Trying to run IPsec over a single service (port 3000) between two hosts
Ted Kaczmarek
tedkaz at optonline.net
Wed Nov 17 21:01:39 CET 2004
On Wed, 2004-11-17 at 14:03 -0500, Shaheen Ali wrote:
> I have slogged through the documents and studied the open bug reports
> and I cannot get IPsec to work over just one service mapped to one TCP
> protocol port (TCP/3000).
>
> My config is thus:
>
> ipsec --version
>
> Linux Openswan U1.0.3/K1.0.7
>
> My OS is RH9.0: uname -a
>
> Linux rh1-1 2.4.27 #4 SMP Nov 16 12:58:25 EST 2004 i686 i686 i386
> GNU/Linux
>
> This is machine 192.168.1.1. The other machine configured similarly
> is 192.168.1.2.
>
> I send a SYN out from 192.168.1.1/any -> 192.168.1.2/tcp:3000 and it
> connects just fine. If I send a ping or an ssh request from
> 192.168.1.1 it does not leave the box. I confirmed this with a
> tcpdump running on 192.168.1.2.
>
> Any help would be greatly appreciated,
>
> Shaheen Ali
>
> This is /etc/ipsec.conf:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> #
> # More elaborate and more varied sample configurations can be found
> # in Openswan's doc/examples file, in the HTML documentation, and online
> # at http://www.openswan.org/docs/
>
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         interfaces=%defaultroute
>         # Debug-logging controls: "none" for (almost) none, "all" for lots.
>         #klipsdebug=all
>         klipsdebug=none
>         #plutodebug=all
>         plutodebug=none
>         # Use auto= parameters in conn descriptions to control startup actions.
>         plutoload=%search
>         plutostart=%search
>         # Don't wait for pluto to complete every plutostart before continuing
>         plutowait=no
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>         # Enable NAT-Traversal
>         #nat_traversal=yes
>         # RFC1918 networks
>         #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
>
> # Defaults for all connection descriptions
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         dpdaction=hold
>         dpddelay=30
>         dpdtimeout=120
>         leftrsasigkey=%dnsondemand
>         rightrsasigkey=%dnsondemand
>         authby=rsasig
>         #type=passthrough
>         auto=add
>
> conn fed3-2-3919
>         auto=start
>         #auth=ah
>         leftprotoport=6/3000
>         left=192.168.1.1
>         rightprotoport=6
>         right=192.168.1.2
>         keyexchange=ike
>         esp=3des-sha1-96
>         type=transport
>         disablearrivalcheck=no
>         ah=hmac-md5
>         authby=secret
>         pfs=yes
>         keyingtries=5
>
> conn rh1-1-3919
>         #auth=ah
>         auto=start
>         leftprotoport=6
>         left=192.168.1.1
>         rightprotoport=6/3000
>         right=192.168.1.2
>         keyexchange=ike
>         esp=3des-sha1-96
>         type=transport
>         disablearrivalcheck=no
>         ah=hmac-md5
>         authby=secret
>         pfs=yes
>         keyingtries=5
>
Check your firewall rules, your routing etc.
ipsec barf would be most helpful if that does not solve it for you, but
routing/firewall is probably it.
Ted
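The two conns quoted above are the whole per-port policy: leftprotoport=6 means "TCP, any port" and leftprotoport=6/3000 means "TCP, port 3000 only", and Openswan orients each conn by whichever of left/right matches the local address. A quick way to see exactly which packets such a policy covers, before reaching for ipsec barf, is to model the selectors directly. The script below is an added example written for this page, not Openswan code: it parses a cut-down ipsec.conf (constructed from the two conns in the post, with %default inheritance) and classifies outbound packets from one host's point of view. It assumes selectors are matched by exact protocol number and port, with an absent port meaning any port; it does not model KLIPS eroutes, the IKE exchange or the firewall. In this model ICMP and TCP/22 from 192.168.1.1 match neither conn, so nothing in the IPsec policy itself would stop them from leaving in the clear, which is why the firewall and routing are the next things to look at.

```python
"""
Added example (not Openswan's own code): parse a minimal Openswan-style
ipsec.conf, resolve conn %default inheritance, and work out which outbound
packets a per-port transport-mode policy covers from one host's viewpoint.

Selector semantics modelled (assumption, from the leftprotoport syntax):
  leftprotoport=6        -> TCP, any port
  leftprotoport=6/3000   -> TCP, port 3000 only
  parameter absent       -> any protocol, any port
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}

# Constructed input: the policy-relevant lines of the two conns from the post.
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0
        auto=add

conn fed3-2-3919
        auto=start
        leftprotoport=6/3000
        left=192.168.1.1
        rightprotoport=6
        right=192.168.1.2
        type=transport
        keyingtries=5

conn rh1-1-3919
        auto=start
        leftprotoport=6
        left=192.168.1.1
        rightprotoport=6/3000
        right=192.168.1.2
        type=transport
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} with 'conn %default' values merged in.
    'config setup' is kept separately under the key '_setup'."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: section header
            kind, _, name = line.strip().partition(" ")
            key = "_setup" if kind == "config" else name.strip()
            current = sections.setdefault(key, {})
            continue
        if current is None:
            raise ValueError(f"parameter outside a section: {line!r}")
        k, _, v = line.strip().partition("=")
        current[k.strip()] = v.strip()
    default = sections.pop("%default", {})
    return {name: (params if name == "_setup" else {**default, **params})
            for name, params in sections.items()}


@dataclass(frozen=True)
class Selector:
    proto: Optional[int]   # None = any protocol
    port: Optional[int]    # None = any port


def parse_protoport(value: Optional[str]) -> Selector:
    """'6' -> TCP/any, '6/3000' -> TCP/3000, None -> any/any."""
    if value is None:
        return Selector(None, None)
    proto, _, port = value.partition("/")
    p = int(proto) if proto.isdigit() else PROTO_NAMES[proto.lower()]
    return Selector(p, int(port) if port else None)


def local_policy(conns: Dict[str, Dict[str, str]], local_ip: str
                 ) -> List[Tuple[str, Selector, str, Selector]]:
    """Orient every conn so 'local' is this host; skip conns not involving it.
    Yields (conn name, local selector, remote ip, remote selector)."""
    out = []
    for name, c in conns.items():
        if name == "_setup":
            continue
        if c.get("left") == local_ip:
            loc, rem = "left", "right"
        elif c.get("right") == local_ip:
            loc, rem = "right", "left"
        else:
            continue
        out.append((name, parse_protoport(c.get(loc + "protoport")),
                    c[rem], parse_protoport(c.get(rem + "protoport"))))
    return out


def _match(sel: Selector, proto: int, port: int) -> bool:
    return (sel.proto is None or sel.proto == proto) and \
           (sel.port is None or sel.port == port)


def classify(conns, local_ip: str, dst_ip: str, proto: int,
             sport: int, dport: int) -> Optional[str]:
    """Name the conn whose selectors cover an outbound packet, or None when
    no IPsec policy applies and the packet would be routed in the clear."""
    for name, lsel, rem_ip, rsel in local_policy(conns, local_ip):
        if rem_ip == dst_ip and _match(lsel, proto, sport) and _match(rsel, proto, dport):
            return name
    return None


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_CONF)
    for label, pkt in [("tcp -> 3000", (6, 40000, 3000)),
                       ("icmp echo", (1, 0, 0)),
                       ("tcp -> 22 (ssh)", (6, 40001, 22))]:
        print(f"{label:16s}: {classify(conns, '192.168.1.1', '192.168.1.2', *pkt)}")
```

Run from 192.168.1.1's point of view, a connection to 192.168.1.2:3000 is covered by rh1-1-3919, a reply from local port 3000 by fed3-2-3919, and ping and ssh by nothing; swapping local_ip to 192.168.1.2 flips the orientation so the same two conns cover the other host's side.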