[Openswan Users] Connecting Freeswan 2.06 on FC1 with Openswan 2.2 on FC2?

Jerry R. Keene jkeene at scsengineers.com
Thu Oct 28 07:30:40 CEST 2004


Dear Users:


We rolled out a new Fedora Core 2 server with a 2.6 kernel. Since Freeswan
is no longer in development, we downloaded an FC2 rpm binary, version
2.2-0-17 of openswan. Installation of the binary went fine.

We then set up the following connections in ipsec.conf on the FC2 openswan
server, the style of which had worked as expected under freeswan 2.06. The
other side of the connections was a FC1 server with freeswan 2.06.

After starting ipsec on both sides we have

FC2-subnet---FC2(eth1)----GW1(eth0) >>>>> GW2(eth0)--FC1(eth1)---FC1-subnet

From the FC1 server (freeswan), workstations on the FC1-subnet can ping
workstations on FC2-subnet, but workstations on FC2-subnet cannot ping
workstations on the FC1-subnet.

GW1(eth0) and GW2(eth0) cannot ping each other.

FC2(eth1) cannot ping itself, and, more importantly, cannot be reached by
workstations on its directly attached subnet, although it allows
passthrough traffic from those subnet workstations.

I'd appreciate some clues to leap this hurdle/s? I acknowledge that I'm
probably doing something dumb here, but can't see it after some genuine
effort, including search of list archives. I realize openswan has some
design changes that are likely causing my woes, but I'm not clear on how
to compensate for those.

Thanks very much for the list's help with this!


***********************************************
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
# Add connections here

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
#############
conn VA-Ca
        left=192.168.98.131
        leftsubnet=10.0.0.0/8
        leftnexthop=192.168.98.129
        right=172.125.9.12
        rightsubnet=10.11.1.0/24
        rightnexthop=172.125.9.9
        auto=start
        leftrsasigkey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        rightrsasigkey=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
conn VAGate-CA
        left=192.168.98.131
        leftsubnet=192.168.98.128/27
        leftnexthop=65.168.98.129
        right=172.125.9.12
        rightsubnet=10.11.1.0/24
        rightnexthop=172.125.9.9
        auto=start
        leftrsasigkey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        rightrsasigkey=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
conn VAGate-CAGate
        left=192.168.98.131
        leftsubnet=192.168.98.128/27
        leftnexthop=192.168.98.129
        right=172.125.9.12
        rightnexthop=172.125.9.9
        auto=start
        leftrsasigkey=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        rightrsasigkey=yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
conn VA-CAGate
        left=192.168.98.131
        leftsubnet=10.0.0.0/8
        leftnexthop=192.168.98.129
        right=172.125.9.12
        rightnexthop=172.125.9.9
        auto=start
        leftrsasigkey=xxxxxxxxxxxxxxxxxxxxx
        rightrsasigkey=yyyyyyyyyyyyyyyyyyyyyyy
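
An added example (not from the post, and not Openswan's own code): a small Python checker that parses the conn sections of an ipsec.conf laid out like the one above and reports (a) which combinations of gateway-host and subnet selectors between the two peers no conn covers, and (b) any nexthop that does not share a /24 with its own endpoint. The /24 test is only an assumed heuristic for spotting mistyped addresses, and SAMPLE_CONF is a constructed subset of the posted config with the keys left out.

```python
import ipaddress
from collections import defaultdict
# Constructed sample in the layout of the posted config (RSA keys omitted);
# the 65.168.98.129 nexthop is reproduced from the post as written.
SAMPLE_CONF = """
conn VAGate-CA
    left=192.168.98.131
    leftsubnet=192.168.98.128/27
    leftnexthop=65.168.98.129
    right=172.125.9.12
    rightsubnet=10.11.1.0/24
    rightnexthop=172.125.9.9
conn VA-CAGate
    left=192.168.98.131
    leftsubnet=10.0.0.0/8
    right=172.125.9.12
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for every conn section; '#' comments are dropped."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def selector(conn, side):
    """Traffic selector of one side: its subnet if given, else the gateway host itself."""
    return ipaddress.ip_network(conn.get(side + "subnet", conn[side] + "/32"))

def missing_pairs(conns):
    """Per left/right peer pair, list selector combinations that no conn covers."""
    seen, lefts, rights = defaultdict(set), defaultdict(set), defaultdict(set)
    for conn in conns.values():
        peers = (conn["left"], conn["right"])
        lsel, rsel = selector(conn, "left"), selector(conn, "right")
        seen[peers].add((lsel, rsel)); lefts[peers].add(lsel); rights[peers].add(rsel)
    return sorted((str(ls), str(rs)) for p in seen for ls in lefts[p]
                  for rs in rights[p] if (ls, rs) not in seen[p])

def odd_nexthops(conns):
    """Flag a nexthop outside its endpoint's /24 (assumed heuristic for mistyped addresses)."""
    return [(name, side, conn[side + "nexthop"]) for name, conn in conns.items()
            for side in ("left", "right") if side + "nexthop" in conn
            and ipaddress.ip_address(conn[side + "nexthop"])
            not in ipaddress.ip_network(conn[side] + "/24", strict=False)]
```

Run on the full posted config, the coverage report shows whether all four gateway/subnet combinations have a conn, and the nexthop check points at any address that looks out of place next to its endpoint.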

