[Openswan Users] Rhel 3 with natt patch?
Nicole Hähnel
nicole.haehnel at epost.de
Tue Sep 14 10:12:55 CEST 2004
Hi,
I ping with the -I option for the interface,
and it's not working.
The connection is still established.
I can see it with ipsec look.
ipsec verify on the server behind the router:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.1.5 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: VPN-GW-DBBAU [MISSING]
Does the machine have at least one non-private address? [FAILED]
-------------------------------------------------------------------------
ipsec verify on the main vpn-gateway:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.1.5 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking tun0x1059 at xx.xx.xx.xx from xx.xx.xx.xx/24 to xx.xx.xx.xx/21 [FAILED]
SNAT from xx.xx.xx.xx to xx.xx.xx.xx/xx kills tunnel xx.xx.xx.xx -> xx.xx.xx.xx/21 [FAILED]
... much more of these lines ...
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: VPN-GW-FFM [MISSING]
Does the machine have at least one non-private address? [FAILED]
I activated port forwarding on the router for all ports to the VPN
server behind it.
What else can I do?
Thanks!
Nicole
Paul Wouters wrote:
> On Mon, 13 Sep 2004, Nicole Hähnel wrote:
>
>> Sep 13 16:01:13 VPN pluto[1351]: "lan1-lan2" #2: sent QI2, IPsec SA
>> established {ESP=>0xa3b89be5 <0x58332b28}
>>
>>
>> But I can't ping or something else.
>> There are no errors.
>
>
> - run ipsec verify on both ends to check for potential problems
> - don't use ping as a debugging tool from the gateway without the -s
> option to specify the internal LAN IP.
>
> Paul
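The "SNAT ... kills tunnel" lines in the gateway's ipsec verify output above point at a rule-ordering problem: a MASQUERADE/SNAT rule that matches before tunnel traffic is exempted rewrites the source address, so the packets no longer match the tunnel and leave in the clear. The script below is an added example (not code from Nicole, Paul or the Openswan project) that generates the POSTROUTING rules in the correct order, the minimal forwarding rules for a NAT router in front of the gateway (UDP/500 for IKE, UDP/4500 for NAT-T, ESP for a peer without NAT-T, instead of "all ports"), and a small audit function to run over `iptables-save -t nat` output. All addresses, the interface name eth0 and the inside address 192.168.1.2 are placeholders chosen for the example; the sample rule text is constructed. It prints the rules by default and only applies them when run as root with `IPT=iptables`.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values: LAN 192.168.1.0/24
# behind this gateway, remote LAN 192.168.2.0/21, external interface eth0,
# gateway's inside address 192.168.1.2 (when it sits behind a NAT router).
# IPT defaults to a function that only prints the rules (dry run);
# run with IPT=iptables as root to apply them.
show_rule() { printf 'iptables %s\n' "$*"; }
: "${IPT:=show_rule}"

# ipsec_nat_rules LOCAL_LAN REMOTE_LAN EXT_IF
# POSTROUTING rules for the IPsec gateway, in the order they must appear:
# the ACCEPT for tunnel traffic has to come before MASQUERADE, otherwise
# packets from LOCAL_LAN to REMOTE_LAN are rewritten to the gateway's public
# address, no longer match the tunnel, and leave unencrypted.
# That misordering is what "SNAT ... kills tunnel" in ipsec verify reports.
ipsec_nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$1" -d "$2" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$1" -o "$3" -j MASQUERADE
}

# router_forward_rules EXT_IF GW_INSIDE_IP
# For a NAT router in front of the gateway. Forwarding "all ports" is not
# needed: IKE uses UDP/500 and NAT-T encapsulates ESP in UDP/4500. Plain ESP
# (IP protocol 50) has no ports, so it can only be forwarded whole to one
# host, which is why NAT-T support on both peers is the robust option.
router_forward_rules() {
    $IPT -t nat -A PREROUTING -i "$1" -p udp --dport 500 -j DNAT --to-destination "$2"
    $IPT -t nat -A PREROUTING -i "$1" -p udp --dport 4500 -j DNAT --to-destination "$2"
    $IPT -t nat -A PREROUTING -i "$1" -p esp -j DNAT --to-destination "$2"
    $IPT -A FORWARD -i "$1" -d "$2" -p udp -m multiport --dports 500,4500 -j ACCEPT
    $IPT -A FORWARD -i "$1" -d "$2" -p esp -j ACCEPT
}

# check_nat_order RULES REMOTE_LAN
# Audit existing rules (paste the POSTROUTING lines from `iptables-save -t nat`):
# returns 0 if an ACCEPT towards REMOTE_LAN precedes the first MASQUERADE/SNAT
# rule, 1 if tunnel traffic would be NATed first.
check_nat_order() {
    accept_line=$(printf '%s\n' "$1" | grep -n -- "-A POSTROUTING .*-d $2 .*-j ACCEPT" | head -n 1 | cut -d: -f1)
    nat_line=$(printf '%s\n' "$1" | grep -n -E -- '-A POSTROUTING .*-j (MASQUERADE|SNAT)' | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$nat_line" ] && [ "$accept_line" -lt "$nat_line" ]
}

# Constructed samples in iptables-save format: the broken ordering of a
# typical MASQUERADE-only setup, and the corrected one.
BAD_RULES='-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/21 -j ACCEPT'
GOOD_RULES='-A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/21 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE'

echo "# gateway rules:"
ipsec_nat_rules 192.168.1.0/24 192.168.2.0/21 eth0
echo "# router rules:"
router_forward_rules eth0 192.168.1.2
check_nat_order "$BAD_RULES" 192.168.2.0/21 && echo "sample 1 ok" || echo "sample 1: tunnel traffic is NATed before the ACCEPT"
check_nat_order "$GOOD_RULES" 192.168.2.0/21 && echo "sample 2 ok" || echo "sample 2: tunnel traffic is NATed before the ACCEPT"
```

When testing after the rules are in place, send the ping from the gateway with a source address inside the tunnel's local subnet (for example the gateway's LAN address), since a ping sourced from the public address does not match the tunnel and is expected to fail even when the SA is up.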