[Openswan Users] Migration from RedHat 7 to SuSE 9.2 problematic

Bram Bouwens bbouwens at xs4all.nl
Sat Apr 16 17:33:53 CEST 2005 

I've been running an IPSEC connection between my home and the office
for years, really brilliant. Using RedHat 7.0 on one and 7.3 at the
other side with FreeS/WAN 2.06.

Now for various reasons it's time to upgrade my home gateway, and
I thought SuSE 9.2 would be nice. I also plugged in a DSL card modem.
All seems to go smooth, with almost no changes to the configuration,
Openswan U2.2.0/K2.6.8-24.14-default looks similar, except that I
see no ipsec0 device appearing, so I'm a little puzzled by the
routing.

I DO seem to get an SA between the 2 sites, see
http://www.bouwens.biz/pluto29125.txt for logging messages,
http://www.bouwens.biz/ipsec.conf for configuration

But then: no traffic.

# ip route
195.190.249.13 dev dsl0  proto kernel  scope link  src 80.126.5.18
192.168.37.0/24 dev eth0  proto kernel  scope link  src 192.168.37.1
192.168.0.0/24 dev dsl0  scope link
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via 195.190.249.13 dev dsl0

The firewall shouldn't be a problem I think:

# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     ah   --  a82-94-15-138.adsl.xs4all.nl 
a80-126-5-18.adsl.xs4all.nl
ACCEPT     esp  --  a82-94-15-138.adsl.xs4all.nl 
a80-126-5-18.adsl.xs4all.nl
ACCEPT     udp  --  a82-94-15-138.adsl.xs4all.nl 
a80-126-5-18.adsl.xs4all.nl udp spt:isakmp dpt:isakmp
....

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       192.168.37.0/24
ACCEPT     all  --  192.168.37.0/24      192.168.0.0/24
ACCEPT     all  --  192.168.37.0/24      a82-94-15-138.adsl.xs4all.nl
ACCEPT     all  --  a82-94-15-138.adsl.xs4all.nl  192.168.37.0/24
...

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     ah   --  a80-126-5-18.adsl.xs4all.nl 
a82-94-15-138.adsl.xs4all.nl
ACCEPT     esp  --  a80-126-5-18.adsl.xs4all.nl 
a82-94-15-138.adsl.xs4all.nl
ACCEPT     udp  --  a80-126-5-18.adsl.xs4all.nl 
a82-94-15-138.adsl.xs4all.nl udp spt:isakmp dpt:isakmp
....


No when I try to ssh from 192.168.37.5 to 192.168.0.17 I do see
packets arriving at the gateway machine, but nothing going out.

Would it be easier to use Racoon/Setkey/.. whatever? I don't
want to change the setup at the other end of the connection yet,
some people would start shouting at me :)


Thanks for any hints,

Bram

More information about the Users mailing list