[Openswan Users] Migration from RedHat 7 to SuSE 9.2 problematic

Alexander Samad alex at samad.com.au
Sun Apr 17 09:12:36 CEST 2005


On Sat, Apr 16, 2005 at 04:33:53PM +0200, Bram Bouwens wrote:
> I've been running an IPSEC connection between my home and the office
> for years, really brilliant. Using RedHat 7.0 on one and 7.3 at the
> other side with FreeS/WAN 2.06.
> 
> Now for various reasons it's time to upgrade my home gateway, and
> I thought SuSE 9.2 would be nice. I also plugged in a DSL card modem.
> All seems to go smooth, with almost no changes to the configuration,
> Openswan U2.2.0/K2.6.8-24.14-default looks similar, except that I
> see no ipsec0 device appearing, so I'm a little puzzled by the
> routing.

ipsec interfaces disappeared in the 2.6 implementation, using the native
ipsec stack.  I believe you can still build klips for the 2.6 kernel
which will give you back the ipsecX interfaces, but they are not needed.

> 
> I DO seem to get an SA between the 2 sites, see
> http://www.bouwens.biz/pluto29125.txt for logging messages,
> http://www.bouwens.biz/ipsec.conf for configuration
> 
> But then: no traffic.
> 
> # ip route
> 195.190.249.13 dev dsl0  proto kernel  scope link  src 80.126.5.18
> 192.168.37.0/24 dev eth0  proto kernel  scope link  src 192.168.37.1
> 192.168.0.0/24 dev dsl0  scope link
> 169.254.0.0/16 dev eth0  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 195.190.249.13 dev dsl0
> 
> The firewall shouldn't be a problem I think:

you will have to change your firewall, ipsec packets go through the
netfilter chain twice, once as an esp packet and once as a decrypted
packet.  Which means you might have to attach a script to your ipsec
config to automatically update your firewall to allow the unencrypted
packets through.  Or mark them in mangle (the esp packets) and then
allow them through in the filter table.



> 
> # iptables --list
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     ah   --  a82-94-15-138.adsl.xs4all.nl  a80-126-5-18.adsl.xs4all.nl
> ACCEPT     esp  --  a82-94-15-138.adsl.xs4all.nl  a80-126-5-18.adsl.xs4all.nl
> ACCEPT     udp  --  a82-94-15-138.adsl.xs4all.nl  a80-126-5-18.adsl.xs4all.nl udp spt:isakmp dpt:isakmp
> ....
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       192.168.37.0/24
> ACCEPT     all  --  192.168.37.0/24      192.168.0.0/24
> ACCEPT     all  --  192.168.37.0/24      a82-94-15-138.adsl.xs4all.nl
> ACCEPT     all  --  a82-94-15-138.adsl.xs4all.nl  192.168.37.0/24
> ...
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     ah   --  a80-126-5-18.adsl.xs4all.nl  a82-94-15-138.adsl.xs4all.nl
> ACCEPT     esp  --  a80-126-5-18.adsl.xs4all.nl  a82-94-15-138.adsl.xs4all.nl
> ACCEPT     udp  --  a80-126-5-18.adsl.xs4all.nl  a82-94-15-138.adsl.xs4all.nl udp spt:isakmp dpt:isakmp
> ....
> 
> 
> Now when I try to ssh from 192.168.37.5 to 192.168.0.17 I do see
> packets arriving at the gateway machine, but nothing going out.
> 
> Would it be easier to use Racoon/Setkey/.. whatever? I don't
> want to change the setup at the other end of the connection yet,
> some people would start shouting at me :)
> 
> 
> Thanks for any hints,
> 
> Bram
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
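An added example, not code from this thread or from Openswan, of the firewall approach the reply describes for a native-IPsec gateway with no ipsec0 device: the ESP packet is marked in the mangle table and the mark is matched on the decrypted packet in FORWARD. The interface, subnets and peer host are taken from the quoted output; the fwmark value 0x1 and printing the rules instead of applying them are assumptions.

```shell
#!/bin/sh
# Added example for the reply above, not code from the thread. Emits the
# iptables commands for a 2.6 native-IPsec gateway (no ipsec0 device), so
# they can be reviewed first and then piped to sh on the gateway.
# Taken from the quoted output: dsl0, eth0, 192.168.37.0/24, 192.168.0.0/24
# and the peer host. Assumed: the fwmark value and that rules are printed.

WAN_IF=dsl0
LAN_IF=eth0
LOCAL_NET=192.168.37.0/24
REMOTE_NET=192.168.0.0/24
PEER=a82-94-15-138.adsl.xs4all.nl
MARK=0x1   # assumption: any otherwise unused fwmark value will do

ipsec_fw_rules() {
    # 1. The tunnel itself: IKE plus AH/ESP, as the quoted rule set already allows.
    echo "iptables -A INPUT  -i $WAN_IF -p udp -s $PEER --sport 500 --dport 500 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WAN_IF -p udp -d $PEER --sport 500 --dport 500 -j ACCEPT"
    for proto in ah esp; do
        echo "iptables -A INPUT  -i $WAN_IF -p $proto -s $PEER -j ACCEPT"
        echo "iptables -A OUTPUT -o $WAN_IF -p $proto -d $PEER -j ACCEPT"
    done

    # 2. Second pass through netfilter: after decryption the inner packet
    #    re-enters on $WAN_IF carrying the private tunnel addresses. The
    #    reply's trick is to mark the ESP packet in mangle; the mark stays
    #    on the decrypted packet, so FORWARD can accept exactly that traffic.
    echo "iptables -t mangle -A PREROUTING -i $WAN_IF -p esp -s $PEER -j MARK --set-mark $MARK"
    echo "iptables -A FORWARD -i $WAN_IF -s $REMOTE_NET -d $LOCAL_NET -m mark --mark $MARK -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT"

    # 3. Why the mark matters: a plain "-i $WAN_IF -s $REMOTE_NET -j ACCEPT"
    #    would also admit cleartext packets from the Internet that merely
    #    claim a 192.168.0.0/24 source. Unmarked ones fall through to the
    #    chain's DROP policy; log them so the attempt is visible.
    echo "iptables -A FORWARD -i $WAN_IF -s $REMOTE_NET -m mark ! --mark $MARK -j LOG --log-prefix 'cleartext-spoof: '"
}

# Number of rules emitted, handy for a sanity check before applying.
ipsec_fw_rule_count() {
    ipsec_fw_rules | wc -l | tr -d ' '
}
```

On later kernels the policy match (-m policy --dir in --pol ipsec) identifies decapsulated packets directly and removes the dependence on the mark surviving decryption; it is a later addition than the kernel and Openswan versions in this thread.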