[Openswan Users] IP packets do not use IPsec
Stefan Lüthje
stefan+list at luethje.ch
Wed Aug 10 13:24:35 CEST 2005
Hello,
I'm upgrading from freeswan (kernel 2.4.x) to openswan 2.2 (kernel
2.6.12-4), but I ran into some trouble: all IP packets which should run
through the tunnel are not encrypted. The connection is established.
Where is my mistake?
# tcpdump -ni ppp0 host 10.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:54:52.672916 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2048, length 64
11:54:53.674696 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2304, length 64
11:54:54.676508 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2560, length 64
11:54:55.678306 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2816, length 64
11:54:56.680111 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3072, length 64
11:54:57.681918 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3328, length 64
11:54:58.683723 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3584, length 64
11:54:59.685524 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3840, length 64
11:55:00.687327 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 4096, length 64
9 packets captured
18 packets received by filter
0 packets dropped by kernel
# route -n
Kernel IP routing table
Destination      Gateway          Genmask          Flags Metric Ref    Use Iface
...
21x.18x.12x.1x   0.0.0.0          255.255.255.255  UH    0      0        0 ppp0
...
10.1.1.0         21x.18x.12x.1x   255.255.255.0    UG    0      0        0 ppp0
...
0.0.0.0          21x.18x.12x.1x   0.0.0.0          UG    0      0        0 ppp0
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                  [OK]
Linux Openswan U2.2.0/K2.6.12.4+mppe (native)
Checking for IPsec support in kernel                             [OK]
Checking for RSA private key (/etc/ipsec.secrets)                [OK]
Checking that pluto is running                                   [OK]
Two or more interfaces found, checking IP forwarding             [OK]
Checking NAT and MASQUERADEing                                   [OK]
Checking for 'ip' command                                        [OK]
Checking for 'iptables' command                                  [OK]
Checking for 'setkey' command for native IPsec stack support     [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: internet-gw              [MISSING]
   Does the machine have at least one non-private address?       [OK]
   Looking for TXT in reverse dns zone: 99.141.189.213.in-addr.arpa.   [MISSING]
   Looking for TXT in reverse dns zone: 98.141.189.213.in-addr.arpa.   [MISSING]
Connection:
104 "me-to-cica" #3: STATE_MAIN_I1: initiate
003 "me-to-cica" #3: ignoring Vendor ID payload [b858d1addd08c1e8adafea150608aa4497aa6cc8]
106 "me-to-cica" #3: STATE_MAIN_I2: sent MI2, expecting MR2
108 "me-to-cica" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "me-to-cica" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
004 "me-to-cica" #3: STATE_MAIN_I4: ISAKMP SA established
112 "me-to-cica" #4: STATE_QUICK_I1: initiate
003 "me-to-cica" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "me-to-cica" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7bdc8ae3 <0x08994f1c}
ipsec.conf:
version 2.0

config setup

conn %default
    authby=secret
    pfs=no
    rekey=yes

conn me-to-cica
    leftsubnet=192.168.4.1/32
    left=%defaultroute
    right=gw-cica.clavisklw.ch
    rightsubnet=10.1.1.0/24
    rightnexthop=%defaultroute
    auto=start

include /etc/ipsec.d/examples/no_oe.conf
Best Regards
Stefan Luethje