[Openswan Users] IP packets do not use IPsec

Stefan Lüthje stefan+list at luethje.ch
Wed Aug 10 13:24:35 CEST 2005


Hello,

I'm upgrading from FreeS/WAN (kernel 2.4.x) to Openswan 2.2 (kernel
2.6.12-4), but I have run into some trouble: all IP packets that should go
through the tunnel are not encrypted. The connection is established.
Where is my mistake?

# tcpdump -ni ppp0 host 10.1.1.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
11:54:52.672916 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2048, length 64
11:54:53.674696 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2304, length 64
11:54:54.676508 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2560, length 64
11:54:55.678306 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 2816, length 64
11:54:56.680111 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3072, length 64
11:54:57.681918 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3328, length 64
11:54:58.683723 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3584, length 64
11:54:59.685524 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 3840, length 64
11:55:00.687327 IP 21x.18x.14x.9x > 10.1.1.1: ICMP echo request seq 4096, length 64

9 packets captured
18 packets received by filter
0 packets dropped by kernel

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
...
21x.18x.12x.1x  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
...
10.1.1.0        21x.18x.12x.1x  255.255.255.0   UG    0      0        0 ppp0
...
0.0.0.0         21x.18x.12x.1x  0.0.0.0         UG    0      0        0 ppp0

# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                    [OK]
Linux Openswan U2.2.0/K2.6.12.4+mppe (native)
Checking for IPsec support in kernel                               [OK]
Checking for RSA private key (/etc/ipsec.secrets)                  [OK]
Checking that pluto is running                                     [OK]
Two or more interfaces found, checking IP forwarding               [OK]
Checking NAT and MASQUERADEing                                     [OK]
Checking for 'ip' command                                          [OK]
Checking for 'iptables' command                                    [OK]
Checking for 'setkey' command for native IPsec stack support       [OK]

Opportunistic Encryption DNS checks:
  Looking for TXT in forward dns zone: internet-gw                 [MISSING]
  Does the machine have at least one non-private address?          [OK]
  Looking for TXT in reverse dns zone: 99.141.189.213.in-addr.arpa.  [MISSING]
  Looking for TXT in reverse dns zone: 98.141.189.213.in-addr.arpa.  [MISSING]


Connection:
104 "me-to-cica" #3: STATE_MAIN_I1: initiate
003 "me-to-cica" #3: ignoring Vendor ID payload [b858d1addd08c1e8adafea150608aa4497aa6cc8]
106 "me-to-cica" #3: STATE_MAIN_I2: sent MI2, expecting MR2
108 "me-to-cica" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "me-to-cica" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
004 "me-to-cica" #3: STATE_MAIN_I4: ISAKMP SA established
112 "me-to-cica" #4: STATE_QUICK_I1: initiate
003 "me-to-cica" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "me-to-cica" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7bdc8ae3 <0x08994f1c}

ipsec.conf:

version 2.0
config setup
conn %default
        authby=secret
        pfs=no
        rekey=yes
conn me-to-cica
        leftsubnet=192.168.4.1/32
        left=%defaultroute
        right=gw-cica.clavisklw.ch
        rightsubnet=10.1.1.0/24
        rightnexthop=%defaultroute
        auto=start
include /etc/ipsec.d/examples/no_oe.conf

Best Regards

        Stefan Luethje
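Added example (editor's note, not part of Stefan's post and not Openswan code): the symptom above, an IPsec SA that is established while pings to 10.1.1.1 still leave ppp0 in cleartext, is what the native 2.6 stack does whenever an outbound packet matches no security policy, because unlike KLIPS it neither drops nor encrypts such a packet, it just routes it. The selectors the kernel gets are derived from leftsubnet/rightsubnet in ipsec.conf, so the check a practitioner wants is: does the packet's source/destination pair fall inside those selectors? The script below models that lookup. The ipsec.conf text is copied from the post; the packet addresses are constructed, with 203.0.113.9 standing in for the masked ppp0 address 21x.18x.14x.9x. It assumes the conn installs one outbound selector leftsubnet -> rightsubnet (Openswan's behaviour when both subnets are given explicitly).

```python
"""Model: ipsec.conf leftsubnet/rightsubnet -> outbound SPD selectors -> per-packet
decision.  Added example, not Openswan code.  Packet addresses are constructed;
203.0.113.9 stands in for the masked ppp0 address 21x.18x.14x.9x."""
import ipaddress
from dataclasses import dataclass

# Copied from the post (the 'include' line is irrelevant to selector derivation).
IPSEC_CONF = """\
version 2.0
config setup
conn %default
        authby=secret
        pfs=no
        rekey=yes
conn me-to-cica
        leftsubnet=192.168.4.1/32
        left=%defaultroute
        right=gw-cica.clavisklw.ch
        rightsubnet=10.1.1.0/24
        rightnexthop=%defaultroute
        auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} with the %default section merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("include"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
        else:
            current = None  # 'version' / 'config setup' lines end a conn block
    default = conns.pop("%default", {})
    return {name: {**default, **kv} for name, kv in conns.items()}


@dataclass(frozen=True)
class Policy:
    conn: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def outbound_spd(conns):
    """One outbound 'protect' selector per conn: leftsubnet -> rightsubnet.
    (Openswan uses left/32 when leftsubnet is absent; left here is %defaultroute,
    so only conns with an explicit leftsubnet are modelled.)"""
    spd = []
    for name, kv in conns.items():
        if "leftsubnet" in kv and "rightsubnet" in kv:
            spd.append(Policy(name,
                              ipaddress.ip_network(kv["leftsubnet"], strict=False),
                              ipaddress.ip_network(kv["rightsubnet"], strict=False)))
    return spd


def classify(spd, src, dst):
    """('esp', conn) if an outbound selector covers src->dst, else
    ('cleartext', reason).  With no matching policy the native stack just
    routes the packet; nothing drops or encrypts it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in p.src and d in p.dst:
            return ("esp", p.conn)
    reasons = [f"{p.conn}: dst matches {p.dst} but src {s} not in {p.src}"
               for p in spd if d in p.dst and s not in p.src]
    return ("cleartext", "; ".join(reasons) or "no selector covers this pair")


SPD = outbound_spd(parse_conns(IPSEC_CONF))

if __name__ == "__main__":
    # Constructed packets: a ping sourced from the ppp0 address (as in the
    # tcpdump above) and one sourced from the configured leftsubnet host.
    for src in ("203.0.113.9", "192.168.4.1"):
        print(f"{src} -> 10.1.1.1: {classify(SPD, src, '10.1.1.1')}")
```

On the real box the same question is answered by dumping the kernel SPD (`ip xfrm policy` or `setkey -DP`) and comparing the printed src/dst selectors against the source address the ping actually uses; a packet sourced from the ppp0 address cannot match a 192.168.4.1/32 selector, whatever state the ISAKMP and IPsec SAs are in.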



