[Openswan Users] Just 2 questions
Vincent Schultz
vincent.schultz at wanadoo.fr
Mon Aug 22 16:11:44 CEST 2005
Hello,
I have 2 questions. The first one is about pluto: when I start
openswan to create an IPsec tunnel between 2 LANs, I get this log
in /var/log/messages:
Aug 22 14:02:23 swg1 ipsec__plutorun: 104 "sgw1-sgw2" #1: STATE_MAIN_I1: initiate
Aug 22 14:02:23 sgw1 ipsec__plutorun: ...could not start conn "sgw1-sgw2"
But if I ping the client in the second LAN from the first LAN, it works,
and I have only ESP traffic between the 2 secure gateways. So what does
"could not start sgw1-sgw2" mean?
The second question is about iptables. I wrote a script that drops
everything in the filter table. After flushing all the rules in all the
tables, I authorize on the gateway:
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# ISAKMP (IKE, UDP/500) between the two gateways, both directions
iptables -t filter -A OUTPUT -o eth0 -s 152.18.31.45 -d 152.18.31.74 -p udp --sport 500 --dport 500 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s 152.18.31.74 -d 152.18.31.45 -p udp --sport 500 --dport 500 -j ACCEPT
# ESP (IP protocol 50) from the peer gateway, inbound only
iptables -t filter -A INPUT -i eth0 -s 152.18.31.74 -p esp -j ACCEPT
# Allow ICMP between the two LANs, both directions
iptables -A FORWARD -i vmnet1 -o eth0 -p icmp -s 10.10.45.0/24 -d 172.30.15.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o vmnet1 -p icmp -s 172.30.15.0/24 -d 10.10.45.0/24 -j ACCEPT
Why don't I have to set an ESP OUTPUT rule, only INPUT? I don't understand
that point, and the iptables logs don't show anything ...
Can someone help me understand?
Thank you,
Vincent
PS: my ipsec.conf for openswan-2.3.1-1 on Fedora Core 4 running a
2.6.12 kernel:
# more /etc/ipsec.conf
version 2.0

config setup
    # KLIPS-style binding of the virtual ipsec0 device to eth0 (NETKEY ignores it)
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none

conn sgw1-sgw2
    # net-to-net tunnel, pre-shared key taken from /etc/ipsec.secrets
    type=tunnel
    authby=secret
    # "left" gateway and the LAN behind it
    left=152.18.31.74
    leftsubnet=172.30.15.0/24
    leftnexthop=%direct
    # "right" gateway and the LAN behind it
    right=152.18.31.45
    rightsubnet=10.10.45.0/24
    rightnexthop=%direct
    # bring the tunnel up when the ipsec service starts
    auto=start

# disable opportunistic encryption
include /etc/ipsec.d/examples/no_oe.conf
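An added example, not part of Vincent's post and not Openswan's own code: a POSIX sh script that prints a complete default-deny iptables rule set for the 152.18.31.45 gateway in the post, covering both directions of IKE and ESP, forwarding between the two LANs for all protocols, and a rate-limited LOG rule at the tail of each chain so that dropped packets actually show up in /var/log/messages. It prints the commands instead of applying them, so it can be reviewed or piped to sh on the gateway. The addresses, subnets and interface names (eth0, vmnet1) are taken from the post; the NAT-T UDP/4500 rules, the LOG prefix and the rate limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables rule set for an
# Openswan net-to-net gateway. Addresses come from the post; everything marked
# "assumed" is not.

ME=152.18.31.45            # this gateway's public address ("right" in ipsec.conf)
PEER=152.18.31.74          # the other secure gateway ("left")
MY_LAN=10.10.45.0/24       # LAN behind this gateway
PEER_LAN=172.30.15.0/24    # LAN behind the peer
WAN=eth0                   # interface holding $ME
LAN=vmnet1                 # interface facing $MY_LAN

ipsec_rules() {
    # Clean slate and default deny in the filter table; loopback stays open.
    printf '%s\n' \
        "iptables -F" \
        "iptables -X" \
        "iptables -P INPUT DROP" \
        "iptables -P OUTPUT DROP" \
        "iptables -P FORWARD DROP" \
        "iptables -A INPUT -i lo -j ACCEPT" \
        "iptables -A OUTPUT -o lo -j ACCEPT"

    # IKE (ISAKMP, UDP/500) pinned to the two gateway addresses, both directions.
    # UDP/4500 (assumed) is only needed when nat_traversal=yes is in use.
    for port in 500 4500; do
        printf '%s\n' \
            "iptables -A OUTPUT -o $WAN -s $ME -d $PEER -p udp --sport $port --dport $port -j ACCEPT" \
            "iptables -A INPUT -i $WAN -s $PEER -d $ME -p udp --sport $port --dport $port -j ACCEPT"
    done

    # ESP (IP protocol 50). Inbound ESP always crosses INPUT on $WAN. The outbound
    # ESP packet is built after the filter OUTPUT hook (KLIPS sends it from ipsec0
    # straight to the NIC; NETKEY only shows it to POSTROUTING), so the OUTPUT rule
    # is rarely consulted, but it is harmless and documents the intent.
    printf '%s\n' \
        "iptables -A INPUT -i $WAN -s $PEER -d $ME -p esp -j ACCEPT" \
        "iptables -A OUTPUT -o $WAN -s $ME -d $PEER -p esp -j ACCEPT"

    # Plaintext between the two LANs. The tunnel-side interface differs per stack
    # (ipsec0 on KLIPS, $WAN on NETKEY), so match only addresses and the LAN side.
    printf '%s\n' \
        "iptables -A FORWARD -i $LAN -s $MY_LAN -d $PEER_LAN -j ACCEPT" \
        "iptables -A FORWARD -o $LAN -s $PEER_LAN -d $MY_LAN -j ACCEPT"

    # Log (rate limited) what the DROP policy is about to discard; without a LOG
    # rule the kernel logs nothing about dropped packets.
    for chain in INPUT OUTPUT FORWARD; do
        printf '%s\n' \
            "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"ipt-$chain-drop: \""
    done
}

ipsec_rules
```

Run it as `sh ipsec-rules.sh | sh` on the gateway once the printed output looks right. The FORWARD rules accept packets from PEER_LAN purely by address, so on the 2.6.12 kernel in the post a spoofed, unencrypted packet with a 172.30.15.x source arriving on eth0 would also be forwarded; later 2.6 kernels add the `policy` match (`-m policy --dir in --pol ipsec`) that lets the rule require the plaintext to have come out of a tunnel, which is the check to add when the kernel supports it.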