[Openswan Users] Just 2 questions

Vincent Schultz vincent.schultz at wanadoo.fr
Mon Aug 22 16:11:44 CEST 2005


Hello,

I have 2 questions. The first one is about pluto: when I start
Openswan to create an IPsec tunnel between 2 LANs, I get this log
in /var/log/messages:

Aug 22 14:02:23 swg1 ipsec__plutorun: 104 "sgw1-sgw2" #1: STATE_MAIN_I1:
initiate
Aug 22 14:02:23 sgw1 ipsec__plutorun: ...could not start conn
"sgw1-sgw2"

But if I ping the client in the second LAN from the first LAN, it works
and I have only ESP traffic between the 2 secure gateways. So what does
"could not start sgw1-sgw2" mean?

The second question is about iptables. I wrote a script and I drop
everything in the filter table. After flushing all the rules in all the
tables, I authorize on the gateway:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ISAKMP
iptables -t filter -A OUTPUT -o eth0 -s 152.18.31.45 -d 152.18.31.74 -p udp --sport 500 --dport 500 -j ACCEPT
iptables -t filter -A INPUT  -i eth0 -s 152.18.31.74 -d 152.18.31.45 -p udp --sport 500 --dport 500 -j ACCEPT

# ESP
iptables -t filter -A INPUT  -i eth0 -s 152.18.31.74 -p esp -j ACCEPT

# Allow ICMP
iptables -A FORWARD -i vmnet1 -o eth0 -p icmp -s 10.10.45.0/24 -d 172.30.15.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -o vmnet1 -p icmp -s 172.30.15.0/24 -d 10.10.45.0/24 -j ACCEPT

Why don't I have to set ESP OUTPUT, only INPUT? I don't understand
that point, and the iptables logs don't show anything...

Can someone help me to understand ?

Thank you, 

Vincent

PS: my ipsec.conf for openswan-2.3.1-1 on Fedora Core 4 running a
2.6.12 kernel:

# more /etc/ipsec.conf
version 2.0
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none

conn sgw1-sgw2
        type=tunnel
        authby=secret
        left=152.18.31.74
        leftsubnet=172.30.15.0/24
        leftnexthop=%direct
        right=152.18.31.45
        rightsubnet=10.10.45.0/24
        rightnexthop=%direct
        auto=start

include /etc/ipsec.d/examples/no_oe.conf
