[Openswan Users] VPN is up but won't pass data ????
Shane Drinkwater
Shane_Drinkwater at pa-ucl.com
Thu Mar 24 11:03:08 CET 2005
Hello,
My name is Shane Drinkwater. I was running FreeSwan for a long time. During that time, if I saw
000 #2: "ucl-shanevpn"[1] 69.128.209.149 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2908s; newest IPSEC; eroute owner
000 #2: "ucl-shanevpn"[1] 69.128.209.149 esp.a7e67b44@69.128.209.149 esp.e486ada4@65.103.83.11 tun.0@69.128.209.149 tun.0@65.103.83.11
000 #1: "ucl-shanevpn"[1] 69.128.209.149 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2908s; newest ISAKMP; lastdpd=62s (seq in:0 out:0)
I could transfer data to and from the remote system. Ever since I switched to OpenSwan I have seen the above connection, but I can't transmit any data. My setup is like this: I have one server running Fedora Core 3, running kernel 2.6 with OpenSwan ver 2.3.0. I only compiled the user-land programs (using the built-in ipsec modules for kernel 2.6). My server config looks like this:
# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        overridemtu = 1200

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        disablearrivalcheck=no
        keyingtries=3
        keylife=70m
        authby=rsasig

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn ucl-steveshouse
        leftcert=freeswan-cert.pem
        rightcert=steveshouse-cert.pem
        leftsubnet=172.27.1.0/24
        rightsubnet=172.27.105.0/24
        left=65.103.83.11
        pfs=yes
        right=%any
        auto=add

conn ucl-gary
        leftcert=freeswan-cert.pem
        rightcert=gary-cert.pem
        leftsubnet=172.27.1.0/24
        rightsubnet=172.27.100.0/24
        left=65.103.83.11
        pfs=yes
        right=%any
        ikelifetime=1090
        auto=add

conn ucl-shanevpn
        leftcert=freeswan-cert.pem
        rightcert=shanevpn-cert.pem
        leftsubnet=172.27.1.0/24
        rightsubnet=172.27.120.0/24
        left=65.103.83.11
        pfs=yes
        right=%any
        auto=add
On the client side I have another Linux box running Fedora Core 3, 2.6 kernel, OpenSwan 2.3.0 (compiled only with user programs). The remote clients are protected by a Linksys BEFSR41 Router ver 3.

conn ucl-gary is a DSL connection that uses DHCP.
conn ucl-steve is a cable modem using DHCP.
conn ucl-shanevpn is a DSL with pppoe with reconnect turned on....

My client config is:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        overridemtu=1360

conn %default
        keyingtries=0
        keylife=60m
        dpddelay=120
        dpdtimeout=370
        dpdaction=clear
        disablearrivalcheck=no
        authby=rsasig
        rightrsasigkey=%cert
        leftcert=freeswan-cert.pem
        leftsubnet = 172.27.1.0/24

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn shanevpn-ucl
        leftcert=/etc/ipsec.d/freeswan-cert.pem
        rightcert=/etc/ipsec.d/steveshouse-cert.pem
        leftsubnet=172.27.1.0/24
        rightsubnet=172.27.105.0/24
        left=65.103.83.11
        leftnexthop=65.103.83.14
        pfs=yes
        right=%defaultroute
        auto=start
If I do a tcpdump on the internet interface on the server I see ESP packets being sent but no returns. Also, at my house I have keyingtries=0, which I thought meant keep trying forever. When I get up in the morning the connection I started the previous night is down??? If I leave a ping running during the night the connection stays active. Any ideas what is wrong... thank you for your time.....
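As an added diagnostic for the "SA established but no data" symptom above (example code, not from the post or from Openswan), this script reads the pluto status lines quoted earlier, learns the outbound and inbound ESP SPIs of each tunnel from the esp.<spi>@<dst> entries, and then counts ESP packets per direction in tcpdump output so the one-way case stands out. Both the status text and the capture lines are constructed sample input embedded in the script; the capture format is tcpdump's usual "ESP(spi=0x...,seq=0x...)" line.

```python
import re
# Constructed input: the three pluto status lines quoted in the post ("ipsec auto --status"
# format), with the list archive's " at " restored to "@".
STATUS = """\
000 #2: "ucl-shanevpn"[1] 69.128.209.149 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2908s; newest IPSEC; eroute owner
000 #2: "ucl-shanevpn"[1] 69.128.209.149 esp.a7e67b44@69.128.209.149 esp.e486ada4@65.103.83.11 tun.0@69.128.209.149 tun.0@65.103.83.11
000 #1: "ucl-shanevpn"[1] 69.128.209.149 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2908s; newest ISAKMP; lastdpd=62s (seq in:0 out:0)
"""
# Constructed "tcpdump -n esp" lines reproducing the symptom: our ESP leaves, nothing comes back.
CAPTURE = """\
11:02:01.000000 IP 65.103.83.11 > 69.128.209.149: ESP(spi=0xa7e67b44,seq=0x1), length 116
11:02:02.000000 IP 65.103.83.11 > 69.128.209.149: ESP(spi=0xa7e67b44,seq=0x2), length 116
"""
SA_RE = re.compile(r'^000 #\d+: "([^"]+)"(?:\[\d+\])? (\S+) (.*)$')
ESP_RE = re.compile(r'esp\.([0-9a-f]+)@(\d+\.\d+\.\d+\.\d+)')

def parse_status(text):
    """Map conn name -> peer, IPsec-SA flag and {spi: 'in'|'out'} from pluto status lines."""
    conns = {}
    for m in filter(None, map(SA_RE.match, text.splitlines())):
        name, peer, rest = m.groups()
        c = conns.setdefault(name, {"peer": peer, "ipsec": False, "spi": {}})
        c["ipsec"] |= "IPsec SA established" in rest
        for spi, dst in ESP_RE.findall(rest):
            # esp.<spi>@<dst>: packets on that SA are sent to <dst>, so dst == peer is our outbound SA
            c["spi"][spi] = "out" if dst == peer else "in"
    return conns

def esp_counts(conns, capture):
    """Count captured ESP packets per conn and direction, matched on SPI."""
    spi_to = {spi: (n, d) for n, c in conns.items() for spi, d in c["spi"].items()}
    counts = {n: {"in": 0, "out": 0} for n in conns}
    for spi in re.findall(r'ESP\(spi=0x([0-9a-f]+)', capture):
        if spi in spi_to:  # ignore SPIs that belong to no known SA
            n, d = spi_to[spi]
            counts[n][d] += 1
    return counts

def diagnose(conns, counts):
    """Verdict per conn; the post's symptom is 'no-inbound-esp' (SA up, ESP leaves, none returns)."""
    verdict = {}
    for n, c in conns.items():
        o, i = counts[n]["out"], counts[n]["in"]
        if not c["ipsec"]:
            verdict[n] = "ipsec-sa-down"
        elif bool(o) != bool(i):
            verdict[n] = "no-inbound-esp" if o else "no-outbound-esp"
        else:
            verdict[n] = "ok" if o else "no-traffic"
    return verdict
```

Run against a real "ipsec auto --status" dump and a tcpdump of the external interface; "no-inbound-esp" with an established SA means the problem is on the return path (peer, NAT device, or filtering in between), not in key negotiation.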