[Openswan Users] HELP Needed !! Openswan 2.4 and FortiClient on XP

Yannick GUILLOUX yannick.guilloux at laposte.net
Wed Nov 9 19:33:04 CET 2005


Hello

I am trying to implement Openswan for a client. I actually succeeded in 
creating some tunnels but I have never been able to send anything through 
them !!!

Here is the target configuration:

XP FortiClient x.y.z.123 (public) <= Internet => a.b.c.187 (public) 
Firewall 172.17.17.19 ..OVPN Box...  172.17.18.0/24

The OVPN box is running RHEL 3, ipsec verify is correct and the route seems 
fine also.

My /etc/ipsec.conf:
---------------------------------------------
config setup
        interfaces=%defaultroute
        forwardcontrol=no
        nat_traversal=no
        #plutodebug=all
        virtual_private=%v4:10.0.0.0/8,%v4:172.17.18.0/24,%v4:192.168.0.0/24

conn %default
        keyingtries=3
        compress=no
        disablearrivalcheck=no
        auth=esp
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        ike=3DES-MD5
        esp=3DES-MD5
        pfs=no

conn vpn-yann
        auto=start
        left=%defaultroute
        leftsubnet=172.17.18.0/24
        right=x.y.z.123

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore
---------------------------------------------
The tunnel seems to be built correctly:

Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: responding to Main Mode
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: STATE_MAIN_R1: sent MR1, expecting MI2
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: STATE_MAIN_R2: sent MR2, expecting MI3
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: Main mode peer ID is ID_IPV4_ADDR: '82.234.25.123'
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: I did not send a certificate because I do not have one.
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: responding to Quick Mode {msgid:ad9c3558}
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: STATE_QUICK_R2: IPsec SA established {ESP=>0x5f5ab59a <0x633ba904 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

But actually, when I ping a 172.17.18.x address, the packets seem to go 
through the tunnel (the FortiClient shows outgoing packets), but nothing 
happens on the other side (tcpdump -n -s 1500 esp shows nothing).

HELP! Any advice is welcome.
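A small parser, added here and not part of the original post or of Openswan, that pulls the negotiated parameters out of pluto log lines like the ones quoted above and states what such a log proves (both IKE phases completed, no NAT-T, no DPD) and what it does not (that any ESP packet reached the gateway). The sample lines are constructed in the same format as the post's log, with a documentation address in place of the peer.

```python
import re

# Constructed sample in the pluto log format quoted above; peer is a documentation address.
SAMPLE_LOG = """\
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: Main mode peer ID is ID_IPV4_ADDR: '192.0.2.123'
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #11: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov  9 21:16:58 aspvpn001 pluto[31666]: "vpn-yan" #12: STATE_QUICK_R2: IPsec SA established {ESP=>0x5f5ab59a <0x633ba904 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')


def _braces(msg):
    return msg[msg.index('{') + 1:msg.rindex('}')]   # text inside the {...} of a message


def parse_pluto_log(text):
    """Summarise, per connection name, what pluto's log actually proves."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group('conn'), {'peer_id': None, 'isakmp': None, 'ipsec': None})
        msg = m.group('msg')
        if 'peer ID is' in msg:
            c['peer_id'] = msg.split(':', 1)[1].strip().strip("'")
        elif 'ISAKMP SA established' in msg:          # phase 1 (main mode) done
            c['isakmp'] = dict(KV_RE.findall(_braces(msg)))
        elif 'IPsec SA established' in msg:           # phase 2 (quick mode) done
            body = _braces(msg)
            params = dict(KV_RE.findall(body))
            params.pop('ESP', None)                   # the two SPIs are parsed separately
            params['spi_out'], params['spi_in'] = SPI_RE.search(body).groups()
            c['ipsec'] = params
    return conns


def findings(c):
    """Defender's reading of one connection summary: what is proven, what is not."""
    out = []
    if c['isakmp'] and c['ipsec']:
        out.append('both IKE phases completed; the IKE exchange itself is not the fault')
    if c['ipsec'] and c['ipsec'].get('NATD') == 'none':
        out.append('no NAT-T negotiated: ESP travels as IP protocol 50, so any NAT or '
                   'firewall in the path must forward protocol 50, not only UDP/500')
    if c['ipsec']:
        out.append('the log shows SAs installed, not ESP packets arriving; confirm with '
                   'tcpdump -n esp on the gateway and, if possible, on the firewall')
    return out
```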

