[Openswan Users] IPSec SA estabished but no traffic goes out?
Martin Hillier
martin.hillier at nyquist-solutions.com
Sat Nov 26 16:53:14 CET 2005
Thanks for the reply Paul....
I fixed the forwarding.
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.5dr2/K2.6.11.12 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption Support [DISABLED]
When ipsec is stopped I get
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.255.255.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.255.255.1 0.0.0.0 UG 0 0 0 eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:49:08.338453 IP ???????.pureserver.info > 172.16.0.1: icmp 64: echo request seq 0
16:49:09.338203 IP ???????.pureserver.info > 172.16.0.1: icmp 64: echo request seq 1
16:49:10.337976 IP ???????.pureserver.info > 172.16.0.1: icmp 64: echo request seq 2
and when started...
Destination Gateway Genmask Flags Metric Ref Use Iface
10.255.255.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.255.255.1 0.0.0.0 UG 0 0 0 eth0
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:48:38.647945 arp who-has 172.16.0.1 tell ???????.pureserver.info
16:48:39.647722 arp who-has 172.16.0.1 tell ???????.pureserver.info
16:48:40.647502 arp who-has 172.16.0.1 tell ???????.pureserver.info
eth0 has a public IP of 212.227.xxx.xxx.
172.16.0.0/24 should only be behind right; I can't see any way that it's on
the LAN?
Thanks....
> On Fri, 25 Nov 2005, Martin Hillier wrote:
>
>> tcpdump -i eth0
>>
>> 19:48:37.115393 arp who-has 172.16.0.1 tell ??????.pureserver.info
>> 19:48:38.115174 arp who-has 172.16.0.1 tell ??????.pureserver.info
>>
>> tcpdump host [right vpn ip]
>>
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 19:50:00.461380 IP [right vpn ip] > ???????.pureserver.info:
>> ESP(spi=0x50a0c52c,seq=0x54)
>> 19:50:00.461380 IP [right vpn ip] > ???????.pureserver.info: icmp 24: echo request seq 24328
>>
>> But no extra ESP packets when i ping 172.16.0.1
>
> Notice the arp for 172.16.0.1. Your machine believes 172.16.0.1 is in its
> local LAN.
>
>> Kernel IP routing table
>> Destination Gateway Genmask Flags MSS Window irtt Iface
>> 10.255.255.1 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
>> 172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>
> Seems you're in the 172.16.0.0/24
>
>> Two or more interfaces found, checking IP forwarding [FAILED]
>
> that needs fixing too. Check /etc/sysctl.conf
>
>> # nat_traversal=yes
>> #
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>
>> conn mobius
>> left=[Left IP]
>> leftsubnet=192.168.0.0/24
>> right=[Right IP]
>> rightsubnet=172.16.0.0/24
>> authby=secret
>> auto=route
>
> so where does 172.16.0.0/24 live? Off of eth0 or behind right= ? It cannot
> be at both.
>
> Paul
>
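An added diagnostic (example code, not from the thread or from Openswan): it parses a `route -n` table like the "when started" one above, reports any directly connected route overlapping the conn's rightsubnet (the 172.16.0.0/24 entry that only appears while ipsec is running), and checks whether a test ping's source/destination actually falls inside leftsubnet/rightsubnet, since the captures above show the pings sourced from the host's public address rather than from 192.168.0.0/24. The table and addresses below are constructed placeholders.

```python
import ipaddress

# Constructed sample: the conn from the thread plus a route table shaped like
# the "when started" output above (public address replaced by a placeholder).
CONN = {"leftsubnet": "192.168.0.0/24", "rightsubnet": "172.16.0.0/24"}

ROUTE_N = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.255.255.1    0.0.0.0         255.255.255.255 UH    0      0   0   eth0
172.16.0.0      0.0.0.0         255.255.255.0   U     0      0   0   eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0   0   eth0
0.0.0.0         10.255.255.1    0.0.0.0         UG    0      0   0   eth0
"""


def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, mask, flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, flags, iface))
    return routes


def connected_overlaps(routes, subnet):
    """Connected routes (no gateway, not the default) overlapping `subnet`.

    Such a route makes the kernel ARP for hosts in the remote subnet on the
    LAN instead of treating them as reachable only through the tunnel."""
    target = ipaddress.ip_network(subnet)
    return [r for r in routes
            if r[1] == "0.0.0.0" and r[0].prefixlen > 0 and r[0].overlaps(target)]


def selector_matches(conn, src, dst):
    """True when a src->dst packet lies inside leftsubnet/rightsubnet, i.e. the
    traffic selector the IPsec policy for this conn would actually cover."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(conn["leftsubnet"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(conn["rightsubnet"]))


if __name__ == "__main__":
    for net, _gw, flags, iface in connected_overlaps(parse_route_n(ROUTE_N), CONN["rightsubnet"]):
        print(f"rightsubnet {CONN['rightsubnet']} is also a connected route: {net} {flags} {iface}")
    print("ping from public address covered by policy:",
          selector_matches(CONN, "203.0.113.5", "172.16.0.1"))
```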