[Openswan Users] Openswan 2.4.7 and juniper ns208

Didine didinux at gmail.com
Thu Dec 7 13:18:02 EST 2006


Here is my ipsec verify.

[root at lt85 ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)
Checking for IPsec support in kernel                            [OK]
Testing against enforced SElinux mode                           [OK]
Hardware RNG detected, testing if used properly                 [FAILED]

  Hardware RNG is present but 'rngd' is not running.
  No harware random used!

NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: lt85.xxxxxx.xxx      [MISSING]
   Does the machine have at least one non-private address?      [FAILED]




On 12/7/06, Paul Wouters <paul at xelerance.com> wrote:
>
> On Thu, 7 Dec 2006, Didine wrote:
>
> > I am trying to set up a connection between openswan (Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.
>
> > 004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established
> > {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
>
> So the tunnel is established.
>
> > A tcpdump shows the following (no ESP msg):
> >
> > =====================================================================
> > [root at lt85 ~]# tcpdump host 194.250.x.x
> > 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024, seq 55960, length 24
>
> That's normal for netkey. The packets get encrypted after tcpdump can see
> them. It's annoying.
>
> Run ipsec verify. See if you have bogus redirects, rp_filter or
> ip_forwarding misconfigured. Check the firewall for NAT rules (don't NAT
> ipsec packets).
>
> Paul
>



-- 
Didine
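Paul's advice above amounts to two checks on the Linux side: the sysctls that `ipsec verify` only partly covers (send_redirects, accept_redirects, rp_filter, ip_forward) and a NAT table that must not masquerade the traffic destined for the tunnel. The script below is an added example, not code from the thread or from Openswan, and it audits both offline against constructed `sysctl -a` and `iptables-save -t nat` output. The expected sysctl values and the use of the `-m policy --dir out --pol ipsec` match as the NAT exemption are assumptions of this example; on a real gateway pipe the live command output into the same functions.

```shell
#!/bin/sh
# Added example (not from the original thread): offline audit of sysctls and
# NAT rules for an IPsec gateway on NETKEY. Expected values below are
# assumptions of this example.

# Constructed sample of `sysctl -a` output with three deliberate problems.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 0'

# Constructed sample of `iptables-save -t nat` output that masquerades
# everything leaving eth0, tunnel-bound traffic included.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# audit_sysctl: reads "key = value" lines on stdin, prints one BAD line per
# setting that contradicts the expectation, exits with the number of problems.
# Expectation (assumed): forwarding on, redirects off on every interface,
# rp_filter off so decapsulated tunnel packets are not dropped as spoofed.
audit_sysctl() {
    awk -F' *= *' '
    {
        want = ""
        if ($1 == "net.ipv4.ip_forward")                            want = "1"
        else if ($1 ~ /^net\.ipv4\.conf\.[^.]+\.send_redirects$/)   want = "0"
        else if ($1 ~ /^net\.ipv4\.conf\.[^.]+\.accept_redirects$/) want = "0"
        else if ($1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/)        want = "0"
        if (want != "" && $2 != want) {
            printf "BAD %s = %s (want %s)\n", $1, $2, want
            bad++
        }
    }
    END { exit bad }'
}

# audit_nat: reads iptables-save nat-table lines on stdin and flags a
# POSTROUTING MASQUERADE/SNAT rule that no IPsec-policy exemption precedes.
# The suggested fix uses the xt_policy match (assumed suitable here):
#   iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
audit_nat() {
    awk '
    /^-A POSTROUTING/ && /--pol ipsec/ && /-j ACCEPT/ { excluded = 1 }
    /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ && !excluded {
        printf "BAD nat: %s (no IPsec exemption before it; insert", $0
        printf " -m policy --dir out --pol ipsec -j ACCEPT first)\n"
        bad++
    }
    END { exit bad }'
}

# Run against the constructed samples; on a real host replace the printf
# with `sysctl -a` and `iptables-save -t nat` respectively.
printf '%s\n' "$SAMPLE_SYSCTL" | audit_sysctl || echo "sysctl: problems found"
printf '%s\n' "$SAMPLE_NAT"    | audit_nat    || echo "nat: problems found"
```

Both functions exit non-zero when they flag something, so they can sit in a pre-flight script that refuses to bring the tunnel up on a misconfigured gateway; `ipsec verify` reports the redirect sysctls but not rp_filter or the NAT table, which is why the two are checked separately here.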