RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux -2.6.14.4

Sherman Chan Sherman.Chan at world.net
Thu Feb 23 08:49:24 CET 2006


Hi Paul,
Thank you for your feedback.

This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4. Since I'm not
using NAT Traversal, I ignore the error, or should I not?

Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                              
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


On client
ipsec auto --up my-access

104 "my-access" #704: STATE_MAIN_I1: initiate
003 "my-access" #704: ignoring unknown Vendor ID payload [4f456940764f52536662627a]
003 "my-access" #704: received Vendor ID payload [Dead Peer Detection]
106 "my-access" #704: STATE_MAIN_I2: sent MI2, expecting MR2
108 "my-access" #704: STATE_MAIN_I3: sent MI3, expecting MR3
004 "my-access" #704: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "my-access" #705: STATE_QUICK_I1: initiate
004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


On ipsec gateway 
ipsec auto --status

000 "my-access": 192.168.xx.0/24===1.2.3.4---1.2.3.5...9.8.7.6[@xyz.zzz.pri]===192.168.yy.0/24; erouted; eroute owner: #2
000 "my-access":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "my-access":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "my-access":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "my-access":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "my-access":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "my-access":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28323s; newest IPSEC; eroute owner
000 #2: "my-access" esp.cbe4c4c7 at 9.8.7.6 esp.56fa544e at 1.2.3.4 tun.10029 at 9.8.7.6 tun.1001 at 1.2.3.4
000 #1: "my-access":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3122s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)


When I ping, I get a timeout, and with tcpdump
I see the following 2 lines repeating:
11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)

PS: If I switch to netkey instead of klips, it seems to work, except I get
another issue, PMTU: sessions get "hung" randomly.

Any idea what I should do next?


Thanks


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Thursday, 23 February 2006 2:29 AM
To: Sherman Chan
Cc: 'users at openswan.org'
Subject: Re: RE [Openswan Users] Anyone try to install openswan-2.4.4 on
Linux -2.6.14.4

On Wed, 22 Feb 2006, Sherman Chan wrote:

> I wonder if anyone has successfully installed openswan-2.4.4 on 
> Linux-2.6.14.4 with native klips

Not on 2.4.4

> I also tried openswan-2.4.5rcx, x = 1 to 5; all compiled OK and were able 
> to establish a VPN session (ipsec auto --up xxxx), but I cannot ping or 
> access the remote site.

Those should work.

> However, the same openswan configuration works OK on openswan-2.4.4 with 
> linux-2.4.3x. The reason I moved to linux-2.6.14.4 is that I have a box out 
> there that is using 2.6.14.x and I would like to have openswan installed on it.

Looks like you are running into other issues. Check with ipsec verify?

Paul