RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux -2.6.14.4
Sherman Chan
Sherman.Chan at world.net
Thu Feb 23 08:49:24 CET 2006
Hi Paul
Thank you for your feedback
This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4. Since I'm not
using NAT Traversal, I ignore the error, or should I not?
Version check and ipsec on-path [OK]
Linux Openswan 2.4.5rc5 (klips)
Checking for IPsec support in kernel [OK]
KLIPS detected, checking for NAT Traversal support [FAILED]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
On client
ipsec auto --up my-access
104 "my-access" #704: STATE_MAIN_I1: initiate
003 "my-access" #704: ignoring unknown Vendor ID payload [4f456940764f52536662627a]
003 "my-access" #704: received Vendor ID payload [Dead Peer Detection]
106 "my-access" #704: STATE_MAIN_I2: sent MI2, expecting MR2
108 "my-access" #704: STATE_MAIN_I3: sent MI3, expecting MR3
004 "my-access" #704: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "my-access" #705: STATE_QUICK_I1: initiate
004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
On ipsec gateway
ipsec auto --status
000 "my-access": 192.168.xx.0/24===1.2.3.4---1.2.3.5...9.8.7.6[@xyz.zzz.pri]===192.168.yy.0/24; erouted; eroute owner: #2
000 "my-access": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "my-access": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "my-access": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "my-access": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "my-access": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "my-access":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28323s; newest IPSEC; eroute owner
000 #2: "my-access" esp.cbe4c4c7 at 9.8.7.6 esp.56fa544e at 1.2.3.4 tun.10029 at 9.8.7.6 tun.1001 at 1.2.3.4
000 #1: "my-access":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3122s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
When I ping, I get a timeout, and with tcpdump
I see the following 2 lines keep repeating
11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
PS: if I switch to netkey instead of klips, it seems to work, except I get
another issue, pmtu: sessions get "hung" randomly
Any idea what I should do next?
Thanks
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Thursday, 23 February 2006 2:29 AM
To: Sherman Chan
Cc: 'users at openswan.org'
Subject: Re: RE [Openswan Users] Anyone try to install openswan-2.4.4 on
Linux -2.6.14.4
On Wed, 22 Feb 2006, Sherman Chan wrote:
> I wonder if anyone has successfully installed openswan-2.4.4 on
> Linux-2.6.14.4 with native klips
Not on 2.4.4
> I also tried openswan-2.4.5rcx, x = 1 to 5, all compiled ok and were able
> to establish a VPN session, ipsec auto --up xxxx, but I can not ping or
> access the remote site.
Those should work.
> However the same openswan configuration works ok on openswan-2.4.4 with
> linux-2.4.3x; the reason I moved to linux-2.6.14.4 is that I have a box out
> there that is using 2.6.14.x and I would like to have openswan installed
Looks like you are running into other issues. Check with ipsec verify?
Paul