RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux -2.6.14.4

Sherman Chan Sherman.Chan at world.net
Thu Feb 23 10:55:53 CET 2006


Hi Paul,

The same firewall rule and rp_filter, which has been set to 0, I used on
openswan-2.4.4 with linux-2.4.3x and it was working ok.

Do I need to set it to 1 on openswan 2.4.5rc with linux 2.6.14.4?



The firewall rule basically
-A INPUT -p all -s xxx/24 -j ACCEPT
And 
-A FORWARD -p all -s xxx/24 -j ACCEPT

So I do not think it is a firewall rule issue

Sherman

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, 23 February 2006 12:46 PM
To: Sherman Chan
Cc: 'users at openswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux -2.6.14.4

On Thu, 23 Feb 2006, Sherman Chan wrote:

> This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4, since 
> I'm not using NAT Traversal, so I ignore the error, or I should not
>
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.5rc5 (klips)
> Checking for IPsec support in kernel                            [OK]
> KLIPS detected, checking for NAT Traversal support              [FAILED]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]

Looks good.

> 004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established 
> {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}

Looks good.

> When I do ping, I got time out, and with tcpdump
>
> I see the following 2 keep repeating themselves
> 11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
> 11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)

Those are your encrypted pings

Are there firewall rules or perhaps rp_filter that might block the packets?

Paul

