RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux -2.6.14.4

Paul Wouters paul at xelerance.com
Thu Feb 23 04:46:05 CET 2006


On Thu, 23 Feb 2006, Sherman Chan wrote:

> Hi Paul,
>
> The same firewall rule and rp_filter, which has been set to 0, I used on
> openswan-2.4.4 with linux-2.4.3x and it was working ok.
>
> Do I need to set it to 1 on openswan 2.4.5rc with linux 2.6.14.4?

no no.

So you have a conn that works on 2.4.3 but not 2.4.4?
Did you try a userland 2.4.3 with klips 2.4.4 and/or
a userland 2.4.4 and a klips 2.4.3?

Another bug workaround for 2.4.4 was to set fragicmp=no. But
for 2.4.5.rcX that should no longer be needed.

Paul

>
> The firewall rule basically
> -A INPUT -p all -s xxx/24 -j ACCEPT
> And
> -A FORWARD -p all -s xxx/24 -j ACCEPT
>
> So I do not think it is a firewall rule issue
>
> Sherman
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, 23 February 2006 12:46 PM
> To: Sherman Chan
> Cc: 'users at openswan.org'
> Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux -2.6.14.4
>
> On Thu, 23 Feb 2006, Sherman Chan wrote:
>
> > This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4, since
> > I'm not using NAT Traversal, so I ignore the error, or I should not
> >
> > Version check and ipsec on-path                                 [OK]
> > Linux Openswan 2.4.5rc5 (klips)
> > Checking for IPsec support in kernel                            [OK]
> > KLIPS detected, checking for NAT Traversal support              [FAILED]
> > Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > Checking that pluto is running                                  [OK]
> > Two or more interfaces found, checking IP forwarding            [OK]
> > Checking NAT and MASQUERADEing
> > Checking for 'ip' command                                       [OK]
> > Checking for 'iptables' command                                 [OK]
> > Opportunistic Encryption Support                                [DISABLED]
>
> Looks good.
>
> > 004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established
> > {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
>
> Looks good.
>
> > When I do ping, I got time out, and with tcpdump
> >
> > I see the following 2 keep repeating themselves
> > 11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
> > 11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
>
> Those are your encrypted pings
>
> Are there firewall rules or perhaps rp_filter that might block the packets?
>
> Paul
>

-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
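The diagnostic step Paul applies above (matching the SPIs in the "IPsec SA established" line against the ESP packets tcpdump shows, and concluding that if both directions flow the pings are being dropped after decryption, which points at rp_filter or local firewall rules rather than at the tunnel) can be automated. The script below is an added example written for this page; it is not code from the thread or from Openswan. It assumes pluto's notation in the SA line, where the SPI after `ESP=>` is the one this host sends with and the SPI after `<` is the one it receives on, and it uses constructed sample lines modelled on the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the thread
# (not captured from a live system). The two extra tcpdump lines are
# added so that sequence-number progression can be checked.
SA_LINE = ('004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established '
           '{ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}')
TCPDUMP = """11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
11:39:43.111002 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x35)
11:39:44.112113 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x38)
"""

# Assumption: pluto prints "ESP=>outbound_spi <inbound_spi".
SA_RE = re.compile(r'ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')
# tcpdump's ESP summary: "<time> <src> > <dst>: ESP(spi=0x...,seq=0x...)"
ESP_RE = re.compile(r'^\S+ (\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=(0x[0-9a-fA-F]+)\)')


def parse_sa(line):
    """Return (outbound_spi, inbound_spi) from pluto's 'IPsec SA established' line."""
    m = SA_RE.search(line)
    if not m:
        raise ValueError("no ESP SPI pair found in SA line")
    return int(m.group(1), 16), int(m.group(2), 16)


def parse_esp(text):
    """Return a list of (src, dst, spi, seq) for every ESP line tcpdump printed."""
    pkts = []
    for line in text.splitlines():
        m = ESP_RE.match(line)
        if m:
            pkts.append((m.group(1), m.group(2), int(m.group(3), 16), int(m.group(4), 16)))
    return pkts


def strictly_increasing(seqs):
    """ESP sequence numbers of a healthy SA only ever go up within a capture."""
    return all(b > a for a, b in zip(seqs, seqs[1:]))


def diagnose(sa_line, dump_text):
    """Correlate the negotiated SPIs with the captured ESP traffic.

    Verdicts:
      both-directions: ESP is flowing in and out with the negotiated SPIs, so the
                       peer is answering; look at what happens to the decrypted
                       packets on this host (rp_filter, INPUT/FORWARD rules).
      outbound-only:   we send ESP but nothing comes back; look at the peer or path.
      inbound-only:    the peer sends ESP but we never emit any; check local routing.
      no-esp:          no ESP with the negotiated SPIs at all.
    Unknown SPIs in the capture usually mean a stale or rekeyed SA.
    """
    out_spi, in_spi = parse_sa(sa_line)
    seqs = defaultdict(list)
    for _src, _dst, spi, seq in parse_esp(dump_text):
        seqs[spi].append(seq)

    out_seen, in_seen = out_spi in seqs, in_spi in seqs
    if out_seen and in_seen:
        verdict = 'both-directions'
    elif out_seen:
        verdict = 'outbound-only'
    elif in_seen:
        verdict = 'inbound-only'
    else:
        verdict = 'no-esp'

    return {
        'outbound_seen': out_seen,
        'inbound_seen': in_seen,
        'outbound_advancing': strictly_increasing(seqs[out_spi]) if out_seen else False,
        'inbound_advancing': strictly_increasing(seqs[in_spi]) if in_seen else False,
        'unknown_spis': sorted(hex(s) for s in seqs if s not in (out_spi, in_spi)),
        'verdict': verdict,
    }


if __name__ == '__main__':
    for key, value in diagnose(SA_LINE, TCPDUMP).items():
        print(f'{key}: {value}')
```

On the capture quoted in the thread the verdict is `both-directions`: SPI 0x56fa544f leaves and SPI 0xcbe4c4c8 comes back, so the tunnel itself is up and the next thing to inspect is the host that decrypts the replies, which is exactly the rp_filter and firewall question Paul raises.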

