RE [Openswan Users] Anyone try to install openswan-2.4.4 on L

Sherman Chan Sherman.Chan at world.net
Thu Feb 23 12:05:46 CET 2006


Hi Paul 

BTW I only see this on WAN interface eth0, but I see nothing on LAN
interface eth1

11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37) 

Thanks
Sherman


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Thursday, 23 February 2006 2:46 PM
To: Sherman Chan
Cc: 'users at openswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on L

On Thu, 23 Feb 2006, Sherman Chan wrote:

> Hi Paul,
>
> The same firewall rule and rp_filter, which has been set to 0, I used on
> openswan-2.4.4 with linux-2.4.3x and it was working ok.
>
> Do I need to set it to 1 on openswan 2.4.5rc with linux 2.6.14.4?

no no.

So you have a conn that works on 2.4.3 but not 2.4.4?
Did you try a userland 2.4.3 with klips 2.4.4 and/or a userland 2.4.4 and a
klips 2.4.3?

Another bug work around for 2.4.4 was to set fragicmp=no. But for 2.4.5.rcX
that should no longer be needed.

Paul

>
> The firewall rule basically
> -A INPUT -p all -s xxx/24 -j ACCEPT
> And
> -A FORWARD -p all -s xxx/24 -j ACCEPT
>
> So I do not think it is a firewall rule issue
>
> Sherman
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, 23 February 2006 12:46 PM
> To: Sherman Chan
> Cc: 'users at openswan.org'
> Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4
> on Linux-2.6.14.4
>
> On Thu, 23 Feb 2006, Sherman Chan wrote:
>
> > This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4; since
> > I'm not using NAT Traversal, I ignore the error, or should I not?
> >
> > Version check and ipsec on-path                                 [OK]
> > Linux Openswan 2.4.5rc5 (klips)
> > Checking for IPsec support in kernel                            [OK]
> > KLIPS detected, checking for NAT Traversal support              [FAILED]
> > Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > Checking that pluto is running                                  [OK]
> > Two or more interfaces found, checking IP forwarding            [OK]
> > Checking NAT and MASQUERADEing
> > Checking for 'ip' command                                       [OK]
> > Checking for 'iptables' command                                 [OK]
> > Opportunistic Encryption Support                                [DISABLED]
>
> Looks good.
>
> > 004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established 
> > {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none 
> > DPD=none}
>
> Looks good.
>
> > When I do ping, I got time out, and with tcpdump
> >
> > I see the following 2 keeping repeating itself
> > 11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
> > 11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
>
> Those are your encrypted pings
>
> Are there firewall rules or perhaps rp_filter that might block the
> packets?
>
> Paul
>

-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
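Added example, not part of the list thread: a small Python checker that correlates the ESP SPIs tcpdump shows on the WAN interface with the SA pluto reported, and flags the situation above where both directions are seen on eth0 but nothing decrypted ever appears on eth1. The sample inputs are the lines quoted in this thread; the regexes, the function names and the verdict wording are my own.

```python
import re

# Constructed sample: the pluto status line and the two ESP packets on eth0
# quoted in the thread; eth1 showed nothing.
PLUTO_LOG = ('004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established '
             '{ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}')
WAN_DUMP = ("11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)\n"
            "11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)\n")
LAN_DUMP = ""

# Openswan prints the outbound SPI after "ESP=>" and the inbound SPI after "<".
SA_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*IPsec SA established '
                   r'\{ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)')
ESP_RE = re.compile(r'^\S+ (?P<src>\S+) > (?P<dst>\S+): ESP\(spi=(?P<spi>0x[0-9a-f]+),')

def parse_sas(pluto_log):
    """Map every SPI from 'IPsec SA established' lines to (conn, direction)."""
    spis = {}
    for m in SA_RE.finditer(pluto_log):
        spis[m.group("out").lower()] = (m.group("conn"), "outbound")
        spis[m.group("inb").lower()] = (m.group("conn"), "inbound")
    return spis

def parse_esp(dump):
    """Return (src, dst, spi) for each tcpdump ESP line; other lines are skipped."""
    return [(m.group("src"), m.group("dst"), m.group("spi").lower())
            for m in map(ESP_RE.match, dump.splitlines()) if m]

def diagnose(pluto_log, wan_dump, lan_dump):
    """Correlate WAN-side ESP with the negotiated SA; count plaintext ICMP on the LAN side."""
    spis = parse_sas(pluto_log)
    seen = {"outbound": 0, "inbound": 0}
    unknown = []
    for _src, _dst, spi in parse_esp(wan_dump):
        if spi in spis:
            seen[spis[spi][1]] += 1
        else:
            unknown.append(spi)  # no SA for this SPI: KLIPS will drop it
    lan_icmp = sum(1 for line in lan_dump.splitlines() if ": ICMP " in line)
    if unknown:
        verdict = "ESP with unknown SPI on WAN: stale or mismatched SA"
    elif not seen["inbound"]:
        verdict = "no ESP coming back from the peer: look at the remote side"
    elif not lan_icmp:
        verdict = ("ESP flows both ways on WAN but no plaintext reaches LAN: "
                   "check INPUT/FORWARD rules on ipsec0/eth1 and rp_filter")
    else:
        verdict = "tunnel is passing traffic"
    return {"seen": seen, "unknown_spis": unknown, "lan_icmp": lan_icmp, "verdict": verdict}
```

Feed it the output of `ipsec auto --status` (or the pluto log) plus `tcpdump -ni eth0` and `tcpdump -ni eth1` captures taken while pinging through the tunnel.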