RE [Openswan Users] Anyone try to install openswan-2.4.4 on L
Sherman Chan
Sherman.Chan at world.net
Fri Feb 24 09:40:13 CET 2006
Hi Paul,
As my English is not very good, I think this will help to understand what
happens.
Here is how it is set up:
On 1.2.3.4
It has openswan-2.4.5rc5 installed with KLIPS on linux-2.6.14.4.
When I ping from behind it, I see the following on the WAN interface:
11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
On 9.8.7.6
It has openswan-2.4.4 installed with KLIPS on linux-2.4.32.
When I ping from behind it, I only see the following on the WAN interface and
get no reply from 1.2.3.4:
9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
I have had a VPN on this box, connected to another openswan-2.4.4 box, for more
than a year and found no problem.
If I change the box 1.2.3.4 to have the same installation as 9.8.7.6
(openswan-2.4.4 with KLIPS on linux-2.4.32) and keep ipsec.conf the same, I
have no problem accessing either side.
I have set the firewall on both ends to allow the IPs to access each other
without any restriction.
What I can see is that somehow packets get dropped on 1.2.3.4 when it is running
openswan-2.4.5rc5 with linux-2.6.14.4.
Any suggestions I can play with on the 1.2.3.4 end to resolve the issue?
Thanks
Sherman
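The two observations above (ESP in both directions on the WAN side of 1.2.3.4 with nothing on its LAN side, versus only outbound ESP from 9.8.7.6) can be sorted mechanically from the captures. The Python below is an added example, not code from the thread or from Openswan; it assumes tcpdump -n style lines (timestamp, src > dst: payload) and uses constructed sample captures modelled on the ones quoted.

```python
import re
from collections import Counter

# Constructed sample captures modelled on the thread: ESP flows both ways on
# the WAN interface, while the LAN interface behind the gateway sees nothing.
WAN_CAPTURE = """\
11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
11:39:44.109251 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x35)
"""
LAN_CAPTURE = ""  # nothing seen on eth1, as reported in the thread

# Loose matcher for tcpdump -n style lines (assumed format; tolerates "IP " prefix).
PKT_RE = re.compile(r"^\S+ (?:IP )?(\S+) > (\S+): (.*)$")

def classify(capture, local_wan_ip):
    """Count ESP packets by direction and ICMP echo request/reply lines."""
    counts = Counter()
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, dst, payload = m.groups()
        if payload.startswith("ESP("):
            if dst == local_wan_ip:
                counts["esp_in"] += 1
            elif src == local_wan_ip:
                counts["esp_out"] += 1
        elif "echo request" in payload.lower():
            counts["icmp_request"] += 1
        elif "echo reply" in payload.lower():
            counts["icmp_reply"] += 1
    return counts

def diagnose(wan_capture, lan_capture, local_wan_ip):
    """Locate where a ping through the tunnel is being lost on this gateway."""
    wan = classify(wan_capture, local_wan_ip)
    lan = classify(lan_capture, local_wan_ip)
    if not wan["esp_out"] and not wan["esp_in"]:
        return "no_esp"                 # nothing enters the tunnel: check SA and routing
    if wan["esp_out"] and not wan["esp_in"]:
        return "no_return_esp"          # peer or path never answers (the 9.8.7.6 view)
    if not lan["icmp_request"] and not lan["icmp_reply"]:
        return "dropped_on_gateway"     # ESP both ways, plaintext never reaches LAN
    if lan["icmp_request"] and not lan["icmp_reply"]:
        return "no_reply_from_far_host"
    return "tunnel_ok"

if __name__ == "__main__":
    print(diagnose(WAN_CAPTURE, LAN_CAPTURE, "1.2.3.4"))  # dropped_on_gateway
```

A "dropped_on_gateway" result points at the local KLIPS/ipsec0 path, rp_filter or INPUT/FORWARD rules rather than at the peer, which is the distinction the thread is trying to make.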
-----Original Message-----
From: Sherman Chan
Sent: Thursday, 23 February 2006 3:06 PM
To: 'Paul Wouters'; Sherman Chan
Cc: 'users at openswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on L
Hi Paul,
BTW, I only see this on the WAN interface eth0, but I see nothing on the LAN
interface eth1:
11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
Thanks
Sherman
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Thursday, 23 February 2006 2:46 PM
To: Sherman Chan
Cc: 'users at openswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on L
On Thu, 23 Feb 2006, Sherman Chan wrote:
> Hi Paul,
>
> The same firewall rules and rp_filter, which has been set to 0, I used on
> openswan-2.4.4 with linux-2.4.3x, and it was working OK.
>
> Do I need to set it to 1 on openswan 2.4.5rc with linux 2.6.14.4?
no no.
So you have a conn that works on 2.4.3 but not 2.4.4?
Did you try a userland 2.4.3 with klips 2.4.4 and/or a userland 2.4.4 and a
klips 2.4.3?
Another bug work around for 2.4.4 was to set fragicmp=no. But for 2.4.5.rcX
that should no longer be needed.
Paul
>
> The firewall rules are basically
> -A INPUT -p all -s xxx/24 -j ACCEPT
> and
> -A FORWARD -p all -s xxx/24 -j ACCEPT
>
> So I do not think it is a firewall rule issue.
>
> Sherman
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, 23 February 2006 12:46 PM
> To: Sherman Chan
> Cc: 'users at openswan.org'
> Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4
> on Linux-2.6.14.4
>
> On Thu, 23 Feb 2006, Sherman Chan wrote:
>
> > This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4. Since
> > I'm not using NAT Traversal, I ignore the error, or should I not?
> >
> > Version check and ipsec on-path [OK]
> > Linux Openswan 2.4.5rc5 (klips)
> > Checking for IPsec support in kernel [OK]
> > KLIPS detected, checking for NAT Traversal support [FAILED]
> > Checking for RSA private key (/etc/ipsec.secrets) [OK]
> > Checking that pluto is running [OK]
> > Two or more interfaces found, checking IP forwarding [OK]
> > Checking NAT and MASQUERADEing
> > Checking for 'ip' command [OK]
> > Checking for 'iptables' command [OK]
> > Opportunistic Encryption Support [DISABLED]
>
> Looks good.
>
> > 004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established
> > {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none
> > DPD=none}
>
> Looks good.
>
> > When I ping, I get a timeout, and with tcpdump
> >
> > I see the following 2 lines keep repeating themselves:
> > 11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
> > 11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
>
> Those are your encrypted pings
>
> Are there firewall rules or perhaps rp_filter that might block the
> packets?
>
> Paul
>
--
"Happiness is never grand"
--- Mustapha Mond, World Controller (Brave New World)
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155