RE [Openswan Users] Anyone try to install openswan-2.4.4 on L

Sherman Chan Sherman.Chan at world.net
Fri Feb 24 09:40:13 CET 2006


Hi Paul,

As my English is not very good, I think this will help you understand what
happens.

Here is how it is set up:

On 1.2.3.4
It has openswan-2.4.5rc5 with KLIPS installed on linux-2.6.14.4.
When I ping from behind it, I found the following on the WAN interface:

11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37) 

On 9.8.7.6
It has openswan-2.4.4 with KLIPS installed on linux-2.4.32.
When I ping from behind it, I only found the following on the WAN interface,
and got no reply from 1.2.3.4:

9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)

I have a VPN on this box, connected to another openswan-2.4.4 box, for more
than 1 year, and have found no problem.

If I change the box 1.2.3.4 to have the same installation as 9.8.7.6,
openswan-2.4.4 with KLIPS on linux-2.4.32, and keep the ipsec.conf the same, I
have no problem accessing either side.

I have set the firewall on both ends to allow the IPs to access each other
without any restriction.

What I can see is that somehow packets get dropped on 1.2.3.4 when it runs
openswan-2.4.5rc5 with linux-2.6.14.4.

Any suggestion I can play with on the 1.2.3.4 end to resolve the issue?


Thanks
Sherman



-----Original Message-----
From: Sherman Chan 
Sent: Thursday, 23 February 2006 3:06 PM
To: 'Paul Wouters'; Sherman Chan
Cc: 'users at openswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on L

Hi Paul

BTW I only see this on the WAN interface eth0, but I see nothing on the LAN
interface eth1:

11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37) 

Thanks
Sherman


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: Thursday, 23 February 2006 2:46 PM
To: Sherman Chan
Cc: 'users at openswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on L

On Thu, 23 Feb 2006, Sherman Chan wrote:

> Hi Paul,
>
> The same firewall rule and rp_filter, which has been set to 0, I used on
> openswan-2.4.4 with linux-2.4.3x and it was working OK.
>
> Do I need to set it to 1 on openswan 2.4.5rc with linux 2.6.14.4?

no no.

So you have a conn that works on 2.4.3 but not 2.4.4?
Did you try a userland 2.4.3 with klips 2.4.4 and/or a userland 2.4.4 and a
klips 2.4.3?

Another bug work around for 2.4.4 was to set fragicmp=no. But for 2.4.5.rcX
that should no longer be needed.

Paul

>
> The firewall rule basically
> -A INPUT -p all -s xxx/24 -j ACCEPT
> And
> -A FORWARD -p all -s xxx/24 -j ACCEPT
>
> So I do not think it is a firewall rule issue
>
> Sherman
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Thursday, 23 February 2006 12:46 PM
> To: Sherman Chan
> Cc: 'users at openswan.org'
> Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux-2.6.14.4
>
> On Thu, 23 Feb 2006, Sherman Chan wrote:
>
> > This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4. Since
> > I'm not using NAT Traversal, I ignore the error, or should I not?
> >
> > Version check and ipsec on-path                                 [OK]
> > Linux Openswan 2.4.5rc5 (klips)
> > Checking for IPsec support in kernel                            [OK]
> > KLIPS detected, checking for NAT Traversal support              [FAILED]
> > Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> > Checking that pluto is running                                  [OK]
> > Two or more interfaces found, checking IP forwarding            [OK]
> > Checking NAT and MASQUERADEing
> > Checking for 'ip' command                                       [OK]
> > Checking for 'iptables' command                                 [OK]
> > Opportunistic Encryption Support                                [DISABLED]
>
> Looks good.
>
> > 004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established 
> > {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none 
> > DPD=none}
>
> Looks good.
>
> > When I do ping, I got time out, and with tcpdump
> >
> > I see the following 2 keeping repeating itself
> > 11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
> > 11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
>
> Those are your encrypted pings
>
> Are there firewall rules or perhaps rp_filter that might block the
> packets?
>
> Paul
>

-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
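An added diagnostic check, not from this thread or from Openswan, that does what Paul's questions amount to: it correlates the SPIs pluto reports in the "IPsec SA established" line with the ESP packets tcpdump shows on the WAN interface, and flags the one-way pattern Sherman describes (ESP arriving on eth0 but nothing on eth1). The sample lines are constructed from the ones quoted above; `local_ip` is assumed to be the address of the host where both pluto and tcpdump were run, taken as 9.8.7.6 because that side sends with SPI 0x56fa544f in the quoted dump.

```python
import re

# Constructed sample input, modelled on the lines quoted in the thread.
PLUTO_STATUS = ('004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established '
                '{ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}')
WAN_DUMP = """\
11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
11:39:44.109201 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x35)
"""
LAN_DUMP = ""   # nothing captured on eth1, as reported in the thread

ESP_RE = re.compile(r'(\S+) (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)')
SA_RE = re.compile(r'\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')

def parse_sa(status_line):
    """Return (outbound_spi, inbound_spi): pluto prints '=>' for the SPI this
    host sends with and '<' for the SPI it expects on incoming ESP."""
    m = SA_RE.search(status_line)
    if not m:
        raise ValueError("no ESP SA found in pluto status line")
    return int(m.group(1), 16), int(m.group(2), 16)

def parse_esp(dump):
    """Extract (src, dst, spi, seq) from tcpdump ESP summary lines."""
    return [(src, dst, int(spi, 16), int(seq, 16))
            for _ts, src, dst, spi, seq in ESP_RE.findall(dump)]

def check_tunnel(local_ip, status_line, wan_dump, lan_dump):
    """Compare negotiated SPIs against observed ESP traffic and report findings."""
    out_spi, in_spi = parse_sa(status_line)
    findings, sent, recv = [], 0, 0
    for src, dst, spi, _seq in parse_esp(wan_dump):
        if src == local_ip:
            sent += 1
            if spi != out_spi:
                findings.append(f"outbound SPI {spi:#x} != negotiated {out_spi:#x}")
        elif dst == local_ip:
            recv += 1
            if spi != in_spi:
                findings.append(f"inbound SPI {spi:#x} != negotiated {in_spi:#x}")
    # ESP reaches the WAN side but no cleartext ever appears on the LAN side:
    # the packets are being dropped after (or instead of) decryption, which is
    # where firewall rules or rp_filter on the IPsec/LAN interfaces come in.
    if recv and not lan_dump.strip():
        findings.append("ESP received on WAN but nothing reaches LAN: "
                        "dropped after decryption (check firewall/rp_filter)")
    if sent and not recv:
        findings.append("ESP sent but none received: peer never answers")
    return {"sent": sent, "received": recv, "findings": findings}
```

Running it with the other host's address shows every SPI mismatching, which is the quick way to tell whether the pluto line and the capture really came from the same box.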
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155