[Openswan Users] Re: No ipsec0 interfaces in routeing table are they supposed to bethere like freeswan 1.99?

Peter McGill petermcgill at goco.net
Wed Jul 5 10:22:38 CEST 2006

> I've been using freeswan 1.99 for years and I've decided
> to upgrade to openswan 2.4.6 on kernel 2.6.17.
> I fairly certain I'm getting connected to my peer
> (a checkpoint 4.1 firewall) as ipsec auto --status gives
> me a message "500 STATE_MAIN_I4 (ISAKMP SA established)"
> among other things (but nothing that sicks out a problem.
> I can't connect to a host on the remote end.
> On thing that I find odd is the routing table does not include
> routes for the network behind the peer that I am trying to connect
> to using ipsec0 as the interface.

This is not so much of a change in Openswan, as in the 2.6 kernel.
On kernel 2.6, Openswan will use the built-in kernel IPSec stack by
default (NETKEY). NETKEY does not use ipsec0, etc... interfaces
for encrypted packets, the packets remain on your usual public
interface, eth1, ppp0, etc...
I suggest checking your firewall rules. You will probably need to mark
incoming IPSec packets, so that later you can test the mark to allow
the packets. Otherwise your firewall may be blocking the packets.
Where your firewall in the past may have been something like this:
iptables -A INPUT -i eth1 -p udp --dport isakmp -j ACCEPT
iptables -A INPUT -i eth1 -p esp -j ACCEPT
iptables -A INPUT -i eth1 -p ah -j ACCEPT
iptables -A INPUT -i ipsec0 -j ACCEPT
You will probably need to change to something like this:
iptables -A INPUT -i eth1 -p udp --dport isakmp -j CONNMARK --set-mark 1
iptables -A INPUT -i eth1 -p esp -j CONNMARK --set-mark 1
iptables -A INPUT -i eth1 -p ah -j CONNMARK --set-mark 1
iptables -A INPUT -i eth1 --mark 1 -j ACCEPT

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited

More information about the Users mailing list