GregScott at InfraSupportEtc.com
Sun Jul 23 00:48:46 CEST 2006
The problem was the kernel!!!!!!!!!!!
I must have done something wrong when I built the 188.8.131.52 kernel from
kernel.org. I still had the old 2.6.15.whatever-it-was that came stock
with fc5. I booted that kernel and now tcpdump is showing me esp
packets. I do have some incorrect firewall rules but I can fix that.
My senders are sending esp now!!!!!
I'll bet I forgot to put in the crypto stuff when I built that
kernel.org kernel. I'll go grab the latest fc5 kernel update and try it
now. By now it's probably newer than the 184.108.40.206 I was using anyway.
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Saturday, July 22, 2006 9:56 PM
To: Cameron Davidson; users at openswan.org
Subject: RE: [Openswan Users]
Comparing an ipsec.conf from a known good working tunnel config using
2.4.27 and KLIPS, versus my problem tunnel with fc5 and 220.127.116.11 and
netkey, the only real difference I see is nat_traversal=yes. Even
though I am not doing any NAT-T, I commented that line out, but no
change in behavior. I don't specify type=tunnel - but this is supposed
to be default behavior. Could there be some new default behavior that
sends packets in the clear now, unless some policy says otherwise? I
noticed a bunch of template .conf files in /etc/ipsec.d with some conn
definitions in no_oe.conf referring to essentially blank files in
/etc/ipsec.d/policies. Paul's Openswan book says these are for OE - and
I'm not doing OE so they shouldn't be relevant. But still....
Another thought - what if I built this kernel wrong? But if I built
the kernel wrong, I would not see those SA established messages in
/var/log/secure, right? Still, I will try this later on with the
original fc5 kernel and see if any change in behavior.
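Added example, not part of the original thread: one way to test the suspicion voiced in the message above (a self-built kernel missing the ESP/crypto pieces) is to scan that kernel's .config for the relevant options. The option list, the function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The option list is an assumption:
# options a NETKEY/ESP tunnel commonly needs (names without the CONFIG_ prefix).
IPSEC_OPTS="XFRM_USER NET_KEY INET_ESP INET_AH INET_IPCOMP CRYPTO_HMAC CRYPTO_SHA1 CRYPTO_MD5 CRYPTO_DES CRYPTO_AES"

# opt_state FILE OPTION: print "y" (built in), "m" (module) or "missing"
# ("# CONFIG_X is not set" and an absent line both count as missing).
opt_state() {
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-missing}"
}

# missing_ipsec_opts FILE: print the missing options on one line;
# exit status 0 when nothing is missing, 1 otherwise.
missing_ipsec_opts() {
    missing=""
    for opt in $IPSEC_OPTS; do
        if [ "$(opt_state "$1" "$opt")" = "missing" ]; then
            missing="$missing $opt"
        fi
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: a config where ESP and two ciphers were left out.
sample_config() {
    cat <<'EOF'
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
# CONFIG_INET_ESP is not set
CONFIG_INET_AH=m
CONFIG_INET_IPCOMP=m
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA1=m
CONFIG_CRYPTO_MD5=y
# CONFIG_CRYPTO_DES is not set
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
if report=$(missing_ipsec_opts "$tmp"); then
    echo "all listed IPsec options present"
else
    echo "missing from config: $report"
fi
rm -f "$tmp"
```

To check a real build, pass missing_ipsec_opts the .config from the kernel source tree that produced the running kernel.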