Greg Scott GregScott at InfraSupportEtc.com
Sun Jul 23 00:48:46 CEST 2006

The problem was the kernel!!!!!!!!!!!

I must have done something wrong when I built the kernel from
kernel.org.  I still had the old 2.6.15.whatever-it-was that came stock
with fc5.  I booted that kernel and now tcpdump is showing me esp
packets.  I do have some incorrect firewall rules but I can fix that.
My senders are sending esp now!!!!!

I'll bet I forgot to put in the crypto stuff when I built that
kernel.org kernel.  I'll go grab the latest fc5 kernel update and try it
now.  By now it's probably newer than the one I was using anyway.

- Greg

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Saturday, July 22, 2006 9:56 PM
To: Cameron Davidson; users at openswan.org
Subject: RE: [Openswan Users]

Comparing an ipsec.conf from a known good working tunnel config using
2.4.27 and KLIPS, versus my problem tunnel with fc5 and
netkey, the only real difference I see is nat_traversal=yes.  Even
though I am not doing any NAT-T, I commented that line out, but no
change in behavior.  I don't specify type=tunnel - but this is supposed
to be default behavior.  Could there be some new default behavior that
sends packets in the clear now, unless some policy says otherwise?  I
noticed a bunch of template .conf files in /etc/ipsec.d with some conn
definitions in no_oe.conf referring to essentially blank files in
/etc/ipsec.d/policies.  Paul's Openswan book says these are for OE - and
I'm not doing OE so they shouldn't be relevant.  But still....

Another thought - what if I built this kernel wrong?  But if I built
the kernel wrong, I would not see those SA established messages in
/var/log/secure, right?  Still, I will try this later on with the
original fc5 kernel and see if there is any change in behavior.

- Greg
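A quick way to rule a self-built kernel in or out before rebooting between kernels, as an added example that is not from this thread or from Openswan: a POSIX sh check that a kernel config file enables the XFRM/PF_KEY and crypto options the NETKEY stack needs to carry ESP at all. The option list is an assumption about a typical 2.6 IPsec build (exact names vary by kernel version), and the sample config fragment is constructed for the demo.

```shell
#!/bin/sh
# check_ipsec_kconfig: verify that a kernel .config enables what the
# NETKEY (XFRM) IPsec stack needs.  Pluto can negotiate IKE and log an
# SA in userspace even when the kernel itself cannot send ESP, so this
# inspects the kernel side directly.
# Assumed list of commonly required options; adjust for your kernel version.
REQUIRED_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_ESP CONFIG_INET_AH \
CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_MD5 CONFIG_CRYPTO_AES CONFIG_CRYPTO_DES"

# Usage: check_ipsec_kconfig /boot/config-$(uname -r)
# Returns 0 if every option is built in (=y) or modular (=m), 1 otherwise,
# and lists the missing or disabled options on stderr.
check_ipsec_kconfig() {
    cfg="$1"
    missing=""
    for opt in $REQUIRED_OPTS; do
        # "# CONFIG_FOO is not set" and an absent line both count as missing.
        if ! grep -q "^${opt}=[ym]$" "$cfg"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing or disabled:$missing" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed config fragment (not a real kernel's .config):
# crypto is present but ESP itself was left out, which is enough to
# make a tunnel look "established" while nothing encrypted leaves the box.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
# CONFIG_INET_ESP is not set
CONFIG_INET_AH=m
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA1=m
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_DES=m
EOF
check_ipsec_kconfig "$SAMPLE_CFG" || echo "sample config cannot carry ESP"
rm -f "$SAMPLE_CFG"
```

For a running kernel, point it at /boot/config-$(uname -r), or at a file produced with `zcat /proc/config.gz` on kernels that expose their config that way.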