[Openswan Users] FreeSwan IPSEC + IPTABLES + Linksys BEFSX41

James Murchison james at un.net.au
Tue Jun 6 19:27:12 CEST 2006 

Hi All,

Seriously hoping someone can help me as I am struggling.

I have a requirement to link three sites together. (A) being the Head
office and B&C being the remote offices.

Site A Has the following config.

Internet
     |
Cisco837
     |
Firewall
     |
  LAN

The site uses IPTABLES to NAT all LAN requests, in addition the Firewall
box provides IPSEC end point for the remote sites (B&C). 

Site B has a Linksys BEFSX41

Internet
    |
BEFSX41
    |
  LAN

Site C has a Linksys BEFSX41

Internet
    |
BEFSX41
    |
  LAN

I have managed to establish a connection from B to A abd C to A, but
cannot transfer and data. When I check the interface stats I receive the
following.

ipsec0    Link encap:Ethernet  HWaddr 00:10:DC:FB:8C:29
          inet addr:203.xx.xx.xx  Mask:255.255.255.240
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:49 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

I have tried debugging KLIPS, but do not have the skills to make sense
of the debug. I receive the following when I try and ping.

Jun  6 14:23:00 mail kernel: klips_debug:ipsec_xmit_strip_hard_header:
>>> skb->len=98 hard_header_len:14
00:10:dc:fb:8c:29:00:10:dc:fb:8c:29:08:00
Jun  6 14:23:00 mail kernel: klips_debug:   IP: ihl:20 ver:4 tos:0
tlen:84 id:0 DF frag_off:0 ttl:64 proto:1 (ICMP) chk:48046
saddr:203.xx.xx.18 daddr:192.168.9.20 type:code=8:0
Jun  6 14:23:00 mail kernel: klips_debug:ipsec_xmit_strip_hard_header:
Original head,tailroom: 2,28
Jun  6 14:23:00 mail kernel: klips_debug:ipsec_findroute:
203.xx.xx.18->192.168.9.20
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: * See if we match
exactly as a host destination
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: ** try to match a
leaf, t=0pdd95f780
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: *** start searching
up the tree, t=0pdd95f780
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: **** t=0pdd95f798
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: **** t=0pdd95f198
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: **** t=0pdd1dc9e0
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: ***** cp2=0pdd76d878
cp3=0pdd76dd90
Jun  6 14:23:00 mail kernel: klips_debug:rj_match: ***** not found.
Jun  6 14:23:00 mail kernel: klips_debug:ipsec_xmit_SAlookup: checking
for local udp/500 IKE packet or local DNS saddr=cb2bea12, er=0p00000000,
daddr=c0a80914, er_dst=0, proto=1 sport=0 dport=0
Jun  6 14:23:00 mail kernel: klips_debug:ipsec_xmit_encap_bundle: shunt
SA of DROP or no eroute: dropping.
Jun  6 14:23:00 mail kernel: klips_debug:ipsec_tunnel_start_xmit:
encap_bundle failed: 2

Ipsec eroute output

0          192.168.1.0/24     -> 192.168.4.0/24     =>
tun0x101c at 169.xxx.xxx.152
0          192.168.1.0/24     -> 192.168.9.0/24     =>
tun0x101b at 169.xxx.xxx.159


Just don't know where to go from here ! HELP.


James.

More information about the Users mailing list