[Openswan Users]
IPsec established but cannot ping nor route packets
Gbenga
stjames08 at yahoo.co.uk
Tue Jun 13 17:06:15 CEST 2006
Hi all,
I have successfully compiled, installed and configured openswan (version 2.4.5). Everything seems to be going well except for one minor issue. In my auth.log file, I can see IPSec SA established; also, when I did ipsec eroute, I can see the route displayed. However, I cannot ping from either end, nor can I route any packet to either end.
I read from the book, the list and generally from the Internet that I have to ping to bring up the tunnel. In the output of my netstat -nr, I cannot find the route on ipsec0.
I know I am almost there, so if someone could please lend a hand to resolve this I will be very grateful.
The relevant outputs are displayed below. Apologies for the length of the email.
Rgds,
Gbenga
---- auth.log -----
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: responding to Main Mode
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: Main mode peer ID is ID_IPV4_ADDR: '193.95.x.x'
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: I did not send a certificate because I do not have one.
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 13 16:13:20 aparo pluto[15664]: | NAT-T: new mapping 193.95.x.x:500/4500)
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: responding to Quick Mode {msgid:1a035977}
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: STATE_QUICK_R2: IPsec SA established {ESP=>0x61fc5e31 <0xef3d7935 xfrm=3DES_0-HMAC_MD5 NATD=193.95.x.x:4500 DPD=none}
--------- ipsec eroute ------------
0          10.10.1.57/32      -> 193.95.x.x/32      => tun0x1010@193.95.x.x
--------- ipsec.conf ---------------
# Specify the version of Openswan we are running
version 2
# Global configuration section:
config setup
	nat_traversal=yes
	interfaces="ipsec0=eth1"
	# virtual_private=%v4:10.10.0.0/16
# General connection section:
conn %default
	authby=secret
	keyingtries=1
	#authby=secret|rsasig
# Systems Engineering vpn connection definition:
conn syseng
	left=10.10.1.57
	leftsubnet=10.10.1.57/32
	type=tunnel
	right=193.95.x.x
	leftnexthop=193.95.x.x
	pfs=yes
	auto=add
	# rekey=no
	# rightid=@gbenga
	# forceencaps=yes
conn block
	auto=ignore
conn private
	auto=ignore
conn private-or-clear
	auto=ignore
conn clear
	auto=ignore
conn packetdefault
	auto=ignore
include /etc/ipsec.d/examples/no_oe.conf