[Openswan Users] IPsec established but cannot ping nor route packets

Gbenga stjames08 at yahoo.co.uk
Tue Jun 13 17:06:15 CEST 2006


Hi all,
 
I have successfully compiled, installed and configured openswan (version 2.4.5). Everything seems to be going well except for one minor issue. In my auth.log file, I can see IPSec SA established, also when I did ipsec eroute, I can see the route displayed, however I cannot ping from either end nor can I route any packet to either end.
 
I read from the book, list and generally from the Internet that I have to ping to bring up the tunnel. In the output of my netstat -nr, I cannot find the route on ipsec0.
 
I know I am almost there, so if someone could please lend a hand to resolve this I will be very grateful.
 
The relevant outputs are displayed below. Apologies for the length of the email.
 
Rgds,
Gbenga
 
---- auth.log -----
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: responding to Main Mode
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: Main mode peer ID is ID_IPV4_ADDR: '193.95.x.x'
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: I did not send a certificate because I do not have one.
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 13 16:13:20 aparo pluto[15664]: | NAT-T: new mapping 193.95.x.x:500/4500)
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: responding to Quick Mode {msgid:1a035977}
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: STATE_QUICK_R2: IPsec SA established {ESP=>0x61fc5e31 <0xef3d7935 xfrm=3DES_0-HMAC_MD5 NATD=193.95.x.x:4500 DPD=none}
 
--------- ipsec eroute ------------
0          10.10.1.57/32      -> 193.95.x.x/32  => tun0x1010@193.95.x.x
 
--------- ipsec.conf ---------------
# Specify the version of Openswan we are running
version 2
# Global configuration section:
config setup
        nat_traversal=yes
        interfaces="ipsec0=eth1"
#       virtual_private=%v4:10.10.0.0/16
# General connection section:
conn %default
        authby=secret
        keyingtries=1
        #authby=secret|rsasig
# Systems Engineering vpn connection definition:
conn syseng
        left=10.10.1.57
        leftsubnet=10.10.1.57/32
        type=tunnel
        right=193.95.x.x
        leftnexthop=193.95.x.x
        pfs=yes
        auto=add
#       rekey=no
#       rightid=@gbenga
#       forceencaps=yes
conn block
         auto=ignore
conn private
         auto=ignore
conn private-or-clear
         auto=ignore
conn clear
         auto=ignore
conn packetdefault
         auto=ignore
include /etc/ipsec.d/examples/no_oe.conf
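
Added example, not part of the original post: a small Python parser for pluto log lines in the format shown above. It reports, per SA number, the last state reached, whether NAT was detected, and the negotiated parameters, and it marks 3DES, MD5 and modp1024 as legacy. The function name `summarize` and the `LEGACY` list are assumptions of this example; the sample lines are taken from the log in the post with wrapped lines rejoined.

```python
import re

# Sample lines from the auth.log excerpt in the post (wrapped lines rejoined).
SAMPLE_LOG = '''\
Jun 13 16:13:20 aparo pluto[15664]: packet from 193.95.x.x:500: ignoring Vendor ID payload [FRAGMENTATION]
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 13 16:13:20 aparo pluto[15664]: "syseng" #10: STATE_QUICK_R2: IPsec SA established {ESP=>0x61fc5e31 <0xef3d7935 xfrm=3DES_0-HMAC_MD5 NATD=193.95.x.x:4500 DPD=none}
'''

# Matches: pluto[pid]: "connection" #sa_number: message
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Assumption of this example: algorithm names to report as legacy.
LEGACY = ("3des", "md5", "modp1024")


def summarize(log_text):
    """Return {(conn, sa_number): summary} for every SA seen in pluto log text."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # "packet from ..." lines carry no SA number
        sa = sas.setdefault((m["conn"], int(m["sa"])), {
            "state": None, "kind": None, "nat": False, "params": {}, "legacy": []})
        msg = m["msg"]
        # State appears either as "... to state STATE_X" or as a "STATE_X: ..." prefix.
        st = re.search(r"(?:to state |^)(STATE_\w+)", msg)
        if st:
            sa["state"] = st.group(1)
        if "NAT-Traversal" in msg and "NATed" in msg:
            sa["nat"] = True
        est = re.search(r"(ISAKMP|IPsec) SA established \{(.*)\}", msg)
        if est:
            sa["kind"] = est.group(1)
            sa["params"] = dict(re.findall(r"(\w+)=(\S+)", est.group(2)))
            negotiated = " ".join(sa["params"].values()).lower()
            sa["legacy"] = [alg for alg in LEGACY if alg in negotiated]
    return sas


if __name__ == "__main__":
    for (conn, num), info in sorted(summarize(SAMPLE_LOG).items()):
        print(conn, num, info["kind"], info["state"],
              "NAT" if info["nat"] else "no-NAT", "legacy:", info["legacy"])
```
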