[Openswan Users] KLIPS, x509, nat-t, cannot ping remote subnet

Peter Fuggle pfuggle at ph.unimelb.edu.au
Mon Sep 11 05:08:24 EDT 2006

Hi All,

I have had to upgrade a Red Hat 9 box since the OS is soon EOL. The old box 
had Openswan with KLIPS, nat-t and x509 certs and worked fine for 
roadwarrior connections from behind nat devices. The firewall is 

Anyway, I have upgraded to Debian Stable, built a 2.4.27 with the 
linux-patch-openswan package so that I now have a 2.4.27 kernel with KLIPS 
and nat-t. I think I am close to getting this working again since the SA 
is established:

Sep 11 18:31:08 localhost pluto[4808]: "vpntracker-cert-darren"[6] #13: IPsec SA established {ESP=>0x087f0f71 <0x7adc4548 

The client is vpntracker on Mac OS X and it logs the following:

Resolving connection "connection":
Router: (00:09:f3:73:77:d4)
Local Endpoint:
Remote Endpoint: x.x.x.x
Local Network:   none
Remote Network:
Starting IKE daemon...
2006-09-11 18:31:05: INFO: main.c:177:main(): @(#)package version 
2006-09-11 18:31:05: INFO: main.c:179:main(): @(#)internal version 
20001216 sakane at kame.net
2006-09-11 18:31:05: INFO: main.c:180:main(): @(#)This product linked 
OpenSSL 0.9.6l 04 Nov 2003 (http://www.openssl.org/)
2006-09-11 18:31:06: INFO: licensing: Licensed to Darren.
2006-09-11 18:31:06: INFO: isakmp.c:2083:isakmp_post_acquire(): IPsec-SA 
request for x.x.x.x queued due to no phase1 found. Starting 
2006-09-11 18:31:06: INFO: isakmp.c:1038:isakmp_ph1begin_i(): initiate new 
phase 1 negotiation:[500]<=>x.x.x.x[500]
2006-09-11 18:31:06: INFO: isakmp.c:1043:isakmp_ph1begin_i(): begin Main 
2006-09-11 18:31:07: INFO: isakmp_ident.c:525:ident_i3recv(): detected 
NAT, switching to port 4500 for x.x.x.x[500]
2006-09-11 18:31:08: ERROR: isakmp.c:703:isakmp_main(): no phase 1 for 
Informational exchange exists.
2006-09-11 18:31:08: INFO: isakmp.c:2884:log_ph1established(): ISAKMP-SA 
established[4500]-x.x.x.x[4500] spi:
2006-09-11 18:31:09: INFO: isakmp.c:1207:isakmp_ph2begin_i(): initiate new 
phase 2 negotiation:[0]<=>x.x.x.x[0] (sequence: 6) 
2006-09-11 18:31:10: INFO: pfkey.c:1409:pk_sendadd(): NAT-T (new) enabled
2006-09-11 18:31:10: INFO: pfkey.c:1417:pk_sendadd(): NAT-T keepalive 
2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA 
established: ESP/Tunnel x.x.x.x-> ( spi=142544753(0x87f0f71)
2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA 
established: ESP/Tunnel>x.x.x.x ( spi=2061256008(0x7adc4548)

Which all looks good to me except the client cannot ping anything in I suspect the problem is firewalling but I have 
migrated a working firewall config. I have a firewall zone called vpn1 
which maps to any address on ipsec0 and am allowing all traffic from that 
zone into

There are also interfaces ipsec1, ipsec2 and ipsec3. These seem to be 
unconfigured whereas ipsec0 is configured with the external address of the 
Openswan box, x.x.x.x. Do I have to add firewall zones for these? What are 
they for?

Can anyone help? Am I correct in thinking that the ipsec stuff is good but 
that the routing/firewalling is the problem?
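One thing worth confirming from the two logs quoted above is that the ESP SPIs pair up the right way round on both ends. The Python below is an added check, not code from the post or from Openswan; it parses the pluto line and the two racoon pfkey lines above (copied verbatim, with the gateway address left as the x.x.x.x placeholder) and verifies that the gateway's outbound SPI is the one the client logs for the SA from x.x.x.x, and vice versa.

```python
import re

# Log lines copied from the post: one from pluto on the Openswan gateway and
# two from racoon on the Mac client. "x.x.x.x" is the redacted gateway address.
PLUTO_LINE = ('Sep 11 18:31:08 localhost pluto[4808]: "vpntracker-cert-darren"[6] #13: '
              'IPsec SA established {ESP=>0x087f0f71 <0x7adc4548')
RACOON_LINES = """2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA established: ESP/Tunnel x.x.x.x-> ( spi=142544753(0x87f0f71)
2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA established: ESP/Tunnel>x.x.x.x ( spi=2061256008(0x7adc4548)"""


def pluto_spis(line):
    """Return {'out': spi, 'in': spi} from an Openswan 'IPsec SA established' line.

    pluto prints ESP=>0x<outbound SPI> <0x<inbound SPI> from the gateway's view.
    """
    m = re.search(r"ESP=>0x([0-9a-fA-F]+)\s*<0x([0-9a-fA-F]+)", line)
    if not m:
        return None
    return {"out": int(m.group(1), 16), "in": int(m.group(2), 16)}


def racoon_spis(text, gateway):
    """Return {'from_gw': spi, 'to_gw': spi} from racoon pfkey lines.

    racoon logs one line per direction as 'ESP/Tunnel <src>-><dst> ( spi=<dec>(<hex>)'.
    The local address is missing in the quoted lines, so the gateway address alone
    decides the direction.
    """
    spis = {}
    for m in re.finditer(r"ESP/Tunnel\s*(\S*?)-?>(\S*)\s*\(\s*spi=(\d+)", text):
        src, dst, spi = m.group(1), m.group(2), int(m.group(3))
        if src == gateway:
            spis["from_gw"] = spi
        elif dst == gateway:
            spis["to_gw"] = spi
    return spis


def sas_agree(pluto_line, racoon_text, gateway):
    """True when both peers log the same SPI for each direction of the ESP tunnel."""
    p = pluto_spis(pluto_line)
    r = racoon_spis(racoon_text, gateway)
    if p is None or set(r) != {"from_gw", "to_gw"}:
        return False
    return p["out"] == r["from_gw"] and p["in"] == r["to_gw"]


if __name__ == "__main__":
    print("SPIs agree:", sas_agree(PLUTO_LINE, RACOON_LINES, "x.x.x.x"))
```

A matching pair only shows that IKE phase 2 completed on both sides; it says nothing about whether ESP packets are actually arriving and being decrypted on ipsec0 or being dropped by the firewall afterwards.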
