[Openswan Users] KLIPS, x509, nat-t, cannot ping remote subnet
Peter Fuggle
pfuggle at ph.unimelb.edu.au
Mon Sep 11 05:08:24 EDT 2006
Hi All,
I have had to upgrade a RedHat9 box since the OS is soon EOL. The old box
had Openswan with KLIPS, nat-t and x509 certs and worked fine for
roadwarrior connections from behind NAT devices. The firewall is
Shorewall.
Anyway, I have upgraded to Debian Stable, built a 2.4.27 with the
linux-patch-openswan package so that I now have a 2.4.27 kernel with klips
and nat-t. I think I am close to getting this working again since the SA
is established:
Sep 11 18:31:08 localhost pluto[4808]: "vpntracker-cert-darren"[6]
202.45.116.20:4500 #13: IPsec SA established {ESP=>0x087f0f71 <0x7adc4548
NATOA=0.0.0.0}
The client is vpntracker on Mac OS X and it logs the following:
Resolving connection "connection":
Router: 192.168.0.1 (00:09:f3:73:77:d4)
Local Endpoint: 192.168.0.88
Remote Endpoint: x.x.x.x
Local Network: none
Remote Network: 192.168.200.0/24
Starting IKE daemon...
2006-09-11 18:31:05: INFO: main.c:177:main(): @(#)package version
VPN-Tracker-4.7(2B12)
2006-09-11 18:31:05: INFO: main.c:179:main(): @(#)internal version
20001216 sakane at kame.net
2006-09-11 18:31:05: INFO: main.c:180:main(): @(#)This product linked
OpenSSL 0.9.6l 04 Nov 2003 (http://www.openssl.org/)
2006-09-11 18:31:06: INFO: licensing: Licensed to Darren.
2006-09-11 18:31:06: INFO: isakmp.c:2083:isakmp_post_acquire(): IPsec-SA
request for x.x.x.x queued due to no phase1 found. Starting
phase1...
2006-09-11 18:31:06: INFO: isakmp.c:1038:isakmp_ph1begin_i(): initiate new
phase 1 negotiation: 192.168.0.88[500]<=>x.x.x.x[500]
2006-09-11 18:31:06: INFO: isakmp.c:1043:isakmp_ph1begin_i(): begin Main
mode.
2006-09-11 18:31:07: INFO: isakmp_ident.c:525:ident_i3recv(): detected
NAT, switching to port 4500 for x.x.x.x[500]
2006-09-11 18:31:08: ERROR: isakmp.c:703:isakmp_main(): no phase 1 for
Informational exchange exists.
2006-09-11 18:31:08: INFO: isakmp.c:2884:log_ph1established(): ISAKMP-SA
established 192.168.0.88[4500]-x.x.x.x[4500] spi:
3d9d021237d8f9a9:2621392174fae1ed
2006-09-11 18:31:09: INFO: isakmp.c:1207:isakmp_ph2begin_i(): initiate new
phase 2 negotiation: 192.168.0.88[0]<=>x.x.x.x[0] (sequence: 6)
(sainfo:
192.168.0.88/32 192.168.200.0/24)
2006-09-11 18:31:10: INFO: pfkey.c:1409:pk_sendadd(): NAT-T (new) enabled
2006-09-11 18:31:10: INFO: pfkey.c:1417:pk_sendadd(): NAT-T keepalive
enabled
2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA
established: ESP/Tunnel x.x.x.x->192.168.0.88 (192.168.0.88/32
192.168.200.0/24) spi=142544753(0x87f0f71)
2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA
established: ESP/Tunnel 192.168.0.88->x.x.x.x (192.168.0.88/32
192.168.200.0/24) spi=2061256008(0x7adc4548)
Which all looks good to me except the client cannot ping anything in
192.168.200.0/24. I suspect the problem is firewalling but I have
migrated a working firewall config. I have a firewall zone called vpn1
which maps to any address on ipsec0 and am allowing all traffic from that
zone into 192.168.200.0/24.
There are also interfaces ipsec1, ipsec2 and ipsec3. These seem to be
unconfigured whereas ipsec0 is configured with the external address of the
openswan box, x.x.x.x. Do I have to add firewall zones for these? What are
they for?
Can anyone help? Am I correct in thinking that the ipsec stuff is good but
that the routing/firewalling is the problem?
TIA,
Pete
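Added example (not part of the original post): a small Python check that a reader can run over the two log excerpts above to confirm what the poster suspects, namely that the server (pluto) and the client (racoon inside VPN Tracker) agree on the ESP SAs. The server's outbound SPI must equal the client's inbound SPI and vice versa, the racoon decimal and hex SPI must match, and the mode must be Tunnel. If the check reports no problems, the IPsec layer is consistent and the fault is downstream in routing or firewall rules. The sample lines are constructed from the post's excerpts; the client address 192.168.0.88 is taken from the post.

```python
import re

# Constructed samples, copied in shape from the two log excerpts in the post.
PLUTO_LINE = (
    'Sep 11 18:31:08 localhost pluto[4808]: "vpntracker-cert-darren"[6] '
    '202.45.116.20:4500 #13: IPsec SA established {ESP=>0x087f0f71 <0x7adc4548 NATOA=0.0.0.0}'
)
RACOON_LINES = [
    '2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA established: '
    'ESP/Tunnel x.x.x.x->192.168.0.88 (192.168.0.88/32 192.168.200.0/24) spi=142544753(0x87f0f71)',
    '2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA established: '
    'ESP/Tunnel 192.168.0.88->x.x.x.x (192.168.0.88/32 192.168.200.0/24) spi=2061256008(0x7adc4548)',
]
CLIENT_ADDR = "192.168.0.88"

# pluto prints "ESP=>outbound <inbound" from the server's point of view.
PLUTO_RE = re.compile(
    r'IPsec SA established \{ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)(?: NATOA=(\S+))?\}'
)
# racoon prints one line per direction: ESP/<mode> src->dst (selectors) spi=dec(0xhex)
RACOON_RE = re.compile(
    r'IPsec-SA established: ESP/(\w+) (\S+)->(\S+) \((\S+) (\S+)\) spi=(\d+)\(0x([0-9a-fA-F]+)\)'
)


def parse_pluto(line):
    """Return the server's outbound/inbound ESP SPIs (ints) and the NAT-OA string, or None."""
    m = PLUTO_RE.search(line)
    if not m:
        return None
    return {"out_spi": int(m.group(1), 16), "in_spi": int(m.group(2), 16), "natoa": m.group(3)}


def parse_racoon(lines, local_addr):
    """Return {'in': {...}, 'out': {...}} keyed by direction relative to local_addr."""
    sas = {}
    for line in lines:
        m = RACOON_RE.search(line)
        if not m:
            continue
        mode, src, dst, sel_local, sel_remote, spi_dec, spi_hex = m.groups()
        if int(spi_dec) != int(spi_hex, 16):
            raise ValueError("decimal and hex SPI disagree: %s" % line)
        direction = "in" if dst == local_addr else "out"
        sas[direction] = {"spi": int(spi_dec), "mode": mode, "src": src, "dst": dst,
                          "selectors": (sel_local, sel_remote)}
    return sas


def cross_check(pluto, racoon):
    """List inconsistencies between the two ends; an empty list means the SAs agree."""
    problems = []
    for direction in ("in", "out"):
        if direction not in racoon:
            problems.append("client logged no %sbound SA" % direction)
    if problems:
        return problems
    # Server outbound carries traffic the client receives, and vice versa.
    if pluto["out_spi"] != racoon["in"]["spi"]:
        problems.append("server outbound SPI 0x%08x != client inbound SPI 0x%08x"
                        % (pluto["out_spi"], racoon["in"]["spi"]))
    if pluto["in_spi"] != racoon["out"]["spi"]:
        problems.append("server inbound SPI 0x%08x != client outbound SPI 0x%08x"
                        % (pluto["in_spi"], racoon["out"]["spi"]))
    for direction in ("in", "out"):
        if racoon[direction]["mode"] != "Tunnel":
            problems.append("%sbound SA is %s mode, expected Tunnel"
                            % (direction, racoon[direction]["mode"]))
    # NAT-OA is only needed for transport-mode checksum fixups (RFC 3948);
    # a 0.0.0.0 value is harmless for a tunnel-mode SA and is not flagged here.
    return problems


def check_post_logs():
    """Run the check over the constructed samples; returns the problem list."""
    return cross_check(parse_pluto(PLUTO_LINE), parse_racoon(RACOON_LINES, CLIENT_ADDR))


if __name__ == "__main__":
    found = check_post_logs()
    print("SAs consistent, look at routing/firewall" if not found else "\n".join(found))
```

On the lines from the post this reports no problems: 0x087f0f71 is the server's outbound and the client's inbound SPI, 0x7adc4548 the reverse, both in tunnel mode with matching 192.168.0.88/32 <-> 192.168.200.0/24 selectors. That supports the poster's reading that key exchange is fine and the missing piece is how traffic leaving ipsec0 is routed and filtered.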