[Openswan Users] KLIPS, x509, nat-t, cannot ping remote subnet

Peter Fuggle pfuggle at ph.unimelb.edu.au
Mon Sep 11 05:08:24 EDT 2006


Hi All,

I have had to upgrade a Red Hat 9 box since the OS is soon EOL. The old box 
had Openswan with KLIPS, NAT-T and X.509 certs and worked fine for 
roadwarrior connections from behind NAT devices. The firewall is 
Shorewall.

Anyway, I have upgraded to Debian Stable and built a 2.4.27 kernel with the 
linux-patch-openswan package, so that I now have a 2.4.27 kernel with KLIPS 
and NAT-T. I think I am close to getting this working again since the SA 
is established:

Sep 11 18:31:08 localhost pluto[4808]: "vpntracker-cert-darren"[6] 202.45.116.20:4500 #13: IPsec SA established {ESP=>0x087f0f71 <0x7adc4548 NATOA=0.0.0.0}

The client is vpntracker on Mac OS X and it logs the following:

Resolving connection "connection":
Router:          192.168.0.1 (00:09:f3:73:77:d4)
Local Endpoint:  192.168.0.88
Remote Endpoint: x.x.x.x
Local Network:   none
Remote Network:  192.168.200.0/24
Starting IKE daemon...
2006-09-11 18:31:05: INFO: main.c:177:main(): @(#)package version VPN-Tracker-4.7(2B12)
2006-09-11 18:31:05: INFO: main.c:179:main(): @(#)internal version 20001216 sakane at kame.net
2006-09-11 18:31:05: INFO: main.c:180:main(): @(#)This product linked OpenSSL 0.9.6l 04 Nov 2003 (http://www.openssl.org/)
2006-09-11 18:31:06: INFO: licensing: Licensed to Darren.
2006-09-11 18:31:06: INFO: isakmp.c:2083:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found. Starting phase1...
2006-09-11 18:31:06: INFO: isakmp.c:1038:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.0.88[500]<=>x.x.x.x[500]
2006-09-11 18:31:06: INFO: isakmp.c:1043:isakmp_ph1begin_i(): begin Main mode.
2006-09-11 18:31:07: INFO: isakmp_ident.c:525:ident_i3recv(): detected NAT, switching to port 4500 for x.x.x.x[500]
2006-09-11 18:31:08: ERROR: isakmp.c:703:isakmp_main(): no phase 1 for Informational exchange exists.
2006-09-11 18:31:08: INFO: isakmp.c:2884:log_ph1established(): ISAKMP-SA established 192.168.0.88[4500]-x.x.x.x[4500] spi:3d9d021237d8f9a9:2621392174fae1ed
2006-09-11 18:31:09: INFO: isakmp.c:1207:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.0.88[0]<=>x.x.x.x[0] (sequence: 6) (sainfo: 192.168.0.88/32 192.168.200.0/24)
2006-09-11 18:31:10: INFO: pfkey.c:1409:pk_sendadd(): NAT-T (new) enabled
2006-09-11 18:31:10: INFO: pfkey.c:1417:pk_sendadd(): NAT-T keepalive enabled
2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA established: ESP/Tunnel x.x.x.x->192.168.0.88 (192.168.0.88/32 192.168.200.0/24) spi=142544753(0x87f0f71)
2006-09-11 18:31:10: INFO: pfkey.c:661:pfkey2ipsecdoi_mode(): IPsec-SA established: ESP/Tunnel 192.168.0.88->x.x.x.x (192.168.0.88/32 192.168.200.0/24) spi=2061256008(0x7adc4548)

This all looks good to me, except that the client cannot ping anything in 
192.168.200.0/24. I suspect the problem is firewalling, but I have 
migrated a working firewall config. I have a firewall zone called vpn1 
which maps to any address on ipsec0, and I am allowing all traffic from that 
zone into 192.168.200.0/24.

There are also interfaces ipsec1, ipsec2 and ipsec3. These seem to be 
unconfigured, whereas ipsec0 is configured with the external address of the 
Openswan box, x.x.x.x. Do I have to add firewall zones for these? What are 
they for?

Can anyone help? Am I correct in thinking that the IPsec stuff is good but 
that the routing/firewalling is the problem?

TIA,

Pete
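As an added example, not part of the original post and not Openswan's own tooling, here is a POSIX shell script for the first gateway-side checks when the SA is up but traffic does not flow, built on the two KLIPS tables the post's setup has: `ipsec eroute` (the kernel's policy table, one line per src -> dst pair and the SA it maps to) and `ipsec tncfg` (which physical interface each ipsecN virtual interface is attached to). The sample outputs embedded in the script, the peer address 203.0.113.5 and the external interface eth0 are constructed assumptions; on a real gateway the script reads the live command output instead.

```shell
#!/bin/sh
# Added example, not from the original post: gateway-side checks for an
# Openswan/KLIPS box whose IPsec SA is up but whose roadwarrior cannot reach
# the protected LAN. Parses the two KLIPS tables that decide the data path:
#   ipsec eroute : "<count> <src>/<len> -> <dst>/<len> => tun0x<spi>@<peer>"
#   ipsec tncfg  : "ipsecN -> <phys> mtu=..." ("-> NULL" when unattached)
# Assumed values (not from the post): peer 203.0.113.5, external interface eth0.

# Constructed sample outputs in the KLIPS format so the script runs off-box.
SAMPLE_EROUTE='0          192.168.200.0/24   -> 192.168.0.88/32    => tun0x1002@203.0.113.5'
SAMPLE_TNCFG='ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0'

# eroute_covers TABLE SRC DST
# Returns 0 when TABLE (text of `ipsec eroute`) holds a policy that sends
# SRC -> DST into a tunnel SA; 1 when it is absent or is only a %trap/%hold/
# %pass shunt. Exact prefix match, which is what Openswan installs for a
# leftsubnet/rightsubnet pair.
eroute_covers() {
    table=$1; src=$2; dst=$3
    printf '%s\n' "$table" | awk -v src="$src" -v dst="$dst" '
        $2 == src && $3 == "->" && $4 == dst && $5 == "=>" && $6 ~ /^tun0x/ { found = 1 }
        END { exit !found }'
}

# tncfg_attached TABLE IFACE
# Prints the physical interface that KLIPS virtual interface IFACE is attached
# to according to TABLE (text of `ipsec tncfg`); returns 1 when it is unattached.
tncfg_attached() {
    table=$1; iface=$2
    printf '%s\n' "$table" | awk -v iface="$iface" '
        $1 == iface && $2 == "->" { phys = $3 }
        END { if (phys == "" || phys == "NULL") exit 1; print phys }'
}

# report EROUTE TNCFG LAN ROADWARRIOR
report() {
    eroute=$1; tncfg=$2; lan=$3; rw=$4
    if eroute_covers "$eroute" "$lan" "$rw"; then
        echo "ok:   eroute $lan -> $rw present; replies to the roadwarrior go into the tunnel"
    else
        echo "FAIL: no eroute $lan -> $rw; the kernel has no policy to encrypt replies to $rw"
    fi
    for i in 0 1 2 3; do
        if phys=$(tncfg_attached "$tncfg" "ipsec$i"); then
            echo "ok:   ipsec$i attached to $phys; decrypted packets enter the firewall on ipsec$i"
        else
            echo "info: ipsec$i unattached; it carries no traffic"
        fi
    done
}

if command -v ipsec >/dev/null 2>&1 && [ -r /proc/net/ipsec_eroute ]; then
    # Live gateway: the roadwarrior's sainfo address may be given as $1.
    report "$(ipsec eroute)" "$(ipsec tncfg)" 192.168.200.0/24 "${1:-192.168.0.88/32}"
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] \
        || echo "FAIL: net.ipv4.ip_forward is 0; the box will not forward between ipsec0 and the LAN"
    # Next step if all of the above pass: tcpdump -ni ipsec0 icmp (decrypted side)
    # while the client pings, then compare with iptables -vnL FORWARD counters.
else
    report "$SAMPLE_EROUTE" "$SAMPLE_TNCFG" 192.168.200.0/24 192.168.0.88/32
fi
```

An ipsecN that `ipsec tncfg` shows as `-> NULL` is not attached to any physical interface and carries no packets, so only the attached one (ipsec0 above) is an interface the firewall ever sees decrypted traffic on. The eroute check comes first because an established SA alone does not make the kernel use it: KLIPS only encrypts LAN-to-roadwarrior replies when an eroute for that src -> dst pair points at a tun0x SA.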

