[Openswan Users] Unknown parameter name "ike"

Peter McGill petermcgill at goco.net
Thu Apr 26 10:47:56 EDT 2007 

Alright,

The subnet's we're discussing please double check that this
Is correct:
172.18.112.0/20 Your lan subnet?
172.20.210.48/29 The subnet your connecting to far away?
172.25.8.8/29 The subnet assigned to you by the far away,
Admin to access their lan/subnet?
Which computer is running the openswan setup we've discussed,
Your laptop or your lan internet gateway?

Unfortunately, getting a ipsec (openswan) connection and
Actually getting traffic to flow through it are not always
The same thing, your connection setup appears to be good,
As your getting a connection, so we should not need to change
Any more openswan settings, but we may need to change some
More settings on your openswan box, to allow traffic flow.

Assuming the above subnet descriptions are correct:
You'll need firewall rules to allow the traffic.
Since the connection works, you must already have some rules.
If openswan is on your gateway and assuming eth1 is your public
Internet interface.
iptables -t mangle -A INPUT -i eth1 -p esp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth1 -p esp -j MARK --set-mark 1
iptables -t mangle -A INPUT -i eth1 -p udp --dport isakmp -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth1 -p udp --sport isakmp -j MARK --set-mark 1
iptables -t mangle -A INPUT -i eth1 -p udp --dport 4500 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth1 -p udp --sport 4500 -j MARK --set-mark 1
iptables -t filter -A INPUT -m mark --mark 1/1 -j ACCEPT
iptables -t filter -A OUTPUT -m mark --mark 1/1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1/1 -j ACCEPT
If openswan is on your laptop then use your lan interface, probably eth0.
This will allow not only the ipsec traffic for the tunnel, but also the
Traffic inside the tunnel, you need to allow both.

You will also need a NAT rule to convert your real ip address(es) to the
Virtual ones assigned by the far away admin for your access.
If openswan is on your gateway and assuming eth0 is your lan interface then use this:
iptables -t nat -A PREROUTING -i eth0 -s <your laptop lan ip> -d 172.20.210.48/29 -j SNAT --to 172.25.8.9
If openswan is on your laptop, then use this:
iptables -t nat -A OUTPUT -d 172.20.210.48/29 -j SNAT --to 172.25.8.9

When this is done, your should be able to ping/access the remote lan from your laptop.

Peter McGill
 

> -----Original Message-----
> From: steve.morard at epfl.ch [mailto:steve.morard at epfl.ch] 
> Sent: April 26, 2007 2:46 AM
> To: petermcgill at goco.net
> Subject: RE: [Openswan Users] Unknown parameter name "ike"
> 
> In fact my situation is as follows. I'm using a laptop in a 
> LAN and I need to
> open an IPSec tunnel from this laptop to a remote gateway.
> Now I can establish the SA with the remote gateway, but I 
> don't know what I need
> to do in order to be able to use this IPSec tunnel from my 
> laptop. In fact, I
> have to use only this laptop.
> Do you have any idea what I should do in order to make it works ?
> 
> Thank you again for your help
>

More information about the Users mailing list