[Openswan Users] [Fwd: Tunnel established, no traffic]

Paul Wouters paul at xelerance.com
Mon Aug 20 10:12:30 EDT 2007


On Mon, 20 Aug 2007, Ralf Guenthner wrote:

> I've sent the question below to the list twice but it didn't show up
> each time. I also wrote to the list owner's address and asked why, but
> got no response.

It might be stuck in the moderator queue. Or you are on one of the SBL
blacklists, or you are using an RFC-noncompliant Bernstein-based email
server (e.g. qmail).

> I need to connect an Openswan gateway with an older gateway, which is
> based on SuperFreeSwan (quite obsolete I know, but necessary at present)
> running under a 2.4 kernel.

Should work fine.

> In both cases a tunnel is established successfully, e.g. msg. "IPsec SA
> established" in the logs. But the packets won't get out of the tunnel on
> either side and I don't know why.

> Tcpdump on both ends shows that ESP packets are being exchanged in the
> rhythm of pings done from either end.

Then the packets are dropped because of bad crypto. Usually this means
some NAT is happening to the packets. With netkey there is no way to
see that. With klips, you can run for a few packets with klipsdebug
enabled (ipsec klipsdebug --all, send a few pings, then run ipsec klipsdebug
--none) to see why packets were being dropped.

> Are these two flavors of *Swan hopelessly incompatible, because too much
> has changed? I'd appreciate any hints as to how to resolve this problem.

No, they both implement RFCs.

Paul

