[Openswan Users] Ping problem

Paul Wouters paul at xelerance.com
Wed Feb 7 11:39:17 EST 2007


On Wed, 7 Feb 2007, huarito huaritex wrote:

> Subject: [Openswan Users] Ping problem
>
> Hi guys:
>
> At this time i have installed:
>
> - openswan-2.4.5-2.1
> - Server A Linux FC6 with openswan, Public IP-A
> - Server B Linux FC6 with openswan, Public IP-B
> - Topology net-to-net, connecting two LAN subnets, as follow:
>
>                                    IP-A                 IP-B
> 112.168.100.7/14 subnet-->[Server A]-->======INTERNET=====[Server B]<--- 10.0.0.17/26 subnet
>
> My problems are:
> a)
> when i type:
> #service ipsec status
> IPsec running  - pluto pid: 4796
> pluto pid 4796
> 1 tunnels up
> #cat /var/log/secure
> i see the follow line:  #6: I did not send a certificate because I do not have one
> How do i solve this?

If you are not using certificates, then ignore the message. If you are using certificates,
then you did something wrong and the cert has not been defined in a leftcert/rightcert
statement, or it failed to load, in which case the log will tell you why.

> b)
> i cannot make a ping between two subnets.

What does ipsec verify say?

> #ping 112.168.100.7
> My iptables rules are:
> /sbin/iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
>
> /sbin/iptables -A INPUT -p udp --sport 50 --dport 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 50 --dport 50 -j ACCEPT

udp port 50 is wrong. Delete these two rules.

> /sbin/iptables -A INPUT -p 50 -j ACCEPT
> /sbin/iptables -A OUTPUT -p 50 -j ACCEPT
>
> /sbin/iptables -A INPUT -p udp --sport 51 --dport 51 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 51 --dport 51 -j ACCEPT

same here

> /sbin/iptables -A INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> /sbin/iptables -A OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
>
>
> /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
> /sbin/iptables -A FORWARD -i eth0 -o eht1 -j ACCEPT

You'll have to show more of the standard logs to see what is going wrong.
But do not enable plutodebug or klipsdebug.

Paul
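An added example, not code from this thread or from Openswan, of the rule set the reply is pointing at: IKE is UDP 500, NAT-Traversal is UDP 4500, and ESP and AH are IP protocols 50 and 51 rather than UDP ports, which is why the posted "-p udp --sport 50 --dport 50" and "--sport 51 --dport 51" rules are wrong (the posted "-p 50" rule is the right kind of rule; "-p esp" is the same thing by name). The interface names, peer address and subnet are assumptions, the FORWARD rules assume the NETKEY stack and an iptables with the policy match (with KLIPS you would filter on the ipsec0 interface instead), and the script only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan itself.
# What a net-to-net IPsec gateway has to let through:
#   IKE = UDP 500      NAT-Traversal = UDP 4500
#   ESP = IP proto 50  AH            = IP proto 51
# ESP and AH are protocols, not UDP ports. The interface names, peer
# address and remote subnet below are assumptions for the example.

IPT="${IPT:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = apply them (needs root)
WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface carrying the public IP
LAN_IF="${LAN_IF:-eth1}"                 # assumed: interface facing the local subnet
PEER_IP="${PEER_IP:-203.0.113.2}"        # assumed: the other gateway's public IP
REMOTE_NET="${REMOTE_NET:-10.0.0.0/26}"  # assumed: subnet behind the peer

# Print or execute one iptables invocation.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Flag the classic mistake: treating ESP (50) or AH (51) as a UDP port.
# Returns 0 if the rule is not that mistake, 1 if it is.
lint_rule() {
    if printf '%s\n' "$1" | grep -Eq -- '-p udp .*--(s|d)port (50|51)( |$)'; then
        printf 'WRONG (ESP/AH are IP protocols, not UDP ports): %s\n' "$1" >&2
        return 1
    fi
    return 0
}

ipsec_gateway_rules() {
    # IKE and NAT-T: UDP, restricted to the peer's public address
    run -A INPUT  -i "$WAN_IF" -s "$PEER_IP" -p udp --dport 500  -j ACCEPT
    run -A OUTPUT -o "$WAN_IF" -d "$PEER_IP" -p udp --dport 500  -j ACCEPT
    run -A INPUT  -i "$WAN_IF" -s "$PEER_IP" -p udp --dport 4500 -j ACCEPT
    run -A OUTPUT -o "$WAN_IF" -d "$PEER_IP" -p udp --dport 4500 -j ACCEPT
    # ESP and AH: match on protocol (-p esp is -p 50, -p ah is -p 51)
    run -A INPUT  -i "$WAN_IF" -s "$PEER_IP" -p esp -j ACCEPT
    run -A OUTPUT -o "$WAN_IF" -d "$PEER_IP" -p esp -j ACCEPT
    run -A INPUT  -i "$WAN_IF" -s "$PEER_IP" -p ah  -j ACCEPT
    run -A OUTPUT -o "$WAN_IF" -d "$PEER_IP" -p ah  -j ACCEPT
    # Forwarding between the LAN and the tunnel (NETKEY assumed). Decrypted
    # packets show up as if received on the WAN interface, so the policy
    # match is what stops cleartext packets from the Internet that merely
    # claim a source inside REMOTE_NET from being forwarded into the LAN.
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$REMOTE_NET" \
        -m policy --dir in  --pol ipsec --proto esp -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

ipsec_gateway_rules
```

Run it as is to see the commands; run it with DRY_RUN=0 as root to apply them. Before that, pass each of the posted rules through lint_rule: the two "-p udp ... 50" and the two "-p udp ... 51" rules fail the check, the "-p 50", 500 and 4500 rules pass.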

