[Openswan Users] should I trust ipsec verify or is something still wrong

Kevin kevin at sepit.com.au
Sat Mar 17 09:27:31 EDT 2007


Hi All,

I am new to using Openswan and have just spent a couple of days setting 
up my first tunnel that is now working.  Most of the time was spent 
either reading docs or log files and changing firewalls.  I eventually 
changed firewalls completely from a hand written iptables script to 
shorewall.  The biggest problem was convincing the firewall not to 
masquerade the packets destined for the other end of the vpn.

I am running two CentOS 4.4 Gateway/Firewall servers with 
2.6.9-42.0.10.plus.c4smp Kernels and Openswan 2.4.7 with the KLIPS 
module installed.  I think the basic tunnel was working without the 
KLIPS module installed but without the ipsec0 interface I couldn't work 
out how to verify what was happening to the traffic as the tunnel appeared 
to come up ok.

That's the background; now my question is that the output from ipsec 
verify is

[root at ims ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.7 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking tun0x1002 at 218.214.20.117 from 192.168.20.0/24 to 192.168.21.0/24      [FAILED]
  ppp0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 -> 192.168.21.0/24
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Should the Checking NAT and MASQUERADEing be failing, i.e. is this normal? 
Or is there something I should be doing to rectify this?

I had come to believe that this was reporting the cause of my problem 
and only found out by accident that all was working (after a final 
firewall change I think).

I tried searching the list archives and doing the usual google searches 
but found no mention of the above with a solution.

Please advise.

Best Regards
Kevin

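The FAILED line above is ipsec verify spotting a catch-all MASQUERADE rule on ppp0 that would rewrite the source address of packets bound for 192.168.21.0/24 before KLIPS gets them. The script below is an added example (not part of Kevin's post, not Openswan's own code) that performs the same kind of check over a POSTROUTING nat listing in the format `iptables -t nat -S POSTROUTING` prints, with constructed sample rule sets for the broken and the fixed layouts. It only looks at the destination match of each rule, walking them in table order, because that is what decides whether tunnel traffic reaches the MASQUERADE rule; the subnet names are the ones from the post and the rule texts are constructed.

```shell
#!/bin/sh
# Added example: detect a MASQUERADE rule that swallows traffic for the
# tunnel's remote subnet, mirroring the "Checking NAT and MASQUERADEing"
# step of `ipsec verify`. Rule listings below are constructed samples.

REMOTE_NET="192.168.21.0/24"   # far side of the tunnel, from the post
LOCAL_NET="192.168.20.0/24"    # near side of the tunnel, from the post

# Constructed sample: the layout that produces the FAILED line
BAD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE'

# Constructed sample: an ACCEPT for tunnel traffic placed before MASQUERADE
GOOD_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.20.0/24 -d 192.168.21.0/24 -j ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE'

# Constructed sample: same fix expressed as a negated destination match
GOOD_RULES_NEG='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 ! -d 192.168.21.0/24 -j MASQUERADE'

# Constructed sample: the exemption exists but sits AFTER the catch-all,
# so netfilter never reaches it for tunnel traffic
WRONG_ORDER='-P POSTROUTING ACCEPT
-A POSTROUTING -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.20.0/24 -d 192.168.21.0/24 -j ACCEPT'

# check_masq RULES REMOTE_NET
# Prints "ok" when traffic to REMOTE_NET escapes MASQUERADE, otherwise
# "masqueraded". Rules are evaluated first-match, like the kernel does.
check_masq() {
    printf '%s\n' "$1" | awk -v net="$2" '
        # skip policy lines and stop looking once a verdict is known
        $1 != "-A" || verdict != "" { next }
        {
            dst = ""; neg = 0; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { dst = $(i+1); neg = ($(i-1) == "!") }
                if ($i == "-j") target = $(i+1)
            }
            # an explicit ACCEPT for the remote net wins before MASQUERADE
            if (target == "ACCEPT" && dst == net && !neg) verdict = "ok"
            else if (target == "MASQUERADE") {
                if (dst == net && neg) verdict = "ok"            # ! -d remote
                else if (dst == "" || (dst == net && !neg)) verdict = "masqueraded"
            }
        }
        END { print (verdict == "" ? "ok" : verdict) }
    '
}

# exempt_rule LOCAL_NET REMOTE_NET
# Prints the iptables command that inserts the exemption at the top of
# POSTROUTING, so it is matched before any MASQUERADE rule.
exempt_rule() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

# Stand-alone run: report each constructed rule set
for name in BAD_RULES GOOD_RULES GOOD_RULES_NEG WRONG_ORDER; do
    eval "rules=\$$name"
    printf '%-14s %s\n' "$name" "$(check_masq "$rules" "$REMOTE_NET")"
done
exempt_rule "$LOCAL_NET" "$REMOTE_NET"
```

Run it against a live box with `check_masq "$(iptables -t nat -S POSTROUTING)" 192.168.21.0/24`. The ordering case is the one worth remembering: an exemption rule appended with `-A` after an existing catch-all MASQUERADE changes nothing, which is why the example inserts it at position 1.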


