[Openswan Users] should I trust ipsec verify or is something still wrong
kevin at sepit.com.au
Sat Mar 17 09:27:31 EDT 2007
I am new to using Openswan and have just spent a couple of days setting
up my first tunnel that is now working. Most of the time was spent
either reading docs or log files and changing firewalls. I eventually
changed firewalls completely from a hand-written iptables script to
shorewall. The biggest problem was convincing the firewall not to
masquerade the packets destined for the other end of the vpn.
I am running two CentOS 4.4 Gateway/Firewall servers with
2.6.9-42.0.10.plus.c4smp Kernels and Openswan 2.4.7 with the KLIPS
module installed. I think the basic tunnel was working without the
KLIPS module installed, but without the ipsec0 interface I couldn't work
out how to verify what was happening to the traffic, as the tunnel appeared
to come up ok.
That's the background; now my question is that the output from ipsec
[root at ims ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.7 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking tun0x1002 at 18.104.22.168 from 192.168.20.0/24 to
ppp0_masq from 0.0.0.0/0 to 0.0.0.0/0 kills tunnel 0.0.0.0/0 ->
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Should the Checking NAT and MASQUERADEing be failing, i.e. is this normal?
Or is there something I should be doing to rectify this?
I had come to believe that this was reporting the cause of my problem
and only found out by accident that all was working (after a final
firewall change I think).
I tried searching the list archives and doing the usual google searches
but found no mention of the above with a solution.
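Added example (not part of the original post, and not Openswan's or ipsec verify's own logic): a Python check that walks iptables-save style nat rules from POSTROUTING and reports the first MASQUERADE/SNAT rule that would match a tunnel's traffic, the condition the "kills tunnel" line in the output above refers to. The rulesets and the remote subnet 192.168.30.0/24 are constructed, and only -s, -d and -j are evaluated, so interface and other matches are ignored.

```python
import ipaddress

KEYS = {"-s": "src", "-d": "dst", "-j": "target"}

def parse_nat(text):
    """Map chain -> rules from iptables-save '-A' lines; other matches (-o, -m) are ignored."""
    chains = {}
    for tok in (l.split() for l in text.splitlines() if l.startswith("-A ")):
        rule, neg, it = {"src": None, "dst": None, "target": None}, False, iter(tok[2:])
        for t in it:
            if t in KEYS:
                val = next(it)
                if val == "!":                 # older "-d ! net" spelling
                    neg, val = True, next(it)
                rule[KEYS[t]] = val if t == "-j" else (ipaddress.ip_network(val, strict=False), neg)
            neg = t == "!"                     # newer "! -d net" spelling
        chains.setdefault(tok[1], []).append(rule)
    return chains

def side(cond, net):
    """(touches, covers): does a -s/-d condition match some / all of net?"""
    if cond is None:
        return True, True
    rule_net, negated = cond
    if negated:
        return not net.subnet_of(rule_net), not net.overlaps(rule_net)
    return net.overlaps(rule_net), net.subnet_of(rule_net)

def walk(chains, chain, src, dst):
    """'chain: target' of the first NAT rule reaching src->dst, False if ACCEPTed, else None."""
    for r in chains.get(chain, []):
        (ts, cs), (td, cd) = side(r["src"], src), side(r["dst"], dst)
        if r["target"] in ("MASQUERADE", "SNAT") and ts and td:
            return f"{chain}: {r['target']}"
        if r["target"] in ("ACCEPT", "RETURN") and cs and cd:
            return False if r["target"] == "ACCEPT" else None
        if r["target"] in chains and ts and td:   # jump into a user chain
            hit = walk(chains, r["target"], src, dst)
            if hit is not None:
                return hit
    return None

def masquerade_hit(text, src, dst):
    return walk(parse_nat(text), "POSTROUTING", ipaddress.ip_network(src), ipaddress.ip_network(dst)) or None

# Constructed rulesets; 192.168.30.0/24 is a placeholder remote subnet.
CATCH_ALL = "-A POSTROUTING -o ppp0 -j ppp0_masq\n-A ppp0_masq -j MASQUERADE\n"
EXEMPTED = ("-A POSTROUTING -o ppp0 -j ppp0_masq\n"
            "-A ppp0_masq -s 192.168.20.0/24 -d ! 192.168.30.0/24 -j MASQUERADE\n")
```

masquerade_hit(CATCH_ALL, "192.168.20.0/24", "192.168.30.0/24") names the offending chain and target, while the same call on EXEMPTED returns None because the tunnel's destination is excluded from the masquerade rule.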