[Openswan Users] Link established no data going through

Peter McGill petermcgill at goco.net
Fri Oct 12 11:35:03 EDT 2007


Hmm, ipsec verify looks ok.
I don't see any problems in your iptables firewall rules, they look ok.

How are you doing your ping tests, from a computer in the local lan to
a computer in the remote lan? Or openswan server to openswan server?
If server to server, your subnets are not set up for that; use lan pc to lan pc.

Do you know where fc puts log files? Most Linuxes put them in /var/log.
Openswan logs with process name pluto.
Generally grep 'pluto' /var/log/* should find your logs.

Peter McGill
 

> -----Original Message-----
> From: Martin Erasmus [mailto:martin at onyx.co.za] 
> Sent: October 12, 2007 11:02 AM
> To: petermcgill at goco.net
> Cc: martin at onyx.co.za; users at openswan.org
> Subject: RE: [Openswan Users] Link established no data going through
> 
> > Could be a firewall issue, is the subnet for that connection in a
> > different private range than the others?
> 
> Yes all the locations have their own subnets
> 
> > Check your iptables rules to make sure the traffic is accepted.
> > Do your ping tests match your subnet definitions, the only traffic to
> > traverse the tunnel is what matches the subnets.
> 
> It was working till I had to reinstall to fc7, all the systems have the
> same firewall configuration it is only the local subnet that is different
> 
> > Additional info would be helpful...
> > Ie)
> > iptables -t filter -L -v -n
> > iptables -t nat -L -v -n
> > iptables -t mangle -L -v -n
> > iptables -t raw -L -v -n
> 
> See attached log files
> > ipsec version
> 
> fc2 with U2.1.5/K2.6.8-1.521smp
> 
> > The relevant sections of your ipsec.conf:
> > The global parts (ie. config setup, conn %default, include .../no_oe.conf)
> > And any conn sections relevant to the connection.
> 
> conn besho-besntl
>  type=tunnel
>  left=besho.gotdns.org
>  leftsubnet=192.168.0.0/24
>  leftnexthop=165.165.128.1
>  right=%defaultroute
>  rightsubnet=192.168.4.0/24
>  rightnexthop=
>  rightid=@besntl
>  auto=add
>  authby=secret|rsasig
>  leftrsasigkey=
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> 
> > Restart openswan (ipsec restart), do your ping tests, then use the
> > following to get the logs:
> > egrep -h -e 'Oct 12 09.*pluto' /var/log/*
> > Change the date and time to match your restart and test.
> 
> This did not give me a result
> 
> >
> > Peter McGill
> >
> >
> >> -----Original Message-----
> >> From: users-bounces at openswan.org
> >> [mailto:users-bounces at openswan.org] On Behalf Of Martin Erasmus
> >> Sent: October 12, 2007 6:15 AM
> >> To: users at openswan.org
> >> Subject: [Openswan Users] Link established no data going through
> >>
> >> Hi All
> >>
> >> I was running fc2 on all my servers, 5 systems, 4 external servers linking
> >> to the main server at head office. I have a hard drive crash on my main
> >> server, I have now had to install fc7.
> >>
> >> The 4 external servers are running fc2 with U2.1.5/K2.6.8-1.521smp...
> >> The main Server is running fc7 with U2.4.7/K2.6.21-1.3194.fc7
> >>
> >>
> >> 3 of the external servers link and work no problem the last one seems to
> >> link but no data travels through the link
> >>
> >> when I start the link I get the following
> >>
> >> ipsec_setup: Starting Openswan IPsec U2.1.5/K2.6.8-1.521smp...
> >> 104 "besho-besntl" #1: STATE_MAIN_I1: initiate
> >> 003 "besho-besntl" #1: ignoring Vendor ID payload [4f455a7e4261425d...]
> >> 003 "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer Detection]
> >> 106 "besho-besntl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> >> 108 "besho-besntl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> >> 004 "besho-besntl" #1: STATE_MAIN_I4: ISAKMP SA established
> >> 112 "besho-besntl" #2: STATE_QUICK_I1: initiate
> >> 004 "besho-besntl" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}
> >>
> >> but nothing travels through no ping nothing from both sides
> >>
> >> any Ideas
> >>
> >> Thanks
> >> Martin
> >
> 
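
The point made in this thread, that only traffic matching the subnet definitions traverses the tunnel, as an added example (not part of the original messages): a Python check of ping source/destination pairs against the leftsubnet/rightsubnet values quoted above. The host addresses and the function names are constructed for illustration.

```python
import ipaddress

# Selector fields copied from the conn section quoted in the thread.
CONN_TEXT = """
conn besho-besntl
    type=tunnel
    leftsubnet=192.168.0.0/24
    leftnexthop=165.165.128.1
    rightsubnet=192.168.4.0/24
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith(("config ", "include ")):
            current = None  # not part of any conn section
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def tunnel_direction(conn, src, dst):
    """Say which way a packet matches the conn's subnets, or None if it
    falls outside them and is therefore not sent through the tunnel."""
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in left and d in right:
        return "left->right"
    if s in right and d in left:
        return "right->left"
    return None


if __name__ == "__main__":
    conn = parse_conns(CONN_TEXT)["besho-besntl"]
    # Constructed test pairs: LAN PC to LAN PC, then gateway to gateway
    # using public (documentation-range) addresses.
    for src, dst in [("192.168.0.10", "192.168.4.20"),
                     ("203.0.113.10", "198.51.100.20")]:
        print(src, "->", dst, ":", tunnel_direction(conn, src, dst))
```

A ping started on a gateway normally takes the address of its outgoing (public) interface as source, which is why the server-to-server test falls outside the subnets while the LAN-to-LAN test matches.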


