[Openswan Users] Link established no data going through

Martin Eramus martin at onyx.co.za
Sat Oct 13 02:15:59 EDT 2007


I have tried pinging from a computer in the local LAN to a computer
in the remote LAN, and from the remote openswan server to the local openswan server.

When I ping from another remote openswan server to the local openswan
server, it works.

Here is the pluto log:

Oct 13 07:54:13 natal ipsec__plutorun: Starting Pluto subsystem...
Oct 13 07:54:13 natal pluto[19045]: Starting Pluto (Openswan Version 2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Oct 13 07:54:13 natal pluto[19045]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Oct 13 07:54:13 natal pluto[19045]: Using Linux 2.6 IPsec interface code
Oct 13 07:54:14 natal pluto[19045]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 13 07:54:14 natal pluto[19045]:   Warning: empty directory
Oct 13 07:54:14 natal pluto[19045]: Changing to directory '/etc/ipsec.d/crls'
Oct 13 07:54:14 natal pluto[19045]:   Warning: empty directory
Oct 13 07:54:14 natal pluto[19045]: added connection description "besho-besntl"
Oct 13 07:54:14 natal pluto[19045]: listening for IKE messages
Oct 13 07:54:14 natal pluto[19045]: adding interface ppp0/ppp0 41.240.44.24
Oct 13 07:54:14 natal pluto[19045]: adding interface eth1/eth1 192.168.4.1
Oct 13 07:54:14 natal pluto[19045]: adding interface eth0/eth0 10.0.0.1
Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo 127.0.0.1
Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo ::1
Oct 13 07:54:14 natal pluto[19045]: loading secrets from "/etc/ipsec.secrets"
Oct 13 07:54:18 natal sudo:   besmac : TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/usr/sbin/ipsec auto --up besho-besntl
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: initiating Main Mode
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring Vendor ID payload [4f455a7e4261425d...]
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer Detection]
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: Peer ID is ID_IPV4_ADDR: '41.243.162.65'
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: ISAKMP SA established
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: initiating Quick Mode PSK+RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: sent QI2, IPsec SA established {ESP=>0xa63eeebb <0x2f4c0736}
Oct 13 07:54:19 natal sudo:   besmac : TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 eth1

I have compared it to the other remote server and the only difference is
the TTY and the PWD. How do I change this, or is it not necessary?

Thanks

Martin

Peter McGill wrote:
> Hmm, ipsec verify looks ok.
> I don't see any problems in your iptables firewall rules, they look ok.
>
> How are you doing your ping tests, from a computer in the local lan to
> a computer in the remote lan? Or openswan server to openswan server?
> If server to server your subnets are not setup for that, use lan pc to lan pc.
>
> Do you know where fc puts log files? Most Linuxes put them in /var/log.
> Openswan logs with process name pluto.
> Generally grep 'pluto' /var/log/* should find your logs.
>
> Peter McGill
>
>> -----Original Message-----
>> From: Martin Erasmus [mailto:martin at onyx.co.za] 
>> Sent: October 12, 2007 11:02 AM
>> To: petermcgill at goco.net
>> Cc: martin at onyx.co.za; users at openswan.org
>> Subject: RE: [Openswan Users] Link established no data going through
>>
>>> Could be a firewall issue, is the subnet for that connection in a
>>> different private range than the others?
>> Yes all the locations have their own subnets
>>
>>> Check your iptables rules to make sure the traffic is accepted.
>>> Do your ping tests match your subnet definitions, the only traffic to
>>> traverse the tunnel is what matches the subnets.
>> It was working till I had to reinstall to fc7. All the systems have the
>> same firewall configuration; it is only the local subnet that is different.
>>
>>> Additional info would be helpful...
>>> Ie)
>>> iptables -t filter -L -v -n
>>> iptables -t nat -L -v -n
>>> iptables -t mangle -L -v -n
>>> iptables -t raw -L -v -n
>> See attached log files
>>
>>> ipsec version
>> fc2 with U2.1.5/K2.6.8-1.521smp
>>
>>> The relevant sections of your ipsec.conf:
>>> The global parts (ie. config setup, conn %default, include .../no_oe.conf)
>>> And any conn sections relevant to the connection.
>> conn besho-besntl
>>  type=tunnel
>>  left=besho.gotdns.org
>>  leftsubnet=192.168.0.0/24
>>  leftnexthop=165.165.128.1
>>  right=%defaultroute
>>  rightsubnet=192.168.4.0/24
>>  rightnexthop=
>>  rightid=@besntl
>>  auto=add
>>  authby=secret|rsasig
>>  leftrsasigkey=
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>>> Restart openswan (ipsec restart), do your ping tests, then use the
>>> following to get the logs:
>>> egrep -h -e 'Oct 12 09.*pluto' /var/log/*
>>> Change the date and time to match your restart and test.
>> This did not give me a result.
>>
>>> Peter McGill
>>>
>>>
>>>> -----Original Message-----
>>>> From: users-bounces at openswan.org
>>>> [mailto:users-bounces at openswan.org] On Behalf Of Martin Erasmus
>>>> Sent: October 12, 2007 6:15 AM
>>>> To: users at openswan.org
>>>> Subject: [Openswan Users] Link established no data going through
>>>>
>>>> Hi All
>>>>
>>>> I was running fc2 on all my servers, 5 systems, 4 external servers linking
>>>> to the main server at head office. I had a hard drive crash on my main
>>>> server, and I have now had to install fc7.
>>>>
>>>> The 4 external servers are running fc2 with U2.1.5/K2.6.8-1.521smp...
>>>> The main Server is running fc7 with U2.4.7/K2.6.21-1.3194.fc7
>>>>
>>>>
>>>> 3 of the external servers link and work no problem; the last one seems to
>>>> link but no data travels through the link.
>>>>
>>>> When I start the link I get the following:
>>>>
>>>> ipsec_setup: Starting Openswan IPsec U2.1.5/K2.6.8-1.521smp...
>>>> 104 "besho-besntl" #1: STATE_MAIN_I1: initiate
>>>> 003 "besho-besntl" #1: ignoring Vendor ID payload
>>>> [4f455a7e4261425d...]
>>>> 003 "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer
>>>> Detection]
>>>> 106 "besho-besntl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>>> 108 "besho-besntl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>>> 004 "besho-besntl" #1: STATE_MAIN_I4: ISAKMP SA established
>>>> 112 "besho-besntl" #2: STATE_QUICK_I1: initiate
>>>> 004 "besho-besntl" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}
>>>>
>>>> but nothing travels through, no ping, nothing from both sides
>>>>
>>>> Any ideas?
>>>>
>>>> Thanks
>>>> Martin
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
>>>> 7?n=283155
>

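As an added check (example code written for this edit, not from the thread or from Openswan): it parses a conn section and pluto log lines of the shape quoted above, confirms that both IKE phases reached "established" and pulls out the ESP SPIs, and, following Peter's point that only traffic matching the subnet definitions traverses the tunnel, tests whether a given ping's source and destination fall inside leftsubnet/rightsubnet. The conn and log excerpts are constructed from what is quoted in the thread; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: a cut-down copy of the conn section posted in the thread.
CONN = """conn besho-besntl
 type=tunnel
 left=besho.gotdns.org
 leftsubnet=192.168.0.0/24
 right=%defaultroute
 rightsubnet=192.168.4.0/24
 rightid=@besntl
 auto=add
 authby=secret|rsasig
"""

# Constructed sample: the key pluto lines from the log above.
PLUTO_LOG = """\
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: initiating Main Mode
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: ISAKMP SA established
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: initiating Quick Mode PSK+RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: sent QI2, IPsec SA established {ESP=>0xa63eeebb <0x2f4c0736}
"""

def parse_conn(text):
    """Return {key: value} for one conn section; leading whitespace is ignored."""
    params = {}
    for line in text.splitlines()[1:]:       # skip the 'conn <name>' header
        if "=" in line:
            key, value = line.strip().split("=", 1)
            params[key] = value
    return params

def tunnel_status(log, conn_name):
    """Report phase 1 (ISAKMP) and phase 2 (IPsec SA) progress for one conn."""
    status = {"isakmp": False, "ipsec": False, "spi_out": None, "spi_in": None}
    for line in log.splitlines():
        if f'"{conn_name}"' not in line:
            continue
        if "ISAKMP SA established" in line:
            status["isakmp"] = True
        m = re.search(r"IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)", line)
        if m:                                # phase 2 done: outbound and inbound ESP SPIs
            status["ipsec"] = True
            status["spi_out"], status["spi_in"] = m.group(1), m.group(2)
    return status

def ping_uses_tunnel(params, src, dst):
    """True only when src/dst match the conn's subnets, in either direction."""
    left = ipaddress.ip_network(params["leftsubnet"])
    right = ipaddress.ip_network(params["rightsubnet"])
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)
```

A ping between the two servers' own addresses returns False here even though both SAs are up, which is the server-to-server case Peter says the subnets are not set up for; a LAN host to LAN host ping returns True.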

