[Openswan Users] Link established no data going through
Peter McGill
petermcgill at goco.net
Mon Oct 15 09:49:56 EDT 2007
The TTY and PWD are irrelevant; they're from sudo, not Openswan, and completely unrelated.
Hmm, your iptables firewall rules, ipsec.conf, log files, ipsec verify all looked good to me.
None of your openswan switches are behind a NAT router are they?
They all have direct internet connections?
What does your config setup section in ipsec.conf look like?
Try tcpdumping your public interface then ping during the tcpdump and watch the results.
ie)
tcpdump -i ppp0 host besho.gotdns.org
Maybe that will contain a hint to your problem.
Peter McGill
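To make the subnet-matching point from this thread checkable, the following is an added example (not from the thread, and not Openswan's own code): it parses the conn block Martin posted and reports whether a given ping would be selected by the tunnel's subnet policy at all. The LAN PC addresses 192.168.4.10 and 192.168.0.10 are constructed; the public addresses are the ones visible in Martin's log.

```python
import ipaddress
import re

# Constructed sample: the conn section as posted in the thread (comments dropped).
IPSEC_CONF = """
conn besho-besntl
    type=tunnel
    left=besho.gotdns.org
    leftsubnet=192.168.0.0/24
    leftnexthop=165.165.128.1
    right=%defaultroute
    rightsubnet=192.168.4.0/24
    rightid=@besntl
    auto=add
    authby=secret|rsasig
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' block in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m and not line[0].isspace():           # unindented 'conn NAME' opens a block
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:   # indented key=value belongs to it
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def tunnel_selects(conn, src, dst):
    """True if a src->dst packet matches leftsubnet<->rightsubnet in either direction.

    Only such packets are sent into the tunnel; anything else (for example a ping
    between the gateways' public addresses) leaves in the clear and proves nothing
    about the tunnel even though both SAs show 'established'."""
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


if __name__ == "__main__":
    conn = parse_conns(IPSEC_CONF)["besho-besntl"]
    for src, dst in [("192.168.4.10", "192.168.0.10"),    # LAN PC to LAN PC
                     ("41.240.44.24", "41.243.162.65")]:   # gateway to gateway, public
        print(src, "->", dst, "selected" if tunnel_selects(conn, src, dst) else "NOT selected")
```

When pinging from the gateway itself, the kernel picks the source address from the route to the destination, so without a source pinned inside the local subnet (ping -I 192.168.4.1) the packet sources from the public interface and is not selected.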
_____
From: Martin Eramus [mailto:martin at onyx.co.za]
Sent: October 13, 2007 2:16 AM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: Re: [Openswan Users] Link established no data going through
I have tried pinging from a computer in the local LAN to a computer in the remote LAN, and from the remote openswan server to the local openswan server.
When I ping from another remote openswan server to the local openswan server, it works.
Here is the pluto log:
Oct 13 07:54:13 natal ipsec__plutorun: Starting Pluto subsystem...
Oct 13 07:54:13 natal pluto[19045]: Starting Pluto (Openswan Version 2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)
Oct 13 07:54:13 natal pluto[19045]: including NAT-Traversal patch (Version 0.6c) [disabled]
Oct 13 07:54:13 natal pluto[19045]: Using Linux 2.6 IPsec interface code
Oct 13 07:54:14 natal pluto[19045]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 13 07:54:14 natal pluto[19045]: Warning: empty directory
Oct 13 07:54:14 natal pluto[19045]: Changing to directory '/etc/ipsec.d/crls'
Oct 13 07:54:14 natal pluto[19045]: Warning: empty directory
Oct 13 07:54:14 natal pluto[19045]: added connection description "besho-besntl"
Oct 13 07:54:14 natal pluto[19045]: listening for IKE messages
Oct 13 07:54:14 natal pluto[19045]: adding interface ppp0/ppp0 41.240.44.24
Oct 13 07:54:14 natal pluto[19045]: adding interface eth1/eth1 192.168.4.1
Oct 13 07:54:14 natal pluto[19045]: adding interface eth0/eth0 10.0.0.1
Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo 127.0.0.1
Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo ::1
Oct 13 07:54:14 natal pluto[19045]: loading secrets from "/etc/ipsec.secrets"
Oct 13 07:54:18 natal sudo: besmac : TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/usr/sbin/ipsec auto --up besho-besntl
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: initiating Main Mode
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring Vendor ID payload [4f455a7e4261425d...]
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer Detection]
Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: Peer ID is ID_IPV4_ADDR: '41.243.162.65'
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: ISAKMP SA established
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: initiating Quick Mode PSK+RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: sent QI2, IPsec SA established {ESP=>0xa63eeebb <0x2f4c0736}
Oct 13 07:54:19 natal sudo: besmac : TTY=unknown ; PWD=/home/besmac ; USER=root ; COMMAND=/sbin/route add -net 192.168.0.0 netmask 255.255.255.0 eth1
I have compared it to the other remote server and the only difference is the TTY and the PWD. How do I change this, or is it not necessary?
Thanks
Martin
Peter McGill wrote:
Hmm, ipsec verify looks ok.
I don't see any problems in your iptables firewall rules, they look ok.
How are you doing your ping tests: from a computer in the local LAN to a computer in the remote LAN, or openswan server to openswan server?
If server to server, your subnets are not set up for that; use LAN PC to LAN PC.
Do you know where fc puts log files? Most Linuxes put them in /var/log.
Openswan logs with process name pluto.
Generally grep 'pluto' /var/log/* should find your logs.
Peter McGill
-----Original Message-----
From: Martin Erasmus [mailto:martin at onyx.co.za]
Sent: October 12, 2007 11:02 AM
To: petermcgill at goco.net
Cc: martin at onyx.co.za; users at openswan.org
Subject: RE: [Openswan Users] Link established no data going through
Could be a firewall issue. Is the subnet for that connection in a different private range than the others?
Yes all the locations have their own subnets
Check your iptables rules to make sure the traffic is accepted.
Do your ping tests match your subnet definitions? The only traffic to traverse the tunnel is what matches the subnets.
It was working till I had to reinstall to fc7. All the systems have the same firewall configuration; it is only the local subnet that is different.
Additional info would be helpful...
Ie)
iptables -t filter -L -v -n
iptables -t nat -L -v -n
iptables -t mangle -L -v -n
iptables -t raw -L -v -n
See attached log files
ipsec version
fc2 with U2.1.5/K2.6.8-1.521smp
The relevant sections of your ipsec.conf:
The global parts (ie. config setup, conn %default, include .../no_oe.conf)
and any conn sections relevant to the connection.
conn besho-besntl
type=tunnel
left=besho.gotdns.org
leftsubnet=192.168.0.0/24
leftnexthop=165.165.128.1
right=%defaultroute
rightsubnet=192.168.4.0/24
rightnexthop=
rightid=@besntl
auto=add
authby=secret|rsasig
leftrsasigkey=
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Restart openswan (ipsec restart), do your ping tests, then use the
following to get the logs:
egrep -h -e 'Oct 12 09.*pluto' /var/log/*
Change the date and time to match your restart and test.
This did not give me a result
Peter McGill
-----Original Message-----
From: users-bounces at openswan.org
[mailto:users-bounces at openswan.org] On Behalf Of Martin Erasmus
Sent: October 12, 2007 6:15 AM
To: users at openswan.org
Subject: [Openswan Users] Link established no data going through
Hi All
I was running fc2 on all my servers, 5 systems, 4 external servers linking to the main server at head office. I had a hard drive crash on my main server, and I have now had to install fc7.
The 4 external servers are running fc2 with U2.1.5/K2.6.8-1.521smp...
The main server is running fc7 with U2.4.7/K2.6.21-1.3194.fc7
3 of the external servers link and work no problem; the last one seems to link, but no data travels through the link.
When I start the link I get the following:
ipsec_setup: Starting Openswan IPsec U2.1.5/K2.6.8-1.521smp...
104 "besho-besntl" #1: STATE_MAIN_I1: initiate
003 "besho-besntl" #1: ignoring Vendor ID payload [4f455a7e4261425d...]
003 "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer Detection]
106 "besho-besntl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "besho-besntl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "besho-besntl" #1: STATE_MAIN_I4: ISAKMP SA established
112 "besho-besntl" #2: STATE_QUICK_I1: initiate
004 "besho-besntl" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}
But nothing travels through: no ping, nothing, from both sides.
Any ideas?
Thanks
Martin
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users