[Openswan Users] Link established no data going through
Martin Eramus
martin at onyx.co.za
Mon Oct 15 13:50:35 EDT 2007
Hi

After hours of looking at the log file, I compared the ipsec.conf to a
working system and found that the only difference was that I had
compress=yes in the file on the system that was not working. I
deleted this line and it worked.

Thanks for all your help
Marti
Peter McGill wrote:
> The TTY and PWD are irrelevant; they're from sudo, not openswan,
> completely unrelated.
> Hmm, your iptables firewall rules, ipsec.conf, log files, ipsec verify
> all looked good to me.
> None of your openswan switches are behind a NAT router are they?
> They all have direct internet connections?
> What does your config setup section in ipsec.conf look like?
> Try tcpdumping your public interface then ping during the tcpdump and
> watch the results.
> ie)
> tcpdump -i ppp0 host besho.gotdns.org
> Maybe that will contain a hint to your problem.
>
> Peter McGill
>
>
> ------------------------------------------------------------------------
> *From:* Martin Eramus [mailto:martin at onyx.co.za]
> *Sent:* October 13, 2007 2:16 AM
> *To:* petermcgill at goco.net
> *Cc:* users at openswan.org
> *Subject:* Re: [Openswan Users] Link established no data going through
>
> I have tried pinging from a computer in the local lan to a
> computer in the remote lan, and from the remote openswan server to the local
> openswan server.
>
> When I ping from another remote openswan server to the local openswan
> server, it works.
>
> Here is the pluto log:
>
> Oct 13 07:54:13 natal ipsec__plutorun: Starting Pluto subsystem...
> Oct 13 07:54:13 natal pluto[19045]: Starting Pluto (Openswan
> Version 2.1.5 X.509-1.4.8-1 PLUTO_USES_KEYRR)
> Oct 13 07:54:13 natal pluto[19045]: including NAT-Traversal
> patch (Version 0.6c) [disabled]
> Oct 13 07:54:13 natal pluto[19045]: Using Linux 2.6 IPsec
> interface code
> Oct 13 07:54:14 natal pluto[19045]: Changing to directory
> '/etc/ipsec.d/cacerts'
> Oct 13 07:54:14 natal pluto[19045]: Warning: empty directory
> Oct 13 07:54:14 natal pluto[19045]: Changing to directory
> '/etc/ipsec.d/crls'
> Oct 13 07:54:14 natal pluto[19045]: Warning: empty directory
> Oct 13 07:54:14 natal pluto[19045]: added connection description
> "besho-besntl"
> Oct 13 07:54:14 natal pluto[19045]: listening for IKE messages
> Oct 13 07:54:14 natal pluto[19045]: adding interface ppp0/ppp0
> 41.240.44.24
> Oct 13 07:54:14 natal pluto[19045]: adding interface eth1/eth1
> 192.168.4.1
> Oct 13 07:54:14 natal pluto[19045]: adding interface eth0/eth0
> 10.0.0.1
> Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo 127.0.0.1
> Oct 13 07:54:14 natal pluto[19045]: adding interface lo/lo ::1
> Oct 13 07:54:14 natal pluto[19045]: loading secrets from
> "/etc/ipsec.secrets"
> Oct 13 07:54:18 natal sudo: besmac : TTY=unknown ;
> PWD=/home/besmac ; USER=root ; COMMAND=/usr/sbin/ipsec auto --up
> besho-besntl
> Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: initiating
> Main Mode
> Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring
> Vendor ID payload [4f455a7e4261425d...]
> Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: ignoring
> Vendor ID payload [Dead Peer Detection]
> Oct 13 07:54:18 natal pluto[19045]: "besho-besntl" #1: transition
> from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition
> from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: Peer ID is
> ID_IPV4_ADDR: '41.243.162.65'
> Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: transition
> from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #1: ISAKMP SA
> established
> Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: initiating
> Quick Mode PSK+RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Oct 13 07:54:19 natal pluto[19045]: "besho-besntl" #2: sent QI2,
> IPsec SA established {ESP=>0xa63eeebb <0x2f4c0736}
> Oct 13 07:54:19 natal sudo: besmac : TTY=unknown ;
> PWD=/home/besmac ; USER=root ; COMMAND=/sbin/route add -net
> 192.168.0.0 netmask 255.255.255.0 eth1
>
> I have compared it to the other remote server and the only
> difference is the TTY and the PWD. How do I change this, or is it
> not necessary?
>
> Thanks
>
> Martin
>
> Peter McGill wrote:
>> Hmm, ipsec verify looks ok.
>> I don't see any problems in your iptables firewall rules, they look ok.
>>
>> How are you doing your ping tests, from a computer in the local lan to
>> A computer in the remote lan? Or openswan server to openswan server?
>> If server to server your subnets are not setup for that, use lan pc to lan pc.
>>
>> Do you know where fc puts log files? Most Linuxes put them in /var/log.
>> Openswan logs with process name pluto.
>> Generally grep 'pluto' /var/log/* should find your logs.
>>
>> Peter McGill
>>
>>
>>
>>> -----Original Message-----
>>> From: Martin Erasmus [mailto:martin at onyx.co.za]
>>> Sent: October 12, 2007 11:02 AM
>>> To: petermcgill at goco.net
>>> Cc: martin at onyx.co.za; users at openswan.org
>>> Subject: RE: [Openswan Users] Link established no data going through
>>>
>>>
>>>> Could be a firewall issue. Is the subnet for that connection in a
>>>> different private range than the others?
>>>>
>>> Yes all the locations have their own subnets
>>>
>>>
>>>> Check your iptables rules to make sure the traffic is accepted.
>>>> Do your ping tests match your subnet definitions? The only
>>>> traffic to traverse the tunnel is what matches the subnets.
>>>>
>>> It was working till I had to reinstall to fc7. All the
>>> systems have the same firewall configuration; it is only the local subnet that
>>> is different.
>>>
>>>
>>>> Additional info would be helpful...
>>>> Ie)
>>>> iptables -t filter -L -v -n
>>>> iptables -t nat -L -v -n
>>>> iptables -t mangle -L -v -n
>>>> iptables -t raw -L -v -n
>>>>
>>> See attached log files
>>>
>>>> ipsec version
>>>>
>>> fc2 with U2.1.5/K2.6.8-1.521smp
>>>
>>>
>>>> The relevant sections of your ipsec.conf:
>>>> The global parts (ie. config setup, conn %default, include .../no_oe.conf)
>>>> And any conn sections relevant to the connection.
>>>>
>>> conn besho-besntl
>>>     type=tunnel
>>>     left=besho.gotdns.org
>>>     leftsubnet=192.168.0.0/24
>>>     leftnexthop=165.165.128.1
>>>     right=%defaultroute
>>>     rightsubnet=192.168.4.0/24
>>>     rightnexthop=
>>>     rightid=@besntl
>>>     auto=add
>>>     authby=secret|rsasig
>>>     leftrsasigkey=
>>>
>>> #Disable Opportunistic Encryption
>>> include /etc/ipsec.d/examples/no_oe.conf
>>>
>>>
>>>
>>>> Restart openswan (ipsec restart), do your ping tests, then use the
>>>> following to get the logs:
>>>> egrep -h -e 'Oct 12 09.*pluto' /var/log/*
>>>> Change the date and time to match your restart and test.
>>>>
>>> This did not give me a result
>>>
>>>
>>>> Peter McGill
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: users-bounces at openswan.org
>>>>> [mailto:users-bounces at openswan.org] On Behalf Of Martin Erasmus
>>>>> Sent: October 12, 2007 6:15 AM
>>>>> To: users at openswan.org
>>>>> Subject: [Openswan Users] Link established no data going through
>>>>>
>>>>> Hi All
>>>>>
>>>>> I was running fc2 on all my servers, 5 systems, 4 external
>>>>> servers linking
>>>>> to the main server at head office. I had a hard drive crash
>>>>> on my main
>>>>> server; I have now had to install fc7.
>>>>>
>>>>> The 4 external servers are running fc2 with U2.1.5/K2.6.8-1.521smp...
>>>>>
>>>>> The main Server is running fc7 with U2.4.7/K2.6.21-1.3194.fc7
>>>>>
>>>>>
>>>>> 3 of the external servers link and work no problem; the last
>>>>> one seems to
>>>>> link, but no data travels through the link.
>>>>>
>>>>> When I start the link I get the following:
>>>>>
>>>>> ipsec_setup: Starting Openswan IPsec U2.1.5/K2.6.8-1.521smp...
>>>>> 104 "besho-besntl" #1: STATE_MAIN_I1: initiate
>>>>> 003 "besho-besntl" #1: ignoring Vendor ID payload
>>>>> [4f455a7e4261425d...]
>>>>> 003 "besho-besntl" #1: ignoring Vendor ID payload [Dead Peer
>>>>> Detection]
>>>>> 106 "besho-besntl" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>>>> 108 "besho-besntl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>>>> 004 "besho-besntl" #1: STATE_MAIN_I4: ISAKMP SA established
>>>>> 112 "besho-besntl" #2: STATE_QUICK_I1: initiate
>>>>> 004 "besho-besntl" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}
>>>>>
>>>>> But nothing travels through: no ping, nothing, from both sides.
>>>>>
>>>>> Any ideas?
>>>>>
>>>>> Thanks
>>>>> Martin
>>>>> _______________________________________________
>>>>> Users at openswan.org
>>>>> http://lists.openswan.org/mailman/listinfo/users
>>>>>
>>
>>
>
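The thread's fix was removing compress=yes. With it set, the "IPsec SA established" status line in the original post carries an IPCOMP SPI pair next to the ESP pair, which is the visible sign that the tunnel negotiated compression. The script below is an added example, not from the thread or from Openswan: it parses that status line and the conn sections of ipsec.conf so an operator can see which tunnels negotiated IPCOMP and what their compress= setting is. The status lines, the ipsec.conf fragment and the conn name other-conn are constructed for the example.

```python
import re
# Constructed "ipsec auto --up" status lines, modelled on those quoted in the thread:
# the first conn negotiated IPCOMP next to ESP, the second did not.
SAMPLE_STATUS = """004 "besho-besntl" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2f9d6b26 <0xed6cf187 IPCOMP=>0x00003e3e <0x00009a08}
004 "other-conn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa63eeebb <0x2f4c0736}
"""
# Constructed ipsec.conf fragment; conn names are hypothetical and match the status above.
SAMPLE_CONF = """config setup
    interfaces=%defaultroute
conn besho-besntl
    type=tunnel
    leftsubnet=192.168.0.0/24
    compress=yes   # the setting the thread ended up removing
    auto=add
conn other-conn
    type=tunnel
"""
SA_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*IPsec SA established \{(?P<spis>[^}]*)\}')
SPI_RE = re.compile(r'(?P<proto>ESP|AH|IPCOMP)=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)')

def parse_established_sas(status_text):
    """Map conn name -> {protocol: (outbound SPI, inbound SPI)} per established IPsec SA."""
    sas = {}
    for m in SA_RE.finditer(status_text):
        sas[m['conn']] = {s['proto']: (s['out'], s['in']) for s in SPI_RE.finditer(m['spis'])}
    return sas

def parse_conn_options(conf_text):
    """Map conn name -> {key: value}; indented lines belong to the preceding section."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        body = line.split('#', 1)[0].rstrip()      # strip trailing comments
        if not body.strip():
            continue
        if not body[0].isspace():                   # header: "conn NAME" or "config setup"
            words = body.split()
            current = words[1] if words[0] == 'conn' and len(words) > 1 else None
            if current is not None:
                conns[current] = {}
        elif current is not None and '=' in body:
            key, value = body.strip().split('=', 1)
            conns[current][key.strip()] = value.strip()
    return conns

def conns_with_ipcomp(status_text, conf_text):
    """(conn, compress= value) for every conn whose SA carries an IPCOMP SPI pair."""
    sas, conf = parse_established_sas(status_text), parse_conn_options(conf_text)
    return [(name, conf.get(name, {}).get('compress', 'unset'))
            for name, spis in sas.items() if 'IPCOMP' in spis]
```

On a live system, feed it the output of `ipsec auto --up CONN` and the contents of /etc/ipsec.conf; a conn listed here with compress=yes on only one side of the link is the mismatch the thread ran into.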