[Openswan Users] VPN established, traffic is not encrypted

Ludovic MARCILLY lmarcilly at aressi.fr
Mon Sep 3 10:47:36 EDT 2007


Hi all,

after succeeding in my first configuration:

LAN 1 -- ipsec gateway -- ipsec gateway -- LAN 2

I have to make this configuration work:

LAN 1 -- [ipsec gateway 1] -- [Router 1] 
                                 |
LAN 2 -- [ipsec gateway 2] -- [Router 2]

Here is the network information:

LAN 1: 192.168.3.0/24 default gateway 192.168.3.193
ipsec gateway 1: 192.168.3.193, 192.168.8.193, default gateway 192.168.8.195
Router 1: 192.168.8.195, 192.168.9.195 default gateway 192.168.9.253

LAN 2: 192.168.4.0/24 default gateway 192.168.4.194
ipsec gateway 2: 192.168.4.194, 192.168.7.194, default gateway 192.168.7.196
Router 2: 192.168.7.196, 192.168.9.196 default gateway 192.168.9.253

Here is my ipsec.conf file on ipsec gateway 1:

version 2

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.3.0/255.255.255.0,%v4:!172.16.0.0/255.255.0.0,%v4:!192.168.4.0/255.255.255.0

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn vpncert
        left=192.168.8.193
        leftnexthop=%defaultroute
        leftsubnet=192.168.3.0/255.255.255.0
        leftcert=/var/ns/certs/hostcert.pem
        right=192.168.9.196
        rightsubnet=192.168.4.0/255.255.255.0
        rightnexthop=%defaultroute
        rightcert=/var/ns/certs/vpncertcert.pem
        ike=3des-sha-modp1024
        esp=3des-sha1
        ikelifetime=1h
        keylife=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        authby=rsasig
        auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

I don't give my ipsec gateway 2 configuration file since it is almost the same.

On each endpoint, I can read "IPsec SA established", so the VPN is established, but I can't ping through the VPN.

Using tcpdump, I have seen ICMP packets going through my router. For example:

I try to ping 192.168.4.194 from a box in LAN 1 and I see ICMP packets from 192.168.8.193 to 192.168.4.194 on Router 1. I think I should not see these packets since they should be encrypted. Am I right?

How can I find out why the packets are not encrypted?

Thanks a lot for your help.

Ludovic MARCILLY
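As an added example (not part of the original post and not Openswan's own tooling), a small Python script that reads the conn's leftsubnet/rightsubnet from ipsec.conf and classifies `tcpdump -n` lines captured on the gateway's outer interface: packets carrying ESP (raw protocol 50 or NAT-T UDP-encapsulated) count as encapsulated, while any non-ESP packet that involves a protected-subnet address is flagged as a leak, which is the symptom described above. The capture lines are constructed; the addresses follow the post.

```python
import ipaddress
import re

# Constructed inputs: conn subnets from the post; tcpdump -n lines from the outer interface.
IPSEC_CONF = """\
conn vpncert
        leftsubnet=192.168.3.0/255.255.255.0
        rightsubnet=192.168.4.0/255.255.255.0
"""
CAPTURE = """\
10:47:01.000001 IP 192.168.8.193 > 192.168.9.196: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
10:47:01.000002 IP 192.168.8.193.4500 > 192.168.9.196.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 132
10:47:01.000003 IP 192.168.8.193 > 192.168.4.194: ICMP echo request, id 1, seq 1, length 64
10:47:01.000004 IP 192.168.3.10 > 192.168.4.20: ICMP echo request, id 2, seq 1, length 64
10:47:01.000005 IP 192.168.8.193.500 > 192.168.9.196.500: isakmp: phase 1 I ident
"""

def parse_conn(text, name):
    """Collect the key=value settings of one conn section (ipsec.conf syntax)."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
        elif current == name and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

# tcpdump -n prints "IP src[.port] > dst[.port]: <protocol details>"
LINE_RE = re.compile(r"IP (\d+(?:\.\d+){3})(?:\.\d+)? > (\d+(?:\.\d+){3})(?:\.\d+)?: (.*)")

def classify(line, protected):
    """'esp': encapsulated; 'leak': protected address seen in clear; else 'other'."""
    m = LINE_RE.search(line)
    if not m:
        return "other"
    src, dst, detail = m.groups()
    if "ESP(" in detail:  # raw ESP (proto 50) or NAT-T UDP-encapsulated ESP
        return "esp"
    if any(ipaddress.ip_address(a) in net for a in (src, dst) for net in protected):
        return "leak"
    return "other"

def audit(capture, conf, conn="vpncert"):
    # Any 'leak' means traffic crossed the outer interface outside the tunnel policy.
    protected = [ipaddress.ip_network(parse_conn(conf, conn)[k]) for k in ("leftsubnet", "rightsubnet")]
    counts = {"esp": 0, "leak": 0, "other": 0}
    for line in capture.splitlines():
        counts[classify(line, protected)] += 1
    return counts
```

Run it against `tcpdump -n -i <outer interface>` output on the gateway while pinging; a non-zero leak count confirms the gateway is forwarding the protected traffic in the clear rather than through the SA.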