[Openswan Users] Re-2: VPN established, trafic is not encrypted

Ludovic MARCILLY lmarcilly at aressi.fr
Tue Sep 4 03:01:11 EDT 2007 

Hi,

thanks for your answer.

> On Mon, 3 Sep 2007, Ludovic MARCILLY wrote:
> 
> > I don't give my ipsec gateway 2 configuration file since it is almost the 
> > same.
> >
> > On each endpoint, i can read "IPsec SA established" so the vpn is 
> > established but i can't ping through the vpn.
> 
> what does 'ipsec verify' say?

root at gateway:~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.8/K2.6.21.5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
  Cannot execute command "which iptables": No such file or directory


> > By using tcpdump, i have seen icmp packets going through my router. For 
> > example:
> >
> > I try to ping 192.168.4.194 from a box in LAN 1 and i see icmp packets from 
> > 192.168.8.193 to 192.168.4.194 on router 1. I think i should not see these 
> > packets since they should be encrypted. Am i right ?
> 
> Not if you are using NETKEY and not KLIPS. Check with ipsec --version.

Sorry, i have forgotten to say i'm using netkey:

root at gateway:~ # ipsec --version
Linux Openswan U2.4.8/K2.6.21.5 (netkey)

 
> > How can i find why packets are not encrypted ?
> 
> Because NETKEY encrypts them after tcpdump can see the packets.

i know that but i'm seeing packets on the router, not on the gateway. In my router logs, i can see icmp packets. 

Ludovic.


To: paul at xelerance.com
Cc: users at openswan.org

More information about the Users mailing list