[Openswan Users] No Encryption to Linksys WRV200

Peter McGill petermcgill at goco.net
Wed Aug 20 11:15:23 EDT 2008


Michael,

What are you pinging from and to?
If you're pinging from your Linux server to the Linksys, then it will not
be encrypted, because the public addresses are not in the tunnel definition.
To test the tunnel, ping from a host in leftsubnet to a host in rightsubnet.
That should be encrypted; however, tcpdump may show both encrypted and unencrypted
packets for the ping test if you use netkey, because the packets go through
the network stack twice, once unencrypted, then encrypted. They will, however, only
go out on the internet encrypted; the unencrypted packets are internal only.
Adding leftsourceip=<192.168.lan.address> (assuming linux = left) will allow you
to ping from the Linux server to the rightsubnet w/ encryption through the tunnel.
However, pinging from left to right public IPs will always be unencrypted unless
you add a second conn for it, identical to the first but without left/rightsubnets.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
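The selector check behind the answer above, as an added example that is not from this thread or from Openswan: a toy ipsec.conf reader plus a policy lookup that shows which source/destination pairs fall inside a conn's left/rightsubnet selectors and which leave the gateway in the clear. The functions parse_conns, selectors and tunnel_for and the RFC 5737 sample addresses are constructed for this example and assume literal left/right addresses rather than %defaultroute.

```python
import ipaddress
import re

def parse_conns(conf):
    """Minimal ipsec.conf reader: {conn name: {key: value}} for the conn blocks."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def selectors(conn):
    """Selectors of a conn: subnet if set, else the gateway itself (/32); assumes literal left/right."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"]))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"]))
    return left, right

def tunnel_for(conns, src, dst):
    """Name of the first conn whose selectors cover src->dst (either direction), else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        if "left" not in conn or "right" not in conn:
            continue  # e.g. %default carries no endpoints
        left, right = selectors(conn)
        if (src in left and dst in right) or (src in right and dst in left):
            return name
    return None  # no policy matches: the packet leaves in the clear

# Constructed sample: RFC 5737 placeholders stand in for the post's obfuscated addresses.
NET_TO_NET = """\
conn net-to-net
        left=198.51.100.1
        leftsubnet=192.168.1.0/24
        right=203.0.113.1
        rightsubnet=192.168.2.0/24
"""
# The extra conn suggested in the reply: same endpoints, no left/rightsubnet.
GW_TO_GW = """\
conn gw-to-gw
        left=198.51.100.1
        right=203.0.113.1
"""
# Gateway-to-gateway ping is only covered once the second conn exists.
assert tunnel_for(parse_conns(NET_TO_NET), "198.51.100.1", "203.0.113.1") is None
assert tunnel_for(parse_conns(NET_TO_NET + GW_TO_GW), "198.51.100.1", "203.0.113.1") == "gw-to-gw"
```

A source of 192.168.1.1 (what leftsourceip would set on the gateway) matches net-to-net, which is why that setting makes a gateway-originated ping to rightsubnet go through the tunnel.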

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Michael Roessler
> Sent: August 20, 2008 5:57 AM
> To: Users at openswan.org
> Subject: [Openswan Users] No Encryption to Linksys WRV200
> 
> Hi @ll,
> 
> I am trying to connect openswan 2.4.9 (on Fedora 8) and a 
> Linksys WRV200.
> Although the connection seems to be established, a ping from 
> openswan-gw to Linksys-gw is unencrypted.
> This is the output if I establish the connection with "ipsec 
> auto --up tunnel":
> 
> 104 "tunnel" #1: STATE_MAIN_I1: initiate
> 106 "tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "tunnel" #1: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 
> prf=oakley_md5 group=modp1536}
> 117 "tunnel" #2: STATE_QUICK_I1: initiate
> 004 "tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA 
> established {ESP=>0x482eb5f1 <0x511ad672 
> xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> ipsec.conf:
> +++++++++
> version 2
> 
> config setup
>         interfaces=%defaultroute
>         nat_traversal=yes
>         virtual_private=%4:192.168.0.0/16,%4:!192.168.xx.yy/24,%4:
> 
> conn %default
>         authby=secret
> 
> conn net-to-net
>        
>         left=213.23.xx.yy
>         leftsubnet=192.168.xx.yy/24
>         right=220.232.yy.zz
>         rightsubnet=192.168.yy.zz/24
>         pfs=yes
>         keylife=3600s
>         type=tunnel
>         auto=add
> +++++++++
> I have also commented out "nat_traversal" and shut down the 
> firewall. But the ping traffic is never encrypted.
> 
> This is tcpdump output (ping from openswan-gw to linksys-gw):
> +++++++++++++++
> 10:07:28.890178 IP linksys-ip > openswan-ip: ICMP echo reply, 
> id 23061, seq 13, length 64
> 10:07:29.274266 IP linksys-ip > openswan-ip: 
> ESP(spi=0xa515dadf,seq=0x7), length 100
> 10:07:29.529734 IP openswan-ip > linksys-ip: ICMP echo 
> request, id 23061, seq 14, length 64
> 10:07:29.882292 IP linksys-ip > openswan-ip: ICMP echo reply, 
> id 23061, seq 14, length 64
> 10:07:30.529730 IP openswan-ip > linksys-ip: ICMP echo 
> request, id 23061, seq 15, length 64
> 10:07:30.885900 IP linksys-ip > openswan-ip: ICMP echo reply, 
> id 23061, seq 15, length 64
> 10:07:31.529728 IP openswan-ip > linksys-ip: ICMP echo 
> request, id 23061, seq 16, length 64
> 10:07:31.789256 IP linksys-ip > openswan-ip: 
> ESP(spi=0xa515dadf,seq=0x8), length 100
> 10:07:31.901252 IP linksys-ip > openswan-ip: ICMP echo reply, 
> id 23061, seq 16, length 64
> 10:07:32.529730 IP openswan-ip > linksys-ip: ICMP echo 
> request, id 23061, seq 17, length 64
> 10:07:32.875537 IP linksys-ip > openswan-ip: ICMP echo reply, 
> id 23061, seq 17, length 64
> 10:07:33.529730 IP openswan-ip > linksys-ip: ICMP echo 
> request, id 23061, seq 18, length 64
> 10:07:33.885307 IP linksys-ip > openswan-ip: ICMP echo reply, 
> id 23061, seq 18, length 64
> 10:07:34.303336 IP linksys-ip > openswan-ip: 
> ESP(spi=0xa515dadf,seq=0x9), length 100
> +++++++++++++++
> 
> Can you please give me a hint about what I need to look for? Thank you.
> 
> Michael
