[Openswan Users] Possibly some stupid error - anything but ping do not work

Maciej Piechotka uzytkownik2 at gmail.com
Thu Jan 24 19:00:44 EST 2008


I have the following ipsec configuration (I am trying to set it up step by step):
For notebook:
version 2.0

config setup

conn notebook--router
	left=192.168.xxx.xxx
	leftid=@notebook
	leftrsasigkey=...
	right=192.168.xxx.yyy
	rightid=@router
	rightrsasigkey=...
	auto=add

For router:
version 2.0

config setup

conn router--notebook
	left=192.168.xxx.yyy
	leftid=@router
	leftrsasigkey=...
	right=192.168.xxx.xxx
	rightid=@notebook
	rightrsasigkey=...
	auto=add

Firewall (part of script):
echo "Allow icmp"
iptables -A INPUT -p icmp -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
echo "Allow ipsec"
iptables -A INPUT -p ah -j ACCEPT
ip6tables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
ip6tables -A INPUT -p esp -j ACCEPT


After
router # ipsec auto --up router--notebook
104 "router--notebook" #1: STATE_MAIN_I1: initiate
003 "router--notebook" #1: received Vendor ID payload [Openswan (this 
version) 2.4.9  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "router--notebook" #1: received Vendor ID payload [Dead Peer Detection]
106 "router--notebook" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "router--notebook" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "router--notebook" #1: STATE_MAIN_I4: ISAKMP SA established 
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 
group=modp1536}
117 "router--notebook" #2: STATE_QUICK_I1: initiate
004 "router--notebook" #2: STATE_QUICK_I2: sent QI2, IPsec SA established 
{ESP=>0xXXXXXXXX <0xXXXXXXXX xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
notebook # ipsec auto --up notebook--router
117 "notebook--router" #3: STATE_QUICK_I1: initiate
004 "notebook--router" #3: STATE_QUICK_I2: sent QI2, IPsec SA established 
{ESP=>0xXXXXXXXX <0xXXXXXXXX xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}

it starts OK, showing no error. If I try to ping 192.168.xxx.yyy from 
the notebook it is OK, but no other service is working. What may be wrong?

PS.
tcpdump shows nothing on the interface. ipsec0 is not created as described in 
http://wiki.openswan.org/index.php/Openswan/DebuggingTCPDump but I heard 
it is normal with new kernels.
-- 
I've probably left my head... somewhere. Please wait until I find it.
Homepage (pl_PL): http://uzytkownik.jogger.pl/
(GNU/)Linux User: #425935 (see http://counter.li.org/)
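As an added check (not part of the original post), the script below parses the INPUT rules and the pluto output quoted above and reports which IP protocols the firewall accepts and whether both SAs came up. On a netkey kernel (no ipsec0, as the PS notes) a decrypted ESP packet is re-injected and traverses INPUT again as its inner protocol, so anything other than icmp, ah and esp needs its own accept rule, for example one matching `-m policy --pol ipsec --dir in`; the rule and output strings are constructed from the post.

```python
import re

# Constructed sample input, copied from the post: the INPUT rules the
# firewall script installs, and two lines of "ipsec auto --up" output.
FIREWALL_RULES = """
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
"""

PLUTO_OUTPUT = """
004 "router--notebook" #1: STATE_MAIN_I4: ISAKMP SA established
004 "router--notebook" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

RULE_RE = re.compile(r"^iptables\s+-A\s+INPUT\s+(.*)-j\s+ACCEPT\s*$")

def accepted_protocols(rules):
    """Return (plain, policy): protocols accepted by ordinary INPUT rules,
    and protocols accepted only for decapsulated IPsec traffic
    (rules carrying '-m policy --pol ipsec')."""
    plain, policy = set(), set()
    for line in rules.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        opts = m.group(1)
        proto = re.search(r"-p\s+(\S+)", opts)
        proto = proto.group(1) if proto else "all"
        (policy if "--pol ipsec" in opts else plain).add(proto)
    return plain, policy

def sa_states(output):
    """Return (isakmp_established, ipsec_established) from pluto output."""
    return ("ISAKMP SA established" in output, "IPsec SA established" in output)

def missing_for_decapsulated(rules, wanted=("tcp", "udp")):
    """Protocols in `wanted` that no INPUT rule accepts at all. With netkey,
    decrypted ESP traffic hits INPUT again as its inner protocol, so
    accepting only esp/ah/icmp lets ping through and nothing else."""
    plain, policy = accepted_protocols(rules)
    if "all" in plain or "all" in policy:
        return []
    return [p for p in wanted if p not in plain and p not in policy]

if __name__ == "__main__":
    print("ISAKMP SA / IPsec SA established:", sa_states(PLUTO_OUTPUT))
    print("no INPUT rule for decapsulated:", missing_for_decapsulated(FIREWALL_RULES))
```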