[Openswan Users] Openswan+NetScreen - No route - Traffic filtered in ISP

Alejandro Alfonso alejandro.alfonso at telecyl.com
Wed Jan 30 10:30:47 EST 2008


I'm new in OpenSwan, and i'm trying to get connection a Linux Box (pppoe
as leftid) and Netscreen on the other side

Phase 1 and Phase 2 seems to be allright

wells ~ # ipsec auto --up myconn
112 "myconn" #1: STATE_AGGR_I1: initiate
003 "myconn" #1: ignoring unknown Vendor ID payload
003 "myconn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
004 "myconn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
117 "myconn" #2: STATE_QUICK_I1: initiate
003 "myconn" #2: ignoring informational payload, type
004 "myconn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7d72da83 <0x304bd4a9 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

Here is my configuration:

conn myconn
        # phase1
        # phase2

When i do "ping" to rightid:

wells ~ # ping
PING ( 56(84) bytes of data.
>From icmp_seq=1 Packet filtered
>From icmp_seq=2 Packet filtered

And tcpdump -i ppp0 shows ICMP traffic

As you see... its no using IPSec tunnel, and ISP drop ClassB traffic

Do I have forgotten any step? As there's no ipsec0 device (linux 2.6
kernel, netkey)... how to get routing traffic throw IPSec? Routes are
managed from "route" / "ip route" or i should use "ipsec eroute"?  In
config setup i  have an "interfaces="ipsec0=ppp0"" line
Thanks in advance

Best Regards!

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
172.XXX.8.XXX UGH   0      0        0 eth1
172.XXX.6.XXX UGH   0      0        0 eth1 UH    0      0        0 ppp0
172.XXX.6.XXX UGH   0      0        0 eth1   U     0      0        0 eth2   U     0      0        0 eth1   U     0      0        0 eth0     U     0      0        0 eth0       U     0      0        0 lo         88.YYY.YYY.95         UG    0      0        0 ppp0

wells ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.22-Wells04 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

	Patrocinador Oficial: 	

*       Alejandro Alfonso Fernandez
      Responsable Área Corporativa * 	alejandro.alfonso at telecyl.com
<mailto:alejandro.alfonso at telecyl.com>
Proción 7, Portales 1-2 Edificio América II
28023 Madrid
Tfn: 902 60 25 55 - Fax: 91 452 18 08 	Juan García Hortelano, 43
Edificio Telecyl
47014 Valladolid
Tfn: 902 60 25 55 - Fax: 983 428 223


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080130/12245b4e/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: telecylGenerico15.jpg
Type: image/jpeg
Size: 3211 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080130/12245b4e/attachment.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logoCircuitoPaddel.jpg
Type: image/jpeg
Size: 3383 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080130/12245b4e/attachment-0001.jpg 

More information about the Users mailing list