[Openswan Users] Openswan+NetScreen - No route - Traffic filtered in ISP

Alejandro Alfonso alejandro.alfonso at telecyl.com
Wed Jan 30 10:30:47 EST 2008


Hello!

I'm new in OpenSwan, and i'm trying to get connection a Linux Box (pppoe
as leftid) and Netscreen on the other side

Phase 1 and Phase 2 seems to be allright

wells ~ # ipsec auto --up myconn
112 "myconn" #1: STATE_AGGR_I1: initiate
003 "myconn" #1: ignoring unknown Vendor ID payload
[85f41d68c72215a39fdc9358a3a3fbfae48d09690000000e00000500]
003 "myconn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
004 "myconn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 "myconn" #2: STATE_QUICK_I1: initiate
003 "myconn" #2: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
004 "myconn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7d72da83 <0x304bd4a9 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

Here is my configuration:

conn myconn
        auto=add
        left=88.YYY.YYY.95
        leftid=88.YYY.YYY.95
        leftsubnet=192.168.1.0/24
        right=XXX.143.XXX.XXX
        rightid=XXX.143.XXX.XXX
        rightsubnet=192.168.8.4/32
        type=tunnel
        # phase1
        authby=secret
        ike=3des-sha1-modp1024
        # phase2
        esp=3des-sha1
        rekey=yes
        pfs=yes
        aggrmode=yes
        compress=no

When i do "ping" to rightid: 192.168.8.4/32

wells ~ # ping 192.168.8.4
PING 192.168.8.4 (192.168.8.4) 56(84) bytes of data.
>From 192.168.153.1 icmp_seq=1 Packet filtered
>From 192.168.153.1 icmp_seq=2 Packet filtered

And tcpdump -i ppp0 shows ICMP traffic

As you see... its no using IPSec tunnel, and ISP drop ClassB traffic

Do I have forgotten any step? As there's no ipsec0 device (linux 2.6
kernel, netkey)... how to get routing traffic throw IPSec? Routes are
managed from "route" / "ip route" or i should use "ipsec eroute"?  In
config setup i  have an "interfaces="ipsec0=ppp0"" line
Thanks in advance

Best Regards!

Pd.
==========
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
172.XXX.8.XXX   192.168.79.1    255.255.255.255 UGH   0      0        0 eth1
172.XXX.6.XXX   192.168.79.1    255.255.255.255 UGH   0      0        0 eth1
192.168.8.4   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
172.XXX.6.XXX   192.168.79.1    255.255.255.255 UGH   0      0        0 eth1
192.168.71.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.218.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
191.100.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         88.YYY.YYY.95  0.0.0.0         UG    0      0        0 ppp0


==========
wells ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.22-Wells04 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

-- 
------------------------------------------------------------------------
	Patrocinador Oficial: 	

 
*       Alejandro Alfonso Fernandez
      Responsable Área Corporativa * 	alejandro.alfonso at telecyl.com
<mailto:alejandro.alfonso at telecyl.com>
http://www.telecyl.com/
 
Proción 7, Portales 1-2 Edificio América II
28023 Madrid
Tfn: 902 60 25 55 - Fax: 91 452 18 08 	Juan García Hortelano, 43
Edificio Telecyl
47014 Valladolid
Tfn: 902 60 25 55 - Fax: 983 428 223

------------------------------------------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080130/12245b4e/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: telecylGenerico15.jpg
Type: image/jpeg
Size: 3211 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080130/12245b4e/attachment.jpg 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logoCircuitoPaddel.jpg
Type: image/jpeg
Size: 3383 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080130/12245b4e/attachment-0001.jpg 


More information about the Users mailing list