[Openswan Users] Openswan+NetScreen - No route - Traffic filtered in ISP
Peter McGill
petermcgill at goco.net
Thu Jan 31 14:15:49 EST 2008
Linux may not be getting the source ip right on the ping packet.
Try adding this to conn...
leftsourceip=192.168.1.x # lan ip
and/or using...
ping -I 192.168.1.x 192.168.8.4
and/or pinging from one of the 192.168.1.0/24 subnet hosts.
To answer the routing part, you don't route packets into the tunnel; openswan handles that automatically.
You just assign left/rightsubnet values and packets matching them go into the tunnel.
If you need additional subnets then add additional conn sections for them.
Peter McGill
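As an added example (not part of the thread and not Openswan's own code), a small Python model of the left/rightsubnet traffic selectors that shows why a plain ping from the box leaves in the clear while one sourced from the LAN address (via ping -I or leftsourceip) matches the policy. The addresses 198.51.100.95 and 203.0.113.1 are constructed stand-ins for the masked ones in the post.

```python
# Added example: models Openswan's left/rightsubnet policy selectors to show
# why a ping sourced from the ppp0 address bypasses the tunnel while one
# sourced from the LAN address matches it.
import ipaddress

def parse_conn(text):
    """Parse the key=value lines of one ipsec.conf 'conn' block into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line and not line.startswith("conn"):
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn

def selector(conn, side):
    """Traffic selector installed for one side: <side>subnet if given,
    otherwise the host address itself as a /32."""
    subnet = conn.get(f"{side}subnet") or f"{conn[side]}/32"
    return ipaddress.ip_network(subnet, strict=False)

def in_tunnel(conn, src, dst):
    """True if a packet src->dst matches the conn's policy (and so gets ESP)."""
    return (ipaddress.ip_address(src) in selector(conn, "left")
            and ipaddress.ip_address(dst) in selector(conn, "right"))

def ping_source(conn, iface_addr, explicit=None):
    """Source address a ping uses: 'ping -I' wins, then leftsourceip,
    otherwise the kernel picks the outgoing interface address (ppp0 here)."""
    return explicit or conn.get("leftsourceip") or iface_addr

# Constructed stand-in for the poster's conn; 198.51.100.95 and 203.0.113.1
# replace the masked 88.YYY.YYY.95 / XXX.143.XXX.XXX addresses.
MYCONN = parse_conn("""
conn myconn
    left=198.51.100.95
    leftsubnet=192.168.1.0/24
    right=203.0.113.1
    rightsubnet=192.168.8.4/32
""")

if __name__ == "__main__":
    dst = "192.168.8.4"
    for src in (ping_source(MYCONN, "198.51.100.95"),                 # plain ping
                ping_source(MYCONN, "198.51.100.95", "192.168.1.10")):  # ping -I
        print(src, "->", dst, "tunnel" if in_tunnel(MYCONN, src, dst) else "clear")
```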
_____
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Alejandro Alfonso
Sent: January 30, 2008 10:31 AM
To: users at lists.openswan.org
Subject: [Openswan Users] Openswan+NetScreen - No route - Traffic filtered in ISP
Hello!
I'm new to Openswan, and I'm trying to get a connection between a Linux box (pppoe as leftid) and a NetScreen on the other side.
Phase 1 and Phase 2 seem to be all right:
wells ~ # ipsec auto --up myconn
112 "myconn" #1: STATE_AGGR_I1: initiate
003 "myconn" #1: ignoring unknown Vendor ID payload [85f41d68c72215a39fdc9358a3a3fbfae48d09690000000e00000500]
003 "myconn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
004 "myconn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "myconn" #2: STATE_QUICK_I1: initiate
003 "myconn" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "myconn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7d72da83 <0x304bd4a9 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Here is my configuration:
conn myconn
    auto=add
    left=88.YYY.YYY.95
    leftid=88.YYY.YYY.95
    leftsubnet=192.168.1.0/24
    right=XXX.143.XXX.XXX
    rightid=XXX.143.XXX.XXX
    rightsubnet=192.168.8.4/32
    type=tunnel
    # phase1
    authby=secret
    ike=3des-sha1-modp1024
    # phase2
    esp=3des-sha1
    rekey=yes
    pfs=yes
    aggrmode=yes
    compress=no
When I "ping" the rightid, 192.168.8.4/32:
wells ~ # ping 192.168.8.4
PING 192.168.8.4 (192.168.8.4) 56(84) bytes of data.
From 192.168.153.1 icmp_seq=1 Packet filtered
From 192.168.153.1 icmp_seq=2 Packet filtered
And tcpdump -i ppp0 shows the ICMP traffic.
As you see... it's not using the IPsec tunnel, and the ISP drops the class B traffic.
Have I forgotten any step? As there's no ipsec0 device (Linux 2.6 kernel, netkey)... how do I get traffic routed through IPsec?
Are routes managed with "route" / "ip route", or should I use "ipsec eroute"? In config setup I have an "interfaces="ipsec0=ppp0"" line.
Thanks in advance
Best Regards!
PS.
==========
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.XXX.8.XXX 192.168.79.1 255.255.255.255 UGH 0 0 0 eth1
172.XXX.6.XXX 192.168.79.1 255.255.255.255 UGH 0 0 0 eth1
192.168.8.4 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
172.XXX.6.XXX 192.168.79.1 255.255.255.255 UGH 0 0 0 eth1
192.168.71.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.79.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.218.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
191.100.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 88.YYY.YYY.95 0.0.0.0 UG 0 0 0 ppp0
==========
wells ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.22-Wells04 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
--
Alejandro Alfonso Fernandez
Corporate Area Manager, alejandro.alfonso at telecyl.com
http://www.telecyl.com/
Proción 7, Portales 1-2 Edificio América II, 28023 Madrid
Tfn: 902 60 25 55 - Fax: 91 452 18 08
Juan García Hortelano, 43 Edificio Telecyl, 47014 Valladolid
Tfn: 902 60 25 55 - Fax: 983 428 223