[Openswan Users] Openswan+NetScreen - No route - Traffic filteredin ISP

Peter McGill petermcgill at goco.net
Thu Jan 31 14:15:49 EST 2008

Linux may not be getting the source ip right on the ping packet.
Try adding this to conn...
    leftsourceip=192.168.1.x # lan ip
and/or using...
ping -I 192.168.1.x
and/or pinging from one of the subnet hosts.
To answer the routing part, you don't route packets into the tunnel openswan handles automatically.
You just assign left/rightsubnet values and packets matching them go into the tunnel.
If you need additional subnets then add additional conn sections for them.
Peter McGill


From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Alejandro Alfonso
Sent: January 30, 2008 10:31 AM
To: users at lists.openswan.org
Subject: [Openswan Users] Openswan+NetScreen - No route - Traffic filteredin ISP


I'm new in OpenSwan, and i'm trying to get connection a Linux Box (pppoe as leftid) and Netscreen on the other side

Phase 1 and Phase 2 seems to be allright

wells ~ # ipsec auto --up myconn
112 "myconn" #1: STATE_AGGR_I1: initiate
003 "myconn" #1: ignoring unknown Vendor ID payload [85f41d68c72215a39fdc9358a3a3fbfae48d09690000000e00000500]
003 "myconn" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
004 "myconn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
117 "myconn" #2: STATE_QUICK_I1: initiate
003 "myconn" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "myconn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7d72da83 <0x304bd4a9 xfrm=3DES_0-HMAC_SHA1 NATD=none

Here is my configuration:

conn myconn
        # phase1
        # phase2

When i do "ping" to rightid:

wells ~ # ping
PING ( 56(84) bytes of data.
>From icmp_seq=1 Packet filtered
>From icmp_seq=2 Packet filtered

And tcpdump -i ppp0 shows ICMP traffic

As you see... its no using IPSec tunnel, and ISP drop ClassB traffic

Do I have forgotten any step? As there's no ipsec0 device (linux 2.6 kernel, netkey)... how to get routing traffic throw IPSec?
Routes are managed from "route" / "ip route" or i should use "ipsec eroute"?  In config setup i  have an "interfaces="ipsec0=ppp0""
Thanks in advance

Best Regards!

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.XXX.8.XXX UGH   0      0        0 eth1
172.XXX.6.XXX UGH   0      0        0 eth1 UH    0      0        0 ppp0
172.XXX.6.XXX UGH   0      0        0 eth1   U     0      0        0 eth2   U     0      0        0 eth1   U     0      0        0 eth0     U     0      0        0 eth0       U     0      0        0 lo         88.YYY.YYY.95         UG    0      0        0 ppp0

wells ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.22-Wells04 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]



	 Patrocinador Oficial: 		
      Alejandro Alfonso Fernandez 
      Responsable Área Corporativa 	alejandro.alfonso at telecyl.com 
Proción 7, Portales 1-2 Edificio América II 
28023 Madrid 
Tfn: 902 60 25 55 - Fax: 91 452 18 08 	Juan García Hortelano, 43 Edificio Telecyl 
47014 Valladolid 
Tfn: 902 60 25 55 - Fax: 983 428 223 	

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080131/441837bb/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3211 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080131/441837bb/attachment-0002.jpe 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 3383 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080131/441837bb/attachment-0003.jpe 

More information about the Users mailing list