[Openswan Users] migration from 2.4.9-31.el4 to 2.6.14-1.el5_2.1

Sebastien COUPPEY sebastien.couppey at zero9.it
Wed Jul 2 11:31:42 EDT 2008


With shorewall I also migrated; the connection is working.
So this is a firewall issue ... the migration from shorewall 3.0 to
shorewall 4.0 is not trivial, I might have missed something :/

On Wed, Jul 02, 2008 at 12:55:01PM +0200, Sebastien COUPPEY wrote:
> Hello,
> 
> I upgraded the openswan engine from:
> 
> openswan-2.4.9-31.el4.rpm to openswan-2.6.14-1.el5_2.1
> 
> 
> but now I just have one-way communication for all my tunnels.
> Here is a configuration extraction :
> 
> RIGHT NODE : 
> conn test-to-wasabi
>         authby=secret
>         right=212.147.144.3
>         rightsubnet=10.44.0.0/24
>         rightsourceip=10.44.0.2
>         left=151.1.217.100
>         leftsubnet=10.0.3.99/32
>         leftsourceip=10.0.3.100
>         ike=aes256-sha1
>         esp=aes256-sha1
>         auto=start
> 
> 
> 
> LEFT NODE :
> 
> conn test-to-wasabi
>     authby=secret
>     right=212.147.144.3
>     rightsubnet=10.44.0.0/24
>     left=151.1.217.100
>     leftsubnet=10.0.3.99/32
>     leftsourceip=10.0.3.100
>     ike=aes256-sha1
>     esp=aes256-sha1
>     auto=start
> 
> 
> Tunnel is UP:
> 
> 
> 
> RIGHT to LEFT => OK
> LEFT to RIGHT => not working.
> 
> Here is the now working node's verify status:
> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                   [OK]
> Linux Openswan U2.6.14/K2.6.18-92.1.1.el5 (netkey)
> Checking for IPsec support in kernel                              [OK]
> NETKEY detected, testing for disabled ICMP send_redirects         [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects       [OK]
> Checking for RSA private key (/etc/ipsec.secrets)                 [OK]
> Checking that pluto is running                                    [OK]
> Two or more interfaces found, checking IP forwarding              [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                         [OK]
> Checking for 'iptables' command                                   [OK]
> 
> Opportunistic Encryption DNS checks:
>    Looking for TXT in forward dns zone: frw01                     [MISSING]
>    Does the machine have at least one non-private address?        [OK]
>    Looking for TXT in reverse dns zone: 100.217.1.151.in-addr.arpa. [MISSING]
> 
> 
> ip_forward is activated.
> The added route is :
> 
> 10.44.0.0/24 dev eth0  scope link  src 10.0.3.100
> 
> (eth0 is the internet link)
> 
> I am surely missing a configuration option, but I am not able to spot the
> problem.
> 
> Any tips ?
> 
> thanks
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
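The reply above puts the one-way tunnel down to the firewall rather than to openswan, which is the usual outcome of this particular migration: the 2.6.14 build runs on NETKEY (the ipsec verify output says so), and NETKEY has no ipsec0 interface. Decrypted packets re-enter the stack on the real interface (eth0 here), so any shorewall/iptables rule that was written around ipsec0 stops matching, while IKE (udp/500), NAT-T (udp/4500) and ESP still have to be accepted on INPUT. The script below is an added example and not code from the original post or from the openswan project: it audits an iptables-save dump for the rules a NETKEY gateway needs, using the kernel's policy match (-m policy). The two rulesets inside it are constructed for the demonstration; the interface name eth0 and the expectation that the xt_policy match is available are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump for
# the rules a NETKEY (xfrm) IPsec gateway needs after a KLIPS-era ruleset is
# migrated. Assumptions: NETKEY is in use, the kernel has the xt_policy match,
# and the dump is fed on stdin. eth0 as the internet link is taken from the post.

# Constructed ruleset in the pre-migration (KLIPS) style: IKE and ESP are
# accepted, but forwarding is tied to the ipsec0 interface that NETKEY lacks,
# so locally initiated traffic never gets through while the far side's does.
KLIPS_STYLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A FORWARD -i ipsec0 -j ACCEPT
-A FORWARD -o ipsec0 -j ACCEPT
COMMIT'

# Constructed ruleset that is right for NETKEY: the same IKE/ESP rules plus
# policy-match rules for decrypted (--dir in) and about-to-be-encrypted
# (--dir out) forwarded traffic on the real interface.
NETKEY_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A FORWARD -i eth0 -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# audit_ipsec_rules: read an iptables-save dump on stdin, print every required
# rule that is absent and return the number of missing rules (0 = all present).
audit_ipsec_rules() {
    dump=$(cat)
    missing=0
    for pattern in \
        '^-A INPUT .*-p udp .*--dport 500 .*-j ACCEPT' \
        '^-A INPUT .*-p udp .*--dport 4500 .*-j ACCEPT' \
        '^-A INPUT .*-p esp .*-j ACCEPT' \
        '^-A FORWARD .*-m policy --dir in --pol ipsec .*-j ACCEPT' \
        '^-A FORWARD .*-m policy --dir out --pol ipsec .*-j ACCEPT'
    do
        if ! printf '%s\n' "$dump" | grep -Eq -- "$pattern"; then
            echo "missing: $pattern"
            missing=$((missing + 1))
        fi
    done
    # Any leftover reference to ipsec0 means the ruleset was never migrated.
    if printf '%s\n' "$dump" | grep -q -- 'ipsec0'; then
        echo "warning: rules still reference ipsec0, which NETKEY does not have"
    fi
    return "$missing"
}

# Stand-alone demo on the constructed rulesets. On the real gateway run
# "iptables-save | audit_ipsec_rules" (shorewall generates iptables rules,
# so its output can be audited the same way).
echo "== KLIPS-style ruleset =="
printf '%s\n' "$KLIPS_STYLE_RULES" | audit_ipsec_rules || echo "missing rules: $?"
echo "== NETKEY ruleset =="
printf '%s\n' "$NETKEY_RULES" | audit_ipsec_rules && echo "all required rules present"
```

The check is deliberately one-directional on purpose: it only confirms that the NETKEY-era rules exist, it does not prove nothing else blocks the traffic, so a missing rule explains a one-way tunnel but a clean audit still leaves rp_filter and the NAT/MASQUERADE exclusions to look at.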