[Openswan Users] Openswan 2.5.17 doesn't work

Paul Wouters paul at xelerance.com
Mon Mar 3 11:29:12 EST 2008


On Mon, 3 Mar 2008, Milan Lesnik wrote:

> My setup (klips 2.5.17, pluto 2.5.17, kernel 2.6.19.7):

>     type=transport
>     left=164.8.1.116
>     leftnexthop=164.8.1.1
>     leftprotoport=17/1701

>     right=%any
>     rightprotoport=17/1701
>     rightsubnet=vhost:%no,%priv

> I establish an IPSEC connection but tunnel doesn't work.

This is the server side, and not the client side right?

> Here are commands eroute and route.
>
> v-debian:~# /usr/local/sbin/ipsec eroute
> 0     164.8.1.116/32  -> 192.168.2.3/32:1701 => comp0xdf5c at 82.149.5.181:17

Can you try using compress=no?
Can you also try leaving out "type=transport" ?

> Eroute doesn't show a suitable tunnel - it is tunnel but port 1701 is missing.

Indeed, it looks like the traffic selector got dropped. Can you show me the
output of: grep 164.8.1.116 /proc/net/ipsec/*eroute*. I want to make sure
that this is a real problem, and not just a displaying problem of the eroute
command.

> v-debian:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.2.3     164.8.1.1       255.255.255.255 UGH   0      0        0 ipsec0
> 164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
> 0.0.0.0         164.8.1.1       0.0.0.0         UG    0      0        0 eth0
>
> Route points to 192.168.2.3 and not to public address of the nat box.

I am not sure if I follow you here.

I also see only 1 interface here? Is this the client? If so, you need to use
%defaultroute, not %any.

> If I use same setup, same client, same firewall under openswan 2.4.12 (klips
> 2.4.12, pluto 2.4.12, kernel 2.6.18.4) everything works. Commands eroute and
> route show working tunnel:
>
> v-debian:~# /usr/local/sbin/ipsec eroute
> 0          164.8.1.116/32:1701 -> 82.149.5.181/32:1701 =>
> comp0xc96b at 82.149.5.181:17
>
> v-debian:~# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 82.149.5.181    164.8.1.1       255.255.255.255 UGH   0      0        0 ipsec0
> 164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 164.8.1.0       0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
> 0.0.0.0         164.8.1.1       0.0.0.0         UG    0      0        0 eth0
>
> What is wrong or what am I missing?
>
>
>
> Also another problem (I disable netkey options in kernel) during startup
> (openswan 2.4.12 works even with netkey code):
>
> v-debian:~# /etc/init.d/ipsec start
> ipsec_setup: Starting Openswan IPsec 2.5.17...
> ipsec_setup: FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel
> ipsec_setup: OOPS, should have aborted!  Broken shell!

That is fixed in git, and will be in the next release.

Paul
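Paul's suggestion is to confirm whether the port-1701 selector is really gone from the kernel eroute table or only dropped by the display of the `eroute` command. As an added example, not part of this thread and not Openswan's own tooling, the following Python checker parses KLIPS eroute lines in the format quoted above (`count src/mask[:port] -> dst/mask[:port] => said@gateway:proto`) and compares the selector ports and protocol against the `leftprotoport`/`rightprotoport` values from `ipsec.conf`. It assumes that format, accepts the mailing-list archive's rewriting of `@` as ` at `, and re-joins lines that a mail client wrapped after `=>`. The two sample inputs are the 2.5.17 and 2.4.12 eroute lines from the thread; the `ipsec.conf` values are the ones Milan posted.

```python
import re
from typing import Dict, List, Optional

# One KLIPS eroute line, e.g. (from the thread above):
#   0     164.8.1.116/32  -> 192.168.2.3/32:1701 => comp0xdf5c at 82.149.5.181:17
# The src/dst port suffixes are optional (absent = any port).  The archive
# rewrites "@" as " at "; both spellings are accepted.  The trailing ":17"
# is the selector's IP protocol number (17 = UDP).  Format is an assumption
# based on the lines shown in this thread.
EROUTE_RE = re.compile(
    r"^\s*(?P<count>\d+)\s+"
    r"(?P<src>[\d.]+)/(?P<srcmask>\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)/(?P<dstmask>\d+)(?::(?P<dport>\d+))?\s+=>\s+"
    r"(?P<said>\w+)(?:@|\s+at\s+)(?P<gw>[\d.]+)"
    r"(?::(?P<proto>\d+))?\s*$"
)

# Sample inputs taken from the thread (2.5.17 output, then 2.4.12 output,
# the latter wrapped after "=>" by the mail client).
EROUTE_2_5_17 = """\
0     164.8.1.116/32  -> 192.168.2.3/32:1701 => comp0xdf5c at 82.149.5.181:17
"""
EROUTE_2_4_12 = """\
0          164.8.1.116/32:1701 -> 82.149.5.181/32:1701 =>
comp0xc96b at 82.149.5.181:17
"""


def parse_eroutes(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse eroute output; lines that do not look like eroutes are skipped."""
    joined: List[str] = []
    for raw in text.splitlines():
        # Re-join a line that was wrapped right after the "=>" separator.
        if joined and joined[-1].rstrip().endswith("=>"):
            joined[-1] = joined[-1].rstrip() + " " + raw.strip()
        else:
            joined.append(raw)
    entries: List[Dict[str, Optional[str]]] = []
    for line in joined:
        m = EROUTE_RE.match(line)
        if m:
            entries.append(m.groupdict())  # unmatched optional groups are None
    return entries


def _split_protoport(spec: str):
    """'17/1701' -> ('17', '1701'); '17/%any' or '17/0' -> ('17', None)."""
    proto, _, port = spec.partition("/")
    return proto, (None if port in ("", "%any", "0") else port)


def check_protoport(entry: Dict[str, Optional[str]],
                    leftprotoport: str, rightprotoport: str) -> List[str]:
    """Return a list of mismatches between the eroute selector and the config.

    The eroute src side is taken to be 'left' (the local end), as in the
    server-side table shown in the thread."""
    problems: List[str] = []
    lproto, lport = _split_protoport(leftprotoport)
    _, rport = _split_protoport(rightprotoport)
    if entry["proto"] != lproto:
        problems.append(
            f"protocol {entry['proto'] or 'any'} in eroute, config wants {lproto}")
    if entry["sport"] != lport:
        problems.append(
            f"left port {entry['sport'] or 'any'} in eroute, config wants {lport or 'any'}")
    if entry["dport"] != rport:
        problems.append(
            f"right port {entry['dport'] or 'any'} in eroute, config wants {rport or 'any'}")
    return problems


if __name__ == "__main__":
    for label, text in (("2.5.17", EROUTE_2_5_17), ("2.4.12", EROUTE_2_4_12)):
        for e in parse_eroutes(text):
            issues = check_protoport(e, "17/1701", "17/1701")
            print(f"{label}: {e['said']} -> {issues or 'selector matches config'}")
```

Run against the 2.5.17 line the checker reports that the left (local) selector has no port although the config asks for 1701, while the 2.4.12 line passes. To apply Paul's check, feed it the contents of `/proc/net/ipsec/eroute` instead of the `ipsec eroute` output (assuming that file uses the same line format): if the kernel-side entry still carries `:1701` on the source, the problem is in the display; if it does not, the selector really was lost.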

