[Openswan Users] Possibly some stupid error - anything but ping

Tomás Alvarez talvarez at ipservice.cl
Sun Mar 9 10:57:45 EDT 2008

I have the same problem described.

It is not a firewall problem. If I set up a VPN over White Box Linux, it
works fine. The problem is with Fedora Core 5.

ICMP packets are correctly encrypted and sent in the IPsec tunnel. No other
service (TCP or UDP) is encrypted by IPsec.

When I ping, I can see this traffic at the output interface:

# tcpdump -nli eth0 proto 50
14:37:38.939450 IP XXX.XXX.XX.XX > YYY.YYY.YYY.YYY: ESP(spi=0x3cec758d,seq=0x3), length 132
14:37:38.989187 IP YYY.YYY.YYY.YYY > XXX.XXX.XX.XX: ESP(spi=0x8a87736f,seq=0x3), length 132
14:37:39.940881 IP XXX.XXX.XX.XX > YYY.YYY.YYY.YYY: ESP(spi=0x3cec758d,seq=0x4), length 132
14:37:39.992031 IP YYY.YYY.YYY.YYY > XXX.XXX.XX.XX: ESP(spi=0x8a87736f,seq=0x4), length 132


When I try another protocol or service, SSH for example, I see the following
unencrypted and un-NATed packets at the output interface:

# tcpdump -nli eth0 | grep 192.168.
14:44:08.752777 IP 192.168.0.222.51379 > 192.168.20.101.ssh: S 1950168007:1950168007(0) win 5840 <mss 1460,sackOK,timestamp 155885933 0,nop,wscale 2>
14:44:11.753190 IP 192.168.0.222.51379 > 192.168.20.101.ssh: S 1950168007:1950168007(0) win 5840 <mss 1460,sackOK,timestamp 155886683 0,nop,wscale 2>

LAN A                                                               LAN B
192.168.0.202 ---[Left Box] ---- (Internet) ---- [Right Box] ----- 192.168.20.101

Tomas Alvarez

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Maciej Piechotka
> Sent: January 24, 2008 7:01 PM
> To: users at lists.openswan.org
> Subject: [Openswan Users] Possibly some stupid error - anything but ping donot work
> 
> I have the following ipsec configuration (I am trying to set it up step by step):
> For notebook:
> version 2.0
> 
> config setup
> 
> conn notebook--router
>       left=192.168.xxx.xxx
>       leftid=@notebook
>       leftrsasigkey=...
>       right=192.168.xxx.yyy
>       rightid=@router
>       rightrsasigkey=...
>       auto=add
> 
> For router:
> version 2.0
> 
> config setup
> 
> conn router--notebook
>       left=192.168.xxx.yyy
>       leftid=@router
>       leftrsasigkey=...
>       right=192.168.xxx.xxx
>       rightid=@notebook
>       rightrsasigkey=...
>       auto=add
> 
> Firewall(part of script):
> echo "Allow icmp"
> iptables -A INPUT -p icmp -j ACCEPT
> ip6tables -A INPUT -p icmpv6 -j ACCEPT
> echo "Allow ipsec"
> iptables -A INPUT -p ah -j ACCEPT
> ip6tables -A INPUT -p ah -j ACCEPT
> iptables -A INPUT -p esp -j ACCEPT
> ip6tables -A INPUT -p esp -j ACCEPT
> 
> 
> After
> router # ipsec auto --up router--notebook
> 104 "router--notebook" #1: STATE_MAIN_I1: initiate
> 003 "router--notebook" #1: received Vendor ID payload [Openswan (this version) 2.4.9  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "router--notebook" #1: received Vendor ID payload [Dead Peer Detection]
> 106 "router--notebook" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "router--notebook" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "router--notebook" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
> 117 "router--notebook" #2: STATE_QUICK_I1: initiate
> 004 "router--notebook" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xXXXXXXXX <0xXXXXXXXX xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> notebook # ipsec auto --up notebook--router
> 117 "notebook--router" #3: STATE_QUICK_I1: initiate
> 004 "notebook--router" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xXXXXXXXX <0xXXXXXXXX xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
> 
> It starts ok, showing no error. If I try to ping 192.168.xxx.yyy from the
> notebook it is ok, but no other service is working. What may be wrong?
> 
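As an added check for the symptom both posts describe (my example, not code from either poster or from Openswan): a small Python script that parses tcpdump lines like the ones above and flags any packet between the two LAN subnets that leaves the interface in the clear instead of inside ESP. It assumes the 192.168.0.0/24 and 192.168.20.0/24 subnets from the diagram; the public addresses in the sample capture are constructed placeholders.

```python
import ipaddress
import re

# Subnets the tunnel is supposed to protect (from the diagram in the post).
LEFT_SUBNET = ipaddress.ip_network("192.168.0.0/24")
RIGHT_SUBNET = ipaddress.ip_network("192.168.20.0/24")

# Matches tcpdump "IP src > dst:" lines; the port suffix (".51379", ".ssh") is optional.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\S+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\S+)?: (?P<rest>.*)$"
)

# Constructed sample capture: two ESP packets (tunnel working for ping), one
# SSH SYN between the LANs sent in the clear (the leak), one unrelated packet.
SAMPLE_CAPTURE = """\
14:37:38.939450 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x3cec758d,seq=0x3), length 132
14:37:38.989187 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x8a87736f,seq=0x3), length 132
14:44:08.752777 IP 192.168.0.222.51379 > 192.168.20.101.ssh: S 1950168007:1950168007(0) win 5840 <mss 1460,sackOK,timestamp 155885933 0,nop,wscale 2>
14:44:09.100000 IP 192.168.0.222.40000 > 203.0.113.53.domain: 12345+ A? example.com. (29)
"""


def classify(line):
    """Return ('esp'|'leak'|'other', src, dst) for a tcpdump line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if m["rest"].startswith("ESP("):
        return ("esp", src, dst)  # already protected (IP proto 50)
    a_to_b = src in LEFT_SUBNET and dst in RIGHT_SUBNET
    b_to_a = src in RIGHT_SUBNET and dst in LEFT_SUBNET
    if a_to_b or b_to_a:
        return ("leak", src, dst)  # LAN-to-LAN traffic that bypassed the tunnel
    return ("other", src, dst)


def find_leaks(capture):
    """Return the raw tcpdump lines that carry unprotected LAN-to-LAN traffic."""
    return [ln.strip() for ln in capture.splitlines()
            if (c := classify(ln)) and c[0] == "leak"]


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_CAPTURE):
        print("PLAINTEXT LEAK:", leak)
```

Run it against a live capture with `tcpdump -nli eth0` piped into the script to see which flows the IPsec policy is not catching.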
