[Openswan Users] local peer just doesn`t send any esp out

Mon May 5 23:14:46 EDT 2008

hi all,

i have a problem to get one openswan-openswan connection to work and
just cant find out whats wrong. the strange thing is that one of my
peer points already has two working vpn connections, but just the
third one doesn`t want to work.

i see that the connection gets initiated without any problem:

wiggum:~# ipsec auto --up tnc-poppen
104 "tnc-poppen" #7: STATE_MAIN_I1: initiate
003 "tnc-poppen" #7: ignoring unknown Vendor ID payload
[4f454b427a64597b774d5d40]
003 "tnc-poppen" #7: received Vendor ID payload [Dead Peer Detection]
106 "tnc-poppen" #7: STATE_MAIN_I2: sent MI2, expecting MR2
108 "tnc-poppen" #7: STATE_MAIN_I3: sent MI3, expecting MR3
010 "tnc-poppen" #7: STATE_MAIN_I3: retransmission; will wait 20s for response
004 "tnc-poppen" #7: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
117 "tnc-poppen" #8: STATE_QUICK_I1: initiate
004 "tnc-poppen" #8: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x5b520fb2 <0xbb98c00a xfrm=AES_256-HMAC_SHA1 IPCOMP=>0x0000abc9
<0x00003d66 NATD=none DPD=none}
wiggum:~#

i am on the 'tnc' site, 'poppen' is far away from my office. so what i
tried, is to ping the private ip of the  'poppen' peerpoint, but i
can`t ping it. when i ping through on of the other two vpns, its no
problem. so i started to tcpdump on my local 'tnc' peer, and i could
see that when i ping through one of the working vpns, i can see esp
packets go out of my local peerpoint here. but when i try to ping
'poppen', my local peerpoint doesn`t even send any esp packets out.
this quiet confused me, because i didn`t find any errors here on my
site, but still does my local peerpoint just don`t send any esp out
when i try to transfer something through the vpn.
i also tried to manually send udp packets on port 500 and 4500 from
each peerpoint to the other, and i could always capture them by
tcpdump on the other side. so i know that it cannot be a firewall
problem between these two.
 the only difference, between the two vpns which work, and the one
which doesn`t, is that the working connections are all on
debian/ubuntu. the 'poppen' peerpoint, which doesn`t work, is a SuSE
Linux Enterprise Sever 10 sp1. first i thought that this problem could
have something to do with the different versions, because debian
already has version openswan-2.4.12 and suse still used 2.4.4. same
thing with ipsec-tools, debian already has ipsec-tools-0.6.7, suse
still uses 0.6.5. so i created sles10 rpms of the same
openswan/ipsec-tools versions as debian is using and installed them on
the 'poppen' peerpoint. but i still have the same problem, my local
peer just doesn`t send any esp packets out when i try to transfer.
i also checked the routing table, and i think it should be right, it
has the same entries like on the two working vpns.

i already read through the whole ipsec barf of the tnc and the poppen
peer, but didn`t find any error. i attached both ipsec barfs to this
mail, and hope that you can see more than i do:-)

i would be really glad about some help, don`t know what to try anymore.

thanks, mauro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tnc_barf
Type: application/octet-stream
Size: 84257 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080506/0d7ca1bc/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poppen_barf
Type: application/octet-stream
Size: 42784 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080506/0d7ca1bc/attachment-0003.obj 