[Openswan Users] IPSec SA established in quick mode, but nothing flows over ipsec interface
Eduan Basson
eduan at multenet.com
Tue Sep 9 11:55:37 EDT 2008
Hi
After I've been searching and reading and trying for a week now, I feel
I need to ask for help. I think this is almost certainly a configuration
error, but as I'm cross-compiling openswan for an Arm processor, I don't
have access to all the debugging tools (like verify, because it runs on
perl).
I'm using openswan 2.4.12 on linux 2.4.27 patched for ipsec, on an Arm 9
processor, as client. The server is (unfortunately) Microsoft 2003
Server. I only need to connect using PSK.
What happens is that the whole connection seems to be configured
successfully on ipsec, ending with the following log:
"ipsec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
This creates an ipsec0 interface identical to my ppp0 interface, BUT I
cannot send a single ping, netcat, telnet or L2TP packet across this
interface. It seems that the negotiation for ipsec succeeds because
everything is still flowing through ppp0, but as soon as _updown changes
my routing to go through ipsec0, nothing can get through. tcpdump
confirms this.
I have an empty iptables right now, but I've tried it with udp
specifically accepted on proto 50, port 500, 4500 and 1701, with the
same result.
Barf gives less info than normal, because of the minimal executing
environment, but I will provide it if necessary. Here's just my two
config files so long:
ipsec.secrets:
41.240.16.102 [vpn ip]: PSK "replaced-psk-key"

ipsec.conf:
version 2

config setup
    interfaces="ipsec0=ppp0"
    nat_traversal=yes
    nhelpers=0
    klipsdebug=none
    plutodebug=none

conn ipsec
    authby=secret
    auth=esp
    pfs=no
    rekey=yes
    keyingtries=3
    type=transport
    leftprotoport=17/1701
    left=41.240.16.102
    rightprotoport=17/1701
    right=[vpn ip]
    auto=start

Could somebody at least give me an idea which further tests I can run?
Thank you
Eduan Basson
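
Added example, not part of the original post and not Openswan's own code: a perl-free check of which negotiation phase each connection reached in the pluto log. The STATE_MAIN_I4 line quoted above reports the ISAKMP (phase 1) SA; pluto reports the phase 2 IPsec SA on a separate STATE_QUICK_I2 line. The function names, the "demo" connection, the SPI values and every sample line except the first are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise pluto log lines per connection (phase 1 / phase 2).

# Constructed sample input. The first line is the one quoted in the post;
# the other lines, the "demo" connection and the SPI values are made up.
sample_log() {
    cat <<'EOF'
"ipsec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"ipsec" #2: STATE_QUICK_I1: initiate
"demo" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"demo" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x11111111 <0x22222222 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
EOF
}

# Reads pluto log lines on stdin and prints one line per connection:
#   <conn> phase1=up|down phase2=up|down last=<last state seen>
pluto_sa_summary() {
    awk '
    match($0, /"[^"]+"/) {
        # Connection name is the first double-quoted string on the line.
        conn = substr($0, RSTART + 1, RLENGTH - 2)
        if (!(conn in seen)) { seen[conn] = 1; order[++n] = conn }
        # Phase 1 (ISAKMP SA) and phase 2 (IPsec SA) are logged separately.
        if ($0 ~ /STATE_MAIN_I4: ISAKMP SA established/) p1[conn] = 1
        if ($0 ~ /STATE_QUICK_I2:.*IPsec SA established/) p2[conn] = 1
        # Remember the most recent state name, e.g. a stall in QUICK_I1.
        if (match($0, /STATE_[A-Z]+_[IR][0-9]+/))
            last[conn] = substr($0, RSTART, RLENGTH)
    }
    END {
        for (i = 1; i <= n; i++) {
            c = order[i]
            printf "%s phase1=%s phase2=%s last=%s\n", c, \
                (p1[c] ? "up" : "down"), (p2[c] ? "up" : "down"), last[c]
        }
    }'
}

sample_log | pluto_sa_summary
```

A connection that shows phase1=up and phase2=down has no IPsec SA yet, so traffic routed to ipsec0 has nothing to be protected with.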