[Openswan Users] NETKEY issue with RoadWarrior connection to Checkpoint R65

Ondrej Valousek webserv at s3group.cz
Fri Dec 18 03:37:55 EST 2009


Hi Paul,

No, it does not (note I am not using L2TP):

[root at ondar ~]# ip xfrm policy
src 192.168.60.0/24 dst 193.86.86.100/32 proto tcp
         dir in priority 2088
         tmpl src 193.85.188.83 dst 193.86.86.100
                 proto esp reqid 16389 mode tunnel
src 193.86.86.100/32 dst 192.168.60.0/24 proto tcp
         dir out priority 2088
         tmpl src 193.86.86.100 dst 193.85.188.83
                 proto esp reqid 16389 mode tunnel
src 192.168.60.0/24 dst 193.86.86.100/32 proto tcp
         dir fwd priority 2088
         tmpl src 193.85.188.83 dst 193.86.86.100
                 proto esp reqid 16389 mode tunnel
src ::/0 dst ::/0
         dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir in priority 0
src ::/0 dst ::/0
         dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
         dir out priority 0
[root at ondar ~]# ip xfrm state
src 193.86.86.100 dst 193.85.188.83
         proto esp spi 0xd422f931 reqid 16389 mode tunnel
         replay-window 32
         auth hmac(sha1) 0x9e86e3a35aafa69877304694d0bed95836a96322
         enc cbc(des3_ede) 0x50ea5d294af956f623b66f3e4819640fb982c47b8fd9b631
src 193.85.188.83 dst 193.86.86.100
         proto esp spi 0x8f17a537 reqid 16389 mode tunnel
         replay-window 32
         auth hmac(sha1) 0x4be8c3c3d199ab0981b8b6904c4d74f04997b982
         enc cbc(des3_ede) 0xbc53fad0ee86da3464e9b7717d8047302ed33c54559c0db7

Regards,
Ondrej


On 17.12.2009 22:50, Paul Wouters wrote:
> On Thu, 17 Dec 2009, Ondrej Valousek wrote:
>
>> I did not configure the policy properly on the firewall. Now it works 
>> fine (always glad when I can answer
>> myself :-)
>> Funny thing is, that the *protoport option is completely ignored 
>> (everything that belongs to the 192.168.60.x
>> subnet is being tunneled to the other side).
>
> Can you show "ip xfrm policy" and "ip xfrm state". Does it show the 
> 1701 ports?
>
> Paul

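The check Paul asks for ("does it show the 1701 ports?") boils down to reading the selector line of each tunnel policy in "ip xfrm policy": the port restriction from a protoport option only exists if that line carries "sport"/"dport" next to "proto". It matters because a NETKEY policy is the only thing deciding what gets encrypted: a selector narrower than intended lets traffic outside it leave the host in the clear, one broader than intended tunnels more than you meant to (as in the thread, where everything to the subnet was tunneled). The script below is an added example, not part of the original mail or of Openswan; it parses a constructed paste modelled on the output above (the first policy is the "proto tcp", no-port case from the mail; the second is a hypothetical port-restricted policy added to show the difference) and flags policies that name a protocol without any port.

```shell
#!/bin/sh
# Added example (not from the original thread or from Openswan):
# audit the selectors of "ip xfrm policy" output for missing port
# restrictions. On a live host run:  ip xfrm policy | audit_xfrm_selectors

# Constructed sample modelled on the output quoted in the mail. The first
# policy has "proto tcp" but no port (as seen in the mail); the second is
# a hypothetical port-restricted policy, as produced when the port part
# of a protoport selector actually made it into the kernel.
SAMPLE_POLICY='src 192.168.60.0/24 dst 193.86.86.100/32 proto tcp
        dir in priority 2088
        tmpl src 193.85.188.83 dst 193.86.86.100
                proto esp reqid 16389 mode tunnel
src 192.168.60.0/24 dst 193.86.86.100/32 proto udp sport 1701 dport 1701
        dir out priority 2088
        tmpl src 193.86.86.100 dst 193.85.188.83
                proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir in priority 0'

# Read "ip xfrm policy" output on stdin and print one line per policy that
# has a template (i.e. traffic that is meant to be tunnelled):
#   dir src dst proto sport dport
# Missing selector fields are printed as "any". Policies without a
# template (the default priority-0 catch-alls) are skipped.
audit_xfrm_selectors() {
    awk '
    function flush() {
        if (have_sel && have_tmpl)
            print dir, src, dst, proto, sport, dport
        have_sel = 0; have_tmpl = 0
    }
    # selector line: "src A dst B [proto P] [sport S] [dport D]"
    $1 == "src" {
        flush()
        have_sel = 1; src = $2; dst = $4
        proto = "any"; sport = "any"; dport = "any"
        for (i = 5; i <= NF; i++) {
            if ($i == "proto") proto = $(i + 1)
            if ($i == "sport") sport = $(i + 1)
            if ($i == "dport") dport = $(i + 1)
        }
        next
    }
    $1 == "dir"  { dir = $2; next }
    $1 == "tmpl" { have_tmpl = 1; next }
    END { flush() }
    '
}

# Exit 0 when every tunnel policy that names a protocol also names at
# least one port; otherwise print the offending selectors and exit 1.
check_ports_present() {
    audit_xfrm_selectors | awk '
    $4 != "any" && $5 == "any" && $6 == "any" { print; bad = 1 }
    END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_POLICY" | audit_xfrm_selectors
if printf '%s\n' "$SAMPLE_POLICY" | check_ports_present >/dev/null; then
    echo "all protocol-restricted tunnel policies carry a port selector"
else
    echo "tunnel policy with a protocol but no port selector found"
fi
```

On a live box, feed the real output in ("ip xfrm policy | check_ports_present") and compare the printed selectors against the protoport values in ipsec.conf; a policy listed with "any any" for the ports is tunneling every packet of that protocol to the subnet, regardless of port.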