[Openswan Users] Wrong conf ipsec

Paul Wouters paul at xelerance.com
Mon Feb 23 12:41:36 EST 2009

On Mon, 23 Feb 2009, ALAEDDINE abbech wrote:

> i restart ipsec service and i (#ipsec auto --up test) in both host
> i have this message:
> 117 "test" #14: STATE_QUICK_I1: initiate
> 004 "test" #14: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x11aed5dd <0xeabdc300
> xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Looks good.

> and #ipsec setup status 
> IPsec running  - pluto pid: 3963
> pluto pid 3963
> No tunnels up

You are using netkey, and the ipsec setup status command only works for klips.
Check using:
ip xfrm policy
ip xfrm state

> i do #ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                [OK]
> Linux Openswan U2.6.14/K2.6.18-92.1.10.el5 (netkey)
> Checking for IPsec support in kernel                           [OK]
> NETKEY detected, testing for disabled ICMP send_redirects      [FAILED]
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!

See /etc/ipsec.d/examples/sysctl.conf and merge it with /etc/sysctl.conf


More information about the Users mailing list