[Openswan Users] vpn connection

Peter McGill petermcgill at goco.net
Mon Jan 19 11:42:27 EST 2009


Alfonso,

No you don't need KLIPS.
I don't see anything wrong with the info you sent so far.
Are you pinging from server to server or from subnet to subnet?
The two endpoints of your pings must be within the left/rightsubnets that you have defined.
ping -I often does not work; do your ping tests to/from hosts in the subnets.
If you use leftsourceip=<server lan ip> in your config then this can also help.
Showing me your ping output might help here.
You need to permit the ipsec traffic through your firewall, both the openswan traffic (ike/esp) and the tunnel traffic (pings, etc...).
You also cannot nat the tunnel traffic.
I cannot tell if you've done this without...
iptables -t filter -L -n -v
iptables -t nat -L -n -v
I cannot tell if you have a configuration error without the following:
cat ipsec.conf
ipsec status

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
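
The checks above (ping endpoints inside left/rightsubnet, leftsourceip for pings from the gateway itself, IKE/ESP through the firewall, no NAT on tunnel traffic) as a small Python helper. This is an added example, not code from the thread or from Openswan. The ipsec.conf it parses is a constructed sample: the leftsubnet matches the 10.105.240.0/255.255.252.0 route on eth0 in the quoted netstat output, but the peer addresses, rightsubnet and conn name are invented placeholders, and the iptables commands it prints are generated text to review, not commands the script runs.

```python
import ipaddress
import re

# Constructed sample ipsec.conf (not the poster's real configuration). The
# leftsubnet matches the 10.105.240.0/255.255.252.0 route on eth0 in the
# quoted netstat output; every other value is an invented placeholder.
SAMPLE_IPSEC_CONF = """\
config setup
    protostack=netkey

conn site-to-pix
    left=198.51.100.10
    leftsubnet=10.105.240.0/22
    leftsourceip=10.105.240.1
    right=203.0.113.5
    rightsubnet=10.200.0.0/24
    authby=secret
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            # 'config setup' is not a conn; keys under it are skipped.
            current = conns.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def ping_is_covered(conn, src, dst):
    """True when the ping endpoints fall inside leftsubnet/rightsubnet (either direction).

    Traffic that does not match these selectors never enters the tunnel, which is
    what a ping sourced from the gateway's public address looks like.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    return (src in left and dst in right) or (src in right and dst in left)


def sourceip_is_consistent(conn):
    """True when leftsourceip is set and lies inside leftsubnet, so pings
    originated on the gateway itself are selected by the policy."""
    sourceip = conn.get("leftsourceip")
    if sourceip is None:
        return False
    return ipaddress.ip_address(sourceip) in ipaddress.ip_network(conn["leftsubnet"], strict=False)


def firewall_rules(conn):
    """iptables commands (as strings) for the points raised above: exempt the
    tunnel traffic from NAT ahead of any MASQUERADE rule, accept IKE (UDP 500,
    UDP 4500 for NAT-T) and ESP from the peer, and forward the subnet traffic."""
    left, right, peer = conn["leftsubnet"], conn["rightsubnet"], conn["right"]
    return [
        f"iptables -t nat -I POSTROUTING 1 -s {left} -d {right} -j ACCEPT",
        f"iptables -t filter -I INPUT -p udp --dport 500 -s {peer} -j ACCEPT",
        f"iptables -t filter -I INPUT -p udp --dport 4500 -s {peer} -j ACCEPT",
        f"iptables -t filter -I INPUT -p esp -s {peer} -j ACCEPT",
        f"iptables -t filter -I FORWARD -s {left} -d {right} -j ACCEPT",
        f"iptables -t filter -I FORWARD -s {right} -d {left} -j ACCEPT",
    ]


if __name__ == "__main__":
    conn = parse_conns(SAMPLE_IPSEC_CONF)["site-to-pix"]
    print("LAN host -> remote host covered:", ping_is_covered(conn, "10.105.240.50", "10.200.0.7"))
    print("gateway public IP -> remote host covered:", ping_is_covered(conn, conn["left"], "10.200.0.7"))
    print("leftsourceip inside leftsubnet:", sourceip_is_consistent(conn))
    for rule in firewall_rules(conn):
        print(rule)
```

Run it against your own ipsec.conf by replacing SAMPLE_IPSEC_CONF with the file contents; the NAT exemption is inserted at position 1 of POSTROUTING deliberately, because a MASQUERADE rule that matches first rewrites the source address and the packet no longer matches the tunnel selector.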

> -----Original Message-----
> From: Alfonso Viso [mailto:alfonso.viso at selftrade.com] 
> Sent: January 19, 2009 11:17 AM
> To: petermcgill at goco.net; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
> 
> Hello Peter,
> 
> I send you the information:
> ipsec verify
> Checking your system to see if IPsec got installed and 
> started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.13/K2.6.17-1.2142_FC4smp (netkey)
> Checking for IPsec support in kernel                            [OK]
> Testing against enforced SElinux mode                           [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)             [DISABLED]
>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                              [DISABLED]
> 
> netstat -nr
> Kernel IP routing table
> Destination     Gateway              Genmask         Flags   MSS Window  irtt Iface
> <net_public>    0.0.0.0              255.255.255.240 U         0 0          0 eth1
> 10.105.228.0    0.0.0.0              255.255.252.0   U         0 0          0 eth1
> 10.105.240.0    0.0.0.0              255.255.252.0   U         0 0          0 eth0
> 10.105.0.0      10.105.240.20        255.255.0.0     UG        0 0          0 eth0
> 169.254.0.0     0.0.0.0              255.255.0.0     U         0 0          0 eth1
> 172.0.0.0       10.105.240.20        255.0.0.0       UG        0 0          0 eth0
> 10.0.0.0        10.105.240.20        255.0.0.0       UG        0 0          0 eth0
> 0.0.0.0         <gateway internet>   0.0.0.0         UG        0 0          0 eth1
> 
> 
> iptables -t mangle -L -n -v
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> The iptables rules are ok, but we haven't configured any NAT rules; perhaps that is the problem?
> Another thing: I read in an article that if there are many VPNs it is necessary to use KLIPS instead of NETKEY. Is this true?
> 
> thanks
> Alfonso
> 
> -----Original Message-----
> From: Peter McGill [mailto:petermcgill at goco.net]
> Sent: Monday, 19 January 2009 16:40
> To: Alfonso Viso; users at openswan.org
> Subject: RE: [Openswan Users] vpn connection
> 
> 
> Alfonso,
> 
> There are several possible causes here.
> Please send the output of the following commands, to help in troubleshooting.
> ipsec verify
> netstat -nr
> cat ipsec.conf
> ipsec status
> iptables -t filter -L -n -v
> iptables -t nat -L -n -v
> iptables -t mangle -L -n -v
> 
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited 
> 
> > -----Original Message-----
> > From: users-bounces at openswan.org 
> > [mailto:users-bounces at openswan.org] On Behalf Of Alfonso Viso
> > Sent: January 17, 2009 7:08 AM
> > To: users at openswan.org
> > Subject: [Openswan Users] vpn connection
> > 
> > hi all,
> >  
> > I can set up Openswan between a Cisco PIX and a Linux server (FC4). I 
> > use the NETKEY version and PSK. 
> > The remote site can connect to our intranet, and I see that 
> > the tunnel is up and the traffic is coming through the 
> > tunnel. The problem is when I try to ping the other side: the 
> > traffic from the local side doesn't go through the tunnel, I mean the 
> > traffic generated by our side, for example. I only see 
> > response traffic from our side.
> > Could anybody help us?
> > Thanks in advance and sorry for my English.
> >  
> > regards
> > Alfonso
> > ________________________________
> > 
> > This e-mail contains confidential information or information 
> > belonging to Boursorama and is intended solely for the 
> > addressees. The unauthorised disclosure, use, dissemination 
> > or copying (either whole or partial) of this e-mail, or any 
> > information it contains, is prohibited. E-mails are 
> > susceptible to alteration and their integrity cannot be 
> > guaranteed. Boursorama shall not be liable for this e-mail if 
> > modified or falsified. If you are not the intended recipient 
> > of this e-mail, please delete it immediately from your system 
> > and notify the sender of the wrong delivery and the mail deletion. 
> > 
> > ________________________________
> > 
> > 
> 
> 
> 


