[Openswan Users] Difficulties

João Kuchnier joao.kuchnier at gmail.com
Tue Jun 9 13:19:34 EDT 2009


Hi Paul, sorry about the delay! I lost your e-mail response...

On Fri, 5 Jun 2009, João Kuchnier wrote:

        right=192.168.1.224
        #rightnexthop=
        rightsubnet=192.168.1.224/32
        #rightid=
        left=200.x.x.x
        #leftnexthop=
        leftsubnet=192.168.102.0/24
        keyexchange=ike
        ike=3des-md5-modp1024
        esp=3des-md5
        #ah=3des-md5
        ikelifetime=28800s
        #keylife=28800s
        pfs=no
        compress=no
        authby=secret
        auto=start
        aggrmode=no


If both ends are openswan, use pfs=yes
--> At the other end they have a French appliance.

conn 2
        right=192.168.1.224
        #rightnexthop=
        rightsubnet=192.168.1.224/32
        #rightid=
        left=200.x.x.x
        #leftnexthop=
        leftsubnet=10.201.136.0/21


"conn1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x0d243b91 <0x964680c9 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500
DPD=none}
"conn2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x09bf8953 <0xea5fc696 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500
DPD=none}


Both tunnels establish, so my guess is this is a firewalling or
routing issue. Are you excluding packets that are going to be
tunneled from getting NAT'ed?

--> Like I said in the first e-mail (I lost it too), I have a firewall
with two zones, tunnels and hosts to both subnets on that end.
Everything coming from or going to that end is accepted on the firewall and
nat'ed to the DMZ Openswan server.

--> On the Openswan server there is another firewall (shorewall too)
nat'ing some specific packets for two other servers on the DMZ.
--> /etc/shorewall/rules is like this: DNAT net net:192.168.1.x tcp 2xxx
--> maybe this is the problem after all

Jun  5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...

Could use an update to openswan 2.4.14.
--> I'm using Ubuntu Server 8.10. This version is the newest one
available in the repositories...

Jun  5 16:03:44 conn2 ipsec__plutorun: 104 "conn2" #1: STATE_MAIN_I1:
initiate
Jun  5 16:03:44 conn2 ipsec__plutorun: ...could not start conn "conn2"


That's an oddness where at first it does not start, but on the second
attempt it does. You can ignore that for now.

What does 'ipsec verify' say?

--> ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.4.9/K2.6.24-19-server (netkey)
Checking for IPsec support in kernel                        	[OK]
NETKEY detected, testing for disabled ICMP send_redirects   	[FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects 	[FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)           	[DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]


Paul

João K.
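Two things a reader of this thread would want to check on the Openswan host: the NETKEY redirect sysctls that `ipsec verify` flagged FAILED above, and whether traffic for the tunnelled subnets is exempted from NAT (Paul's question). The script below is an added example, not code from the thread or from Openswan; `PROC_ROOT` is an assumed override so the check can be run against a copied /proc tree, and the subnets are taken from the conn definitions quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. PROC_ROOT is a hypothetical override
# (defaults to the live kernel) so the check can run against a copied tree.
PROC_ROOT=${PROC_ROOT:-/proc/sys}

# Print "iface key" for every interface where send_redirects or
# accept_redirects is still 1. Returns 1 if any is enabled, 0 if all are
# disabled, mirroring the [FAILED]/[OK] verdict of 'ipsec verify'.
check_redirects() {
    bad=0
    for key in send_redirects accept_redirects; do
        for f in "$PROC_ROOT"/net/ipv4/conf/*/"$key"; do
            [ -r "$f" ] || continue
            if [ "$(cat "$f")" = "1" ]; then
                iface=$(basename "$(dirname "$f")")
                echo "$iface $key"
                bad=1
            fi
        done
    done
    return $bad
}

# Emit the iptables commands that exempt tunnelled traffic from NAT.
# They are inserted at position 1 of nat/POSTROUTING so they match before
# any MASQUERADE/SNAT rule; a packet rewritten by NAT first no longer
# matches the IPsec policy and never enters the tunnel.
# $1 = remote subnet, remaining args = local subnets (one per conn).
nat_exclusion_rules() {
    remote=$1; shift
    for local_net in "$@"; do
        echo "iptables -t nat -I POSTROUTING 1 -s $local_net -d $remote -j ACCEPT"
    done
}
```

On a live host run `check_redirects` as root; anything it lists is fixed with `sysctl -w net.ipv4.conf.<iface>.<key>=0`, and `nat_exclusion_rules 192.168.1.224/32 192.168.102.0/24 10.201.136.0/21` prints the rules for the two conns in the thread.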