[Openswan Users] Difficulties

Paul Wouters paul at xelerance.com
Tue Jun 9 20:49:06 EDT 2009

On Tue, 9 Jun 2009, João Kuchnier wrote:

> If both ends are openswan, use pfs=yes
> --> The other end they have a french appliance.


> Both tunnels establish, so my guess is this is a firewalling or
> routing issues. Are you excluding packets that are going to be
> tunneled from getting NAT'ed?
> --> Like I said on the first e-mail (I lost it too), I have a firewall with two zones, tunnels an hosts to both subnets on that end. 
> Everythin coming from or going to that end is accepted on firewall an nat'ed to the DMZ Openswan server.
> --> On the Openswan server there is another firewall (shorewall to) nat'ing some specific packages for two other servers on DMZ.
> --> /etc/shorewall/rules is like this: DNAT net net:192.168.1.x tcp 2xxx

But you might not be excluding all NAT ranges you are trying to tunnel?

> --> maybe this is the problem at all
> Jun  5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...
> Could use an update to openswan 2.4.14.
> --> I'm using an Ubuntu Server 8.10. This version is the newest on available in repositories...

Debian/ubuntu needs to learn not to ship ancient versions. I suggest you
upgrade to 2.4.14.

> What does 'ipsec verify' say?
> --> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                             	[OK]
> Linux Openswan U2.4.9/K2.6.24-19-server (netkey)
> Checking for IPsec support in kernel                        	[OK]
> NETKEY detected, testing for disabled ICMP send_redirects   	[FAILED]
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
> NETKEY detected, testing for disabled ICMP accept_redirects 	[FAILED]
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!

Fix those. grab a recent openswan-2.6.x release and check programs/examples/sysctl.conf.in
to see the entries you need to have.


More information about the Users mailing list