[Openswan Users] SA established, but no tunnel up and no route

CrashOverload at gmx.de
Wed Mar 18 08:40:47 EDT 2009

Hi guys,

I'm new to Openswan and had some problems getting it to work. The tunnel is established, but I cannot ping through it or access the HTTP server behind it.

I'm using Openswan 2.6.14 and CentOS 5.2.

Something that confuses me is that the SA is established, but "ipsec setup status" tells me that no tunnel is up.

I hope someone could help me.

My Config:

conn vpn

Initializing the IPsec tunnel:

ipsec auto --up vpn
104 "vpn" #1: STATE_MAIN_I1: initiate
003 "vpn" #1: ignoring unknown Vendor ID payload [424e455300000009]
003 "vpn" #1: received Vendor ID payload [Dead Peer Detection]
106 "vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
004 "vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "vpn" #2: STATE_QUICK_I1: initiate
004 "vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x00ef4659 <0x817d492a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}

IPsec verify output:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.14/K2.6.18-92.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

IPsec eroute output:
/usr/libexec/ipsec/eroute: NETKEY does not support eroute table.

IPsec setup status output:
IPsec running  - pluto pid: 18157
pluto pid 18157
No tunnels up

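The "ipsec auto --up vpn" output in the message above can be checked mechanically. The following is an added example, not part of the original post or of Openswan: it parses those status lines and reports the last state and negotiated parameters of each SA. The function names parse_whack and negotiation_summary are hypothetical.

```python
import re

# Output of "ipsec auto --up vpn", copied from the message above.
WHACK_OUTPUT = '''\
104 "vpn" #1: STATE_MAIN_I1: initiate
003 "vpn" #1: ignoring unknown Vendor ID payload [424e455300000009]
003 "vpn" #1: received Vendor ID payload [Dead Peer Detection]
106 "vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
004 "vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "vpn" #2: STATE_QUICK_I1: initiate
004 "vpn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x00ef4659 <0x817d492a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
'''

LINE_RE = re.compile(r'^\d{3} "([^"]+)" #(\d+): (STATE_[A-Z0-9_]+): (.*)$')
BRACES_RE = re.compile(r'\{([^}]*)\}')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')

def parse_whack(text):
    """Map each SA number (#1, #2, ...) to its last reported state and parameters."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # vendor ID and informational lines carry no state name
        conn, num, state, detail = m.groups()
        params = {}
        braces = BRACES_RE.search(detail)
        if braces:
            body = braces.group(1)
            spi = SPI_RE.search(body)
            if spi:
                params["esp_spis"] = spi.groups()  # the two ESP SPIs, in printed order
                body = SPI_RE.sub("", body)
            params.update(tok.split("=", 1) for tok in body.split() if "=" in tok)
        sas[int(num)] = {"conn": conn, "state": state,
                         "established": "SA established" in detail, "params": params}
    return sas

def negotiation_summary(sas):
    """Report whether an ISAKMP (phase 1) and an IPsec (phase 2) SA were established."""
    done = [sa["state"] for sa in sas.values() if sa["established"]]
    return {"isakmp": any(not s.startswith("STATE_QUICK") for s in done),
            "ipsec": any(s.startswith("STATE_QUICK") for s in done)}

if __name__ == "__main__":
    parsed = parse_whack(WHACK_OUTPUT)
    for num, sa in sorted(parsed.items()):
        print(num, sa["conn"], sa["state"], sa["params"])
    print(negotiation_summary(parsed))
```

It reports only what pluto negotiated; it says nothing about whether traffic is passing through the tunnel.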
