[Openswan Users] IPSEC VPN established but no connection or packets send

Markus Locher ml at as-support.com
Fri May 15 04:31:00 EDT 2009


Hi Paul,

thanks for answering quickly. I am going crazy.... OK, I don't think it is
something with the
openswan configuration. It seems that no packet goes through eth0 or it
is not the tunnel (see tcpdump).

The last version of openswan from SUSE 10.3 was a 2.4, as it is now. Can
there be a problem with the used
configuration parameters?

The tunnel is up and stable (see whack status), so where are the packets
going? How can I really be sure about
the tunnel's endpoints? I think this is the line within whack status
(first IPSECTUNNEL line with "erouted").

Regards Markus

-----------
FIREWALL:
YaST firewall is not installed. Plesk firewall is not active.

-----------
IP FORWARDING is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1
-----------
==> ping 192.168.0.11
==> tcpdump -v icmp and host 192.168.0.11
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

-----------
# ipsec whack --status      
000 interface lo/lo ::1                 
000 interface lo/lo 127.0.0.1           
000 interface lo/lo 127.0.0.2           
000 interface eth0/eth0 80.16.24.9   
000 interface eth0/eth0 192.168.0.100   
000 %myid = (none)                      
000 debug none                          
000                                     
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,288} attrs={0,2,96}
000
000 "IPSECTUNNEL": 192.168.0.0/24===80.16.24.9...21.9.1.23===192.168.0.0/24; erouted; eroute owner: #2
000 "IPSECTUNNEL":     srcip=192.168.0.100; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "IPSECTUNNEL":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "IPSECTUNNEL":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0; encap: udp;
000 "IPSECTUNNEL":   dpd: action:clear; delay:30; timeout:120;
000 "IPSECTUNNEL":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "IPSECTUNNEL":   IKE algorithms wanted: IDEA(5)_000-SHA1(2)-2, flags=strict
000 "IPSECTUNNEL":   IKE algorithms found:  IDEA(5)_192-SHA1(2)_160-2,
000 "IPSECTUNNEL":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "IPSECTUNNEL":   ESP algorithms wanted: 3DES(3)_000-SHA1(2), flags=strict
000 "IPSECTUNNEL":   ESP algorithms loaded: 3DES(3)_000-SHA1(2), flags=strict
000 "IPSECTUNNEL":   ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000
000 #2: "IPSECTUNNEL":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27962s; newest IPSEC; eroute owner
000 #2: "IPSECTUNNEL" esp.4bb63d4 at 21.9.1.23 esp.db4308f7 at 80.16.24.9 tun.0 at 21.9.1.23 tun.0 at 80.16.24.9
000 #1: "IPSECTUNNEL":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2596s; newest ISAKMP; lastdpd=28s(seq in:20421 out:0)
000

--------------
NAT settings on the Cisco router are the same as before.
It doesn't work with "nat_traversal=yes" or "no".
--------------
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.7/K2.6.27.21rootserver-20090324a (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
--------------

Paul Wouters wrote:
>
> Check with ipsec verify ?
> Check NAT settings
> Check firewall / forwarding
>
> Paul
>
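An added example, written for this page and not code from the thread or from Openswan: a script that pulls the tunnel endpoints, subnets and SA state out of the `ipsec whack --status` output quoted above and derives the tcpdump filter that would actually show the tunnel's packets on eth0. The embedded sample status is constructed from the lines in the message; the dictionary keys it produces (`leftsubnet`, `newest_ipsec_sa`, `spis`, ...) are the script's own naming. The caveat it encodes: with the NETKEY stack, cleartext handed to the tunnel is transformed before it reaches the device, so on the outbound side tcpdump on eth0 only ever sees the ESP packets to the peer (UDP port 4500 when the status says `encap: udp`); inbound packets are seen twice, encrypted and decrypted. A filter of `icmp and host 192.168.0.11` on eth0 returning zero packets therefore does not say whether the tunnel is carrying traffic.

```python
"""Read Openswan 2.4 `ipsec whack --status` output and answer two questions:
where does the tunnel terminate, and what tcpdump filter shows its traffic
on the outer interface under NETKEY.

Added example, not part of the original post or of Openswan. SAMPLE_STATUS
is constructed from the lines quoted in the message.
"""
import ipaddress
import re
import sys

SAMPLE_STATUS = """\
000 "IPSECTUNNEL": 192.168.0.0/24===80.16.24.9...21.9.1.23===192.168.0.0/24; erouted; eroute owner: #2
000 "IPSECTUNNEL":     srcip=192.168.0.100; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "IPSECTUNNEL":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0; encap: udp;
000 "IPSECTUNNEL":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "IPSECTUNNEL":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27962s; newest IPSEC; eroute owner
000 #2: "IPSECTUNNEL" esp.4bb63d4 at 21.9.1.23 esp.db4308f7 at 80.16.24.9 tun.0 at 21.9.1.23 tun.0 at 80.16.24.9
000 #1: "IPSECTUNNEL":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2596s; newest ISAKMP; lastdpd=28s(seq in:20421 out:0)
"""

# The connection summary line: leftsubnet===left...right===rightsubnet; eroute state
CONN_LINE = re.compile(r'^000 "(?P<name>[^"]+)":\s+(?P<tunnel>\S+===\S+===[^;\s]+);\s*(?P<eroute>\w+)')
SPI_AT = re.compile(r'esp\.([0-9a-f]+) at (\S+)')   # esp.SPI at <address of the SA's destination>
OWNER = re.compile(r'eroute owner:\s*(#\d+)')


def _strip_id(endpoint):
    # Openswan may append "[id]" or "<peer-id>" to an endpoint; keep only the address.
    return re.split(r'[\[<]', endpoint, maxsplit=1)[0]


def parse_status(text):
    """Return a dict describing the first connection found in the status text."""
    conn = {"spis": [], "erouted": False, "eroute_owner": None}
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if m and "name" not in conn:
            conn["name"] = m.group("name")
            lsub, ends, rsub = m.group("tunnel").split("===")
            left, right = ends.split("...")
            conn.update(leftsubnet=lsub, rightsubnet=rsub,
                        left=_strip_id(left), right=_strip_id(right))
            conn["erouted"] = m.group("eroute") == "erouted"
            owner = OWNER.search(line)
            if owner:
                conn["eroute_owner"] = owner.group(1)
            continue
        # "key: value;" fields such as policy/interface/encap and the newest-SA line
        if "policy:" in line or "newest ISAKMP SA" in line:
            for field in line.split('":', 1)[1].split(";"):
                if ":" in field:
                    key, value = field.split(":", 1)
                    conn[key.strip().lower().replace(" ", "_")] = value.strip()
        # SPI lines: the SA "at <peer>" is outbound, "at <our address>" is inbound
        conn["spis"].extend(SPI_AT.findall(line))
    return conn


def capture_filter(conn):
    """BPF filter that shows this tunnel's packets on the outer interface.
    NETKEY never shows outbound cleartext on eth0; only ESP does, or UDP 4500
    when NAT-T encapsulation is in use."""
    outer = "udp port 4500" if conn.get("encap") == "udp" else "esp"
    return f"host {conn['right']} and {outer}"


def findings(conn):
    """Checks a practitioner would run against the parsed status."""
    notes = []
    if not conn.get("erouted"):
        notes.append("connection is not erouted: no kernel policy installed, nothing is encrypted")
    if conn.get("newest_ipsec_sa") != conn.get("eroute_owner"):
        notes.append("eroute owner is not the newest IPsec SA: a stale SA may own the policy")
    lsub = ipaddress.ip_network(conn["leftsubnet"])
    rsub = ipaddress.ip_network(conn["rightsubnet"])
    if lsub.overlaps(rsub):
        notes.append(f"left and right subnets overlap ({lsub} and {rsub}): a packet to a host in "
                     "that range matches both the tunnel policy and the local link; site-to-site "
                     "tunnels need distinct (or NATed) subnets on the two ends")
    if len(conn["spis"]) < 2:
        notes.append("fewer than two ESP SPIs: no complete inbound/outbound SA pair")
    return notes


if __name__ == "__main__":
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    c = parse_status(text)
    print(f"{c['name']}: {c['leftsubnet']} via {c['left']} <-> {c['right']} to {c['rightsubnet']}")
    print(f"erouted={c['erouted']} owner={c['eroute_owner']} newest IPsec SA={c.get('newest_ipsec_sa')}")
    print("tcpdump -ni", c.get("interface", "eth0"), capture_filter(c))
    for note in findings(c):
        print("WARNING:", note)
```

Pipe `ipsec whack --status` into the script, or run it without input to see the result on the embedded sample. For the kernel-side view on a NETKEY host, `ip xfrm policy` lists the selectors that were installed for the erouted connection and `ip -s xfrm state` shows per-SA packet and byte counters; watching those counters while the ping runs tells you whether packets enter the outbound SA at all, which a cleartext tcpdump on eth0 cannot.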


