[Openswan Users] IPSEC VPN established but no connection or packets send

Markus Locher ml at as-support.com
Fri May 15 04:31:00 EDT 2009

Hi Paul,

Thanks for answering quickly. I am going crazy... OK, I don't think it is
something with the Openswan configuration. It seems that no packet goes
through eth0, or it is not the tunnel (see tcpdump).

The last version of Openswan from SUSE 10.3 was a 2.4, as it is now. Can
there be a problem with the configuration parameters used?

The tunnel is up and stable (see whack status), so where are the packets
going? How can I really be sure about the tunnel's endpoints? I think this
is the line within whack status (the first IPSECTUNNEL line with "erouted").

Regards, Markus

YaST Firewall is not installed. Plesk Firewall is not active.

IP FORWARDING is enabled:
# cat /proc/sys/net/ipv4/ip_forward
==> ping
==> tcpdump -v icmp and host
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
0 packets captured
0 packets received by filter
0 packets dropped by kernel

# ipsec whack --status      
000 interface lo/lo ::1                 
000 interface lo/lo           
000 interface lo/lo           
000 interface eth0/eth0   
000 interface eth0/eth0   
000 %myid = (none)                      
000 debug none                          
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
trans={0,2,288} attrs={0,2,96}
000 "IPSECTUNNEL":; erouted;
eroute owner: #2
000 "IPSECTUNNEL":     srcip=; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "IPSECTUNNEL":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "IPSECTUNNEL":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24;
interface: eth0; encap: udp;
000 "IPSECTUNNEL":   dpd: action:clear; delay:30; timeout:120;
000 "IPSECTUNNEL":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "IPSECTUNNEL":   IKE algorithms wanted: IDEA(5)_000-SHA1(2)-2,
000 "IPSECTUNNEL":   IKE algorithms found:  IDEA(5)_192-SHA1(2)_160-2,
000 "IPSECTUNNEL":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "IPSECTUNNEL":   ESP algorithms wanted: 3DES(3)_000-SHA1(2),
000 "IPSECTUNNEL":   ESP algorithms loaded: 3DES(3)_000-SHA1(2),
000 "IPSECTUNNEL":   ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=<N/A>
000 #2: "IPSECTUNNEL":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27962s; newest IPSEC; eroute owner
000 #2: "IPSECTUNNEL" esp.4bb63d4 at esp.db4308f7 at
tun.0 at tun.0 at
000 #1: "IPSECTUNNEL":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2596s; newest ISAKMP; lastdpd=28s(seq in:20421 out:0)

NAT settings on the Cisco router are the same as before.
It doesn't work with "nat_traversal=yes" or "no".
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.7/K2.6.27.21rootserver-20090324a (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Paul Wouters wrote:
> Check with ipsec verify ?
> Check NAT settings
> Check firewall / forwarding
> Paul

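A small check written for this thread (an added example, not code from the original mail or from Openswan): it parses the per-connection lines of "ipsec whack --status", using constructed sample output with documentation addresses in place of the endpoints the quoted output lost, reports whether the connection is erouted with an established IPsec SA, and derives the tcpdump filter that can actually see the tunnel traffic on the outer interface.

```python
import re

# Constructed sample in the shape of the "ipsec whack --status" lines quoted in
# the mail; networks and endpoints are documentation addresses (assumed values).
SAMPLE_STATUS = """\
000 "IPSECTUNNEL": 192.168.10.0/24===203.0.113.1...198.51.100.2===192.168.20.0/24; erouted; eroute owner: #2
000 "IPSECTUNNEL":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0; encap: udp;
000 "IPSECTUNNEL":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "IPSECTUNNEL":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27962s; newest IPSEC; eroute owner
000 #1: "IPSECTUNNEL":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2596s; newest ISAKMP; lastdpd=28s(seq in:20421 out:0)
"""

# The connection summary line carries the real endpoints and the routing state.
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?P<leftnet>\S+)===(?P<leftip>\d+(?:\.\d+){3})'
    r'\.\.\.(?P<rightip>\d+(?:\.\d+){3})===(?P<rightnet>[^;]+); (?P<routing>[^;]+);'
    r'(?: eroute owner: #(?P<owner>\d+))?'
)
KV_KEYS = {"interface": "interface", "encap": "encap",
           "newest ISAKMP SA": "newest_isakmp", "newest IPsec SA": "newest_ipsec"}
KV_RE = re.compile(r'(interface|encap|newest ISAKMP SA|newest IPsec SA): ([^;]+);')
SA_RE = re.compile(r'^000 #(?P<sa>\d+): "[^"]+":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')

def parse_whack_status(text):
    """Reduce pluto's status output to what matters when a tunnel looks up but
    carries nothing: real endpoints, whether the connection is erouted (kernel
    policy installed) and whether the newest IPsec SA is really established."""
    info = {"sa_states": {}}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            info.update({k: v for k, v in m.groupdict().items() if v is not None})
            continue
        for key, val in KV_RE.findall(line):
            info[KV_KEYS[key]] = val.strip()
        m = SA_RE.match(line)
        if m:
            info["sa_states"][m["sa"]] = (m["state"], m["desc"])
    newest = info.get("newest_ipsec", "").lstrip("#")
    _, desc = info["sa_states"].get(newest, ("", ""))
    info["ipsec_sa_established"] = "IPsec SA established" in desc
    info["tunnel_ready"] = info.get("routing") == "erouted" and info["ipsec_sa_established"]
    return info

def capture_filter(info):
    """tcpdump arguments that show the tunnel on the outer interface. With NETKEY
    the outbound cleartext is encrypted before it reaches eth0, so a filter for
    'icmp' there sees nothing; look for ESP, or UDP/4500 when encap is udp."""
    outer = "udp port 4500" if info.get("encap") == "udp" else "esp"
    return f"-i {info.get('interface', 'any')} {outer} and host {info['rightip']}"
```

On the gateway itself, "ip xfrm state" and "ip xfrm policy" show whether the kernel actually holds the SAs and policies that pluto reports.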