[Openswan Users] Problem with networking traffic past the tunnel
me at jayftw.com
Tue Nov 3 16:32:05 EST 2009
Here is what it says when I do "ipsec verify"
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.16/K22.214.171.124-5-pae (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: DNSZONE [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 98.x.x.x.in-addr.arpa. [MISSING]
Looking for TXT in reverse dns zone: 202.x.x.x.in-addr.arpa. [MISSING]
Not sure what that means, so any help is appreciated. Any additional thoughts
related or unrelated to this? Thanks!
On Tue, Nov 3, 2009 at 1:45 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Tue, 3 Nov 2009, Jay Smith wrote:
>> Greetings fellow travellers. I have an interesting problem that I
>> hope someone can help illuminate.
>> We have a 'working' tunnel. The remote site (192.168.50.xx, Cisco
>> ASA 3000 series) is able to ping the local gateway box (Suse
>> Enterprise Linux 11, kernel 126.96.36.199-5-pae) at 172.38.xx.xxx, but
>> nothing beyond the gateway on the local side;
> Usually that means forwarding is disabled, or some accidental NAT is
> What does "ipsec verify" say?
> There might also be issues if the ipsec gateway is not the default gateway,
> and return packets never reach it due to a missing route back to the ipsec
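Added example, not from the thread or from Openswan's own tooling: a POSIX shell audit of the settings the "ipsec verify" output above flags (the conf/*/send_redirects and accept_redirects keys, plus the ip_forward check Paul's reply points at), run over a constructed sysctl dump so it needs neither root nor a live host, and printing the sysctl.conf lines that would clear the [FAILED] items. The dump format is assumed to be that of `sysctl -a` ("key = value").

```shell
#!/bin/sh
# Added example, not part of the thread. Audits the settings the "ipsec verify"
# output above reports, from a text dump instead of the live /proc tree.
# Constructed sample shaped like `sysctl -a | grep -E 'redirects|ip_forward'`
# on a box that fails both redirect checks but passes the forwarding check.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.accept_redirects = 0'

# List every net.ipv4.conf.*.{send,accept}_redirects key that is not 0.
# Prints one key per line; exits 1 if any is found (the verify [FAILED] case).
find_enabled_redirects() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.(send|accept)_redirects$/ && $3 != "0" {
            print $1; bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Exit 0 when net.ipv4.ip_forward = 1 (what "checking IP forwarding [OK]" needs),
# 1 otherwise; disabled forwarding is the first cause Paul's reply suggests.
forwarding_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "net.ipv4.ip_forward" && $3 == "1" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Emit /etc/sysctl.conf lines that clear each flagged key; "all" and "default"
# also cover interfaces that appear later. Apply with `sysctl -p` as root,
# which this function deliberately does not do.
sysctl_fix_lines() {
    find_enabled_redirects "$1" | sed 's/$/ = 0/'
}

# Run the audit on the constructed sample: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "redirect keys still enabled:"
    find_enabled_redirects "$SAMPLE_SYSCTL" || true
    forwarding_enabled "$SAMPLE_SYSCTL" && echo "ip_forward: OK" || echo "ip_forward: FAILED"
    echo "suggested sysctl.conf lines:"
    sysctl_fix_lines "$SAMPLE_SYSCTL"
fi
```

To audit the real gateway, replace SAMPLE_SYSCTL with the output of `sysctl -a` captured on that box.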