[Openswan Users] Problem with networking traffic past the tunnel

Jay Smith me at jayftw.com
Tue Nov 3 16:32:05 EST 2009

    Here is what it says when I do "ipsec verify"
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.16/K2.6.27.19-5-pae (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: DNSZONE                [MISSING]
   Does the machine have at least one non-private address?      [OK]
   Looking for TXT in reverse dns zone: 98.x.x.x.in-addr.arpa.    [MISSING]
   Looking for TXT in reverse dns zone: 202.x.x.x.in-addr.arpa.    [MISSING]
Not sure what that means so any help is appreciated. Any additional thoughts
related or unrelated to this? Thanks!



On Tue, Nov 3, 2009 at 1:45 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 3 Nov 2009, Jay Smith wrote:
>  Greetings fellow travellers. I have an interesting problem that I
>> hope someone can help illuminate.
>>   We have a 'working' tunnel. The remote site (192.168.50.xx, Cisco
>> ASA 3000 series) is able to ping the local gateway box (Suse
>> Enterprise Linux 11, kernel at 172.38.xx.xxx, but
>> nothing beyond the gateway on the local side;
> Usually that means forwarding is disabled, or some accidental NAT is
> happening.
> What does "ipsec verify" say?
> There might also be issues if the ipsec gateway is not the default gateway,
> and return packets never reach it due to a missing route back to the ipsec
> server.
> Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20091103/85e2874d/attachment-0001.html 

More information about the Users mailing list