[Openswan Users] dns via IPSEC tunnel

aurfalien at gmail.com aurfalien at gmail.com
Wed Dec 8 16:46:30 EST 2010

On Dec 7, 2010, at 10:29 PM, Paul Wouters wrote:

> On Tue, 7 Dec 2010, aurfalien at gmail.com wrote:
>> I finally got Openswan 2.14 to work with Centos 5.5
> That's not a valid version number. Did you mean 2.4.14 ?

yes, typo.

>> openswan 2.6.x works fine on centos 5.5

How did you deal with the following error;

ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
ipsec__plutorun: 002 added connection description "vinz"
ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new  
style NAT-T family IPv4 (errno=19)
ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T

And just sits there.

While ipsec is still started, I do ipsec verify and get;

Version check and ipsec on-path								OK
Linux Openswan U2.6.26/K2.6.18-194.11.1.el5					OK
Checking for IPsec support in kernel							OK
SAref kernel support											N/A
NETKEY detected, testing for disabled ICMP send_redirects		FAILED

	Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
	or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects		FAILED

	Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
	or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running									OK
Pluto listening for IKE on udp 500								OK
Pluto listening for NAT-T on udp 4500							OK
two or more interfaces found, checking for IP forwarding			OK
Checking NAT and MASQUERADING							N/A
Checking for 'ip' command										OK
Checking for 'iptables' command								OK
Opportunistic Encryption Support								DISABLED

Any nuggets are GREATLY appreciated.

PS I do have ICMP send and accept redirects set as 0 in my sysctl.conf  
file for all interfaces and for both IPV4/6 so I'm unsure why ipsec  
verify says its not.

More information about the Users mailing list