[Openswan Users] Old user having troubles with new techniques

Bob Miller bob at computerisms.ca
Wed Jun 30 12:54:29 EDT 2010


Hi Larry,
I can't give you a specific answer, but I can say my personal rules of
thumb in troubleshooting these problems.
First, once the tunnel comes up, I have found that in general you don't
need to mess with your openswan config anymore.  As a rule, at least for
me, the only thing you can add is features to the tunnel, such as being able
to ping the gateway on the other end.
Once I see "SA established", the next place I look is the l2tp log.  If
I find an error in there, I fix it.  I don't recall seeing that you were
using l2tp, so it probably doesn't apply in your case.
If the tunnel is up and the PPP/L2TP session established, then my rule
is: "stop looking elsewhere, the problem is iptables".  I know it won't
*always* work out like that, but I have yet to find an exception.
Since you are using netkey, you will need to mark your packets with
iptables as they are accepted, then the remaining iptables rules will be
used to match on those marks.  This took me a long while to wrap my head
around when I first started playing with it, but in the end it works for
me every time now.
This link is the one from Peter McGill that finally helped me piece it
all together, hopefully it gives you example enough to work from:
http://archives.free.net.ph/message/20080110.130102.6808daae.ja.html
good luck, persistence is key...

On Wed, 2010-06-30 at 10:28 -0400, Larry Brown wrote:
> Just in case it helps this is the output from the tunnel:
> 
> 104 "road" #1: STATE_MAIN_I1: initiate
> 003 "road" #1: received Vendor ID payload [Openswan (this version) 2.6.27 ]
> 003 "road" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "road" #1: received Vendor ID payload [RFC3947] method set to=109
> 106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
> 108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "road" #1: received Vendor ID payload [CAN-IKEv2]
> 004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
> 117 "road" #2: STATE_QUICK_I1: initiate
> 004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1b9a005a <0x82c74892 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
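The netkey mark-then-match approach Bob describes, written out as an added example (not code from this thread or from Peter McGill's linked post): with netkey there is no ipsec0 interface to filter on, so the policy match tags packets the kernel decrypted from an IPsec SA, and the filter rules trust only that mark. Interface names, subnets and the mark value are assumed placeholders; the script prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: NETKEY has no ipsec0 interface, so packets that came out of
# an IPsec SA are marked in mangle/PREROUTING via the xt_policy match, and the
# filter table matches on that mark instead of on an interface name.
# Assumed (hypothetical) topology: LAN 192.168.1.0/24 behind eth1, WAN on eth0,
# remote tunnel subnet 10.0.0.0/24, mark value 0x1.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
REMOTE_NET="${REMOTE_NET:-10.0.0.0/24}"
IPSEC_MARK="${IPSEC_MARK:-0x1}"

# Rules are printed for review by default; APPLY=1 runs iptables for real.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

mark_ipsec_traffic() {
    # Step 1: mark every packet the kernel just decrypted from an ESP SA.
    # "--dir in --pol ipsec" is the NETKEY equivalent of "-i ipsec0".
    ipt -t mangle -A PREROUTING -m policy --dir in --pol ipsec --proto esp \
        -j MARK --set-mark "$IPSEC_MARK"
}

filter_on_mark() {
    # Step 2: accept remote->LAN traffic only when it carries the mark, so a
    # cleartext packet from the WAN spoofing a tunnel source address is dropped.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$REMOTE_NET" -d "$LAN_NET" \
        -m mark --mark "$IPSEC_MARK" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -s "$REMOTE_NET" \
        -m mark ! --mark "$IPSEC_MARK" -j DROP
    # LAN->remote traffic may leave only if an outbound IPsec policy covers it.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
}

# Emits (or applies) the four rules in order: one mangle mark, three filter.
apply_rules() {
    mark_ipsec_traffic
    filter_on_mark
}

apply_rules
```

Run with no arguments to review the generated rules; APPLY=1 as root installs them, and `iptables -t mangle -L PREROUTING -v` should then show the mark rule's counters climbing as tunnel traffic arrives.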
