[Openswan Users] Openswan with NETKEY and monitoring data

Mark Dalton mdalton at princeton.edu
Fri Apr 8 11:22:34 EDT 2011

I will try this again. Does anyone know if I can do this and what I need to do to accomplish this? I am just trying to help out a research group. We just want to be able to monitor the packets with tcpdump, both sent and received, and be able to see which client (on the right hand side) is accessing on the

I just need a pointer in the right direction; I am not sure why I needed to have:

I have tweaked things back and forth to see what I need to do: routing, etc.

I may have translated the below incorrectly. However, with leftsubnet= it is working, but not with leftsubnet=. However, do you know what I would need to do to be able to see the packets on my openswan server?
(I am willing to redirect it to another ethernet as a gateway to the internet or a virtual interface.) The server I was asked to do this on is Ubuntu 10.10 (maverick):
         Linux Openswan U2.6.26/K2.6.35-28-generic (netkey) 
(1:2.6.26+dfsg-1 )
         2.6.35-28-generic #49-Ubuntu SMP (2.6.35-28.49)

This is what I heard indirectly from the people with the
right side Cisco VPN.

 > SA that established was for -
 > IPSEC FLOW: permit ip host
 > xxx.xxx.xx.174
 > They need to re-identify their permitted traffic (on Cisco it is
 > done
 > in the Crypto ACL) to allow any IP traffic to the mobile pool, not
 > just one host. This is to mirror-reverse match what we have
 > configured on our side -
 > IPSEC FLOW: permit ip

       eth2 network  - OpenSwan (eth0)  -- Internet --  Remote Cisco     
(xxx.xxx.xx.233)    ( or

  Left OpenSwan Server:
     eth0 (inet addr:xxx.xxx.xx.174  Bcast:xxx.xxx.xx.255  
     ??? ????
     eth2 (inet addr:  Bcast:  

  Right Cisco 7000 (or around that I only know what they sent me):
     Internet IP - xxx.xxx.xx.233
     subnet -  ( or

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt 
Iface UG        0 0          0 
eth0 U         0 0          0 
xxx.xxx.xx.0   U         0 0          0 
eth0     U         0 0          0 
eth0         xxx.xxx.xx.1         UG        0 0          0 

config setup
#       nat_traversal=yes
         uniqueids = yes

conn cisco-swan
         type=           tunnel
         authby=         secret
         # Local OpenSwan
         left=           xxx.xxx.xx.174
#        leftsubnet=
         leftnexthop=    %defaultroute
         # Remote/Cisco router IP Address
         right=          xxx.xxx.xx.233
         rightnexthop=   %defaultroute
         phase2alg=      3des-sha1
         ike=            3des-sha1
         keyexchange=    ike
         pfs=            no

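As an added example (not part of the post, and not Openswan's or Cisco's own code), a small Python check of the point the Cisco side raised: their crypto ACL has to be the mirror image of the traffic selectors Openswan proposes, and when leftsubnet is omitted Openswan proposes only the left host address (/32), which is why a "permit ip host ..." flow matches in that case but not once a whole subnet is configured. All addresses, subnets and the flow line are constructed placeholders; the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample of the conn stanza from the post; subnets are placeholders.
IPSEC_CONF = """
conn cisco-swan
         type=           tunnel
         left=           192.0.2.174
         leftsubnet=     10.10.0.0/16
         right=          198.51.100.233
         rightsubnet=    10.20.0.0/24
"""

# Constructed: the flow the Cisco side reports ("permit ip <src> <dst>", its view).
CISCO_FLOWS = ["permit ip 10.20.0.0 0.0.0.255 host 192.0.2.174"]

def parse_conn(text):
    """Return the (local, remote) traffic selectors Openswan will propose."""
    opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", text, re.M))
    # A missing leftsubnet/rightsubnet means the endpoint address itself (/32).
    local = ipaddress.ip_network(opts.get("leftsubnet", opts["left"] + "/32"), strict=False)
    remote = ipaddress.ip_network(opts.get("rightsubnet", opts["right"] + "/32"), strict=False)
    return local, remote

def parse_cisco_ace(ace):
    """Parse a 'permit ip' entry whose sides are 'any', 'host A' or 'A wildcard'."""
    toks, nets = ace.split()[2:], []
    while len(nets) < 2:
        if toks[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); toks = toks[1:]
        elif toks[0] == "host":
            nets.append(ipaddress.ip_network(toks[1] + "/32")); toks = toks[2:]
        else:  # address + wildcard mask; ipaddress accepts a hostmask after '/'
            nets.append(ipaddress.ip_network(toks[0] + "/" + toks[1])); toks = toks[2:]
    return nets[0], nets[1]

def mirror_mismatches(conf, flows):
    """List Cisco flows that are not the mirror image of Openswan's selectors."""
    local, remote = parse_conn(conf)
    bad = []
    for ace in flows:
        csrc, cdst = parse_cisco_ace(ace)
        # Mirror rule: Cisco's src must equal our rightsubnet, its dst must cover our leftsubnet.
        if csrc != remote or not local.subnet_of(cdst):
            bad.append(f"{ace}: covers {cdst}<->{csrc}; Openswan proposes {local}<->{remote}")
    return bad
```

Running it on the sample reports the host-only Cisco flow as a mismatch; removing leftsubnet from the stanza (host-to-host, as in the working case) or widening the Cisco destination to the subnet clears it.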