[Openswan Users] Can't get traffic over ipSec
Martin Walker
martin at marsjupiter.com
Tue Aug 30 07:52:47 EDT 2011
I am using OpenSwan on Centos6
When I could not get traffic using the default install I compiled 2.6.35 (klips)
I get a tunnel established:
#ipsec eroute
0 10.0.0.0/16 -> 10.1.0.0/16 => tun0x1004 at 62.128.215.101
But when I try and ping from either end I get:
# tail /var/log/messages
Aug 30 12:37:24 ipsec kernel: klips_debug:rj_match: ** try to match a leaf, t=0pffff8800035e6c00
Aug 30 12:37:24 ipsec kernel: klips_debug:rj_match: *** start searching up the tree, t=0pffff8800035e6c00
Aug 30 12:37:24 ipsec kernel: klips_debug:rj_match: **** t=0pffff8800035e6c30
Aug 30 12:37:24 ipsec kernel: klips_debug:rj_match: **** t=0pffff88003e2fde38
Aug 30 12:37:24 ipsec kernel: klips_debug:rj_match: ***** cp2=0pffff88003bc88358 cp3=0pffff88003d545f20
Aug 30 12:37:24 ipsec kernel: klips_debug:rj_match: ***** not found.
Aug 30 12:37:24 ipsec kernel: klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=109.169.13.252, er=0p(null), daddr=10.1.100.100, er_dst=0, proto=1 sport=0 dport=0
Aug 30 12:37:24 ipsec kernel: klips_debug:ipsec_xmit_encap_bundle: shunt SA of DROP or no eroute: dropping.
Aug 30 12:37:24 ipsec kernel: klips_debug:ipsec_xsm: processing completed due to IPSEC_XMIT_STOLEN.
Aug 30 12:37:24 ipsec kernel: klips_debug:ipsec_tunnel_start_xmit: encap_bundle failed: 2
I have routes set up:
#route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
109.169.13.128  *               255.255.255.128 U     0      0        0 eth0
10.0.0.0        *               255.255.0.0     U     0      0        0 eth1
10.1.0.0        *               255.255.0.0     U     0      0        0 ipsec0
link-local      *               255.255.0.0     U     1002   0        0 eth0
link-local      *               255.255.0.0     U     1003   0        0 eth1
default         109.169.13.129  0.0.0.0         UG    0      0        0 eth0
# ifconfig
eth0      Link encap:Ethernet  HWaddr 36:0F:8E:FE:F2:81
          inet addr:109.169.13.252  Bcast:109.169.13.255  Mask:255.255.255.128
          inet6 addr: fe80::340f:8eff:fefe:f281/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4596 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1089 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:271328 (264.9 KiB)  TX bytes:679855 (663.9 KiB)
          Interrupt:43

eth1      Link encap:Ethernet  HWaddr 6E:E9:AC:34:54:BB
          inet addr:10.0.100.100  Bcast:10.0.255.255  Mask:255.255.0.0
          inet6 addr: fe80::6ce9:acff:fe34:54bb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3135 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:370105 (361.4 KiB)  TX bytes:720 (720.0 b)
          Interrupt:44

ipsec0    Link encap:Ethernet  HWaddr 36:0F:8E:FE:F2:81
          inet addr:109.169.13.252  Mask:255.255.255.255
          inet6 addr: fe80::340f:8eff:fefe:f281/128 Scope:Link
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:5 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Any ideas would be appreciated.
regards
Martin Walker
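
Added example, not part of the original post and not Openswan code: KLIPS selects an eroute on both the source and the destination address of the outgoing packet, so this Python check compares the saddr/daddr from the ipsec_xmit_SAlookup line against the selectors printed by `ipsec eroute`. The sample strings are copied from the output quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Sample input copied from the `ipsec eroute` and klips_debug output quoted above.
EROUTE_OUTPUT = "0 10.0.0.0/16 -> 10.1.0.0/16 => tun0x1004 at 62.128.215.101"
KLIPS_LOG = (
    "Aug 30 12:37:24 ipsec kernel: klips_debug:ipsec_xmit_SAlookup: checking "
    "for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets "
    "saddr=109.169.13.252, er=0p(null), daddr=10.1.100.100, er_dst=0, proto=1 "
    "sport=0 dport=0\n"
)

EROUTE_RE = re.compile(r"(\S+/\d+)\s+->\s+(\S+/\d+)\s+=>\s+(\S+)")
PACKET_RE = re.compile(r"saddr=([\d.]+),.*?daddr=([\d.]+)")


def parse_eroutes(text):
    """Return (src_net, dst_net, sa) for each eroute in `ipsec eroute` output."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), sa)
            for s, d, sa in EROUTE_RE.findall(text)]


def parse_packets(log):
    """Return (saddr, daddr) for each packet KLIPS logged in SAlookup lines."""
    return [(ipaddress.ip_address(s), ipaddress.ip_address(d))
            for s, d in PACKET_RE.findall(log)]


def check_packet(saddr, daddr, eroutes):
    """Return the SA of the eroute covering the packet and why others miss."""
    misses = []
    for src_net, dst_net, sa in eroutes:
        if saddr in src_net and daddr in dst_net:
            return sa, misses
        if saddr not in src_net:
            misses.append(f"source {saddr} is outside {src_net}")
        if daddr not in dst_net:
            misses.append(f"destination {daddr} is outside {dst_net}")
    return None, misses


if __name__ == "__main__":
    eroutes = parse_eroutes(EROUTE_OUTPUT)
    for saddr, daddr in parse_packets(KLIPS_LOG):
        sa, misses = check_packet(saddr, daddr, eroutes)
        print(f"{saddr} -> {daddr}:", sa or "no eroute; " + "; ".join(misses))
```

Run against the quoted output, the logged packet carries the eth0/ipsec0 address as its source, while a packet sourced from the eth1 address 10.0.100.100 falls inside the eroute.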