[Openswan Users] IPSEC tunnelling between OPENSWAN and router CISCO 1900: ping is not OK

Paul Wouters paul at xelerance.com
Mon Feb 14 14:44:31 EST 2011


On Mon, 14 Feb 2011, Maurice SELLIN wrote:

> I want to realize an IPSEC tunnel between a linux station and a cisco router 1900.
> The initialization phases IKE and ESP are now OK, but the ping command doesn't work between the 2 private interfaces (no response)

> conn jsat
>         left=La.Lb.Lc.Ld
>         leftsubnet=10.0.0.0/24
>         leftnexthop=Ra.Rb.Rc.Rd
>         leftsourceip=10.0.0.1
> 
>         right=Ra.Rb.Rc.Rd
>         rightsubnet=10.1.0.0/24
>         rightsourceip=10.1.0.1
>         rightnexthop=La.Lb.Lc.Ld
>        
>         ike=aes128-sha1;modp1024
>         phase2=esp
>         phase2alg=aes128-sha1;modp1024
>        
>         pfs=yes
>         authby=secret
>         auto=add

Remove the blank lines, or use indented "#" symbols

> 004 "jsat" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}

> 004 "jsat" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd693fe78 <0x411d2446 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> 
> 
> on linux station
> ================
> ping -I 10.0.0.1 10.1.0.1
> I can see the ESP protocol message from La.Lb.Lc.Ld to Ra.Rb.Rc.Rd but not the response Ra.Rb.Rc.Rd to La.Lb.Lc.Ld

Run "ipsec verify" and see what it says. For testing, disable the firewall and see if that
makes a difference.

Paul
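A diagnostic to go with the advice above, added here and not part of the thread or of Openswan itself: it reads the per-SA packet counters that the kernel keeps (`ip -s xfrm state`) and tells you whether ESP is leaving, returning, or returning and then being dropped locally. The sample output is constructed around the two SPIs from the log lines quoted above; `sa_counters` and `esp_verdict` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample of "ip -s xfrm state" for the quoted SAs: the outbound
# SA (spi 0xd693fe78) has carried 40 packets, the inbound one (0x411d2446)
# has received nothing, which matches "ESP goes out, no response comes back".
SAMPLE_XFRM='src La.Lb.Lc.Ld dst Ra.Rb.Rc.Rd
    proto esp spi 0xd693fe78 reqid 16385 mode tunnel
    lifetime config:
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      4240(bytes), 40(packets)
src Ra.Rb.Rc.Rd dst La.Lb.Lc.Ld
    proto esp spi 0x411d2446 reqid 16385 mode tunnel
    lifetime config:
      limit: soft (INF)(packets), hard (INF)(packets)
    lifetime current:
      0(bytes), 0(packets)'

# Read "ip -s xfrm state" text on stdin; print "<src> <dst> <spi> <packets>"
# for every ESP SA, taking the count from the "lifetime current:" block only
# (the "lifetime config:" block also mentions "(packets)" and must be skipped).
sa_counters() {
    awk '
        /^src /              { src = $2; dst = $4 }
        /proto esp/          { for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1) }
        /lifetime current:/  { cur = 1; next }
        cur && /\(packets\)/ {
            n = $0; sub(/.*, */, "", n); sub(/\(packets\).*/, "", n)
            print src, dst, spi, n; cur = 0
        }'
}

# Sum packets on SAs leaving this gateway versus SAs arriving at it and name
# the failure mode. Usage on the gateway: ip -s xfrm state | esp_verdict <local IP>
esp_verdict() {
    me=$1
    sa_counters | awk -v me="$me" '
        $1 == me { out += $4 }
        $2 == me { in_ += $4 }
        END {
            if (out == 0)      print "NO_TRAFFIC: nothing leaves over ESP; check xfrm policy and routing for the subnets"
            else if (in_ == 0) print "NO_REPLY: ESP leaves but none returns; look at the peer side and at the path in between"
            else               print "REPLIES_ARRIVE: ESP replies reach this host; if ping still fails, check the local firewall"
        }'
}

# Demo on the constructed sample (prints the NO_REPLY line).
printf '%s\n' "$SAMPLE_XFRM" | esp_verdict La.Lb.Lc.Ld
```

Run it for real on the Linux side while the ping is going; if the inbound counter stays at zero the packets are not coming back from the Cisco at all, so the local firewall is not the first place to look.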

