[Openswan Users] Trying to get basics down

Chris Ditri grooveman at brokensolstice.com
Thu May 19 09:33:12 EDT 2011

Okay... according to tcpdump, the tunnel has been established:

tcpdump -n -i eth0 |grep -i esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:26:34.689663 IP >  
ESP(spi=0x7e2eb1cb,seq=0x24), length 148
09:26:34.697211 IP >  
ESP(spi=0x0209e228,seq=0x17), length 148
09:26:34.697530 IP >  
ESP(spi=0x7e2eb1cb,seq=0x25), length 100

... but I'm still not sure why I'm getting this when I try to verify:

Pluto listening for NAT-T on udp 4500                           [FAILED]
Two or more interfaces found, checking IP forwarding            [FAILED]

Like I said, there is no nat on my simple network, and IP forwarding  
has been enabled on both boxes: net.ipv4.ip_forward = 1 (from  

I know this may be rudimentary stuff, but I have looked, and I cannot  
find an answer... (though I have seen people with the same problem).

I appreciate the help.


Quoting Chris <cjdl01 at brokensolstice.com>:

> Okay,
> I have been fussing with this for some time now, and I even bought the
> PACT Openswan book, and read every word up to and through chapter 4 --
>   but this is still not working for me.
> I don't know how much of my misunderstanding is due to things being
> outdated, how much is due to the differences of ipsec implementation
> from distro to distro, and how much of it is me just missing the
> mark... but I'm no noob to linux.
> Anyway,
> I made a test environment with 4 machines on my own network -- no nat
> anywhere.  The network is -- acting as my test "Internet".
>   The left machine is connected via crossover cable to a computer,
> leftcomp1.  The right machine is connected via crossover cable to a
> computer, rightcomp1.
> I am using Debian Squeeze.  I installed openswan.  I put this in my
> sysctl.conf:
> net.ipv4.conf.default.send_redirects = 0
> net.ipv4.conf.all.send_redirects = 0
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.all.accept_redirects = 0
> net.ipv4.ip_forward = 1
> net.ipv4.conf.default.rp_filter = 0
> I setup my ipsec.conf as on page 82:
> config setup
>          protostack=netkey
>          interfaces=%defaultroute
> conn %default
>      authby=rsasig
> conn west-east
>      left=
>      right=
>      type=tunnel
> leftrsasigkey=0sAwEAAcs7JqTAxnSomeLongStringTakenFromShowHostKey....
> rightrsasigkey=0sAwEAAarDoUWtx/0d7j+X6iKKNKmaeySomeLongStringTakenFromShowHostKey...
>      auto=start
> At this point, I'm not using KLIPS, because I couldn't find a package
> for Debian for this, and I just want to get this thing working... I
> didn't want to have to compile a custom kernel.  I don't even know if
> KLIPS is recommended anymore (though it is encouraged in the book).
> So, I start up ipsec like so:  /etc/init.d/ipsec start
> It starts with  no complaints, but when I issue:  ipsec verify
> I get:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking that pluto is running                                  [OK]
> Pluto listening for IKE on udp 500                              [OK]
> Pluto listening for NAT-T on udp 4500                           [FAILED]
> Two or more interfaces found, checking IP forwarding            [FAILED]
> Checking NAT and MASQUERADEing                                  [N/A]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
> I don't understand the failures here.  I'm not using NAT, so I don't
> know why Pluto is looking for it.  I enabled ip forwarding, so I don't
> know why that is failing either.  I cannot find any help on this
> anywhere, least of all the deiban forums.  The wiki  page that Paul
> was nice enough to publish, doesn't include this sort of information
> -- even though I tried it.  I also tried the most basic setup on the
> openswan wiki -- which likewise didn't work.  I think that perhaps
> these failures are getting in my way.
> Could someone please lend a hand? How do I get rid of these failures?
> Thank you.
> -Chris
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Reduce spam!  Send emails only from your trusted email service --  
Avoid entering
a friend's email address on any web site (such as "social-networking"  
sites, an
"e-card" service, or page that asks you to "mail to a friend").  RESPECTABLE
--Spread the word, add this to your signature block!

More information about the Users mailing list