[Openswan Users] no traffic through ipsec0

Ray@truedays.org ray at truedays.org
Tue May 1 11:43:40 EDT 2012


Hi,

I'm still having trouble. I'm in a test environment trying to have two
CentOS servers using Openswan to connect over IPsec. Eventually they
will have their own public (no NAT) IPs. Once IPsec is working I want
to tunnel L2TP through it.

My first question is: do I want this to be type=tunnel or
type=transport? My loose understanding of the concept is that
type=transport would be easier (to configure) and is what I want.

My second question/issue: before I start ipsec I can ping both BoxA
(67.67.67.110) <-> BoxB (67.67.67.120), but once I start ipsec neither
can reach the other, and I'm stumped as to how to troubleshoot this.

Network:
BoxA:
eth0=192.168.5.110(dhcp IP from router) => switch => router => Internet
eth1=67.67.67.110(generic IP) => (same switch as above) switch => BoxB

BoxB:
eth0= 192.168.5.120 (dhcp) => switch (same)  => router => Internet
eth1= 67.67.67.120 => same switch => BoxA

[root at BoxA ~]# route -n   ### route table before IPSEC
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
67.67.67.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

[root at BoxA ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.38...
ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0

[root at BoxA ~]# ipsec verify  #### No errors
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan 2.6.38 (klips)
Checking for IPsec support in kernel                        	[OK]
 KLIPS: checking for NAT Traversal support                  	[OK]
 KLIPS: checking for OCF crypto offload support             	[N/A]
 SAref kernel support                                       	[N/A]
Checking that pluto is running                              	[OK]
 Pluto listening for IKE on udp 500                         	[OK]
 Pluto listening for NAT-T on udp 4500                      	[OK]
Two or more interfaces found, checking IP forwarding
Checking NAT and MASQUERADEing                              	[OK]
Checking for 'ip' command                                   	[OK]
Checking /bin/sh is not /bin/dash                           	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]

[root at BoxA ~]# route -n   ### route table after IPSEC started
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
67.67.67.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
67.67.67.120    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

[root at BoxA ~]# cat /etc/ipsec.conf
version	2.0
config setup
	plutodebug=none
	klipsdebug=none
	interfaces="ipsec0=eth1"
	oe=off
	protostack=auto
	nat_traversal=yes

conn ebh
	type=transport
	left=67.67.67.110
	right=67.67.67.120
	authby=secret
	auto=start
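
On the tunnel-versus-transport question, the following ipsec.conf is an added example, not the poster's file or anything from the thread. Transport mode protects traffic only between the two endpoint addresses themselves (no outer IP header is added), which is exactly what L2TP/IPsec needs; tunnel mode is for carrying whole networks behind the endpoints (leftsubnet/rightsubnet). The difference from the posted conn is the leftprotoport/rightprotoport pair: with it, the policy covers only UDP port 1701 (L2TP), so other traffic between the two hosts is outside this conn's selector and a plaintext ping no longer says anything about the IPsec state. Without it (as in the posted conn), every packet between the two hosts is subject to the policy and can only pass once an SA exists. The conn name, the PSK placeholder and the KLIPS stack choice are assumptions.

```ini
# /etc/ipsec.conf  (added example; assumes Openswan 2.6 with KLIPS on eth1)
version 2.0

config setup
	interfaces="ipsec0=eth1"
	protostack=klips
	nat_traversal=yes
	oe=off
	plutodebug=none
	klipsdebug=none

# Host-to-host transport-mode SA that protects only L2TP (UDP/1701).
# With "leftprotoport=17/1701" on both sides, nothing but L2TP is matched
# by this policy; drop the two protoport lines to protect all traffic
# between 67.67.67.110 and 67.67.67.120, as the posted conn does.
conn l2tp-transport
	type=transport
	authby=secret
	left=67.67.67.110
	leftprotoport=17/1701
	right=67.67.67.120
	rightprotoport=17/1701
	auto=start

# The matching pre-shared key lives in /etc/ipsec.secrets (mode 0600), one line:
#   67.67.67.110 67.67.67.120 : PSK "replace-with-a-long-random-string"
# (same line on both boxes; "ipsec secrets" reloads it without restarting pluto)
```

Because the key is symmetric, the secrets line must be identical on both boxes; a mismatch shows up in /var/log/secure as an IKE authentication failure rather than as a silent routing problem.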
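
The two route tables in the post show why the ping stops the moment ipsec starts, and the script below is an added example (not from the post or from Openswan) that makes the mechanism visible. It parses the posted `route -n` listings, embedded here as constructed sample input copied from the post, and applies the kernel's selection rule (longest prefix first, then lowest metric) to a destination. After KLIPS installs the 67.67.67.120/32 host route on ipsec0, that /32 beats the 67.67.67.0/24 route on eth1, so every packet for BoxB is handed to ipsec0 and is only delivered once pluto has an SA for it; traffic never leaks to the peer in the clear, which is the intended fail-closed behaviour, but it also means ping is no longer a test of basic connectivity. The function names and the column layout assumed for `route -n` are this example's own.

```python
"""Longest-prefix lookup over `route -n` output (added example, not from the post)."""
import ipaddress

# Constructed sample input: the two tables from the post, before and after `service ipsec restart`.
ROUTE_BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
67.67.67.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

ROUTE_AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.5.1     0.0.0.0         UG    0      0        0 eth0
67.67.67.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
67.67.67.120    0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""


def parse_routes(text):
    """Turn `route -n` output into a list of route dicts; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly 8 columns; the column-header row also has 8, so name-check it.
        if len(parts) != 8 or parts[0] == "Destination":
            continue
        dest, gw, mask, flags, metric, _ref, _use, iface = parts
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gw": gw,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def lookup(routes, dst):
    """Kernel-style route selection: longest matching prefix wins, ties go to the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def egress_change(before_text, after_text, dst):
    """Return (interface before, interface after) for packets to dst."""
    before = lookup(parse_routes(before_text), dst)
    after = lookup(parse_routes(after_text), dst)
    return (before["iface"] if before else None, after["iface"] if after else None)


def captured_by_ipsec(after_text, dst):
    """True when dst now egresses via a KLIPS ipsecN device, i.e. only an SA can deliver it."""
    route = lookup(parse_routes(after_text), dst)
    return route is not None and route["iface"].startswith("ipsec")


if __name__ == "__main__":
    for dst in ("67.67.67.120", "67.67.67.5", "8.8.8.8"):
        print(dst, "->", egress_change(ROUTE_BEFORE, ROUTE_AFTER, dst))
```

Once a destination is captured by ipsec0, the useful checks are on the SA rather than on ping: `ipsec auto --status` shows whether the conn negotiated an IPsec SA, and `ipsec eroute` lists the KLIPS selectors and which SA (or hold/shunt) each one points at. If the eroute for 67.67.67.120 is still a hold, the ICMP is being queued or dropped waiting for IKE, and /var/log/secure on both boxes will say why phase 1 or 2 is not completing.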

