[Openswan Users] Host-to-host connection with SAref without tunneling

Eduard Veleba eduard.veleba at emtc.cz
Fri Jan 18 14:41:33 EST 2013

Hello Daniel,


yes, I have net.ipv4.ip_forward=1 in nearly all my Linux systems. Also I'm
trying everything with empty iptables with ACCEPT policy:


[virtmaster] root at ingwe:~# sysctl -a 2>/dev/null | grep ip_forward

net.ipv4.ip_forward = 1

[virtmaster] root at ingwe:~# iptables -L

Chain INPUT (policy ACCEPT)

target     prot opt source               destination


Chain FORWARD (policy ACCEPT)

target     prot opt source               destination


Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination


Do you mean "ipsec verify"? If so, here it is:

[virtmaster] root at ingwe:~# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan 2.6.38 (klips)

Checking for IPsec support in kernel                            [OK]

KLIPS: checking for NAT Traversal support                      [OK]

KLIPS: checking for OCF crypto offload support                 [N/A]

Kernel: IPsec SAref kernel support                             [OK]

Kernel: IPsec SAref Bind kernel support                        [OK]

Checking that pluto is running                                  [OK]

Pluto listening for IKE on udp 500                             [OK]

Pluto listening for NAT-T on udp 4500                          [OK]

Two or more interfaces found, checking IP forwarding            [FAILED]

Checking NAT and MASQUERADEing

Checking for 'ip' command                                       [OK]

Checking /bin/sh is not /bin/dash                               [WARNING]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]


If you mean something else, how can I try it? "ipsec auto verify" shows me
usage (help) screen.

Should I send output of "ipsec barf"?





Eduard Veleba


Have you enabled ip.forwarding in /etc/sysctl.conf ? 


also, have you done ipsec auto verify ?



On 18 Jan 2013, at 10:46, Eduard Veleba wrote:



I need to set up host-to-host IPsec encrypted (ESP) connection without any
VPN (just "plain" transport mode). There's our server with public IP address
on the left side and many clients (with different OS) with different IP
addresses (some of them on public addresses, some of them behind NAT, some
of them even behind the very same NAT).


As I need to handle multiple clients behind the same NAT, I assume I need to
use MAST stack and SAref patched kernel. I have now both functional (kernel
is patched and I can modprobe ipsec without problems) and command "ipsec
verify" shows "OK" for SAref support as well.


I don't want to use L2TP or any other tunneling, I just need to secure
connection to that single IP address (server address) with ESP.


My ipsec.conf looks like this (our IP address replaced with

version 2.0


config setup





conn host-to-host

















And when I start Openswan, clients are able to associate (I see multiple
SAs), but ping doesn't work. Mast interface looks like this:


mast0     Link encap:UNSPEC  HWaddr
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:26840 (26.2 KiB)  TX bytes:0 (0.0 B)


The strange thing is I can see ping requests on mast0 with tcpdump and also
if I change stack from MAST to KLIPS or NETKEY, everything works well
(except only one client behind each NAT can connect, I assume that SAref is
supported only in MAST stack).


What may I be doing wrong? Are my assumptions about the need of using MAST
stack correct or can I get SAref support with KLIPS stack somehow?





Eduard Veleba


Users at lists.openswan.org
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130118/f0348d8e/attachment-0001.html>

More information about the Users mailing list