LinuxQuestions.org
Linux - Networking
06-24-2008, 08:12 AM   #1
aikie
CentOS 5.1 with Openswan 2.6 problem


My situation:

Site 1 & Site 2:
CentOS 5.1
Openswan 2.6.14-1.el5_2.1
Iptables 1.3.5-1.2.1
LAN = eth0
WAN = eth1

When I start ipsec the connection is established, but when I try to ping from one network to the other no reply comes.
When I take a look at network traffic using tcpdump, some ESP traffic is only seen during the ping.

ipsec barf result:

Code:
Jun 24 15:07:17 firewall pluto[24174]: "dep-hoofd" #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 24 15:07:17 firewall pluto[24174]: "dep-hoofd" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 24 15:07:17 firewall pluto[24174]: "dep-hoofd" #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 24 15:07:17 firewall pluto[24174]: "dep-hoofd" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x11b4ea44 <0x96e58807 xfrm=AES_128-HMAC_SHA1 NATOA=<invalid> NATD=<invalid>:500 DPD=enabled}
my ipsec.conf

Code:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug="none"
        plutodebug="none"
        uniqueids=yes
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes

conn %default
        keyingtries=%forever
        compress=yes
        authby=rsasig
        disablearrivalcheck=no

conn dep-hoofd
        leftid=@firewall.dependance
        left=[local WAN IP]
        leftnexthop=[local WAN GATEWAY]
        leftsourceip=192.168.3.252
        leftsubnet=192.168.3.0/24
        leftrsasigkey=[some left key]
        rightid=@firewall.intranet
        right=[remote WAN IP]
        rightnexthop=[remote WAN GATEWAY]
        rightsourceip=192.168.2.252
        rightsubnet=192.168.2.0/24
        rightrsasigkey=[some right key]
        auto=start

conn block
        auto=ignore

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn packetdefault
        auto=ignore
my iptables modifications:

Code:
*nat
-I POSTROUTING 1 -p 50 -j ACCEPT
-A POSTROUTING -o eth1 -d ! 192.168.0.0/16 -j MASQUERADE
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p 50 -j MARK --set-mark 1
-A PREROUTING -i eth1 -p 51 -j MARK --set-mark 2
COMMIT

*filter
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i eth1 -m mark --mark 1 -j ACCEPT
-A INPUT -i eth1 -m mark --mark 2 -j ACCEPT

-A FORWARD -i eth1 -m mark --mark 1 -j ACCEPT

-A OUTPUT -p 50 -j ACCEPT
-A OUTPUT -p 51 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j ACCEPT
COMMIT
iptables does allow all traffic from LAN to WAN

ipsec verify result:

Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.14/K2.6.18-53.1.21.el5 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
This configuration worked fine with CentOS 5.0 and does still work fine at other customers.

Any suggestions would be great.
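One check worth automating on a protostack=netkey setup like the one above (an added example, not the poster's code): with netkey the kernel looks up the IPsec policy after the nat POSTROUTING chain, so a MASQUERADE rule on the WAN interface that does not exclude the remote subnet rewrites the source address first, the packets no longer match the tunnel policy and they are routed outside it even though the SA shows as established. The script parses an ipsec.conf and an iptables-save style nat section (both constructed here from the post) and flags every active conn whose rightsubnet a MASQUERADE rule would still catch; it only understands the `-d` / `! -d` match form used in the post, not `-m policy` exemptions.

```python
import ipaddress
import re
# Constructed samples, trimmed from the ipsec.conf and nat rules in the post above.
IPSEC_CONF = """\
conn dep-hoofd
        leftsubnet=192.168.3.0/24
        rightsubnet=192.168.2.0/24
        auto=start
"""
NAT_RULES = """\
*nat
-A POSTROUTING -o eth1 -d ! 192.168.0.0/16 -j MASQUERADE
COMMIT
"""

def parse_conns(conf):
    """Map each conn name to its key=value options; comments are stripped."""
    conns, current = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].rstrip()
        head = re.match(r"^conn\s+(\S+)", line)
        if head:
            current = head.group(1)
            conns[current] = {}
        elif current and line[:1].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key] = value
    return conns

def masquerade_dest_matches(rules):
    """For every MASQUERADE rule: (network of its -d match or None, True if the match is negated)."""
    matches = []
    for line in filter(lambda r: "-j MASQUERADE" in r, rules.splitlines()):
        neg = re.search(r"(?:-d\s+!\s+|!\s+-d\s+)(\S+)", line)  # iptables 1.3 and 1.4 negation forms
        hit = neg or re.search(r"-d\s+(\S+)", line)
        matches.append((ipaddress.ip_network(hit.group(1), strict=False) if hit else None, bool(neg)))
    return matches

def unprotected_subnets(conf, rules):
    """Return (conn, rightsubnet) pairs whose tunnel traffic a MASQUERADE rule would still rewrite."""
    bad = []
    for name, opts in parse_conns(conf).items():
        if opts.get("auto", "ignore") == "ignore" or "rightsubnet" not in opts:
            continue  # conns that are never brought up, or have no remote subnet, do not matter here
        remote = ipaddress.ip_network(opts["rightsubnet"], strict=False)
        for net, negated in masquerade_dest_matches(rules):
            # no -d at all catches everything; a negated -d must cover the whole remote subnet
            if net is None or (not remote.subnet_of(net) if negated else remote.overlaps(net)):
                bad.append((name, str(remote)))
                break
    return bad
```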
 
08-05-2008, 01:38 AM   #2
aikie (Original Poster)

Problem Solved

We replaced the "Siemens Efficient" modems by "ZyXel Prestige" and added ipsec-tools and all is up and running now.

So my lesson for today: when using openswan don't forget to install ipsec-tools as well ;-)