Thread: RE Anyone try to install openswan-2.4.4 on L




RE Anyone try to install openswan-2.4.4 on L
user name
2006-02-24 01:40:13
Hi Paul,

As my English is not very good, I think this will help to understand what happened.

Here is how it is set up:

On 1.2.3.4
It has openswan-2.4.5rc5 installed with KLIPS on linux-2.6.14.4.
When I do ping from behind it, I found the following on the WAN interface:

11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)

On 9.8.7.6
It has openswan-2.4.4 installed with KLIPS on linux-2.4.32.
When I do ping from behind it, I only found the following on the WAN interface, and got no reply from 1.2.3.4:

9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)

I have a VPN on this box, connected to another openswan-2.4.4 box for more than 1 year, and found no problem.

If I change the box, 1.2.3.4, to have the same installation as 9.8.7.6, openswan-2.4.4 with KLIPS on linux-2.4.32, and keep the ipsec.conf the same, I have no problem accessing either side.

I have set the firewall on both ends to allow the IPs to access each other's end without any restriction.

What I can see is that somehow packets get dropped on 1.2.3.4 when it is openswan-2.4.5rc5 with linux-2.6.14.4.

Any suggestions for what I can play with on the 1.2.3.4 end to resolve the issue?


Thanks
Sherman



-----Original Message-----
From: Sherman Chan 
Sent: Thursday, 23 February 2006 3:06 PM
To: 'Paul Wouters'; Sherman Chan
Cc: 'usersopenswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on L

Hi Paul 

BTW I only see this on WAN interface eth0, but I see nothing on LAN interface eth1

11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)

Thanks
Sherman


-----Original Message-----
From: users-bouncesopenswan.org [mailto:users-bouncesopenswan.org] On Behalf Of Paul Wouters
Sent: Thursday, 23 February 2006 2:46 PM
To: Sherman Chan
Cc: 'usersopenswan.org'
Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on L

On Thu, 23 Feb 2006, Sherman Chan wrote:

> Hi Paul,
>
> The same firewall rule and rp_filter, which been set to 0, I used on
> openswan-2.4.4 with linux-2.4.3x and working ok.
>
> Do I need to set it to 1 on openswan 2.4.5rc with linux 2.6.14.4?

no no.

So you have a conn that works on 2.4.3 but not 2.4.4?
Did you try a userland 2.4.3 with klips 2.4.4 and/or a userland 2.4.4 and a klips 2.4.3?

Another bug workaround for 2.4.4 was to set fragicmp=no. But for 2.4.5.rcX that should no longer be needed.

Paul

>
> The firewall rule basically
> -A INPUT -p all -s xxx/24 -j ACCEPT
> And
> -A FORWARD -p all -s xxx/24 -j ACCEPT
>
> So I do not think it is a firewall rule issue
>
> Sherman
>
> -----Original Message-----
> From: Paul Wouters [mailto:paulxelerance.com]
> Sent: Thursday, 23 February 2006 12:46 PM
> To: Sherman Chan
> Cc: 'usersopenswan.org'
> Subject: RE: RE [Openswan Users] Anyone try to install openswan-2.4.4 on Linux-2.6.14.4
>
> On Thu, 23 Feb 2006, Sherman Chan wrote:
>
> > This is what I see with openswan 2.4.5rc5 on linux-2.6.14.4, since
> > I'm not using NAT Traversal, so I ignore the error, or I should not
> >
> > Version check and ipsec on-path                         [OK]
> > Linux Openswan 2.4.5rc5 (klips)
> > Checking for IPsec support in kernel                    [OK]
> > KLIPS detected, checking for NAT Traversal support      [FAILED]
> > Checking for RSA private key (/etc/ipsec.secrets)       [OK]
> > Checking that pluto is running                          [OK]
> > Two or more interfaces found, checking IP forwarding    [OK]
> > Checking NAT and MASQUERADEing
> > Checking for 'ip' command                               [OK]
> > Checking for 'iptables' command                         [OK]
> > Opportunistic Encryption Support                        [DISABLED]
>
> Looks good.
>
> > 004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established
> > {ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
>
> Looks good.
>
> > When I do ping, I got time out, and with tcpdump
> >
> > I see the following 2 keeping repeating itself
> > 11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
> > 11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
>
> Those are your encrypted pings
>
> Are there firewall rules or perhaps rp_filter that might block the packets?
>
> Paul
>

-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
_______________________________________________
Usersopenswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
RE Anyone try to install openswan-2.4.4 on L
user name
2006-02-24 03:29:54
On Fri, 24 Feb 2006, Sherman Chan wrote:

> On 9.8.7.6
> It has installed openswan-2.4.4 with KLIP on linux-2.4.32
> When I do ping behind it, I only found the following on WAN interface, got
> no reply from 1.2.3.4
>
> 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
>
> I have VPN on this box, connected to other openswan-2.4.4 box for more than
> 1 years, and find no problem.
>
> If I change the box, 1.2.3.4, to have same installation as 9.8.7.6,
> openswan-2.4.4 with KLIP on linux-2.4.32 and keep the ipsec.conf the same, I
> have no problem to access to either side.

Can you provide me (off list) with the output of "ipsec barf" from both setups? So when you set up the tunnels, and did the ping, can you then run the ipsec barf command on 9.8.7.6 so I can have a look at what the difference could be?

Paul
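
Added example, not part of the original thread: a small Python check that compares the two SPIs in the pluto "IPsec SA established" line with the ESP packets in each tcpdump capture quoted above, showing which capture lacks return traffic. The sample inputs are copied from the thread; the function names are hypothetical.

```python
import re

# Sample input copied from the lines quoted in the thread.
PLUTO_LINE = ('004 "my-access" #705: STATE_QUICK_I2: sent QI2, IPsec SA established '
              '{ESP=>0x56fa544f <0xcbe4c4c8 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}')
CAPTURE_1234 = """\
11:39:42.109197 9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)
11:39:43.110076 1.2.3.4 > 9.8.7.6: ESP(spi=0xcbe4c4c8,seq=0x37)
"""
CAPTURE_9876 = "9.8.7.6 > 1.2.3.4: ESP(spi=0x56fa544f,seq=0x34)\n"

SA_RE = re.compile(r"ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)")
# tcpdump ESP line, with or without a leading timestamp.
ESP_RE = re.compile(
    r"^(?:\S+ )?(\S+) > (\S+): ESP\(spi=(0x[0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)",
    re.M,
)


def sa_spis(pluto_line):
    """Return the two SPIs named in a pluto 'IPsec SA established' line."""
    m = SA_RE.search(pluto_line)
    if m is None:
        raise ValueError("no ESP SPI pair in pluto line")
    return {m.group(1).lower(), m.group(2).lower()}


def esp_flows(capture):
    """Map (src, dst) -> set of SPIs seen in that direction."""
    flows = {}
    for src, dst, spi in ESP_RE.findall(capture):
        flows.setdefault((src, dst), set()).add(spi.lower())
    return flows


def diagnose(pluto_line, capture):
    """Report which negotiated SPIs never appear and whether ESP flows both ways."""
    flows = esp_flows(capture)
    seen = set().union(*flows.values())
    return {
        "directions": sorted(flows),
        "spis_missing_on_wire": sorted(sa_spis(pluto_line) - seen),
        "bidirectional": any((dst, src) in flows for (src, dst) in flows),
    }


if __name__ == "__main__":
    for name, cap in (("1.2.3.4", CAPTURE_1234), ("9.8.7.6", CAPTURE_9876)):
        print(name, diagnose(PLUTO_LINE, cap))
```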