Stephen Gran on 18 Jan 2006 01:19:01 -0000



Re: [PLUG] Fedora Core 4 and IPSEC/OpenSwan


On Tue, Jan 17, 2006 at 07:44:57PM -0500, Eric Hidle said:
> I'm looking for a little assistance with OpenSwan on FC4. I have created 
> a simple static-keyed connection between two machines on the same 
> subnet. Each machine has another network behind it that it is 
> protecting. Basically like this:
> 
> 10.0.5.0/24:192.168.0.243 <====> 192.168.0.244:10.0.3.0/24
> 
> With the following config:
> 
> conn securecf
> left=192.168.0.243
> leftsubnet=10.0.3.0/24
> leftid=@lefthost.leftdomain
> leftrsasigkey={snip}
> leftnexthop=192.168.0.244
> right=192.168.0.244
> rightrsasigkey={snip}
> rightsubnet=10.0.5.0/24
> rightid=@righthost.rightdomain
> rightnexthop=192.168.0.243
> auto=add
> 
> after upping the connection, the connection is properly negotiated and 
> both sides show SA Established.
> 
> I can then ping 3.1 from 0.243 and also ping 5.1 from 0.244..
> 
> BUT, I cannot PROVE that this traffic is going over the IPSEC 
> connection. For some reason, there is no ipsec0 device created (this is 
> alleged to be "normal"), and iptraf shows that the pings look like 
> normal traffic. The routing table just shows a normal gatewayed setup, 
> so it's completely possible that IPSEC is just being ignored.

Not so much FC4, but general openswan advice:

leftsubnet=10.0.3.0/24 : this looks wrong (should be 10.0.5.0/24)
leftnexthop is unneeded - this is only if traffic is going over an
  intermediate gateway, in which case left=%defaultroute is usually
  easier
repeat for right

There will be no ipsec0 device on newer kernels.

I would recommend using pfs if it is between 2 linux openswan instances,
as well as dpd and the other hooks openswan offers.

tcpdump should show you traffic that is esp encapsulated.  If not, it
may be that you already have a route to the other networks that is
getting used ahead of the in kernel stuff openswan does.

HTH,
-- 
 --------------------------------------------------------------------------
|  Stephen Gran                  | A furore Normanorum libera nos, O       |
|  steve@lobefin.net             | Domine!  [From the fury of the norsemen |
|  http://www.lobefin.net/~steve | deliver us, O Lord!]   -- Medieval      |
|                                | prayer                                  |
 --------------------------------------------------------------------------

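As an added example (not from this thread or from Openswan itself), here is a small Python helper that applies the tcpdump check suggested above to the addresses in this thread: it classifies captured lines as ESP between the two gateways or as plaintext traffic carrying protected-subnet addresses, and gives a verdict on whether IPsec is actually being used. It assumes the capture was taken with `tcpdump -n` on the interface facing the peer gateway; the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Addresses from the thread: the two gateways and the subnets each one protects.
GATEWAYS = {"192.168.0.243", "192.168.0.244"}
PROTECTED = ("10.0.5.", "10.0.3.")

# Matches one line of `tcpdump -n` output. The optional trailing ".port"
# handles TCP/UDP lines; ICMP and ESP lines carry no port.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<proto>\S+)"
)

def classify(line):
    """Return 'esp', 'plaintext' (protected-subnet addresses visible on the
    wire), 'other', or None for lines that are not IPv4 packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, proto = m.group("src"), m.group("dst"), m.group("proto")
    if proto.startswith("ESP(") and {src, dst} == GATEWAYS:
        return "esp"
    if src.startswith(PROTECTED) or dst.startswith(PROTECTED):
        return "plaintext"
    return "other"

def verdict(lines):
    """'encapsulated' if any ESP is seen between the gateways, 'bypassed' if
    only plaintext protected-subnet traffic is seen, else 'no-traffic'.
    Note: with the 2.6 native (NETKEY) stack, tcpdump shows inbound packets
    twice, once as ESP and once decrypted, so some plaintext lines are
    expected; the absence of ESP is the real warning sign."""
    counts = Counter(c for c in map(classify, lines) if c)
    if counts["esp"]:
        return "encapsulated", dict(counts)
    if counts["plaintext"]:
        return "bypassed", dict(counts)
    return "no-traffic", dict(counts)

# Constructed samples: a healthy tunnel, and a ping that skipped IPsec.
SAMPLE_OK = """\
01:19:01.000001 IP 192.168.0.243 > 192.168.0.244: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
01:19:01.000002 IP 192.168.0.244 > 192.168.0.243: ESP(spi=0x4e5f6071,seq=0x1), length 132
01:19:01.000003 IP 10.0.3.1 > 10.0.5.1: ICMP echo reply, id 4242, seq 1, length 64
01:19:01.000004 IP 192.168.0.243.22 > 192.168.0.10.51234: Flags [P.], seq 1:53, ack 1, win 501, length 52
"""
SAMPLE_BYPASSED = "01:19:02.000001 IP 10.0.5.1 > 10.0.3.1: ICMP echo request, id 4242, seq 2, length 64\n"

if __name__ == "__main__":
    print(verdict(SAMPLE_OK.splitlines()))        # ('encapsulated', {...})
    print(verdict(SAMPLE_BYPASSED.splitlines()))  # ('bypassed', {...})
```

Run it against a real capture with `sudo tcpdump -n -i eth0 | python3 this_script.py` after replacing the samples with `sys.stdin`; a verdict of "bypassed" while pings succeed matches the symptom described in the thread.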

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug