Eric Hidle on 18 Jan 2006 12:42:41 -0000



Re: [PLUG] Fedora Core 4 and IPSEC/OpenSwan


I typed up my email wrong haha... the conf file is correct, and I did figure out what I was doing wrong... I was forgetting to use the -I parameter to ping to make the requests come from the inside. Once I did that, I could see the ESP encap. in tcpdump just fine.

Thx
E


Stephen Gran wrote:

On Tue, Jan 17, 2006 at 07:44:57PM -0500, Eric Hidle said:


I'm looking for a little assistance with OpenSwan on FC4. I have created a simple static-keyed connection between two machines on the same subnet. Each machine has another network behind it that it is protecting. Basically like this:

10.0.5.0/24:192.168.0.243 <====> 192.168.0.244:10.0.3.0/24

With the following config:

conn securecf
	left=192.168.0.243
	leftsubnet=10.0.3.0/24
	leftid=@lefthost.leftdomain
	leftrsasigkey={snip}
	leftnexthop=192.168.0.244
	right=192.168.0.244
	rightrsasigkey={snip}
	rightsubnet=10.0.5.0/24
	rightid=@righthost.rightdomain
	rightnexthop=192.168.0.243
	auto=add

after upping the connection, the connection is properly negotiated and both sides show SA Established.

I can then ping 3.1 from 0.243 and also ping 5.1 from 0.244..

BUT, I cannot PROVE that this traffic is going over the IPSEC connection. For some reason, there is no ipsec0 device created (this is alleged to be "normal"), and iptraf shows that the pings look like normal traffic. The routing table just shows a normal gatewayed setup, so it's completely possible that IPSEC is just being ignored.



Not so much FC4, but general openswan advice:

leftsubnet=10.0.3.0/24 : this looks wrong (should be 10.0.5.0/24)
leftnexthop is unneeded - this is only if traffic is going over an
 intermediate gateway, in which case left=%defaultroute is usually
 easier
repeat for right

There will be no ipsec0 device on newer kernels.

I would recommend using pfs if it is between 2 linux openswan instances,
as well as dpd and the other hooks openswan offers.

tcpdump should show you traffic that is ESP encapsulated.  If not, it
may be that you already have a route to the other networks that is
getting used ahead of the in-kernel stuff openswan does.

HTH,
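
Stephen's last point, proving with tcpdump that the pings actually leave as ESP, as an added example that is not from the thread: a POSIX sh/awk classifier run over a capture taken on the 192.168.0.243 gateway. The gateway and subnet addresses are the thread's; the capture lines and the names GW_LOCAL, SUBNET_REMOTE, capture_stats and verdict are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): judge a `tcpdump -n -i eth0` capture
# taken on the 192.168.0.243 gateway. A ping that leaves toward the remote
# protected subnet as plain ICMP instead of ESP means the IPsec policy was
# bypassed (e.g. a ping sourced from the gateway address, not from 10.0.5.0/24).
GW_LOCAL=192.168.0.243
GW_REMOTE=192.168.0.244
SUBNET_REMOTE=10.0.3.0/24      # must only ever be reached through the SA

# Constructed sample: ping without -I (goes in the clear), then ping -I 10.0.5.1 (ESP).
SAMPLE_CAPTURE='12:42:01.000001 IP 192.168.0.243 > 10.0.3.1: ICMP echo request, id 1, seq 1, length 64
12:42:01.000900 IP 10.0.3.1 > 192.168.0.243: ICMP echo reply, id 1, seq 1, length 64
12:42:05.000001 IP 192.168.0.243 > 192.168.0.244: ESP(spi=0x0a0b0c0d,seq=0x1), length 116
12:42:05.000800 IP 192.168.0.244 > 192.168.0.243: ESP(spi=0x01020304,seq=0x1), length 116
12:42:05.000850 IP 10.0.3.1 > 10.0.5.1: ICMP echo reply, id 2, seq 1, length 64'

# stdin: tcpdump lines; stdout: "<esp packets between gateways> <clear packets to remote subnet>"
# Only the outbound direction is judged: on NETKEY kernels (the ones without
# ipsec0) tcpdump on the outer interface also shows the decrypted copy of each
# inbound packet, and that copy is not a leak.
capture_stats() {
    awk -v gw_l="$GW_LOCAL" -v gw_r="$GW_REMOTE" -v sub_r="$SUBNET_REMOTE" '
    function ip2n(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_net(ip, cidr,   p, sh) {       # prefix match without bitwise ops (POSIX awk)
        split(cidr, p, "/"); sh = 2 ^ (32 - p[2])
        return int(ip2n(ip) / sh) == int(ip2n(p[1]) / sh)
    }
    function host(f) {                         # strip trailing ":" and any ".port" suffix
        sub(/:$/, "", f)
        if (gsub(/\./, ".", f) == 4) sub(/\.[0-9]+$/, "", f)
        return f
    }
    $2 == "IP" {
        src = host($3); dst = host($5); is_esp = ($6 ~ /^ESP\(/)
        if (is_esp && ((src == gw_l && dst == gw_r) || (src == gw_r && dst == gw_l))) esp++
        else if (!is_esp && in_net(dst, sub_r)) clear++
    }
    END { print esp + 0, clear + 0 }'
}

# stdin: tcpdump lines; stdout: ESP-OK, LEAK (some traffic bypassed the SA) or NO-ESP
verdict() {
    set -- $(capture_stats)
    if [ "$1" -eq 0 ]; then echo NO-ESP
    elif [ "$2" -gt 0 ]; then echo LEAK
    else echo ESP-OK
    fi
}

printf '%s\n' "$SAMPLE_CAPTURE" | verdict    # prints LEAK for the sample above
```

On a live box, replace the sample with `tcpdump -n -i eth0 host 192.168.0.244 or net 10.0.3.0/24 | capture_stats`; a NO-ESP verdict with pings still answered is the symptom from the original post.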



___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
