Eric Hidle on 18 Jan 2006 12:42:41 -0000

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Fedora Core 4 and IPSEC/OpenSwan

I typed up my email wrong haha... the conf file is correct, and I did figure out what I was doing wrong... I was forgetting to use the -I parameter to ping to make the requests come from the inside. Once I did that, I could see the ESP encap. in tcpdump just fine.


Stephen Gran wrote:

On Tue, Jan 17, 2006 at 07:44:57PM -0500, Eric Hidle said:

I'm looking for a little assistance with OpenSwan on FC4. I have created a simple static-keyed connection between two machines on the same subnet. Each machine has another network behind it that it is protecting. Basically like this: <====>

With the following config:

conn securecf

after upping the connection, the connection is properly negotiated and both sides show SA Established.

I can then ping 3.1 from 0.243 and also ping 5.1 from 0.244..

BUT, I cannot PROVE that this traffic is going over the IPSEC connection. For some reason, there is no ipsec0 device created (this is alleged to be "normal"), and iptraf shows that the pings look like normal traffic. The routing table just shows a normal gatewayed setup, so it's completely possible that IPSEC is just being ignored.

Not so much FC4, but general openswan advice:

leftsubnet= : this looks wrong (should be
leftnexthop is unneeded - this is only if traffic is going over an
 intermediate gateway, in which case left=%defaultroute is usually
repeat for right

There will be no ipsec0 device on newer kernels.

I would recommend using pfs if it is between 2 linux openswan instances,
as well as dpd and the other hooks openswan offers.

tcpdump should show you traffic that is esp encapsulated.  If not, it
may be that you already have a route to the other networks that is
getting used ahead of the in kernel stuff openswan does.



Philadelphia Linux Users Group --
Announcements -
General Discussion --

___________________________________________________________________________ Philadelphia Linux Users Group -- Announcements - General Discussion --