I'm trying to build a RoadWarrior VPN Gateway using openswan 2.4.0rc3 on a xen 2.0.7 domU. I'm having a bit of trouble and before I beat my head against the wall for hours, I was wondering if anyone else has done this and can give me some pointers.

I am not using L2TP so I should not have the driver problem. When I disable ipsec on both the xen station and the CyberGuard SG580 we're using for testing as the office gateway (as opposed to the RAS gateway), they can ping each other fine. When I enable ipsec, it's as if the xen station does not want to listen to the SG. The SG sends MI1 and there is no response. The xen device sends MI1, the SG sends MR1 and xen ignores it.

The same configuration with a non-xen gateway works fine. Please don't spend lots of time on this as I should put more time in myself before really crying for help but, if someone has done this or knows what the problem is, please let me know. Thanks - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source enterprise class network security management system, please visit http://iscs.sourceforge.net

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
If you're using -unstable, look for an earlier thread about using ethtool to disable checksum offload on the virtual interfaces. We do need to fix the underlying problem at some point, though.

Ian

> I'm trying to build a RoadWarrior VPN Gateway using openswan
> 2.4.0rc3 on a xen 2.0.7 domU. I'm having a bit of trouble
> and before I beat my head against the wall for hours, I was
> wondering if anyone else has done this and can give me some pointers.
>
> I am not using L2TP so I should not have the driver problem.
> When I disable ipsec on both the xen station and the
> CyberGuard SG580 we're using for testing as the office gateway
> (as opposed to the RAS gateway), they can ping each other
> fine. When I enable ipsec, it's as if the xen station does
> not want to listen to the SG. The SG sends MI1 and there is
> no response. The xen device sends MI1, the SG sends MR1 and
> xen ignores it.
>
> The same configuration with a non-xen gateway works fine.
> Please don't spend lots of time on this as I should put more
> time in myself before really crying for help but, if someone
> has done this or knows what the problem is, please let me
> know. Thanks - John
That sounds like something that could keep me spinning my wheels for hours if you hadn't told me! Thanks. However, we are very hesitant to use unstable on a production device. Is there a way to solve the problem in the 2.0.7 stable release? - John

On Sat, 2005-09-03 at 11:15 +0100, Ian Pratt wrote:
> If you're using -unstable, look for an earlier thread about using
> ethtool to disable checksum offload on the virtual interfaces. We do
> need to fix the underlying problem at some point, though.
>
> Ian

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
> That sounds like something that could keep me spinning my
> wheels for hours if you hadn't told me! Thanks. However, we
> are very hesitant to use unstable on a production device. Is
> there a way to solve the problem in the 2.0.7 stable release? - John

Hmm, I don't think 2.0.7 does checksum offload, so it shouldn't be an issue. I've certainly used IPSec on earlier 2.0 versions just fine.

Ian
Hi list!:

Our problem was that the openswan userland tools and kernel patches were not from the same openswan version.

The VPN gateway is working using:

2.4.30 xenU kernel
2.3.1 openswan

Thanks for your help.

Jorge.

On Sat, 03-09-2005 at 03:20 -0400, John A. Sullivan III wrote:
> I'm trying to build a RoadWarrior VPN Gateway using openswan 2.4.0rc3 on
> a xen 2.0.7 domU. I'm having a bit of trouble and before I beat my head
> against the wall for hours, I was wondering if anyone else has done this
> and can give me some pointers.
>
> I am not using L2TP so I should not have the driver problem. When I
> disable ipsec on both the xen station and the CyberGuard SG580 we're
> using for testing as the office gateway (as opposed to the RAS gateway),
> they can ping each other fine. When I enable ipsec, it's as if the xen
> station does not want to listen to the SG. The SG sends MI1 and there
> is no response. The xen device sends MI1, the SG sends MR1 and xen
> ignores it.
>
> The same configuration with a non-xen gateway works fine. Please don't
> spend lots of time on this as I should put more time in myself before
> really crying for help but, if someone has done this or knows what the
> problem is, please let me know. Thanks - John

--
Jorge Isaac Davila Lopez
The xen version is 2.0.7

On Thu, 06-10-2005 at 13:28 -0600, Jorge I. Davila L. wrote:
> Hi list!:
>
> Our problem was that the openswan userland tools and kernel patches
> were not from the same openswan version.
>
> The VPN gateway is working using:
>
> 2.4.30 xenU kernel
> 2.3.1 openswan
>
> Thanks for your help.
>
> Jorge.

--
Jorge Isaac Davila Lopez
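
The mismatch Jorge reports (userland tools and kernel patches from different openswan versions) can be checked mechanically. The script below is an added example, not part of the original thread or of Openswan's own code; the banner shapes it parses, the function name `check_openswan_banner` and the sample banners are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: classify an Openswan version banner to spot the
# userland/kernel mismatch reported in the thread.
# ASSUMED banner shapes (not taken from the thread):
#   Linux Openswan U<userland>/K<kernel side> (klips|netkey)
#   Linux Openswan <version> (klips)    <- one version: both sides agree
check_openswan_banner() {
    banner=$1
    case $banner in
        *Openswan*) ;;
        *) echo "unknown"; return 0 ;;   # not an Openswan banner at all
    esac
    stack=$(printf '%s\n' "$banner" | sed -n 's/.*(\([a-z]*\)).*/\1/p')
    user=$(printf '%s\n' "$banner" | sed -n 's/.* U\([^/ ]*\)\/K.*/\1/p')
    kern=$(printf '%s\n' "$banner" | sed -n 's/.* U[^/ ]*\/K\([^ ]*\).*/\1/p')

    if [ -z "$stack" ]; then
        echo "unknown"                 # no (klips)/(netkey) marker found
    elif [ -z "$user" ]; then
        echo "match"                   # single version string, no U/K split
    elif [ "$stack" = "netkey" ]; then
        echo "netkey-not-comparable"   # K is the Linux kernel version here
    elif [ "$user" = "$kern" ]; then
        echo "match"
    else
        echo "mismatch U=$user K=$kern"
    fi
}

# Constructed sample banners (not output captured from the posters' systems).
for sample in \
    'Linux Openswan U2.4.0rc3/K2.3.1 (klips)' \
    'Linux Openswan 2.3.1 (klips)' \
    'Linux Openswan U2.4.0rc3/K2.6.12 (netkey)'
do
    printf '%-45s -> %s\n' "$sample" "$(check_openswan_banner "$sample")"
done

# On a real gateway, classify the live banner if the ipsec command exists.
if command -v ipsec >/dev/null 2>&1; then
    check_openswan_banner "$(ipsec --version 2>/dev/null | head -n 1)"
fi
```

A `mismatch` result on a KLIPS build is the condition to resolve before debugging the IKE exchange itself.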