<p>I want to configure the simplest, host-to-host IPsec tunnel between two Linux(Redhat9) machines running Openswan. And I choose X.509 certificates for authentication.(RSA Signature Method I have tried is OK)<br>But the configuration can't be successful,so I turn for your help!
</p>
<p>I choose one machine act as CA and host(<a href="http://192.168.0.16"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.16</a>),and the other one is client(<a href="http://192.168.0.9"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.9</a>).The two hosts are under the same subnet(becasue I have no more hardware equipments).The reference I used is:
<br><a href="http://www.natecarlson.com/linux/ipsec-x509.php">http://www.natecarlson.com/linux/ipsec-x509.php</a></p>
<p>The ipsec status and conf list below:<br>[root@ca]# ipsec auto --status<br>000 interface ipsec0/eth0 <a href="http://192.168.0.16"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.16</a><br>000 <br>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=64, keysizemin=56, keysizemax=56
<br>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168<br>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=40, keysizemax=128<br>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
<br>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>000 <br>000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
<br>000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8, keydeflen=128
<br>000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128<br>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
<br>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20<br>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
<br>000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768<br>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>000 <br>000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,9,36} trans={0,9,96} attrs={0,9,160}
<br>000 <br>000 "myipsec": 192.168.0.16[@luyang]---192.168.0.1...192.168.0.9[@why]<br>000 "myipsec": CAs: '%any'...'%any'<br>000 "myipsec": ike_life: 720s; ipsec_life: 600s; rekey_margin: 20s; rekey_fuzz: 50%; keyingtries: 0
<br>000 "myipsec": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; interface: eth0; trap erouted<br>000 "myipsec": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0<br>000 "myipsec": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
<br>000 "myipsec": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1, <br>000 "myipsec": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
<br>000 "myipsec": ESP algorithms loaded: 3_168-1_128, 3_168-2_160, <br>000 <br>000 #16: "myipsec" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 17s<br>000 #17: "myipsec" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 5s
</p>
<div>But it seems it exists route between <a href="http://192.168.0.16"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.16</a> and <a href="http://192.168.0.9"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.9</a> through typing: route -n (interface ipsec0,gateway <a href="http://192.168.0.1"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.1
</a>)</div>
<div><br># /etc/ipsec.conf<br>#luyang(<a href="http://192.168.0.16"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.16</a>)<br>conn %default<br> keyingtries=0<br> compress=yes<br> disablearrivalcheck=no<br> leftrsasigkey=%cert<br> rightrsasigkey=%cert<br> authby=rsasig
<br> <br>conn myipsec<br> left=%defaultroute<br> leftcert=luyang.pem <br> right=<a href="http://192.168.0.9"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.9</a><br> pfs=yes<br> auto=start</div>
<p>#why(<a href="http://192.168.0.1"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.1</a>)<br>conn %default<br> keyingtries=0<br> compress=yes<br> disablearrivalcheck=no<br> leftrsasigkey=%cert<br> rightrsasigkey=%cert<br> authby=rsasig<br> <br>conn myipsec
<br> left=<a href="http://192.168.0.16"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.0.16</a><br> leftcert=luyang.pem<br> <a href="mailto:leftid=@luyang">leftid=@luyang</a><br> right=%defaultroute<br> rightcert=why.pem<br>
<a href="mailto:rightid=@why">rightid=@why</a><br> pfs=yes<br> auto=start<br></p><br>-- <br>Best wishes!<br>Yan Zeng£¨ÔøÑÞ£©<br>Pharmaceutical Informatics Institute<br>Department of Chinese Medicine Science & Engineering,Zhejiang Univ.
<br><a href="mailto:Email:swallowfly@gmail.com">Email:swallowfly@gmail.com</a>