<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi, I have a problem with an Openswan LAN-to-LAN setup.<br>
<br>
My configuration:<br>
<br>
<b>Host A</b><br>
ETH0 Openswan server 192.168.1.1<br>
ETH1 10.0.0.10<br>
GW 10.0.0.1<br>
<br>
ipsec.conf<br>
<br>
version 2.0 <br>
config setup<br>
forwardcontrol=yes<br>
interfaces=%defaultroute<br>
nat_traversal=yes<br>
plutodebug=control<br>
virtual_private=%v4:10.0.0.0/8,%v4:128.0.0.0/16,%v4:192.168.0.0/24,%v4:!192.168.1.0/24<br>
<br>
conn %default<br>
authby=secret<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
<br>
conn RPV<br>
left=10.0.0.10<br>
leftid="####"<br>
leftcert=newcert.pem<br>
leftnexthop=%defaultroute<br>
leftsubnet=192.168.1.0/24<br>
right=public ip host B<br>
rightnexthop=%defaultroute<br>
rightid="####"<br>
rightsubnet=128.0.0.0/16<br>
auto=add<br>
<br>
iptables:<br>
<br>
iptables -A INPUT -p udp --dport 4500 -j ACCEPT<br>
iptables -A INPUT -p udp --sport 4500 -j ACCEPT<br>
iptables -A INPUT -p 50 -j ACCEPT<br>
iptables -A INPUT -p 51 -j ACCEPT<br>
iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --dport 500 -j ACCEPT<br>
iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --sport 500 -j ACCEPT<br>
iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --sport 4500 -j ACCEPT<br>
iptables -I FORWARD -s 192.168.1.1 -d 10.0.0.10 -p udp --dport 4500 -j ACCEPT<br>
iptables -A INPUT -p udp -i eth1 --sport 500 --dport 500 -j ACCEPT<br>
iptables -A OUTPUT -p udp -o eth1 --sport 500 --dport 500 -j ACCEPT<br>
iptables -A FORWARD -d 10.0.0.10/16 -i ipsec+ -j ACCEPT<br>
<br>
<br>
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 128.0.0.0/16 -j MASQUERADE<br>
<br>
Route:<br>
<br>
<pre>
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
128.0.0.0       10.0.0.1        255.255.0.0     UG    0      0        0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth1
</pre>
<br>
<br>
<b>Host B</b><br>
ETH0 Openswan server 128.0.0.1<br>
ETH1 192.168.0.10<br>
GW 192.168.0.1<br>
<br>
<br>
ipsec.conf<br>
<br>
<br>
version 2.0 <br>
config setup<br>
forwardcontrol=yes<br>
interfaces=%defaultroute<br>
nat_traversal=yes<br>
plutodebug=control<br>
virtual_private=%v4:10.0.0.0/16,%v4:192.168.0.0/24,%v4:192.168.1.0/24,%v4:!128.0.0.0/16<br>
<br>
conn %default<br>
authby=secret<br>
leftrsasigkey=%cert<br>
rightrsasigkey=%cert<br>
<br>
conn RPV<br>
left=192.168.0.10<br>
leftid="####"<br>
leftnexthop=%defaultroute<br>
leftcert=newcert.pem<br>
leftsubnet=128.0.0.0/16<br>
right=public IP Host A<br>
rightid="####"<br>
rightnexthop=%defaultroute<br>
rightsubnet=192.168.1.0/24<br>
auto=add<br>
<br>
iptables:<br>
iptables -A INPUT -p udp -i eth1 --sport 500 --dport 500 -j ACCEPT<br>
iptables -A OUTPUT -p udp -o eth1 --sport 500 --dport 500 -j ACCEPT<br>
<br>
iptables -A INPUT -p udp --dport 4500 -j ACCEPT<br>
iptables -A INPUT -p udp --sport 4500 -j ACCEPT<br>
iptables -A INPUT -p 50 -j ACCEPT<br>
iptables -A INPUT -p 51 -j ACCEPT<br>
iptables -I FORWARD -s 128.0.0.1 -d 192.168.0.10 -p udp --dport 500 -j ACCEPT<br>
iptables -I FORWARD -s 128.0.0.1 -d 192.168.0.10 -p udp --sport 500 -j ACCEPT<br>
iptables -I FORWARD -s 128.0.0.1 -d 192.168.0.10 -p udp --sport 4500 -j ACCEPT<br>
iptables -I FORWARD -s 128.0.0.1 -d 192.168.0.10 -p udp --dport 4500 -j ACCEPT<br>
iptables -A FORWARD -d 192.168.0.10/24 -i ipsec+ -j ACCEPT<br>
<br>
iptables -t nat -A POSTROUTING -o eth1 -s 128.0.0.0/16 -d ! 192.168.1.0/24 -j MASQUERADE<br>
<br>
<br>
Route:<br>
<pre>
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.0.1     255.255.255.0   UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
128.0.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth1
</pre>
<br>
<br>
ipsec verify<br>
<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.4.6/K2.6.18-4-686 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY detected, testing for disabled ICMP send_redirects [OK]<br>
NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>
Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>
Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing<br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
Opportunistic Encryption Support [DISABLED]<br>
<br>
<br>
<br>
<b>When running ipsec auto --up RPV:</b><br>
<br>
104 "RPV" #1: STATE_MAIN_I1: initiate<br>
003 "RPV" #1: received Vendor ID payload [Openswan (this version) 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<br>
003 "RPV" #1: received Vendor ID payload [Dead Peer Detection]<br>
003 "RPV" #1: received Vendor ID payload [RFC 3947] method set to=110<br>
106 "RPV" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "RPV" #1: NAT-Traversal: Result using 3: both are NATed<br>
108 "RPV" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
004 "RPV" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<br>
117 "RPV" #2: STATE_QUICK_I1: initiate<br>
004 "RPV" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9e48c21a <0x36726b37 xfrm=AES_0-HMAC_SHA1 NATD=PublicIP Host B:4500 DPD=none}<br>
<br>
The connection is established, but there is no ping between the W2K3 server on Host A's LAN and the W2K3 server on Host B's LAN.<br>
<br>
<br>
LAN A:<br>
<br>
server W2K3 128.0.0.102<br>
server Linux 128.0.0.1<br>
<br>
<br>
LAN B:<br>
server W2K3 192.168.1.12<br>
server Linux 192.168.1.1<br>
<br>
Don't a class B LAN and a class C LAN work together?<br>
<br>
Thanks for your help.<br>
<br>
Raphaël<br>
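<br>
An added example, not part of Raphaël's post: a small Python checker for the two firewall interactions that matter for this setup on the NETKEY stack that ipsec verify reports. On NETKEY the nat POSTROUTING chain runs before IPsec encapsulation, so a MASQUERADE rule that still matches LAN-to-LAN traffic rewrites the source address before the tunnel policy is consulted; and ipsecN interfaces only exist with KLIPS, so rules bound to ipsec+ never match on NETKEY. The rule strings are copied from the Host A section above; the function and variable names are the example's own.<br>

```python
import ipaddress
import re
import shlex

# Constructed input: the two Host A rules quoted in the post, as plain strings.
HOST_A_RULES = [
    "iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d ! 128.0.0.0/16 -j MASQUERADE",
    "iptables -A FORWARD -d 10.0.0.10/16 -i ipsec+ -j ACCEPT",
]


def parse_rule(rule):
    """Pick out the options this checker needs from one iptables command line.
    Handles the old '-d ! net' negation used in the post as well as '! -d net'."""
    toks = shlex.split(rule)
    opts = {"neg_dst": False}
    pending_neg = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                      # new-style negation precedes the option
            pending_neg = True
            i += 1
            continue
        if t in ("-s", "-d", "-i", "-o", "-j"):
            val = toks[i + 1]
            if val == "!":                # old-style negation follows the option
                pending_neg = True
                val = toks[i + 2]
                i += 1
            opts[t] = val
            if t == "-d" and pending_neg:
                opts["neg_dst"] = True
            pending_neg = False
            i += 2
        else:
            i += 1
    return opts


def masquerade_hits_tunnel(rule, leftsubnet, rightsubnet):
    """True if a MASQUERADE rule would rewrite leftsubnet->rightsubnet packets
    before IPsec sees them (NETKEY: nat POSTROUTING runs before encapsulation)."""
    o = parse_rule(rule)
    if o.get("-j") != "MASQUERADE":
        return False
    left, right = ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)
    if "-s" in o and not ipaddress.ip_network(o["-s"]).overlaps(left):
        return False
    if "-d" not in o:
        return True                       # no destination restriction at all
    dst = ipaddress.ip_network(o["-d"])
    if o["neg_dst"]:
        return not right.subnet_of(dst)   # safe only if the whole remote subnet is excluded
    return dst.overlaps(right)


def klips_only_rules(rules):
    """Rules bound to an ipsecN device: KLIPS creates those, NETKEY does not."""
    return [r for r in rules if re.search(r"-[io]\s+ipsec", r)]
```

Run against the Host A rules, the masquerade check passes (128.0.0.0/16 is fully excluded) while the ipsec+ FORWARD rule is reported as dead on NETKEY.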
<br>
<br>
</body>
</html>