<div dir="ltr">I have tried to implement VPN remote access from my home to my office...<br><br>I already bought the book Building and Integrating Virtual Private Networks with Openswan...<br><br>but I still have problems making a connection to my office..<br>
<br>For your information, my network structure is like this:<br><br>roadwarrior======outside network====firewall====DMZ====vpnserver<br><br>This is my ipsec.conf:<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br>
<br># basic configuration<br>config setup<br> interfaces="ipsec1=eth1"<br> # interfaces=%defaultroute<br> # plutodebug / klipsdebug = "all", "none" or a combation from below:<br>
# "raw crypt parsing emitting control klips pfkey natt x509 private"<br> # eg: plutodebug="control parsing"<br> #<br> # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!<br>
#<br> # NAT-TRAVERSAL support, see README.NAT-Traversal<br> nat_traversal=yes<br> virtual_private=%v4:219.93.36.0/24,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24<br>
plutodebug=none<br> plutostderrlog=/var/log/pluto.log<br> #<br> # enable this if you see "failed to find any available worker"<br> # nhelpers=0<br> # uniqueids=yes<br><br>
# Add connections here<br> <br>conn %default<br> authby=rsasig<br> keyingtries=1<br> compress=yes<br> disablearrivalcheck=no<br> ikelifetime=1h<br> leftrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol<br>
# leftcert=/etc/ipsec.d/private/mykey.pem<br> rightrsasigkey=0sAQNVXmjfKU5XMZqIGYQD5qtn7FpL9Fq0kgXTOnbLp1Lz1mib1xK39xzM+4d/y2qEkYal2HNf+EXuDj2ZXKIGbePXBVLZOLiSR00N1o8Nk9qYkXffi75yK24HxwgJRtC5In6lev7APqa6bufEnylDInXXa4KZ4WKkvOIK+2IQWTqxUsmKuM1Wn2/1TdHQbKJzeCzyLCk3fFDmRW74hj/YGag0uUxT6sRQ1Pl1woIQK3PoBaz7uutTwcwzmbjKw58qrqGL2I4xkWsHHpFWZMzwdwYlfyVj/8SjGFBAvaS2Axea4Ow6dKn9L4tGih4urjaT/p/lWM5fLxR2MTapsTS6Kt2WaAciJ7kEUGOoFHOmz+8xXDol<br>
auto=ignore<br><br> #conn roadwarrior-all<br> # leftsubnet=0.0.0.0/0<br> # also=roadwarrior<br><br>conn road<br> type=tunnel<br> forceencaps=yes<br> left=219.93.36.214<br>
# left=%defaultroute<br> leftcert=mycert.pem<br> leftid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E=.net"<br> # leftid=@vpnserver.scan-associates.net<br>
# leftnexthop=219.93.36.xxx<br> right=60.54.220.178<br> # right=%any<br> # rightsubnet=vhost:%no,%priv<br> rightprotoport=17/1701<br> # rightnexthop=%defaultroute<br> leftprotoport=17/1701<br>
leftsubnet=192.168.1.0/24<br> esp=aes128-sha1<br> ike=aes128-sha<br> rightid="C=MY, ST=Selangor, O=Scan Berhad, OU=Isd, CN=vpnserver, E="<br> pfs=no<br> dpddelay=40<br>
dpdtimeout=130<br> dpdaction=clear<br> leftupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh<br> rightupdown=/opt/commsmundi/htdocs/networking/scripts/monitor_vpn.sh<br> auto=add<br><br>
<br><br>#conn roadwarrior-l2tp<br> # ike=aes128-md5-modp1024<br> # esp=aes128-md5<br> # type=transport<br> # auth=esp<br> #left=192.168.1.74<br> # left=219.xx.36.xxx<br>
#leftcert=mycert.pem<br> # leftprotoport=17/1701<br> # right=219.93.152.23<br> #right=219.xx.36.xxx<br> # rightprotoport=17/1701<br> # pfs=no<br> # auto=add<br>
<br><br>#conn roadwarrior-l2tp-oldwin<br> # left=219.xx.36.xxx<br> # left=%defaultroute<br> # leftcert=mycert.pem<br> # leftprotoport=17/0<br> # right=219.95.57.226<br>
# rightprotoport=17/1701<br> # rightsubnet=vhost:%no,%priv<br> # pfs=no<br> # auto=add<br><br>conn block<br> auto=ignore<br><br>conn private<br> auto=ignore<br><br>conn private-or-clear<br>
auto=ignore<br><br>conn clear-or-private<br> auto=ignore<br><br>conn clear<br> auto=ignore<br><br>conn packetdefault<br> auto=ignore<br> <br># sample VPN connections, see /etc/ipsec.d/examples/<br><br>
#Disable Opportunistic Encryption<br>include /etc/ipsec.d/examples/no_oe.conf<br><br><br>When I tried to bring up the connection, this is the error log in pluto.log:<br><br>"road" #4: initiating Main Mode<br>
"road" #4: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]<br>
"road" #4: ERROR: asynchronous network error report on eth1 (sport=500) for message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]<br>
"road" #4: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message<br></div>
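The following is an added diagnostic helper, not code from the poster or from Openswan. It does two things a reviewer of the message above would do by hand: it parses pluto's "asynchronous network error report" lines to name the ICMP error they carry (here type 3 code 3, port unreachable, which pluto itself marks "(not authenticated)" because the ICMP report is not IPsec-protected), and it reads an ipsec.conf in the posted layout and flags the settings visible in the "road" connection that are worth checking before looking at the network: the same RSA public key on both leftrsasigkey and rightrsasigkey, and L2TP port selectors (17/1701) combined with type=tunnel and a leftsubnet. The sample configuration and log line are constructed, shortened copies of what the post shows; 0sPLACEHOLDERKEY stands in for the long key, and the regular expression assumes the pluto log format exactly as quoted.

```python
# Added example, not from the original post: parses the pluto.log error lines quoted
# above and lints an ipsec.conf like the posted one before blaming the network.
import re
from typing import Dict, List

# ICMP type 3 (destination unreachable) codes seen when UDP/500 reaches no IKE daemon.
ICMP_UNREACH_CODES = {
    3: "port unreachable: nothing listens on the peer's UDP port, or a firewall rejects it",
    13: "communication administratively prohibited (filtered)",
}

PLUTO_ASYNC_ERR = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): ERROR: asynchronous network error report on '
    r'(?P<iface>\S+) \(sport=(?P<sport>\d+)\) for message to (?P<peer>\S+) port '
    r'(?P<dport>\d+), complainant (?P<complainant>\S+): (?P<text>.*?) \[errno '
    r'(?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)'
)


def parse_pluto_error(line: str) -> dict:
    """Fields of one pluto 'asynchronous network error report' line, else {}."""
    m = PLUTO_ASYNC_ERR.match(line.strip())
    if not m:
        return {}
    d = m.groupdict()
    d["icmp_type"], d["icmp_code"] = int(d["type"]), int(d["code"])
    d["diagnosis"] = (ICMP_UNREACH_CODES.get(d["icmp_code"], "unreachable, other code")
                      if d["icmp_type"] == 3 else f"ICMP type {d['icmp_type']}")
    # "(not authenticated)": the ICMP report is not IPsec-protected, so anything on
    # the path could have sent it; treat it as a hint, not as proof of the peer's state.
    d["authenticated"] = "(not authenticated)" not in line
    return d


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader: 'conn NAME' / 'config setup' start in column 0, key=value lines
    are indented; comments are dropped and surrounding quotes on values stripped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            words = line.split()  # 'version 2.0', 'include ...' are not sections
            current = " ".join(words) if words[0] in ("conn", "config") and len(words) == 2 else None
            if current:
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lint_conf(text: str, name: str) -> List[str]:
    """Checks drawn from the posted 'road' connection, with 'conn %default' applied first."""
    sections = parse_ipsec_conf(text)
    conn = {**sections.get("conn %default", {}), **sections.get(f"conn {name}", {})}
    findings: List[str] = []
    if conn.get("leftrsasigkey") and conn.get("leftrsasigkey") == conn.get("rightrsasigkey"):
        findings.append("leftrsasigkey equals rightrsasigkey: the peer would be checked "
                        "against this host's own public key instead of its own")
    l2tp = "17/1701" in (conn.get("leftprotoport"), conn.get("rightprotoport"))
    if l2tp and conn.get("type", "tunnel") == "tunnel":
        findings.append("L2TP selectors (17/1701) with type=tunnel: L2TP/IPsec "
                        "clients negotiate transport mode")
    if l2tp and ("leftsubnet" in conn or "rightsubnet" in conn):
        findings.append("a subnet plus an L2TP port selector on one side is not one "
                        "traffic selector; drop the subnet for transport mode")
    return findings


# Constructed, shortened copy of the posted configuration; 0sPLACEHOLDERKEY stands in
# for the long RSA key that appears on both sides in the post.
SAMPLE_CONF = """\
version 2.0
conn %default
 authby=rsasig
 leftrsasigkey=0sPLACEHOLDERKEY
 rightrsasigkey=0sPLACEHOLDERKEY
 auto=ignore
conn road
 type=tunnel
 left=219.93.36.214
 right=60.54.220.178
 leftprotoport=17/1701
 leftsubnet=192.168.1.0/24
 auto=add
"""

# Constructed copy of the error line quoted from pluto.log in the post.
SAMPLE_LOG = (
    '"road" #4: ERROR: asynchronous network error report on eth1 (sport=500) for '
    'message to 60.54.220.178 port 500, complainant 60.54.220.178: Connection '
    'refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]'
)
```

Run `parse_pluto_error(SAMPLE_LOG)` and `lint_conf(SAMPLE_CONF, "road")` to see both sides of the diagnosis. The network result says the peer at 60.54.220.178 answered UDP/500 with "port unreachable", so no IKE responder (or a rejecting firewall) sits at that address; because the report is unauthenticated it only tells you where to look, not what is there. The configuration result lists the three settings that would still stop the "road" connection once the peer does answer.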