<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
</style>
</head>
<body class='hmmessage'>
Hi !<br> Looking at the configuration files i see that the encryption domains ( rightsubnet / leftsubnet ) are not defined in ipsec.conf files. The type of vpn is specified as transport ( type=transport ) and should be type=tunnel for full encrypted tunnel. From "ipsec verify" - i see that ip forwarding is turned off - which is fine if this is just a host-to-host setup and you don't want network behind these peers to communicate with each other across the tunnel - else turn forwarding on. Hope that helps.<br><br><span style="font-family: Tahoma,Helvetica,Sans-Serif; font-style: italic; font-weight: bold;">-<span style="font-family: Times New Roman,Times,Serif;"> Simon Charles - </span></span><br><br><br><br><br><hr id="stopSpelling">Date: Mon, 23 Feb 2009 11:52:46 +0000<br>From: alasupcom@yahoo.fr<br>To: users@openswan.org<br>Subject: [Openswan Users] Wrong conf ipsec<br><br><table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td style="font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; font-size: inherit; line-height: inherit; font-size-adjust: inherit; font-stretch: inherit; -x-system-font: none;" valign="top">Hi all;<br>I'm new in openswan mailing list.<br>I have estabilished ipsec tunnel beetwen two host machines.<br><br>172.30.0.3 - host A <------ipsec------> host B - 172.30.2.10<br><br>My /etc/ipsec.conf in host A is:<br><br style="background-color: rgb(0, 0, 191);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);">version 2.0 # conforms to second version of ipsec.conf specification</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"># basic configuration</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);">config setup</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"># Debug-logging controls: "none" for (almost) none, "all" for lots.</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"># klipsdebug=none</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"># plutodebug="control parsing"</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);">conn %default</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> keyingtries=0</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> # disablearrivalcheck=no</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> authby=rsasig</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> # leftrsasigkey=%dns</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> # rightrsasigkey=%dns</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);">conn test</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> auto=start</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> left=172.30.0.3</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> right=172.30.0.10</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);">
keyexchange=ike</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> esp=3des-sha1-96</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> keyingtries=0</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> rekeymargin=4m</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> type=transport</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);">
disablearrivalcheck=no</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> authby=secret</span><br style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"><span style="background-color: rgb(255, 255, 255); color: rgb(0, 0, 127);"> pfs=yes</span><br>and /etc/ipsec.secrets in A is:<br><br><span style="color: rgb(0, 0, 127);">172.30.0.10 172.30.0.3: PSK 0x123456</span><br><br>My /etc/ipsec.conf in host B is:<br>
<br><span style="color: rgb(0, 0, 127);">version 2.0 # conforms to second version of ipsec.conf specification</span><br style="color: rgb(0, 0, 127);"><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"># basic configuration</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">config setup</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"># Debug-logging controls: "none" for (almost) none, "all" for lots.</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> #klipsdebug=none</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> #plutodebug="control parsing"</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">conn %default</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> keyingtries=0</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> # disablearrivalcheck=no</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> authby=rsasig</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> # leftrsasigkey=%dns</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> # rightrsasigkey=%dns</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">conn test</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> auto=start</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> left=172.30.0.3</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> right=172.30.0.10</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> keyexchange=ike</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> esp=3des-sha1-96</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> keyingtries=0</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> rekeymargin=4m</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> type=transport</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> disablearrivalcheck=no</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> authby=secret</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> pfs=yes</span><br style="color: rgb(0, 0, 127);"><br>and /etc/ipsec.secrets in B is:<br><br><span style="color: rgb(0, 0, 127);">172.30.0.3 172.30.0.10: PSK 0x123456</span><br><br>i restart ipsec service and i (#ipsec auto --up test) in both host<br>i have this message:<br><span style="color: rgb(0, 0, 127);">117 "test" #14: STATE_QUICK_I1: initiate</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">004 "test" #14: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x11aed5dd <0xeabdc300 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}</span><br>and #ipsec setup status i have this message in both host<br><span style="color: rgb(0, 0, 127);">IPsec running - pluto pid: 3963</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">pluto pid 3963</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127); font-weight: bold;">No
tunnels up</span><br><br>i do #ipsec verify<br><span style="color: rgb(0, 0, 127);">Checking your system to see if IPsec got installed and started correctly:</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Version check and ipsec on-path [OK]</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Linux Openswan U2.6.14/K2.6.18-92.1.10.el5 (netkey)</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Checking for IPsec support in kernel [OK]</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">NETKEY detected, testing
for disabled ICMP send_redirects [FAILED]</span><br style="color: rgb(0, 0, 127);"><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> Please disable /proc/sys/net/ipv4/conf/*/send_redirects</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> or NETKEY will cause the sending of bogus ICMP redirects!</span><br style="color: rgb(0, 0, 127);"><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]</span><br style="color: rgb(0, 0, 127);"><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> or NETKEY will accept bogus ICMP redirects!</span><br style="color: rgb(0, 0, 127);"><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Checking for RSA private key (/etc/ipsec.secrets) [OK]</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Checking that pluto is running [OK]</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Two or more interfaces found, checking IP forwarding [FAILED]</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Checking for 'ip'
command [OK]</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Checking for 'iptables' command [OK]</span><br style="color: rgb(0, 0, 127);"><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);">Opportunistic Encryption DNS checks:</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> Looking for TXT in forward dns zone: RTPPROXY [MISSING]</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> Cannot execute command "host -t txt RTPPROXY": No such file or directory</span><br style="color: rgb(0, 0, 127);"><span style="color: rgb(0, 0, 127);"> Does the machine have at least one non-private address? [FAILED]</span><br style="color: rgb(0, 0, 127);"><br>I don't know where is the fault in my config<br>
Please who can help me.<br>Thanks.<br style="color: rgb(0, 0, 127);"><br style="color: rgb(0, 0, 127);"><br></td></tr></tbody></table><br></body>
</html>