Hello, I'm trying to set up a pretty straightforward VPN tunnel from my house to my friend's house. We both have Debian machines of the same release and both have the same version of Openswan. I've dug through every tutorial and such that I can find and everything LOOKS right to me, but it's just not picking up and going.

Both machines have two NICs: one connected to the cable modem which gets a real-world IP (eth1 in both cases) and one that gets the private IP (eth0, 192.168.0.3 for left; eth2, 192.168.1.3 for right).

IP masquerading is running on both machines so that the private networks can spoof out behind the public IPs on eth1, and iptables is set up on both to drop all packets that do not have an explicit 'accept' statement in the rules (the very last rule is to drop anything not specifically allowed higher up), with an 'established' clause at the very beginning of the set.

I'm stumped... I'm hoping a few more sets of eyes looking at this will get me back on track.

So, with that as a preliminary, here's the meat of the matter.

------------config file (identical on both machines)-----------
config setup
        nat_traversal=no
        nhelpers=0

conn net-to-net
        left=69.x.x.x
        leftsubnet=192.168.0.0/24
        leftid=@user-12l.x.x.x
        leftrsasigkey=0sAQN0kZV......
        leftnexthop=%defaultroute
        right=70.x.x.x
        rightsubnet=192.168.1.0/24
        rightid=@cpe-70-x.x.x
        rightrsasigkey=0sAQOOk......
        rightnexthop=%defaultroute
        auto=start

include /etc/ipsec.d/examples/no_oe.conf
-------------------------------

Iptables rules that I've put in place on both machines to try and accept all traffic for ipsec:
-------
iptables -A INPUT -i eth1 -p 50 -j ACCEPT
iptables -A INPUT -i eth1 -p 51 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -d \! 192.168.1.0/24 -j MASQUERADE   (left host masquerade rule)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 192.168.1.0/24 -j MASQUERADE   (right host masquerade rule)

Output rules that may or may not be related:
iptables -A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT   (192.168.1 and eth2 on right host)
iptables -A OUTPUT -s 255.255.255.255 -o eth1 -j ACCEPT
-------

When I go to start ipsec, this is what I see:
-----------------
/etc/init.d/ipsec start
ipsec_setup: NETKEY on eth1 70.112.22.94/255.255.240.0 broadcast 255.255.255.255
ipsec_setup: ...Openswan IPsec started
ipsec_setup: Starting Openswan IPsec 2.4.12...
ipsec_setup: Starting Openswan IPsec 2.4.12...
ipsec__plutorun: 104 "net-to-net" #1: STATE_MAIN_I1: initiate
ipsec__plutorun: ...could not start conn "net-to-net"
------------------

Here's my route table (right host) after starting up ipsec:
---------
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U       0 0        0 eth2
192.168.0.0     70.x.x.1        255.255.255.0   UG      0 0        0 eth1
70.x.x.0        0.0.0.0         255.255.240.0   U       0 0        0 eth1
0.0.0.0         70.x.x.1        0.0.0.0         UG      0 0        0 eth1
----------

And finally, this is what I get from a --status check on the right host (the left host is similar in all respects to this for routing and status):

ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 70.x.x.x
000 interface eth2/eth2 192.168.1.3
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net": 192.168.1.0/24===70.x.x.x[@cpe-70-x.x.x]---70.x.x.1...70.x.x.1---69.x.x.48[@user-12l.x.x.x]===192.168.0.0/24; erouted; eroute owner: #4
000 "net-to-net": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1; encap: esp;
000 "net-to-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28496s
000 #3: "net-to-net" esp.33b504ac@69.x.x.x esp.ffa99974@70.x.x.x tun.0@69.x.x.x tun.0@70.x.x.x
000 #2: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3295s; lastdpd=-1s(seq in:0 out:0)
000 #4: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27952s; newest IPSEC; eroute owner
000 #4: "net-to-net" esp.27529dc9@69.x.x.x esp.c086da7@70.x.x.x tun.0@69.x.x.x tun.0@70.x.x.x
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2979s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
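One thing worth checking on a setup like the one above, as an added example that is not part of the original post: the status output shows both the ISAKMP SA (#1) and an IPsec SA (#4) established, so IKE negotiation succeeded and the question becomes whether the LAN traffic is actually selected into the tunnel. The stack is NETKEY (per the "NETKEY on eth1" line), and on NETKEY there is no ipsec0 interface: a packet for the remote subnet goes through the nat POSTROUTING chain before it is matched against the IPsec policy and encapsulated. A MASQUERADE rule that does not exclude the peer's subnet rewrites the source to the public IP first, after which the packet no longer matches the 192.168.x.0/24 selector and never enters the tunnel. The script below checks masquerade rules for exactly that, using the two rules from the post (rewritten in iptables-save form as a constructed sample) as input. The function names, the sample strings and the suggested replacement rule are mine, not Openswan's or the poster's.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that every MASQUERADE
# rule on the public interface that covers the local subnet also excludes
# the IPsec peer's subnet. On a NETKEY host the nat POSTROUTING chain runs
# before ESP encapsulation, so a rule without that exclusion rewrites the
# source address of tunnel-bound packets and they fall out of the tunnel.

# Constructed sample input: the two rules from the post, as iptables-save
# would print them (the shell turns "\!" into "!", which iptables-save
# prints in front of the option).
LEFT_RULES='-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.1.0/24 -o eth1 -j MASQUERADE'
RIGHT_RULES='-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -o eth1 -j MASQUERADE'

# masq_excludes_peer LOCAL_SUBNET PEER_SUBNET PUBLIC_IF RULES
# Returns 0 when every MASQUERADE rule on PUBLIC_IF whose source is
# LOCAL_SUBNET also carries "! -d PEER_SUBNET"; returns 1 and prints the
# offending rule otherwise. Other NAT rules are ignored.
masq_excludes_peer() {
    local_net=$1 peer_net=$2 pub_if=$3
    status=0
    while IFS= read -r line; do
        case "$line" in
            *"-j MASQUERADE"*) ;;
            *) continue ;;
        esac
        case "$line" in
            *"-o $pub_if "*|*"-o $pub_if") ;;
            *) continue ;;
        esac
        case "$line" in
            *"-s $local_net "*|*"-s $local_net") ;;
            *) continue ;;
        esac
        # Accept both the iptables-save spelling and the older "-d ! addr".
        case "$line" in
            *"! -d $peer_net "*|*"! -d $peer_net"|*"-d ! $peer_net "*|*"-d ! $peer_net") ;;
            *) printf 'NAT rule would rewrite tunnel traffic: %s\n' "$line"
               status=1 ;;
        esac
    done <<EOF
$4
EOF
    return $status
}

# fixed_masq_rule LOCAL_SUBNET PEER_SUBNET PUBLIC_IF
# Prints a masquerade rule that leaves traffic for the peer subnet alone.
fixed_masq_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s ! -d %s -j MASQUERADE\n' "$3" "$1" "$2"
}

# Left host: local 192.168.0.0/24, peer 192.168.1.0/24.
if masq_excludes_peer 192.168.0.0/24 192.168.1.0/24 eth1 "$LEFT_RULES"; then
    echo "left host: masquerade rule excludes the peer subnet"
fi
# Right host: local 192.168.1.0/24, peer 192.168.0.0/24. The rule as posted
# excludes the right host's own subnet rather than the left one.
if ! masq_excludes_peer 192.168.1.0/24 192.168.0.0/24 eth1 "$RIGHT_RULES"; then
    echo "right host: suggested replacement:"
    fixed_masq_rule 192.168.1.0/24 192.168.0.0/24 eth1
fi
```

On a live box, feed it the real rules with `iptables-save -t nat` instead of the sample strings. An alternative that does not depend on listing the peer subnet in every NAT rule is an `ACCEPT` rule placed before the MASQUERADE in nat POSTROUTING that matches `-m policy --pol ipsec --dir out`, so anything already covered by an outbound IPsec policy is never NATed.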