<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<small>I read more documentation about openswan and vpn and I think
I now have a clear view of the network infrastructure... So here
are the details.<br>
<br>
<br>
machine 1 (ubuntu 9.10 (kernel 2.6.31) with openswan 2.6.22 (using
netkey))<br>
192.168.1.200 #DMZ# (static ip provided by the adsl box)<br>
|<br>
|<br>
|<br>
192.168.1.1<br>
adsl box with NAT<br>
217.128.31.99<br>
|<br>
|<br>
INTERNET<br>
|<br>
|<br>
82.239.74.246<br>
adsl box with NAT<br>
192.168.1.1<br>
|<br>
|<br>
|<br>
192.168.1.100 #DMZ# (static ip provided by the adsl box)<br>
machine 2 (ubuntu 8.04 (kernel 2.6.24) with openswan 2.4.9 (using
netkey))<br>
<br>
I want to establish a vpn between machine 1 and machine 2 and I
want only these two machines to be accessible through the vpn.<br>
<br>
Here are the configuration files :</small><br>
<br>
<b>machine 1:</b><br>
<br>
<pre>version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        oe=off
        protostack=netkey
        virtual_private=%v4:10.0.0.0/8,%4:172.16.40.0/24,%4:192.168.0.0/16
        nhelpers=0

#vpn connection
conn net-to-net
        keyingtries=2
        authby=secret
        type=tunnel
        keyexchange=ike
        left=192.168.1.200
        leftid=192.168.1.200
        leftsubnet=192.168.1.210/30
        leftnexthop=%defaultroute
        right=82.239.74.246
        rightid=82.239.74.246
        rightsubnet=192.168.1.110/30
        rightnexthop=%defaultroute
        auto=add</pre>
<br>
<b>machine 2:</b><br>
<br>
<pre wrap="">version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
        protostack=netkey
        nhelpers=0

# vpn connection
conn net-to-net
        keyingtries=2
        authby=secret
        type=tunnel
        keyexchange=ike
        left=192.168.1.100
        leftid=192.168.1.100
        leftsubnet=192.168.1.110/30
        leftnexthop=%defaultroute
        right=217.128.31.99
        rightid=217.128.31.99
        rightsubnet=192.168.1.210/30
        rightnexthop=%defaultroute
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
</pre>
<br>
<small>There must be something wrong with the configuration but I
don't know what...<br>
Also, I'm not sure about what to write inside the ipsec.secrets
file. I want to use a <b>PSK</b> and I know I must write
something like left ip right ip: PSK "mysecretkey", but I don't
know if I should use the local ip addresses of machine 1 and machine
2 or the public ips of adsl box 1 and 2. Does the content of the
ipsec.secrets file have to be exactly the same on both sides, or
should I invert the ips according to the left and right side? <br>
<br>
On machine 1, <b>ipsec verify</b> returns everything as OK except
the Opportunistic Encryption Support, which is disabled.<br>
On machine 2, <b>ipsec verify</b> returns everything as OK except
the "<b>Checking for RSA private key : ipsec showhostkey: no
default key in "/etc/ipsec.secrets</b>"</small><br>
<br>
<small>The actual content of the machine 1 ipsec.secrets file is:
192.168.1.200 %any: PSK "testkey"<br>
For machine 2, it is: 192.168.1.100 %any: PSK "testkey"</small><br>
<br>
<small>When I start ipsec and the tunnel, it doesn't succeed. The
result of the ipsec barf command contains:<br>
<br>
can't authenticate: no preshared key found for '192.168.1.100' and
'217.128.31.99'. Attribute OAKLEY_AUTHENTICATION_METHOD</small><br>
<br>
<small>There is obviously a problem with the ipsec.secrets config on
machine 2 side but I don't know how to fix it...<br>
<br>
If you need more information, please feel free to ask :)<br>
<br>
Thank you for your help :)<br>
<br>
<br>
</small><br>
On 06/12/2010 19:17, Neal Murphy wrote:
<blockquote cite="mid:201012061317.15373.neal.p.murphy@alum.wpi.edu"
type="cite">
<pre wrap="">On Monday 06 December 2010 04:48:50 Gary Long wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi again :)
Sorry for the late answer. I wasn't able to work on this until today =(
I tried the ip addr command on both computer and they both have only
their local ip addresses on eth0.
machine 1 :
inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
machine 2:
inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
</pre>
</blockquote>
<pre wrap="">
Will having the same subnet at both ends cause problems?
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
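An added example, not from this thread or from the Openswan project: a small Python model of the ipsec.secrets lookup, run against constructed sample files. It pulls the leftid/rightid that a conn makes pluto look up (the IDs named in the barf error above, not left/right or the box's other address) and checks whether a candidate secrets line covers that pair; the ID list before the colon is unordered and %any is the wildcard, so the same line can serve both ends. Assumed: entries are plain `ids: PSK "key"` lines with IPv4 or @name IDs, and the preference for the entry with the fewest wildcards is the documented behaviour, modelled here rather than taken from pluto's source.

```python
import re

# Constructed samples (not the poster's real key material or files).
SECRETS_WILDCARD = '192.168.1.100 %any: PSK "testkey"\n'
SECRETS_EXPLICIT = '''# one entry per peer pair; the ID list before the colon is unordered
192.168.1.100 217.128.31.99: PSK "testkey"
@laptop @gateway: PSK "otherkey"
'''
CONF_MACHINE2 = '''conn net-to-net
        left=192.168.1.100
        leftid=192.168.1.100
        right=217.128.31.99
        rightid=217.128.31.99
'''
ENTRY_RE = re.compile(r'^\s*(?P<ids>[^:]*?)\s*:\s*PSK\s+"(?P<key>[^"]*)"\s*$')

def parse_secrets(text):
    """Return [(id_list, key), ...] for every PSK entry; comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip().startswith('#') and (m := ENTRY_RE.match(line)):
            entries.append((m.group('ids').split(), m.group('key')))
    return entries

def conn_ids(conf, conn):
    """leftid/rightid of one conn: these, not left/right, are what pluto looks up."""
    ids, inside = {}, False
    for line in conf.splitlines():
        s = line.strip()
        if s.startswith('conn '):
            inside = s.split(None, 1)[1] == conn
        elif inside and '=' in s:
            k, v = (p.strip() for p in s.split('=', 1))
            if k in ('leftid', 'rightid'):
                ids[k] = v
    return ids.get('leftid'), ids.get('rightid')

def find_psk(secrets, local_id, peer_id):
    """Model of the secrets lookup: an entry applies when both IDs appear in its list
    (%any matches anything, an empty list matches everything); fewest wildcards wins."""
    best = None
    for ids, key in parse_secrets(secrets):
        if ids and not all(any(p in ('%any', i) for p in ids) for i in (local_id, peer_id)):
            continue
        score = ids.count('%any') if ids else 2
        if best is None or score < best[0]:
            best = (score, key)
    return best[1] if best else None
```

The model covers ID matching only; it says nothing about whether pluto has actually loaded the file it was given.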
</body>
</html>