<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
span.E-MailFormatvorlage17
{font-family:"Calibri","sans-serif";
color:windowtext}
.MsoChpDefault
{font-family:"Calibri","sans-serif"}
@page WordSection1
{margin:70.85pt 70.85pt 2.0cm 70.85pt}
div.WordSection1
{}
-->
</style>
</head>
<body lang="DE" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"><span lang="EN-US">I am new to OpenSwan – so I have to ask a few questions ;)</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">I have 2 Locations with static public IPs.
</span></p>
<p class="MsoNormal"><span lang="EN-US">Location A Linux Server with Ubuntu 10 Server, OpenSwan and iptables</span></p>
<p class="MsoNormal"><span lang="EN-US">Location B Lancom 1711 VPN Router</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">My Plan is to have a IPSec Tunnel between both locations and transfer all Internet Traffic from Location B over VPN to Location A and then to the Internet.</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Here is my Configuration for OpenSwan:</span></p>
<p class="MsoNormal"><span lang="EN-US"># /etc/ipsec.conf - Openswan IPsec configuration file</span></p>
<p class="MsoNormal"><span lang="EN-US"># RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"># This file: /usr/share/doc/openswan/ipsec.conf-sample</span></p>
<p class="MsoNormal"><span lang="EN-US">#</span></p>
<p class="MsoNormal"><span lang="EN-US"># Manual: ipsec.conf.5</span></p>
<p class="MsoNormal"><span lang="EN-US">version 2.0 # conforms to second version of ipsec.conf specification</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"># basic configuration</span></p>
<p class="MsoNormal"><span lang="EN-US">config setup</span></p>
<p class="MsoNormal"><span lang="EN-US"> forwardcontrol=yes</span></p>
<p class="MsoNormal"><span lang="EN-US"> interfaces=%defaultroute</span></p>
<p class="MsoNormal"><span lang="EN-US"> nat_traversal=yes</span></p>
<p class="MsoNormal"><span lang="EN-US"> oe=off</span></p>
<p class="MsoNormal"><span lang="EN-US"> protostack=netkey</span></p>
<p class="MsoNormal"><span lang="EN-US"> syslog=user.debug</span></p>
<p class="MsoNormal"><span lang="EN-US"> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">conn HOME</span></p>
<p class="MsoNormal"><span lang="EN-US"> auth=esp</span></p>
<p class="MsoNormal"><span lang="EN-US"> authby=secret</span></p>
<p class="MsoNormal"><span lang="EN-US"> auto=start</span></p>
<p class="MsoNormal"><span lang="EN-US"> esp=aes-128-md5</span></p>
<p class="MsoNormal"><span lang="EN-US"> ike=aes256</span></p>
<p class="MsoNormal"><span lang="EN-US"> ikelifetime=8000s</span></p>
<p class="MsoNormal"><span lang="EN-US"> keylife=2000s</span></p>
<p class="MsoNormal"><span lang="EN-US"> left=212.117.XXX.XXX</span></p>
<p class="MsoNormal"><span lang="EN-US"> leftid=212.117.XXX.XXX</span></p>
<p class="MsoNormal"><span lang="EN-US"> leftnexthop=%defaultroute</span></p>
<p class="MsoNormal"><span lang="EN-US"> leftsubnet=0.0.0.0/0</span></p>
<p class="MsoNormal"><span lang="EN-US"> pfs=no</span></p>
<p class="MsoNormal"><span lang="EN-US"> right=217.92.XXX.XXX</span></p>
<p class="MsoNormal"><span lang="EN-US"> rightid=217.92.XXX.XXX</span></p>
<p class="MsoNormal"><span lang="EN-US"> rightnexthop=%defaultroute</span></p>
<p class="MsoNormal"><span lang="EN-US"> rightsubnet=10.70.0.0/24</span></p>
<p class="MsoNormal"><span lang="EN-US"> type=tunnel</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">The Configuration on Site B is Supported from the Vendor an should be no Problem I have done this several Times with the Lancom Boxes.
</span></p>
<p class="MsoNormal"><span lang="EN-US">I can’t export the Configuration in a readable Form so here a few Things from Site B</span></p>
<p class="MsoNormal"><span lang="EN-US">Nat-Traversal: Yes</span></p>
<p class="MsoNormal"><span lang="EN-US">DPD: 60 Seconds</span></p>
<p class="MsoNormal"><span lang="EN-US">Dynamic: No</span></p>
<p class="MsoNormal"><span lang="EN-US">IKE-Exchange: Main Mode</span></p>
<p class="MsoNormal"><span lang="EN-US">Certificate Authentication: No</span></p>
<p class="MsoNormal"><span lang="EN-US">Let Remote Site choose the Remote Network: No</span></p>
<p class="MsoNormal"><span lang="EN-US">SAs: Shared for KeepAlive</span></p>
<p class="MsoNormal"><span lang="EN-US">PFS:No</span></p>
<p class="MsoNormal"><span lang="EN-US">IKE Group: 2 MODP-1024</span></p>
<p class="MsoNormal"><span lang="EN-US">IKE-Proposals: AES CBC 128bit Hash MD5 Lifetime 8000 Seconds</span></p>
<p class="MsoNormal"><span lang="EN-US">IPSec-Proposals: Mode Tunnel, Enryption-ESP AES-CBC 128 bit , Auth-ESP HMAC-MD5, No AH, No IPCOMP, Lifetime 2000 Seconds</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">In the Routing Table is an Entry for 0.0.0.0/0 where the VPN is defined as Default Gateway/Nexthop</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">So here is the Problem:</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Actually my Lancom Box says the VPN Connection is established.</span></p>
<p class="MsoNormal"><span lang="EN-US">But no Traffic is going over the VPN to the Internet.
</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US">Lancom Tracelog:</span></p>
<p class="MsoNormal"><span lang="EN-US">[VPN-Status] 2011/04/29 20:30:50,033 Devicetime: 2011/04/29 20:30:50,180
<br>
IKE info: Phase-1 negotiation started for peer LUX rule isakmp-peer-LUX using MAIN mode
<br>
[VPN-Status] 2011/04/29 20:30:50,258 Devicetime: 2011/04/29 20:30:50,210 <br>
IKE info: Phase-1 remote proposal 1 for peer LUX matched with local proposal 1 <br>
<br>
[VPN-Status] 2011/04/29 20:30:50,459 Devicetime: 2011/04/29 20:30:50,470 <br>
IKE info: Phase-1 [inititiator] for peer LUX between initiator id 217.92.35.33, responder id 212.117.175.46 done
<br>
IKE info: SA ISAKMP for peer LUX encryption aes-cbc authentication md5 <br>
IKE info: life time ( 8000 sec/ 0 kb) <br>
[VPN-Status] 2011/04/29 20:30:50,459 Devicetime: 2011/04/29 20:30:50,470 <br>
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer LUX set to 6400 seconds (Initiator)
<br>
<br>
[VPN-Status] 2011/04/29 20:30:50,474 Devicetime: 2011/04/29 20:30:50,470 <br>
IKE info: Phase-1 SA Timeout (Hard-Event) for peer LUX set to 8000 seconds (Initiator)
<br>
<span style="color:red">[VPN-Status] 2011/04/29 20:30:50,474 Devicetime: 2011/04/29 20:30:50,520
<br>
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer LUX</span> <br>
<br>
<br>
[VPN-Status] 2011/04/29 20:30:56,381 Devicetime: 2011/04/29 20:30:56,530 <br>
IKE info: Phase-2 remote proposal 1 for peer LUX matched with local proposal 1 <br>
<br>
[VPN-Status] 2011/04/29 20:30:56,583 Devicetime: 2011/04/29 20:30:56,560 <br>
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer LUX set to 1800 seconds (Responder)
<br>
<br>
[VPN-Status] 2011/04/29 20:30:56,583 Devicetime: 2011/04/29 20:30:56,560 <br>
IKE info: Phase-2 SA Timeout (Hard-Event) for peer LUX set to 2000 seconds (Responder)
<br>
<br>
[VPN-Status] 2011/04/29 20:30:56,594 Devicetime: 2011/04/29 20:30:56,560 <br>
IKE info: Phase-2 [responder] done with 2 SAS for peer LUX rule ipsec-0-LUX-pr0-l0-r0
<br>
IKE info: rule:' ipsec 10.70.0.0/255.255.255.0 <-> 0.0.0.0/0.0.0.0 ' <br>
IKE info: SA ESP [0x37ca9ff0] alg AES keylength 128 +hmac HMAC_MD5 outgoing <br>
IKE info: SA ESP [0x7c42c092] alg AES keylength 128 +hmac HMAC_MD5 incoming <br>
IKE info: life soft( 1800 sec/0 kb) hard (2000 sec/0 kb) <br>
IKE info: tunnel between src: 217.92.35.33 dst: 212.117.175.46 <br>
<br>
[VPN-Status] 2011/04/29 20:30:57,444 Devicetime: 2011/04/29 20:30:57,570 <br>
VPN: LUX (212.117.175.46) connected <br>
<br>
<span style="color:red">[VPN-Status] 2011/04/29 20:30:57,636 Devicetime: 2011/04/29 20:30:57,620
<br>
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer LUX</span></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif"">[VPN-Packet] 2011/04/29 20:16:38,560 Devicetime: 2011/04/29 20:16:38,510
<br>
no sa available: give up, should be retransmitted: 10.70.20.100->217.237.151.142 82 UDP port 65370->53
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif""> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif""> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif"">As Attachment ive added the output from ipsec barf and ipsec auto –status</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif""> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif"">Hoping for some suggetions.</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif""> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif"">Best Regards
</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif""> </span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt; font-family:"Times New Roman","serif"">Sebastian</span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
<p class="MsoNormal"><span lang="EN-US"> </span></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1"><br>
---------------------------------<br>
Non-Public E-Mail Hosting by www.it-freakz.net<br>
<br>
Diese E-Mail ist nur für den Empfänger bestimmt, an den sie gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten.<br>
Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck ist strengstens untersagt.<br>
</font>
</body>
</html>