<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#ffffff">
I have a problem using openswan ipsec (2.6.31).<br>
I have a working configuration on ADSL (ppp), but when using the same
conf on FTTH it doesn't work.<br>
<br>
ipsec.conf:<br>
<pre>
config setup
    interfaces="ipsec0=ppp0"
    nat_traversal=no
    oe=off
    protostack=klips
    uniqueids=yes

# default settings for connections
conn %default
    authby=secret
    ikelifetime=86400s
    keylife=3600s
    keyingtries=0
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
    sareftrack=no

include /etc/ipsec.d/remote
</pre>
<br>
remote conf:<br>
<pre>
conn remote-all
    authby=secret
    auto=start
    # Left security gateway, subnet behind it, next hop toward right.
    left=192.168.33.130
    leftsubnet=0.0.0.0/0
    #leftnexthop=%defaultroute
    # Right security gateway, subnet behind it, next hop toward left.
    right=10.231.249.166
    rightsubnet=0.0.0.0/0
    rightsourceip=10.228.248.1
</pre>
<br>
<br>
<br>
This works on ppp, but if I switch to FTTH on eth2 the conf looks
like this<br>
(the only differences are the interface, eth2 instead of ppp0, and a different WAN IP):<br>
<br>
ipsec.conf:<br>
<pre>
config setup
    interfaces="ipsec0=<b>eth2</b>"
    nat_traversal=no
    oe=off
    protostack=klips
    uniqueids=yes

# default settings for connections
conn %default
    authby=secret
    ikelifetime=86400s
    keylife=3600s
    keyingtries=0
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
    sareftrack=no

include /etc/ipsec.d/remote
</pre>
<br>
/etc/ipsec.d/remote:<br>
<pre>
conn remote-all
    authby=secret
    auto=start
    # Left security gateway, subnet behind it, next hop toward right.
    left=192.168.33.130
    leftsubnet=0.0.0.0/0
</pre>
I tried here with the IP of the default GW for FTTH or %defaultroute but
it won't connect:<br>
<pre>
    #leftnexthop=%defaultroute
    # Right security gateway, subnet behind it, next hop toward left.
    right=10.253.19.226
    rightsubnet=0.0.0.0/0
    rightsourceip=10.228.248.1
</pre>
<br>
Here is the error:<br>
<pre>
Jun 15 10:34:11 localhost pluto[8875]: Starting Pluto (Openswan Version 2.6.31; Vendor ID OE}GnD\177ZAYe[) pid:8875
Jun 15 10:34:11 localhost pluto[8875]: LEAK_DETECTIVE support [enabled]
Jun 15 10:34:11 localhost pluto[8875]: SAref support [disabled]: Protocol not available
Jun 15 10:34:11 localhost pluto[8875]: SAbind support [disabled]: Protocol not available
Jun 15 10:34:11 localhost pluto[8875]: NSS support [disabled]
Jun 15 10:34:11 localhost pluto[8875]: HAVE_STATSD notification support not compiled in
Jun 15 10:34:11 localhost pluto[8875]: Setting NAT-Traversal port-4500 floating to off
Jun 15 10:34:11 localhost pluto[8875]: port floating activation criteria nat_t=0/port_float=1
Jun 15 10:34:11 localhost pluto[8875]: NAT-Traversal support [disabled]
Jun 15 10:34:11 localhost pluto[8875]: using /dev/urandom as source of random entropy
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: starting up 1 cryptographic helpers
Jun 15 10:34:11 localhost pluto[8875]: started helper pid=8878 (fd:7)
Jun 15 10:34:11 localhost pluto[8875]: Using KLIPS IPsec interface code on 2.6.31.14-0.6-default
Jun 15 10:34:11 localhost pluto[8875]: Changed path to directory '/etc/ipsec.d/cacerts'
Jun 15 10:34:11 localhost pluto[8875]: Could not change to directory '/etc/ipsec.d/aacerts': /
Jun 15 10:34:11 localhost pluto[8875]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Jun 15 10:34:11 localhost pluto[8875]: Changing to directory '/etc/ipsec.d/crls'
Jun 15 10:34:11 localhost pluto[8875]: Warning: empty directory
Jun 15 10:34:11 localhost pluto[8878]: using /dev/urandom as source of random entropy
Jun 15 10:34:11 localhost pluto[8875]: added connection description "mercator-all"
Jun 15 10:34:11 localhost ipsec__plutorun: 002 added connection description "mercator-all"
Jun 15 10:34:12 localhost pluto[8875]: listening for IKE messages
Jun 15 10:34:12 localhost pluto[8875]: | invalid listen= option ignored: empty string
Jun 15 10:34:12 localhost pluto[8875]: adding interface ipsec0/eth2 10.253.19.226:500
Jun 15 10:34:12 localhost pluto[8875]: loading secrets from "/etc/ipsec.secrets"
Jun 15 10:34:12 localhost pluto[8875]: "mercator-all" #1: initiating Main Mode
Jun 15 10:34:12 localhost ipsec__plutorun: 104 "mercator-all" #1: STATE_MAIN_I1: initiate
Jun 15 10:34:15 localhost pluto[8875]: "remote-all" #1: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.23.130 port 500, complainant 10.253.19.226: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jun 15 10:34:19 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:21 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:23 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:25 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:25 localhost pluto[8875]: "remote-all" #1: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.23.130 port 500, complainant 10.253.19.226: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
</pre>
<br>
These are the routes:<br>
<pre>
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.253.19.224   0.0.0.0         255.255.255.252 U     0      0        0 eth2
10.253.19.224   0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
10.228.248.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.253.19.225   0.0.0.0         UG    0      0        0 eth2
</pre>
I've noticed that these are missing in comparison to ppp0:<br>
<pre>
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 ipsec0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 ipsec0
</pre>
<br>
<br>
ifconfig:<br>
<pre>
eth0      Link encap:Ethernet  HWaddr 6C:F0:49:AB:31:BA
          inet addr:10.228.248.1  Bcast:10.228.248.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:27 Base address:0xc000

eth2      Link encap:Ethernet  HWaddr 00:08:A1:7E:FA:A8
          inet addr:10.253.19.226  Bcast:10.253.19.227  Mask:255.255.255.252
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:20

ipsec0    Link encap:Ethernet  HWaddr 00:08:A1:7E:FA:A8
          inet addr:10.253.19.226  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
</pre>
<br>
<br>
<br>
tcpdump on eth2 shows only incoming traffic from 192.168.23.130 port
500, but no response. <br>
<br>
My guess is that something with the routes is not ok, or do I have to add
something to the ipsec configuration?<br>
<br>
Anyone with a clue?<br>
<br>
Thank you<br>
<br>
<pre class="moz-signature" cols="72">--
Sebastijan Šilec, system support
Visit our updated web page at <a class="moz-txt-link-freetext" href="http://www.agenda.si">http://www.agenda.si</a>
OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE :
TRAINING : SOFTWARE
</pre>
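Added diagnostic, not part of the original post: the script below parses the <code>route -n</code> output quoted above and performs the kernel's longest-prefix match, so one can see that the IKE peer from the log (192.168.23.130) is sent to the default gateway on eth2, and that the 0.0.0.0/1 and 128.0.0.0/1 routes via ipsec0 (the split default route KLIPS installs for a 0.0.0.0/0 subnet) are absent. The "ppp0-like" table is constructed: the posted eth2 table with those two missing routes appended.

```python
import ipaddress
# Routing table constructed from the `route -n` output quoted in the post
# (the FTTH/eth2 case); the column layout is that of `route -n`.
ROUTE_N_ETH2 = """\
10.253.19.224   0.0.0.0         255.255.255.252 U     0      0        0 eth2
10.253.19.224   0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
10.228.248.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         10.253.19.225   0.0.0.0         UG    0      0        0 eth2
"""
# The two split-default routes the post reports as present on ppp0 but
# missing on eth2; appended to build a hypothetical "working" table.
SPLIT_DEFAULT_VIA_IPSEC0 = """\
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0        0 ipsec0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0        0 ipsec0
"""

def parse_route_n(text):
    """Return (network, gateway, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "Destination":   # skip header / blank lines
            continue
        net = ipaddress.IPv4Network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match like the kernel; first route wins on a tie."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None

def split_default_present(routes, iface="ipsec0"):
    """True when both 0.0.0.0/1 and 128.0.0.0/1 point at the KLIPS iface."""
    halves = {ipaddress.IPv4Network("0.0.0.0/1"),
              ipaddress.IPv4Network("128.0.0.0/1")}
    return {n for n, _, i in routes if i == iface and n in halves} == halves

if __name__ == "__main__":
    for label, table in (("eth2", ROUTE_N_ETH2),
                         ("ppp0-like", ROUTE_N_ETH2 + SPLIT_DEFAULT_VIA_IPSEC0)):
        r = parse_route_n(table)
        print(label, "peer 192.168.23.130 via", lookup(r, "192.168.23.130"),
              "| split default on ipsec0:", split_default_present(r))
```

Feed it the live table with <code>route -n | python3 this_script.py</code> adapted to read stdin, and compare the two cases side by side.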
</body>
</html>