Hi guys, I've been working on an IPsec VPN for a week and I can't solve this issue. Can anyone tell me which step I'm getting wrong?
The following is how my setup was built.

Office A
ROUTER
2.229.125.x (Public IP)
192.168.20.254 (Private IP)

VPNENDPOINT
192.168.20.1
192.168.0.1 (Private LAN)

Office B
Firewall
212.4.7.x (Public IP)
192.168.2.1 (Private IP)

VPNENDPOINT
192.168.2.52
192.168.2.x (Private LAN)

In B, the firewall is well configured to redirect all traffic to VPNENDPOINT.

The IPsec configuration for Office A is:
conn catt3
 right=2.229.125.x
 rightsubnet=192.168.0.0/24
 rightnexthop=%defaultroute
 left=212.4.7.x
 leftsubnet=192.168.0.0/255.255.0.0
 leftnexthop=%defaultroute

The IPsec configuration for Office B is:
conn officeA
 left=2.229.125.x
 leftsubnet=192.168.0.0/24
 right=212.4.7.x
 rightnexthop=192.168.2.1
 rightsubnet=192.168.0.0/16

ipsec.secrets is the same on both endpoints:
2.229.125.x 212.4.7.x : PSK "xxxxxxxxxxxxxx"

The IPsec log on Office A is the following:
Jun 24 10:36:19 efw21 ipsec_setup: KLIPS ipsec0 on eth1 192.168.20.1/255.255.255.0 broadcast 192.168.20.255
Jun 24 10:36:19 efw21 ipsec__plutorun: Starting Pluto subsystem...
Jun 24 10:36:19 efw21 ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
Jun 24 10:36:19 efw21 ipsec_setup: ...Openswan IPsec started
Jun 24 10:36:19 efw21 ipsec_setup: Starting Openswan IPsec 2.4.7...
Jun 24 10:36:19 efw21 pluto[18063]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
Jun 24 10:36:19 efw21 pluto[18063]: Setting NAT-Traversal port-4500 floating to on
Jun 24 10:36:19 efw21 pluto[18063]: port floating activation criteria nat_t=1/port_fload=1
Jun 24 10:36:19 efw21 pluto[18063]: including NAT-Traversal patch (Version 0.6c)
Jun 24 10:36:19 efw21 pluto[18063]: 2 bad entries in virtual_private - none loaded
Jun 24 10:36:19 efw21 pluto[18063]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 24 10:36:19 efw21 pluto[18063]: starting up 1 cryptographic helpers
Jun 24 10:36:19 efw21 pluto[18063]: started helper pid=18064 (fd:6)
Jun 24 10:36:19 efw21 pluto[18063]: Using KLIPS IPsec interface code on 2.6.9-42.0.3.EL.endian16
Jun 24 10:36:19 efw21 pluto[18063]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 24 10:36:19 efw21 pluto[18063]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 24 10:36:19 efw21 pluto[18063]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 24 10:36:19 efw21 pluto[18063]: Changing to directory '/etc/ipsec.d/crls'
Jun 24 10:36:19 efw21 pluto[18063]: Warning: empty directory
Jun 24 10:36:20 efw21 pluto[18063]: loading secrets from "/etc/ipsec.secrets"
Jun 24 10:36:20 efw21 pluto[18063]: added connection description "catt3"
Jun 24 10:36:20 efw21 pluto[18063]: listening for IKE messages
Jun 24 10:36:20 efw21 pluto[18063]: adding interface ipsec0/eth1 192.168.20.1:500
Jun 24 10:36:20 efw21 pluto[18063]: adding interface ipsec0/eth1 192.168.20.1:4500
Jun 24 10:36:20 efw21 pluto[18063]: forgetting secrets
Jun 24 10:36:20 efw21 pluto[18063]: loading secrets from "/etc/ipsec.secrets"
Jun 24 10:36:21 efw21 ipsec__plutorun: 022 "catt3": we cannot identify ourselves with either end of this connection
Jun 24 10:36:21 efw21 ipsec__plutorun: ...could not route conn "catt3"
Jun 24 10:36:21 efw21 pluto[18063]: "catt3": We cannot identify ourselves with either end of this connection.
Jun 24 10:36:21 efw21 ipsec__plutorun: 022 "catt3": We cannot identify ourselves with either end of this connection.
Jun 24 10:36:21 efw21 ipsec__plutorun: ...could not start conn "catt3"

Using ipsec auto --status on Office A:
000 "catt3": 192.168.0.0/16===212.4.7.x---192.168.20.254...192.168.20.254---2.229.125.x===192.168.0.0/24; unrouted; eroute owner: #0
000 "catt3": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "catt3": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "catt3": policy: PSK+ENCRYPT+TUNNEL; prio: 16,24; interface: ; encap: esp;
000 "catt3": dpd: action:hold; delay:30; timeout:120;
000 "catt3": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "catt3": IKE algorithms wanted: BLOWFISH(7)_128-SHA1(2)-5, BLOWFISH(7)_128-SHA1(2)-2, BLOWFISH(7)_128-MD5(1)-5, BLOWFISH(7)_128-MD5(1)-2, IDEA(5)_000-SHA1(2)-5, IDEA(5)_000-SHA1(2)-2, IDEA(5)_000-MD5(1)-5, IDEA(5)_000-MD5(1)-2, flags=strict
000 "catt3": IKE algorithms found: BLOWFISH(7)_128-SHA1(2)_160-5, BLOWFISH(7)_128-SHA1(2)_160-2, BLOWFISH(7)_128-MD5(1)_128-5, BLOWFISH(7)_128-MD5(1)_128-2, IDEA(5)_192-SHA1(2)_160-5, IDEA(5)_192-SHA1(2)_160-2, IDEA(5)_192-MD5(1)_128-5, IDEA(5)_192-MD5(1)_128-2,
000 "catt3": ESP algorithms wanted: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1), flags=strict
000 "catt3": ESP algorithms loaded: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1), flags=strict

On Office B:
Jun 24 11:24:33 c1p8 ipsec__plutorun: 022 "officeA": We cannot identify ourselves with either end of this connection.
Jun 24 11:24:33 c1p8 ipsec__plutorun: ...could not start conn "officeA"

ipsec auto --status (Office B):
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.2.52
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "officeA": 192.168.0.0/24===2.229.125.x...192.168.2.1---212.4.7.x===192.168.0.0/16; unrouted; eroute owner: #0
000 "officeA": srcip=unset; dstip=unset
000 "officeA": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "officeA": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,16; interface: ;
000 "officeA": dpd: action:hold; delay:30; timeout:128;
000 "officeA": newest ISAKMP SA: #0; newest IPsec SA: #0;

Thanks.

Christian
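The two things visible in the post that a reviewer would check first are (1) whether either `left` or `right` in the conn matches an address Pluto actually listens on (the status output shows 192.168.20.1 on Office A and 192.168.2.52 on Office B, while the conn names only the public addresses), which is the condition behind "We cannot identify ourselves with either end of this connection", and (2) whether `leftsubnet` and `rightsubnet` overlap (192.168.0.0/24 sits inside 192.168.0.0/16). The script below is an added, self-contained check written for this page; it is not part of the original post or of Openswan. It embeds Office A's conn block and a constructed interface listing in the shape `ipsec auto --status` prints, with the redacted public octets kept as `x`, and reports both findings.

```python
"""Static sanity checks for an Openswan/Pluto conn definition.

Added example for this page (not Openswan code). It reproduces two
conditions from the post above: neither left nor right matching a local
interface, and left/right subnets that overlap.
"""
import ipaddress
import re

# Office A's conn block exactly as posted (the dotted-mask form for
# leftsubnet is kept; ipaddress accepts it).  Public IPs keep the redacted 'x'.
CONF_OFFICE_A = """\
conn catt3
 right=2.229.125.x
 rightsubnet=192.168.0.0/24
 rightnexthop=%defaultroute
 left=212.4.7.x
 leftsubnet=192.168.0.0/255.255.0.0
 leftnexthop=%defaultroute
"""

# Constructed interface listing in the shape 'ipsec auto --status' prints;
# 192.168.20.1 is the address the Office A log shows for ipsec0/eth1.
STATUS_OFFICE_A = """\
000 interface lo/lo 127.0.0.1
000 interface ipsec0/eth1 192.168.20.1
"""


def parse_conn(text):
    """Return {conn_name: {key: value}} from an ipsec.conf-style fragment."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current and "=" in line:
            key, _, val = line.strip().partition("=")
            conns[current][key.strip()] = val.strip()
    return conns


def parse_interfaces(status):
    """Return the set of local addresses Pluto reported as listening interfaces."""
    return {m.group(1) for m in re.finditer(r"^000 interface \S+ (\S+)$", status, re.M)}


def to_network(spec):
    """Accept both prefix (/24) and dotted-mask (/255.255.0.0) subnet forms."""
    return ipaddress.ip_network(spec, strict=False)


def check_conn(conn, interfaces):
    """Return a list of human-readable findings for one parsed conn."""
    findings = []
    ends = {conn.get("left"), conn.get("right")}
    # Pluto decides which side it is by finding left or right on a local
    # interface (or via %defaultroute); with only public addresses behind a
    # NAT router, neither matches and the conn cannot be identified.
    if not (ends & interfaces) and "%defaultroute" not in ends:
        findings.append(
            "neither left nor right matches a local interface address: "
            f"left={conn.get('left')} right={conn.get('right')} local={sorted(interfaces)}"
        )
    ls, rs = conn.get("leftsubnet"), conn.get("rightsubnet")
    if ls and rs:
        ln, rn = to_network(ls), to_network(rs)
        if ln.overlaps(rn):
            findings.append(
                f"leftsubnet {ln} and rightsubnet {rn} overlap; "
                "a tunnel cannot route between overlapping networks"
            )
    return findings


def audit(conf_text, status_text):
    """Run check_conn over every conn in conf_text; returns {name: findings}."""
    interfaces = parse_interfaces(status_text)
    return {name: check_conn(c, interfaces) for name, c in parse_conn(conf_text).items()}


if __name__ == "__main__":
    for name, findings in audit(CONF_OFFICE_A, STATUS_OFFICE_A).items():
        print(name, "->", findings or ["no problems found"])
```

Running it against the posted Office A block reports both findings; feeding it a conn whose `left` is the endpoint's own interface address and whose two subnets are disjoint returns an empty list. In Openswan, an endpoint behind a NAT router is normally given its own interface address (or `%defaultroute`) as `left`, with the public-facing identity carried separately in `leftid`; that is general Openswan behaviour, not something the post states, so verify it against the Openswan 2.4 documentation for the version in use.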