<div dir="ltr">Hi Nick,<div><br></div><div>Thanks for the response. I have confused the situation as you have suggested.</div><div><br></div><div>So now my configs looks like this:</div><div><br></div><div>In the current office Openswan (one interface connects directly to the outside world)-</div>
<div><br></div><div><div>conn current</div><div> authby=secret</div><div> left=<my fixed internet IP></div><div> leftid=@current</div><div> leftnexthop=<my fixed internet IP next hop></div>
<div> leftsubnet=<a href="http://192.168.1.0/24">192.168.1.0/24</a></div><div> leftsourceip=192.168.1.2</div><div> right=<non fixed IP of the new office router></div><div> rightsubnets= { <a href="http://192.168.3.0/24">192.168.3.0/24</a> }</div>
<div> type=tunnel</div><div> auto=start</div><div> pfs=no</div><div> ikelifetime=86400s</div><div> salifetime=28800s</div></div><div><br></div><div>note that the new office does not have a fixed IP address (it will in the future, but people are moving in before the carrier has that ready)</div>
<div><br></div><div>The current config of the new office-</div><div><br></div><div><div>conn new</div><div> authby=secret</div><div> left=192.168.3.3</div><div> leftid=@new</div><div> leftnexthop=%defaultroute</div>
<div> leftsourceip=192.168.3.3</div><div> leftsubnet=<a href="http://192.168.3.0/24">192.168.3.0/24</a></div><div> right=<my fixed internet IP of current office></div><div> rightsubnets={<a href="http://10.134.162.59/32">10.134.162.59/32</a> <a href="http://10.134.210.64/28">10.134.210.64/28</a> <a href="http://192.168.1.0/24">192.168.1.0/24</a>}</div>
<div> type=tunnel</div><div> auto=start</div><div> pfs=no</div><div> salifetime=28800s</div><div> ikelifetime=86400s</div></div><div><br></div><div>So far I can bring up the new office tunnel but can't ping anything on the other side.</div>
<div><br></div><div><div>000 initiating all conns with alias='new'</div><div>104 "new/0x3" #25: STATE_MAIN_I1: initiate</div><div>003 "new/0x3" #25: received Vendor ID payload [Openswan (this version) 2.6.32 ]</div>
<div>003 "new/0x3" #25: received Vendor ID payload [Dead Peer Detection]</div><div>003 "new/0x3" #25: received Vendor ID payload [RFC 3947] method set to=109</div><div>106 "new/0x3" #25: STATE_MAIN_I2: sent MI2, expecting MR2</div>
<div>003 "new/0x3" #25: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed</div><div>108 "new/0x3" #25: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>003 "new/0x3" #25: received Vendor ID payload [CAN-IKEv2]</div>
<div>004 "new/0x3" #25: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}</div><div>117 "new/0x1" #26: STATE_QUICK_I1: initiate</div><div>117 "new/0x2" #27: STATE_QUICK_I1: initiate</div>
<div>117 "new/0x3" #28: STATE_QUICK_I1: initiate</div><div>004 "new/0x1" #26: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x28d68261 <0x554dc93f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<my fixed internet IP of current office>:4500 DPD=none}</div>
<div>004 "new/0x2" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0021555f <0xa7d4a5fb xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<my fixed internet IP of current office>:4500 DPD=none}</div>
<div>004 "new/0x3" #28: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xb1e4e80f <0xa82a3d85 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=<my fixed internet IP of current office>:4500 DPD=none}</div>
<div><br></div></div><div>I can't bring up the tunnel from the current office to the new office though - I suspect IPtables might be involved there but am not sure as I would of thought these rules would be fine which are in place for road runner types:</div>
<div><br></div><div><div>-A INPUT -p udp --dport 500 -j ACCEPT</div><div>-A INPUT -p udp --dport 4500 -j ACCEPT</div></div><div><br></div><div>and on the new office side I have</div><div><br></div><div><div>-A INPUT -p udp --dport 500 -s <my fixed internet IP of current office> -j ACCEPT</div>
<div>-A INPUT -p udp --dport 4500 -s <my fixed internet IP of current office> -j ACCEPT</div></div><div><br></div><div>Thanks for trying to help me here.</div><div><br></div><div>Paul</div><div><br></div><div><br></div>
<div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 18 September 2013 22:25, Nick Howitt <span dir="ltr"><<a href="mailto:n1ck.h0w1tt@gmail.com" target="_blank">n1ck.h0w1tt@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div style="font-family:Arial,Helvetica,sans-serif">
<p>Your server and aconns do not match at all. I would rename the server connto something like roadwarrior and move some of the settings into conn %default - the ones which would apply to every conn such as left, leftnexthop (probably not needed) possibly pfs and auto and add leftsourceip (the server's LAN IP). Create a new conn which you could call aconn if you wanted. The server's aconn should pretty much match the remote's aconn with left and right reversed. (Generally wou don't need to reverse left and right at each end but the use of conn %default means you must). I would also suggest enabling PFS for aconn.</p>
<div><div class="h5">
<p>On 2013-09-18 09:49, Paul Young wrote:</p>
</div></div><blockquote type="cite" style="padding-left:5px;border-left:#1010ff 2px solid;margin-left:5px"><div><div class="h5">
<div dir="ltr">Hi Everyone,
<div> </div>
<div>I am in the deep end with Openswan and possibly the following will show that. Apologies!</div>
<div> </div>
<div>So far I have been relying heavily on this - <a href="http://www.jacco2.dds.nl/networking/openswan-l2tp.html" target="_blank">http://www.jacco2.dds.nl/networking/openswan-l2tp.html</a></div>
<div> </div>
<div>A little bit of background first. We have a just opened a new office and not all the infrastructure is in place as yet.</div>
<div> </div>
<div>So the idea is to use a site to site VPN back to the current office so that all resources can be reached.</div>
<div> </div>
<div>There is a server acting as the openswan VPN\gateway etc in both offices - current office and new office.</div>
<div> </div>
<div>The current office has a number of site to site configs already in place to third parties. I have configured a server side which looks like this:</div>
<div> </div>
<div>
<div><em>conn server</em></div>
<div><em> authby=secret</em></div>
<div><em> pfs=no</em></div>
<div><em> auto=add</em></div>
<div><em> keyingtries=3</em></div>
<div><em> type=transport</em></div>
<div><em> forceencaps=yes</em></div>
<div><em> right=%any</em></div>
<div><em> #rightsubnet=vhost:%priv,%no</em></div>
<div><em> rightprotoport=17/%any</em></div>
<div><em> # Using the magic port of "0" means "any one single port". This is</em></div>
<div><em> # a work around required for Apple OSX clients that use a randomly</em></div>
<div><em> # high port, but propose "0" instead of their port. Could also be 17/%any</em></div>
<div><em> left=<my outside fixed IP address></em></div>
<div><em> leftnexthop=<my outside fixed IP address next hop></em></div>
<div><em> leftprotoport=17/1701</em></div>
<div><em> # Apple iOS doesn't send delete notify so we need dead peer detection</em></div>
<div><em> # to detect vanishing clients</em></div>
<div><em> dpddelay=10</em></div>
<div><em> dpdtimeout=90</em></div>
<div><em> dpdaction=clear</em></div>
</div>
<div> </div>
<div>behind that is some ppp and xl2tp settings that work well for some of our remote types. but I am looking at pure Ipsec at this point.</div>
<div> </div>
<div>In the new office I have set up a conn like this:</div>
<div> </div>
<div>
<div><em>conn aconn</em></div>
<div><em> authby=secret</em></div>
<div><em> left=192.168.3.3</em></div>
<div><em> #left=%any</em></div>
<div><em> leftid=@vpn</em></div>
<div><em> leftnexthop=%defaultroute</em></div>
<div><em> leftsourceip=192.168.3.3</em></div>
<div><em> leftsubnet=<a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></em></div>
<div><em> right=</em><em><my outside fixed IP address></em></div>
<div><em> rightsubnets={<a href="http://10.134.162.59/32" target="_blank">10.134.162.59/32</a> <a href="http://10.134.210.64/28" target="_blank">10.134.210.64/28</a> <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>}</em></div>
<div><em> type=tunnel</em></div>
<div><em> auto=start</em></div>
<div><em> pfs=no</em></div>
<div><em> salifetime=28800s</em></div>
<div><em> ikelifetime=86400s</em></div>
</div>
<div> </div>
<div>It sits behind a router so left is the local interface. And the subnets are back in the current office.</div>
<div> </div>
<div>It comes up ok:</div>
<div> </div>
<div>
<div><em># service ipsec status</em></div>
<div><em>IPsec running - pluto pid: 11869</em></div>
<div><em>pluto pid 11869</em></div>
<div><em>3 tunnels up</em></div>
<div><em>some eroutes exist</em></div>
</div>
<div> </div>
<div>I see the routes come up ok on the new office side:</div>
<div> </div>
<div>
<div><em># ip xfrm policy</em></div>
<div><em>src <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> dst <a href="http://10.134.162.59/32" target="_blank">10.134.162.59/32</a></em></div>
<div><em> dir out priority 2336 ptype main</em></div>
<div><em> tmpl src 192.168.3.3 dst 203.215.150.142</em></div>
<div><em> proto esp reqid 16385 mode tunnel</em></div>
<div><em>src <a href="http://10.134.162.59/32" target="_blank">10.134.162.59/32</a> dst <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir fwd priority 2336 ptype main</em></div>
<div><em> tmpl src 203.215.150.142 dst 192.168.3.3</em></div>
<div><em> proto esp reqid 16385 mode tunnel</em></div>
<div><em>src <a href="http://10.134.162.59/32" target="_blank">10.134.162.59/32</a> dst <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir in priority 2336 ptype main</em></div>
<div><em> tmpl src 203.215.150.142 dst 192.168.3.3</em></div>
<div><em> proto esp reqid 16385 mode tunnel</em></div>
<div><em>src <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> dst <a href="http://10.134.210.64/28" target="_blank">10.134.210.64/28</a></em></div>
<div><em> dir out priority 2340 ptype main</em></div>
<div><em> tmpl src 192.168.3.3 dst 203.215.150.142</em></div>
<div><em> proto esp reqid 16389 mode tunnel</em></div>
<div><em>src <a href="http://10.134.210.64/28" target="_blank">10.134.210.64/28</a> dst <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir fwd priority 2340 ptype main</em></div>
<div><em> tmpl src 203.215.150.142 dst 192.168.3.3</em></div>
<div><em> proto esp reqid 16389 mode tunnel</em></div>
<div><em>src <a href="http://10.134.210.64/28" target="_blank">10.134.210.64/28</a> dst <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir in priority 2340 ptype main</em></div>
<div><em> tmpl src 203.215.150.142 dst 192.168.3.3</em></div>
<div><em> proto esp reqid 16389 mode tunnel</em></div>
<div><em>src <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a> dst <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a></em></div>
<div><em> dir out priority 2344 ptype main</em></div>
<div><em> tmpl src 192.168.3.3 dst 203.215.150.142</em></div>
<div><em> proto esp reqid 16393 mode tunnel</em></div>
<div><em>src <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> dst <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir fwd priority 2344 ptype main</em></div>
<div><em> tmpl src 203.215.150.142 dst 192.168.3.3</em></div>
<div><em> proto esp reqid 16393 mode tunnel</em></div>
<div><em>src <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> dst <a href="http://192.168.3.0/24" target="_blank">192.168.3.0/24</a></em></div>
<div><em> dir in priority 2344 ptype main</em></div>
<div><em> tmpl src 203.215.150.142 dst 192.168.3.3</em></div>
<div><em> proto esp reqid 16393 mode tunnel</em></div>
</div>
<div> </div>
<div>Can't ping anything back in the current office from the new office even though I can see encapsulated traffic going across at the time of my ping - nothing comes back.</div>
<div> </div>
<div>I also don't see anything being created in the xfrm policy for the current office and if I add a rightsubnet(s) line to the current office config then the road runners types can't connect.</div>
<div> </div>
<div>Is what I am trying to do even possible?</div>
<div> </div>
<div>Thanks,</div>
<div>Paul</div>
</div>
<br>
</div></div><pre>_______________________________________________
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</div>
<br>_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br></div>