<div dir="ltr"><div><div>Hi Kent,<br><br></div>Nice images, way better than the usual textart. I think that you need to change virtual private to virtual_private=%v4:<a href="http://0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24">0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24</a> on left and virtual_private=%v4:<a href="http://0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.2.0/24">0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.2.0/24</a> on right. In ipsec.conf it is normal to have left as the local computer. So the ipsec.conf on computer B would be left = 192.168.2.1 leftsubnet = <a href="http://10.1.2.0/24">10.1.2.0/24</a> right = 192.168.1.1 rightsubnet = <a href="http://10.1.1.0/24">10.1.1.0/24</a> . And I dont use leftnexthop and rightnexthop in my config, and I dont think you need it, it is the next hop to the ISP, so in the direction of the WAN network.<br>
<br></div>Greetings,<br><br>Bart<br><div> <br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/11/16 Ana <span dir="ltr"><<a href="mailto:kentdavies@gmail.com" target="_blank">kentdavies@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><p class="MsoNormal"><span lang="EN-US">Hi
everybody.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m
starting to learn <b>IPsec</b> and I'm having some problems.</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal"><span lang="EN-US">I’m running
two virtual machines with CentOS that simulates the network depicted in the
bellow picture.</span></p><p class="MsoNormal"><span lang="EN-US"><img src="cid:ii_14260a4a0eff4c49" alt="Inline image 1"><br></span></p><p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;min-height:329px"></span></span></p>
<p class="MsoNormal"><span lang="EN-US"><span style="margin-left:101px;margin-top:878px;width:595px;min-height:329px"></span></span></p><p class="MsoNormal"><br></p>
<p class="MsoNormal"><span lang="EN-US">I want to
create an IPsec tunnel between machine A and machine B. The keys should be negotiated
using IKE and the tunnel should enable total connectivity between the two
machines. </span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">My
<b>ipsec.conf</b> file on both machines is this:</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">config setup</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> protostack=netkey</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> dumpdir=/var/run/pluto/</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> nat_traversal=yes</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> virtual_private=%v4:<a href="http://10.1.1.0/24,%v4:10.1.2.0/24" target="_blank">10.1.1.0/24,%v4:10.1.2.0/24</a></span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">conn gw-to-gw</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> authby=secret</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> left=192.168.1.1</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftsubnet=<a href="http://10.1.1.0/24" target="_blank">10.1.1.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> leftnexthop=192.168.1.2</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> right=192.168.1.2</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> rightsubnet=<a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a></span></p><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> rightnexthop=192.168.1.1</span></p>
<p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> auto=start</span></p><p class="MsoNormal">
</p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US"> type=tunnel</span></p></blockquote><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US">And
<b>ipsec.secrets</b> on both machines is this:</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal"><span lang="EN-US"><font face="courier new, monospace">192.168.1.1
192.168.1.2 : PSK "test"</font></span></p></blockquote><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">I then do<b>
service ipsec start</b> on machine A followed by the same command on machine B.
Then, again on machine A, I do <b>ipsec auto –up gw-to-gw</b> followed by the exact
same command on machine B. </span></p><p class="MsoNormal"><span lang="EN-US">Machine A output:</span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-bottom:0.0001pt">
<span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">[root@mainmachine
etc]# service ipsec start</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">ipsec_setup:
Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">ipsec_setup:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">[root@mainmachine
etc]# ipsec auto --up gw-to-gw</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">117
"gw-to-gw" #5: STATE_QUICK_I1: initiate</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">004
"gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">[root@mainmachine
etc]#</span></p></blockquote><p class="MsoNormal" style="margin-bottom:0.0001pt"><br></p><p class="MsoNormal"><span lang="EN-US">Machine B
output:</span></p><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">[root@mainmachine
etc]# service ipsec start</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">ipsec_setup:
Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">ipsec_setup:
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">[root@mainmachine
etc]# ipsec auto --up gw-to-gw</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">117
"gw-to-gw" #6: STATE_QUICK_I1: initiate</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">004
"gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}</span></p><p class="MsoNormal" style="margin-bottom:0.0001pt"><span style="font-size:8pt;font-family:'Courier New'" lang="EN-US">[root@mainmachine
etc]#</span></p></blockquote><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">I’m now
using Wireshark to see how the traffic goes through the network from machine A
to machine B. </span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US">Listening
on interface <b>eth5 </b>of machine B and pinging<b> 10.1.2.254</b> or <b>10.1.2.2</b> from machine
A, Wireshark does not capture any packet. If I do the exact same procedure but
not listening on interface <b>eth6</b> Wireshark captures the following image.</span></p><p class="MsoNormal"><span lang="EN-US"><img src="cid:ii_14260a8878502b5c" alt="Inline image 2"><br></span></p><p class="MsoNormal">
<span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">I believe
that the packet should somehow be encrypted but Wireshark is telling me that it
is not, so probably I have some kind of error on my <b>ipsec.conf</b> configuration.</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">Can someone
point me in some direction?</span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal"><span lang="EN-US">Thanks, </span></p><p class="MsoNormal"><span lang="EN-US"> </span></p><p class="MsoNormal">
<span lang="EN-US">
</span></p><p class="MsoNormal"><span lang="EN-US">Kent Davies</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p>
<p class="MsoNormal">
<span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal">
<span lang="EN-US"><br>
</span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br>
</span></p>
<p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p><p class="MsoNormal"><span lang="EN-US"><br></span></p></div>
<br>_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><span style="font-family:Calibri,sans-serif;font-size:14px;border-collapse:collapse">**** DISCLAIMER ****<br><br>"This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and are intended for the sole use of the recipient(s) named above. <br>
Any use of the information contained herein (including, but not limited to, total or partial reproduction, communication or distribution in any form) by other persons than the designated recipient(s) is prohibited. <br>If you have received this e-mail in error, please notify the sender either by telephone or by e-mail and delete the material from any computer".<br>
<br>Thank you for your cooperation.</span>
</div>