<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.</div><div><br></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica';">Gopi Boga <<a href="mailto:gopib.4180@gmail.com">gopib.4180@gmail.com</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>Fwd: Help needed</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica';">November 28, 2013 at 1:56:47 AM EST<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica';"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br><div dir="ltr"><div class="gmail_quote"><div dir="ltr">Hi all,<div><br></div><div>I am new to this IPsec configuration. I am trying to establish an IPsec tunnel between a Solaris machine and a RHEL machine.</div><div><br></div>
<div>I am able to ping from RHEL to the tunnel but not from the Solaris machine.</div>
<div><br></div><div>Could you please help me in resolving this issue?</div><div><br></div><div>Below are my configurations on the omp side (Solaris):</div><div>----------------------------------------------------------------------------</div>
<div><br></div><div><br></div><div><div>s210omp root> cat ipsecinit.conf </div><div>{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}</div>
<div>{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}</div><div>s210omp root> </div><div><br></div><div><br></div><div>s210omp root> cat /etc/inet/secret/ike.preshared</div>
<div>#</div><div>#ident "@(#)ike.preshared 1.1 01/09/28 SMI"</div><div>#</div><div># Copyright (c) 2001 by Sun Microsystems, Inc.</div><div># All rights reserved.</div><div>#</div><div><br></div><div>
# ike.preshared - Pre-shared secrets for IKE authentication.</div>
<div>#</div><div># Entries are of the form:</div><div>#</div><div># {</div><div># <attribute> <value></div><div># ...</div><div># }</div><div>#</div><div># Consult the man page for ike.preshared(4) for details.</div>
<div># ike.preshared for 172.33.8.250 and 172.33.8.128</div><div>{</div><div> localidtype IP</div><div> localid 172.33.8.250</div><div> remoteidtype IP</div><div> remoteid 172.33.8.128</div><div>
key 775908663bfb52dfb6e6c625ec7318cc</div><div>}</div><div># ike.preshared for 172.33.8.250 and 172.33.8.131</div><div>{</div><div> localidtype IP</div><div> localid 172.33.8.250</div><div> remoteidtype IP</div>
<div> remoteid 172.33.8.131</div><div> key 12192a9542ea382fa18e04ee7843a971</div><div>}</div><div>s210omp root> </div><div><br></div><div><br></div><div><br></div><div>s210omp root> cat /etc/inet/ike/config</div>
<div>###############################################################################</div><div># Copyright (c) 2003 Lucent Technologies </div><div># All Rights Reserved </div>
<div># </div><div># This is unpublished proprietary source code of Lucent Technologies. </div><div># The copyright notice above does not evidence any actual </div>
<div># or intended publication of such source code. </div><div># </div><div># ike.config - IKE uses the rules defined in this file to match incoming</div>
<div># IKE requests and for constructing outgoing IKE requests.</div><div># These rules are used to manage the keys exchanged for security</div><div># association</div><div>###############################################################################</div>
<div><br></div><div>###### global parameters...</div><div><br></div><div>## Phase 1 transform defaults...</div><div><br></div><div>p1_lifetime_secs 14400</div><div>p1_nonce_len 20</div><div><br></div><div># global default phase 1 transform</div>
<div>p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }</div><div><br></div><div># global phase 2 OD-H group</div><div>p2_pfs 5</div><div># IKE rule between 172.33.8.250 and 172.33.8.128</div><div>
{</div><div> label "172.33.8.250 - 172.33.8.128"</div><div> local_id_type IP</div><div> local_addr 172.33.8.250</div><div> remote_addr 172.33.8.128</div><div>}</div><div># IKE rule between 172.33.8.250 and 172.33.8.131</div>
<div>{</div><div> label "172.33.8.250 - 172.33.8.131"</div><div> local_id_type IP</div><div> local_addr 172.33.8.250</div><div> remote_addr 172.33.8.131</div><div>}</div><div>s210omp root> </div>
<div><br></div><div><br></div><div>s210omp root> ipseckey -f /etc/inet/secret/ipseckeys</div><div>s210omp root> ipsecconf</div><div>#INDEX 4 </div><div>{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}</div>
<div><br></div><div>#INDEX 12 </div><div>{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}</div><div><br></div><div>s210omp root> </div><div><br></div>
<div>
s210omp root> ipsecconf -a ./ipsecinit.conf</div><div><br></div><div> IPsec policy should be managed using smf(5). Modifying</div><div> the IPsec policy from the command line while the 'policy'</div>
<div> service is enabled could result in an inconsistent</div><div> security policy.</div><div><br></div><div>ipsecconf: Kernel returned: Entry already exists</div><div>ipsecconf: Duplicate policy entry (ignored):</div>
<div>{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}</div><div><br></div><div>ipsecconf: Kernel returned: Entry already exists</div><div>ipsecconf: Duplicate policy entry (ignored):</div>
<div>{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}</div><div><br></div><div> WARNING : New policy entries that are being added may</div><div> affect the existing connections. Existing connections</div>
<div> that are not subjected to policy constraints, may be</div><div> subjected to policy constraints because of the new</div><div> policy. This can disrupt the communication of the</div><div> existing connections.</div>
<div><br></div><div>s210omp root> </div><div><br></div><div>s210omp root> ifconfig ip.tun234316288</div><div>ip.tun234316288: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 19</div>
<div>
inet tunnel src 172.33.8.250 tunnel dst 172.33.8.128</div><div> tunnel security settings --> use 'ipsecconf -ln -i ip.tun234316288'</div><div> tunnel hop limit 60 </div><div> inet 1.1.1.7 --> 2.2.2.7 netmask ffffff00 </div>
<div>s210omp root> </div><div><br></div><div><br></div><div><br></div><div><br></div><div>s210omp root> ifconfig -a</div><div>lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1</div>
<div> inet 127.0.0.1 netmask ff000000 </div><div>ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2</div><div> inet 135.254.174.160 netmask ffffff80 broadcast 135.254.174.255</div>
<div> ether 0:14:4f:d6:4c:6e </div><div>ce3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3</div><div> inet 172.33.8.250 netmask ffff0000 broadcast 172.33.255.255</div><div> ether 0:14:4f:d6:4c:6f </div>
<div>ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4</div><div> inet 172.16.47.254 netmask fffff000 broadcast 172.16.47.255</div><div> ether 0:14:4f:44:7a:9c </div><div>ce5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5</div>
<div> inet 172.16.31.254 netmask fffff000 broadcast 172.16.31.255</div><div> ether 0:14:4f:67:45:fe </div><div>ip.tun234316288: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 19</div>
<div> inet tunnel src 172.33.8.250 tunnel dst 172.33.8.128</div><div> tunnel security settings --> use 'ipsecconf -ln -i ip.tun234316288'</div><div> tunnel hop limit 60 </div><div> inet 1.1.1.7 --> 2.2.2.7 netmask ffffff00 </div>
<div>ip.tun234316291: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 13</div><div> inet tunnel src 172.33.8.250 tunnel dst 172.33.8.131</div><div> tunnel security settings --> use 'ipsecconf -ln -i ip.tun234316291'</div>
<div> tunnel hop limit 60 </div><div> inet 1.1.1.8 --> 2.2.2.8 netmask ffffff00 </div><div>s210omp root> </div></div><div><br></div><div><br></div><div><br></div><div><br></div><div>Below are the configurations from ap (RHEL):</div>
<div>-------------------------------------------------------------</div><div><br></div><div><div>[flx4007]-> ifconfig ip.tun0 </div><div>ip.tun0 Link encap:IPIP Tunnel HWaddr </div><div> inet addr:2.2.2.7 P-t-P:1.1.1.7 Mask:255.255.255.0</div>
<div> UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1</div><div> RX packets:0 errors:0 dropped:0 overruns:0 frame:0</div><div> TX packets:0 errors:14 dropped:0 overruns:0 carrier:14</div><div>
collisions:0 txqueuelen:0 </div>
<div> RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)</div><div><br></div><div>[flx4007]-> </div><div>[flx4007]-> cat iptun0.conf</div><div>conn iptun0</div><div> type=tunnel</div><div> authby=secret</div>
<div> left=172.33.8.128</div><div> leftsubnet=<a href="http://1.1.1.7/32" target="_blank">1.1.1.7/32</a></div><div> leftsourceip=1.1.1.7</div><div> right=172.33.8.250</div><div> rightsubnet=<a href="http://2.2.2.7/32" target="_blank">2.2.2.7/32</a></div>
<div> rightsourceip=2.2.2.7</div><div> auto=start</div><div> pfs=yes</div><div> ike=3des-md5;modp1536</div><div> phase2alg=3des-md5;modp1536</div><div> aggrmode=no</div><div> ikelifetime=14400s</div>
<div> salifetime=3600s</div><div> compress=no</div><div>[flx4007]-> cat iptun0.secrets</div><div>172.33.8.250 172.33.8.128 : PSK "0x775908663bfb52dfb6e6c625ec7318cc"</div><div>[flx4007]-> </div>
</div><div><br></div><div><div>[flx4007]-> ping 1.1.1.7</div><div>PING 1.1.1.7 (1.1.1.7) 56(84) bytes of data.</div><div>64 bytes from <a href="http://1.1.1.7/" target="_blank">1.1.1.7</a>: icmp_seq=1 ttl=64 time=0.023 ms</div>
<div>64 bytes from <a href="http://1.1.1.7/" target="_blank">1.1.1.7</a>: icmp_seq=2 ttl=64 time=0.017 ms</div>
<div>64 bytes from <a href="http://1.1.1.7/" target="_blank">1.1.1.7</a>: icmp_seq=3 ttl=64 time=0.014 ms</div><div>64 bytes from <a href="http://1.1.1.7/" target="_blank">1.1.1.7</a>: icmp_seq=4 ttl=64 time=0.017 ms</div>
<div>64 bytes from <a href="http://1.1.1.7/" target="_blank">1.1.1.7</a>: icmp_seq=5 ttl=64 time=0.013 ms</div>
<div>^C</div><div>--- 1.1.1.7 ping statistics ---</div><div>5 packets transmitted, 5 received, 0% packet loss, time 4503ms</div><div>rtt min/avg/max/mdev = 0.013/0.016/0.023/0.006 ms</div><div>[flx4007]-> ping 2.2.2.7</div>
<div>PING 2.2.2.7 (2.2.2.7) 56(84) bytes of data.</div><div>64 bytes from <a href="http://2.2.2.7/" target="_blank">2.2.2.7</a>: icmp_seq=1 ttl=64 time=0.022 ms</div><div>64 bytes from <a href="http://2.2.2.7/" target="_blank">2.2.2.7</a>: icmp_seq=2 ttl=64 time=0.013 ms</div>
<div>64 bytes from <a href="http://2.2.2.7/" target="_blank">2.2.2.7</a>: icmp_seq=3 ttl=64 time=0.015 ms</div><div>64 bytes from <a href="http://2.2.2.7/" target="_blank">2.2.2.7</a>: icmp_seq=4 ttl=64 time=0.014 ms</div>
<div>^C</div><div>--- 2.2.2.7 ping statistics ---</div>
<div>4 packets transmitted, 4 received, 0% packet loss, time 3242ms</div><div>rtt min/avg/max/mdev = 0.013/0.016/0.022/0.003 ms</div><div>[flx4007]-> </div></div><div><br></div><div><br></div><div><br></div><div><br></div>
<div><br></div><div><div>s210omp root> s210omp root> </div><div>s210omp root> ping 1.1.1.7</div><div>1.1.1.7 is alive</div><div>s210omp root> ping 2.2.2.7</div><div><br></div><div><br></div><div>^Cs210omp root> </div>
</div><div><br></div><div><br></div><div>Ping from omp is not working. Could you please help me with what I am doing wrong?</div><div><br></div><div>Please let me know if you need any information.</div><div><br></div><div>Thanks,</div>
<div>Gopi </div><div><br></div></div>
</div><br></div>
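<div>As an added example (not part of the original post and not Openswan's or Solaris's own tooling), the script below cross-checks the two sides' configuration fragments quoted above. It parses the Solaris ipsecinit.conf policy line, the p1_xform and p2_pfs lines of ike.config and the ike.preshared entry, then parses the Openswan conn and secrets, and lists every parameter on which the peers disagree. Run against the posted values it reports the phase 2 proposal (encr_algs aes on Solaris against phase2alg=3des-md5 on RHEL) and the inner tunnel addresses (Solaris has 1.1.1.7 as its laddr, while the conn assigns 1.1.1.7/32 to left=172.33.8.128 and 2.2.2.7/32 to right=172.33.8.250); the phase 1 proposal, PFS group and pre-shared key agree. The inline configuration strings are copies constructed from the post, the function names are the example's own, and the oakley_group-to-modp table uses the standard IKE group numbers.</div>

```python
"""Cross-check a Solaris IKE/IPsec policy against an Openswan conn.

Added example, not code from the original post, Openswan or Solaris.
The configuration strings below are constructed copies of the fragments
in the post, embedded so the script runs offline.
"""
import re

# Solaris side (constructed copies of the posted fragments).
SOLARIS_IPSECINIT = (
    "{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} "
    "ipsec {encr_algs aes encr_auth_algs hmac-md5}"
)
SOLARIS_IKE_CONFIG = """
p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
p2_pfs 5
"""
SOLARIS_PRESHARED = """
{
 localidtype IP
 localid 172.33.8.250
 remoteidtype IP
 remoteid 172.33.8.128
 key 775908663bfb52dfb6e6c625ec7318cc
}
"""
# Openswan side (constructed copies of the posted fragments).
OPENSWAN_CONN = """
conn iptun0
 left=172.33.8.128
 leftsubnet=1.1.1.7/32
 right=172.33.8.250
 rightsubnet=2.2.2.7/32
 pfs=yes
 ike=3des-md5;modp1536
 phase2alg=3des-md5;modp1536
"""
OPENSWAN_SECRETS = '172.33.8.250 172.33.8.128 : PSK "0x775908663bfb52dfb6e6c625ec7318cc"'

# Standard IKE MODP group numbers mapped to the names Openswan uses.
OAKLEY_TO_MODP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}


def kv_pairs(text):
    """Turn Solaris 'keyword value keyword value' text into a dict."""
    toks = re.findall(r"[\w.\-]+", text)
    return dict(zip(toks[0::2], toks[1::2]))


def parse_solaris(ipsecinit, ike_config, preshared):
    """Extract selectors, proposals, PFS group and PSK from the Solaris files."""
    m = re.match(r"\{(.*?)\}\s*ipsec\s*\{(.*?)\}", ipsecinit)
    sel, algs = kv_pairs(m.group(1)), kv_pairs(m.group(2))
    p1 = kv_pairs(re.search(r"p1_xform\s*\{(.*?)\}", ike_config).group(1))
    pfs = re.search(r"p2_pfs\s+(\d+)", ike_config).group(1)
    key = re.search(r"\bkey\s+([0-9a-fA-F]+)", preshared).group(1)
    return {
        "local_inner": sel["laddr"],
        "remote_inner": sel["raddr"],
        "p1": (p1["encr_alg"], p1["auth_alg"], OAKLEY_TO_MODP[p1["oakley_group"]]),
        # Solaris spells the integrity algorithm hmac-md5; Openswan writes md5.
        "p2": (algs["encr_algs"], algs["encr_auth_algs"].replace("hmac-", "")),
        "pfs": OAKLEY_TO_MODP[pfs],
        "psk": key.lower(),
    }


def parse_openswan(conn, secrets, solaris_ip):
    """Extract the same items from an Openswan conn block and secrets line."""
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)", conn, re.M))
    # Work out which of left/right is the Solaris peer, so subnets line up.
    side = "right" if kv["right"] == solaris_ip else "left"
    other = "left" if side == "right" else "right"

    def proposal(spec):
        # 'enc-auth;group' becomes ('enc', 'auth', 'group')
        algs, _, group = spec.partition(";")
        enc, _, auth = algs.partition("-")
        return enc, auth, group

    p2 = proposal(kv["phase2alg"])
    psk = re.search(r'PSK\s+"0x([0-9a-fA-F]+)"', secrets).group(1)
    return {
        "peer_inner": kv[side + "subnet"].split("/")[0],
        "own_inner": kv[other + "subnet"].split("/")[0],
        "p1": proposal(kv["ike"]),
        "p2": p2[:2],
        "pfs": p2[2] if kv.get("pfs", "yes") == "yes" else None,
        "psk": psk.lower(),
    }


def compare(sol, osw):
    """Return (item, solaris_value, openswan_value) for every disagreement."""
    checks = [
        ("phase1 proposal", sol["p1"], osw["p1"]),
        ("phase2 proposal", sol["p2"], osw["p2"]),
        ("pfs group", sol["pfs"], osw["pfs"]),
        ("pre-shared key", sol["psk"], osw["psk"]),
        ("solaris inner address", sol["local_inner"], osw["peer_inner"]),
        ("rhel inner address", sol["remote_inner"], osw["own_inner"]),
    ]
    return [(name, a, b) for name, a, b in checks if a != b]


def findings():
    sol = parse_solaris(SOLARIS_IPSECINIT, SOLARIS_IKE_CONFIG, SOLARIS_PRESHARED)
    osw = parse_openswan(OPENSWAN_CONN, OPENSWAN_SECRETS, solaris_ip="172.33.8.250")
    return compare(sol, osw)


if __name__ == "__main__":
    for name, a, b in findings():
        print(f"MISMATCH {name}: solaris={a} openswan={b}")
```

<div>The comparison normalises both sides to one vocabulary (Openswan's enc-auth;group spelling) before comparing, which is what makes a "hmac-md5" on Solaris and an "md5" in a phase2alg string count as the same thing; the same normalisation is where a real tool would add the other algorithm names the two implementations spell differently.</div>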
<br><br></body></html>