<div dir="ltr">Hey guys,<div><br></div><div>I'm trying to establish an IPsec tunnel between two different networks ...</div><div><br></div><div>Server A (Openswan on Ubuntu): has subnet 10.1.3.0</div><div>Server B (Vyatta): has subnet 10.54.229.0</div>
<div><br></div><div>I want to route traffic between the two networks using an IPsec tunnel... I think I got the tunnel established:</div><div><br></div><div>On server A (IP: 129.35.213.xx), I got this log from <b>/var/log/auth.log</b>:</div>
<div><br></div>
<pre>
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '50.23.67.xx'
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW {using isakmp#1 msgid:9deaa9b8 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc4377ca1 &lt;0x33607d15 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Jan 19 23:00:23 vm-10-1-3-39 pluto[12250]: "sample" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xced37bef) not found (maybe expired)
Jan 19 23:00:23 vm-10-1-3-39 pluto[12250]: "sample" #1: received and ignored informational message
</pre>
<div><br></div><div><b>/etc/log/syslog</b></div>
<pre>
Jan 19 23:00:04 vm-10-1-3-39 ipsec_setup: ...Openswan IPsec started
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jan 19 23:00:04 vm-10-1-3-39 pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: 002 added connection description "sample"
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
</pre>
<div><br></div><div><b>ipsec auto --status</b></div>
<pre>
000 "sample": 10.1.3.0/26===129.35.213.xx[+S=C]...50.23.67.xx&lt;50.23.67.xx&gt;[+S=C]===10.54.229.0/26; erouted; eroute owner: #2
000 "sample": myip=unset; hisip=unset;
000 "sample": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sample": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+lKOD+rKOD; prio: 26,26; interface: eth0;
000 "sample": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "sample": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5), AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=-strict
000 "sample": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-5, AES_CBC(7)_256-SHA1(2)_160-2,
000 "sample": IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "sample": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "sample": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "sample": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=&lt;N/A&gt;
000
000 #2: "sample":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27734s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "sample" esp.c4377ca1@50.23.67.xx esp.33607d15@129.35.213.xx tun.0@50.23.67.xx tun.0@129.35.213.xx ref=0 refhim=4294901761
000 #1: "sample":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2608s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
</pre>
<div><br></div><div>On server B (Vyatta, IP 50.23.67.xx):</div><div><br></div>
<div><b>show vpn ike sa</b></div>
<pre>
Peer ID / IP                            Local ID / IP
------------                            -------------
129.35.213.xx                           50.23.67.xx

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes256   sha1    5        no     651     3600
</pre>
<div><br></div>
<div><b>show vpn ipsec sa</b></div>
<pre>
Peer ID / IP                            Local ID / IP
------------                            -------------
129.35.213.xx                           50.23.67.xx

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     0.0/0.0        3des     md5     no     693     1800    all
</pre>
<div><br></div>
<div><b>show log vpn ipsec</b></div>
<pre>
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1452: received Delete SA payload: replace IPSEC State #1451 in 10 seconds
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1448: received Delete SA payload: deleting ISAKMP State #1448
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1452: received Delete SA payload: deleting ISAKMP State #1452
Jan 19 17:00:03 havyatta-3 pluto[15748]: ERROR: asynchronous network error report on eth1 for message to 129.35.213.xx port 500, complainant 129.35.213.xxx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 19 17:00:03 havyatta-3 pluto[15748]: ERROR: asynchronous network error report on eth1 for message to 129.35.213.xx port 500, complainant 129.35.213.xx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jan 19 17:00:05 havyatta-3 pluto[15748]: packet from 129.35.213.xx:500: ignoring Vendor ID payload [4f456d406b6753464548407f]
Jan 19 17:00:05 havyatta-3 pluto[15748]: packet from 129.35.213.xx:500: received Vendor ID payload [Dead Peer Detection]
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1453: responding to Main Mode
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1453: Peer ID is ID_IPV4_ADDR: '129.35.213.xx'
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1453: sent MR3, ISAKMP SA established
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1454: responding to Quick Mode
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1454: IPsec SA established {ESP=>0x33607d15 &lt;0xc4377ca1}
</pre>
<div><br></div><div>Looks like the tunnel is established... but how can I now connect from a machine in network 10.1.3.0 to a machine in network 10.54.229.0?</div>
<div><br></div><div>Could you help me?</div><div><br></div><div>Thanks in advance</div></div>
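<div>Added example, not part of the original post: a small parser for the two sides' pluto "IPsec SA established" lines and the <b>ipsec auto --status</b> output quoted above. It confirms that the ESP SPIs cross-match between Server A and Server B (each side's outbound SPI is the other's inbound SPI, so both peers describe the same child SA), that the connection is erouted, and flags the negotiated ESP proposal (3DES/MD5, no PFS) as legacy. The sample lines are copied from the post; the function names are the example's own.</div>

```python
import re

# Sample lines copied from the post above (IPs masked exactly as in the post).
SERVER_A_LOG = (
    'Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: STATE_QUICK_I2: sent QI2, '
    'IPsec SA established tunnel mode {ESP=>0xc4377ca1 <0x33607d15 xfrm=3DES_0-HMAC_MD5 '
    'NATOA=none NATD=none DPD=none}'
)
SERVER_B_LOG = (
    'Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1454: '
    'IPsec SA established {ESP=>0x33607d15 <0xc4377ca1}'
)
STATUS_A = """000 "sample": 10.1.3.0/26===129.35.213.xx[+S=C]...50.23.67.xx<50.23.67.xx>[+S=C]===10.54.229.0/26; erouted; eroute owner: #2
000 "sample": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+lKOD+rKOD; prio: 26,26; interface: eth0;
000 "sample": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
"""

# pluto prints the child SA as {ESP=>outbound_spi <inbound_spi ...}
SPI_RE = re.compile(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")
# Legacy ESP cipher/integrity names as pluto prints them (no AEAD, no SHA-2)
WEAK_ESP = ("3DES", "MD5")


def parse_spis(line):
    """Return (outbound_spi, inbound_spi) from a pluto 'IPsec SA established' line."""
    m = SPI_RE.search(line)
    if not m:
        raise ValueError("no ESP SPI pair in line")
    return int(m.group(1), 16), int(m.group(2), 16)


def spis_cross_match(line_a, line_b):
    """True when A's outbound SPI is B's inbound SPI and vice versa,
    i.e. both peers are describing the same IPsec SA."""
    a_out, a_in = parse_spis(line_a)
    b_out, b_in = parse_spis(line_b)
    return a_out == b_in and a_in == b_out


def audit_status(status_text):
    """Inspect 'ipsec auto --status' output: routing state and ESP strength."""
    erouted = re.search(r";\s*erouted;", status_text) is not None
    alg = re.search(r"ESP algorithm newest:\s*([^;]+);\s*pfsgroup=(\S+)", status_text)
    esp_alg = alg.group(1) if alg else ""
    pfs = alg.group(2) not in ("<N/A>", "no-pfs") if alg else False
    weak = any(w in esp_alg.upper() for w in WEAK_ESP)
    return {"erouted": erouted, "esp": esp_alg, "pfs": pfs, "weak_esp": weak}
```

If the SPIs do not cross-match, the two sides are not talking about the same SA (for example a stale SA on one side after a rekey), which is a more useful first check than the "up" state alone.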