<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    I am not sure about your first INPUT rule and would normally use:<br>
    <br>
    iptables -A INPUT -p 50 -j ACCEPT<br>
    <br>
    <div class="moz-cite-prefix">which could be refined with a "-s
      $ciscoPublicIP". Your POSTROUTING rule should be fine instead of
      mine.<br>
      <br>
      Can you post your connection log, your conn as it is now and a
      traceroute to the Cisco router.<br>
      <br>
      Nick<br>
      <br>
      On 15/07/2014 13:36, Piotr Pawłowski wrote:<br>
    </div>
    <blockquote
      cite="mid:1405427811.20364.5.camel@GY-GD-K059.goyello.net"
      type="cite">
      <pre wrap="">I'va cleared iptables and added your rule - still nothing. Before change
I had only this:
iptables -A POSTROUTING -t nat -d 10.0.0.0/24 -o eth0 -m policy --dir
out --pol ipsec -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
iptables -A INPUT -p udp -m multiports --dports 500,4500 -j ACCEPT
iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
Default chains policy is to accept everything.

Any other ideas?
Thanks in advance.

Piotr

Dnia 2014-07-15, wto o godzinie 12:53 +0100, Nick Howitt pisze:
</pre>
      <blockquote type="cite">
        <pre wrap="">What firewall rules do you have in place - especially in the POSTROUTING 
chain which might affect this? If you have nothing, try adding this 
generic one:

iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT

On 2014-07-15 10:44, Piotr Pawłowski wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">On Cisco side there is 10.0.0.0/24 network while openswan runs on one
server where address 10.0.100.1 is a IP attached to loopback
sub-interface.

 Dnia 2014-07-14, pon o godzinie 15:32 +0100, Nick Howitt pisze:

</pre>
            <blockquote type="cite">
              <pre wrap="">What are the real LAN subnets at either end of the tunnel?

On 2014-07-14 13:51, Piotr Pawłowski wrote:
</pre>
              <blockquote type="cite">
                <pre wrap="">Indeed... Typo in networks (facepalm)... That's the result of debugging
too long. Thanks for the tip.
Now VPN is established, however there is no way to reach either end
(from openswan I am not able to reach 10.0.0.2/32 and from Cisco I
cannot reach 10.0.100.1).
Route on openswan side is added by the software. Route on Cisco side
looks like this:
ip route 10.0.100.1 255.255.255.255 $ciscoPublicIP

Any kind of tip will be helpful.

Regards
Piotr


On 2014-07-14, Mon at 09:02 +0100, Nick Howitt wrote:
</pre>
                <blockquote type="cite">
                  <pre wrap="">I don't know if your configs are edited, but you must not have any blank
lines in a conn. A blank line signifies the end of a conn. It probably
also applies to config setup. If you want, you can use an indented #
rather than a totally blank line.

I can't read Cisco configs but it also seems that your left/rightsubnets
don't match your access-list. Is this correct or do you specify subnets
elsewhere in the Cisco config?

Nick

On 2014-07-14 08:36, Piotr Pawłowski wrote:
</pre>
                  <blockquote type="cite">
                    <pre wrap="">Dear all,

For two weeks I have been trying to set up an ipsec vpn connection between two
hosts. One of them is openswan on linux, the other is a Cisco device. Without
luck.
Openswan configuration below:

config setup
interfaces=%defaultroute
plutodebug=none
klipsdebug=none
plutoopts="--perpeerlog"

nat_traversal=yes
virtual_private=%v4:10.0.100.1/32,%v4:10.0.0.2/32
oe=off
protostack=netkey
plutostderrlog=/var/log/pluto.log
conn testConnection
auto=start
type=tunnel
aggrmode=no

left=$openswanPublicIP
leftsubnet=10.0.100.1/32
leftsourceip=10.0.100.1

right=$ciscoPublicIP
rightsubnet=10.0.0.2/32

keyexchange=ike
ike=3des-md5-modp1024

authby=secret

phase2=esp
phase2alg=3des-md5
pfs=yes


Cisco configuration:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key TestKey address $openswanPublicIP
crypto ipsec transform-set OPENSWAN esp-3des esp-md5-hmac
mode tunnel
crypto map openswan-map 1 ipsec-isakmp
set peer $openswanPublicIP
set transform-set OPENSWAN
match address 190
access-list 190 permit ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255



IMHO everything looks fine. Openswan thinks differently. Below is output from
pluto.log.

Plutorun started on Mon Jul 14 07:01:57 UTC 2014
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O177nez{CQ) pid:23920
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=23924 (fd:4)
Using Linux 2.6 IPsec interface code on 2.6.32-5-amd64 (experimental code)
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
added connection description "testConnection"
listening for IKE messages
NAT-Traversal: Trying new style NAT-T
NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
NAT-Traversal: Trying old style NAT-T
adding interface eth0/eth0 $openswanPublicIP:500
adding interface eth0/eth0 $openswanPublicIP:4500
adding interface lo:1/lo:1 10.0.100.1:500
adding interface lo:1/lo:1 10.0.100.1:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
"testConnection" #1: initiating Main Mode
"testConnection" #1: received Vendor ID payload [RFC 3947] method set to=109
"testConnection" #1: enabling possible NAT-traversal with method 4
"testConnection" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"testConnection" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"testConnection" #1: received Vendor ID payload [Cisco-Unity]
"testConnection" #1: received Vendor ID payload [Dead Peer Detection]
"testConnection" #1: ignoring unknown Vendor ID payload [9df211f6d27b7ea9251edca1d227fdd5]
"testConnection" #1: received Vendor ID payload [XAUTH]
"testConnection" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"testConnection" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"testConnection" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"testConnection" #1: Main mode peer ID is ID_IPV4_ADDR: '$ciscoPublicIP'
"testConnection" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"testConnection" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"testConnection" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:b73ac6a6 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
"testConnection" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"testConnection" #1: received and ignored informational message
"testConnection" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

I also tried with 'transform-set esp-aes 256 esp-sha-hmac' on Cisco side
and keyexchange=ike , ike=3des-md5-modp1024 , phase2=esp ,
phase2alg=3des-md5;modp1024 on openswan side. Also with the same error as
shown in pluto.log.

Can anybody point out the area where I am doing something wrong?
Thank you in advance.

Regards
Piotr
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a> [1]
Micropayments:
<a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a> [2]
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a> [3]
</pre>
                  </blockquote>
                </blockquote>
              </blockquote>
            </blockquote>
            <pre wrap="">
Links:
------
[1] <a class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
[2] <a class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
[3] <a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
        </blockquote>
      </blockquote>
    </blockquote>
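<p>The script below is an added example, not part of this thread and not Openswan or Cisco code. It does mechanically what Nick did by eye in his 09:02 reply: it turns the Cisco crypto ACL's address/wildcard pairs into CIDR networks and checks whether they mirror the conn's leftsubnet/rightsubnet, then classifies the quoted pluto.log lines (phase 1 established, Quick Mode answered with NO_PROPOSAL_CHOSEN). Sample inputs are constructed from the values quoted above, with the public IPs left as the poster's $placeholders; the function names and verdict strings are my own. Note that the wildcard 0.0.1.255 denotes a /23, not the /24 the poster later mentions, which is exactly the kind of mismatch this check surfaces.</p>

```python
"""Cross-check an Openswan conn's traffic selectors against a Cisco crypto
ACL and classify what a pluto.log excerpt says about the IKE phases.

Added example for this thread, not Openswan or Cisco code. Sample input is
constructed from the values quoted in the thread.
"""
import ipaddress
import re

# Constructed sample: the selector-relevant keys of the posted conn.
OPENSWAN_CONN = """\
conn testConnection
    left=$openswanPublicIP
    leftsubnet=10.0.100.1/32
    right=$ciscoPublicIP
    rightsubnet=10.0.0.2/32
"""

# Constructed sample: the posted crypto ACL, rejoined onto one line.
CISCO_ACL = "access-list 190 permit ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255"

# Constructed sample: the pluto.log lines that carry the diagnosis.
PLUTO_LOG = """\
"testConnection" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"testConnection" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:b73ac6a6 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
"testConnection" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"testConnection" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair into an IPv4Network.
    A wildcard is the inverse of a netmask (0 bits must match), so
    0.0.1.255 is /23.  A non-contiguous wildcard raises ValueError."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


# One ACL operand: 'any', 'host A', or 'A WILDCARD'.
_OPERAND = r"(?:(?P<{p}_any>any)|host\s+(?P<{p}_host>\S+)|(?P<{p}_addr>\S+)\s+(?P<{p}_wc>\S+))"
_ACL_RE = re.compile(r"^\s*access-list\s+\d+\s+permit\s+ip\s+"
                     + _OPERAND.format(p="src") + r"\s+"
                     + _OPERAND.format(p="dst") + r"\s*$")


def _operand(match, p):
    if match.group(p + "_any"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    if match.group(p + "_host"):
        return ipaddress.IPv4Network(match.group(p + "_host") + "/32")
    return wildcard_to_network(match.group(p + "_addr"), match.group(p + "_wc"))


def parse_cisco_acl(line):
    """Return (local, remote) networks of an extended 'permit ip' entry.
    The ACL is written from the Cisco side: source is Cisco's own traffic,
    destination is the traffic behind the peer."""
    m = _ACL_RE.match(line)
    if not m:
        raise ValueError("unsupported ACL syntax: " + line)
    return _operand(m, "src"), _operand(m, "dst")


def parse_openswan_subnets(conn_text):
    """Return (leftsubnet, rightsubnet) networks from a conn section."""
    keys = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)\s*$", conn_text, re.M))
    missing = [k for k in ("leftsubnet", "rightsubnet") if k not in keys]
    if missing:
        raise ValueError("conn lacks " + ", ".join(missing))
    return (ipaddress.IPv4Network(keys["leftsubnet"], strict=False),
            ipaddress.IPv4Network(keys["rightsubnet"], strict=False))


def compare_selectors(conn_text, acl_line):
    """Return (name, openswan_net, cisco_net, verdict) per direction.
    rightsubnet is the Cisco side, so it must mirror the ACL source;
    leftsubnet must mirror the ACL destination."""
    left, right = parse_openswan_subnets(conn_text)
    cisco_local, cisco_remote = parse_cisco_acl(acl_line)
    findings = []
    for name, ours, theirs in (("rightsubnet", right, cisco_local),
                               ("leftsubnet", left, cisco_remote)):
        if ours == theirs:
            verdict = "mirror"
        elif ours.subnet_of(theirs):
            verdict = "narrower-than-acl"
        elif theirs.subnet_of(ours):
            verdict = "wider-than-acl"
        else:
            verdict = "disjoint"
        findings.append((name, str(ours), str(theirs), verdict))
    return findings


def diagnose_pluto(log_text):
    """Classify how far IKE got.  'IPsec SA established' is what pluto logs
    when Quick Mode completes; NO_PROPOSAL_CHOSEN after 'initiating Quick
    Mode' is the peer refusing the phase-2 proposal or its selectors."""
    lines = log_text.splitlines()
    if any("IPsec SA established" in l for l in lines):
        return "tunnel-up"
    phase1 = any("ISAKMP SA established" in l for l in lines)
    quick = any("initiating Quick Mode" in l for l in lines)
    refused = any("NO_PROPOSAL_CHOSEN" in l for l in lines)
    if phase1 and quick and refused:
        return "phase2-rejected"
    return "phase1-only" if phase1 else "phase1-failed"


if __name__ == "__main__":
    for name, ours, theirs, verdict in compare_selectors(OPENSWAN_CONN, CISCO_ACL):
        print(f"{name:12} openswan={ours:15} cisco={theirs:15} {verdict}")
    print("pluto.log:", diagnose_pluto(PLUTO_LOG))
```

<p>Run as-is it reports both Openswan /32 selectors as narrower than the ACL networks (10.0.0.0/23 and 10.0.100.0/24) and classifies the log as a phase-2 rejection; with a host-to-host ACL that matches the conn it reports "mirror". Cisco's ACL source/destination must be the exact mirror of the peer's local/remote selectors for Quick Mode to be accepted, which is why a selector check belongs before any cipher-suite tweaking when phase 1 already succeeds.</p>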
    <br>
  </body>
</html>