<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 04/05/15 at 19:44, Nick Howitt wrote:<br>
</div>
<blockquote cite="mid:5547B00B.7070803@howitts.co.uk" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
Have a look at the commands "ip xfrm state" and "ip xfrm policy".
There you should see your tunnel.<br>
</blockquote>
Yes, they see my tunnel:<br>
<br>
<pre wrap="">$ ip xfrm state
src 198.202.190.103 dst 192.168.0.6
    proto esp spi 0x8f1cd06b reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x321291db65b04e02e7d1f4526f7b718f 96
    enc cbc(des3_ede) 0xff3cf71fe47304ad69cc038503e884fac069cf65a1e7d92a
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.0.6 dst 198.202.190.103
    proto esp spi 0xef2410db reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x550b2287f176cc05602d5c92c3d59639 96
    enc cbc(des3_ede) 0x881215730d651d7ac9838838a9dc05730db60eb170f2cd2e
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

$ ip xfrm policy
src 192.168.0.6/32 dst 192.168.30.0/24
    dir out priority 2088
    tmpl src 192.168.0.6 dst 198.202.190.103
        proto esp reqid 16385 mode tunnel
src 192.168.30.0/24 dst 192.168.0.6/32
    dir fwd priority 2088
    tmpl src 198.202.190.103 dst 192.168.0.6
        proto esp reqid 16385 mode tunnel
src 192.168.30.0/24 dst 192.168.0.6/32
    dir in priority 2088
    tmpl src 198.202.190.103 dst 192.168.0.6
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
</pre>
<br>
<blockquote cite="mid:5547B00B.7070803@howitts.co.uk" type="cite"> <br>
Are you running a firewall on 192.168.0.6? If you are, have you
set any rules for the tunnel? When you are pinging the remote
subnet, is it from 192.168.0.6 or some other machine on the LAN?<br>
</blockquote>
No, I'm not running any firewall on that machine. I'm pinging from
192.168.0.6.<br>
<blockquote cite="mid:5547B00B.7070803@howitts.co.uk" type="cite"> <br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 04/05/2015 18:36, Roi Rodríguez
wrote:<br>
</div>
<blockquote cite="mid:5547AE1C.6060107@qubitia.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hi Nick,<br>
<br>
On 04/05/15 at 19:19, Nick Howitt wrote:<br>
</div>
<blockquote cite="mid:5547AA3C.6050907@howitts.co.uk"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
It looks like your tunnel is up and running - I am a little
surprised as you don't have "nat_traversal=yes" in config
setup.<br>
</blockquote>
I added "nat_traversal=yes", as well as "forceencaps=yes" in my
connection config. <br>
<blockquote cite="mid:5547AA3C.6050907@howitts.co.uk"
type="cite"> <br>
You won't see an ipsecX interface with netkey, only with klips
which you are not using.<br>
</blockquote>
OK. So the question is: with my setup, what should I see as the
result of the tunnel going up? New routing rules? I don't see
any new routing, iptables rules (NAT), etc. appearing. So pinging
someone inside their subnet does not succeed.<br>
<br>
I'm sure this is me not understanding what goes on...<br>
<br>
<br>
<blockquote cite="mid:5547AA3C.6050907@howitts.co.uk"
type="cite"> <br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 04/05/2015 17:52, Roi
Rodríguez wrote:<br>
</div>
<blockquote cite="mid:5547A3EB.5040104@qubitia.com"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
Hi,<br>
<br>
I'm having difficulties setting up a site-to-site tunnel.
I've got no previous background with IPsec or VPNs.<br>
<br>
My network setup:<br>
<br>
192.168.0.6-->192.168.0.1(gw:PUBLIC IP IFACE)====THEIR_PUBLIC_IP---192.168.30.0/24<br>
<br>
192.168.0.6 is the machine where I installed and configured
Openswan. 192.168.0.1 is our office's router. The rest is on
their side. I enabled "IPSec passthrough" and redirected UDP
500 and 4500 to 192.168.0.6.<br>
<br>
<br>
<br>
This is my ipsec.conf file:<br>
<br>
<pre wrap="">version 2.0

config setup
    plutodebug=none
    dumpdir=/var/run/pluto/
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn idata
    auto=start
    authby=secret
    type=tunnel
    ike=3des-md5;modp1024
    # Phase 1
    keyexchange=ike
    ikelifetime=86400s
    # Phase 2
    phase2=esp
    pfs=no
    leftid=$THEIR_PUBLIC_IP
    left=$THEIR_PUBLIC_IP
    leftnexthop=%defaultroute
    leftsubnet=192.168.30.0/24
    rightid=192.168.0.6
    right=192.168.0.6
    rightnexthop=192.168.0.1
    rightsubnet=192.168.0.6/32
</pre>
<br>
COMMENT: 192.168.0.6/32 as the rightsubnet is just a test;
I'll set this up once connectivity works.<br>
<br>
When I bring up the "idata" connection:<br>
<pre wrap="">$ service ipsec status
IPsec running - pluto pid: 5112
pluto pid 5112
1 tunnels up
some eroutes exist
$ ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.6
000 interface eth0/eth0 192.168.0.6
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "idata": 192.168.0.6/32===192.168.0.6&lt;192.168.0.6&gt;---192.168.0.1...192.168.0.1---198.202.190.103&lt;198.202.190.103&gt;===192.168.30.0/24; erouted; eroute owner: #2
000 "idata": myip=unset; hisip=unset;
000 "idata": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "idata": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "idata": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "idata": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "idata": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "idata": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000
000 #2: "idata":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26911s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "idata" esp.e00edafe@198.202.190.103 esp.e6393f98@192.168.0.6 tun.0@198.202.190.103 tun.0@192.168.0.6 ref=0 refhim=4294901761
000 #1: "idata":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84648s; newest ISAKMP; lastdpd=17s(seq in:0 out:0); idle; import:admin initiate
000
</pre>
<br>
According to the output the tunnel seems up, but I can't see any
ipsec0 interface or such.<br>
<pre wrap="">$ cat /var/run/pluto/ipsec.info
defaultroutephys=eth0
defaultroutevirt=none
defaultrouteaddr=192.168.0.6
defaultroutenexthop=192.168.0.1
</pre>
<br>
defaultroutevirt=none? Also "%myid = (none)", "myip=unset;
hisip=unset;"... I'm not sure these are problems. <br>
<br>
Can anyone give some help?<br>
<br>
Best regards<br>
<div class="moz-signature">-- <br>
<table width="600px">
<tbody>
<tr>
<td>
<address style="font-family: Arial; font-size:
10pt; font-style: normal; color: black;"> Roi
Rodríguez Méndez<br>
Partner @ <b>Qubitia Solutions S.L.</b><br>
Avda. Conde de Bugallal Nº61H 2ºA<br>
36004 - Pontevedra (SPAIN)<br>
Phone. +34886213038<br>
<a moz-do-not-send="true"
href="mailto:roi.rodriguez@qubitia.com">roi.rodriguez@qubitia.com</a><br>
<a moz-do-not-send="true"
href="http://www.qubitia.com">http://www.qubitia.com</a>
<br>
<br>
</address>
</td>
</tr>
<tr>
<td>
<p style="font-family: Arial; font-size: 8pt;
font-style: normal; color: black;">The contents
of this e-mail (including any attachments) are
private and confidential. If you are not the
intended recipient, you must not copy,
distribute, take any action on or disclose any
detail of this e-mail (including any
attachments) to any person, firm or
corporation. If you received this e-mail in
error, please notify us immediately.</p>
</td>
</tr>
<tr>
<td>
<p style="font-family: Arial; font-size: 8pt;
font-style: normal; color: grey;">The contents
of this email (including any attachments) are
privileged & confidential. If you are not an
intended recipient, you must not copy,
distribute, take action in reliance on or
disclose any details of the e-mail (including
any attachments) to any other person, firm or
corporation. If you received this email in
error, please notify us immediately.</p>
</td>
</tr>
</tbody>
</table>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
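With netkey there is no ipsecX interface or extra route to look at, so the thread's question becomes: what in <code>ip xfrm</code> proves that a given flow will be encrypted? The script below is an added example, not code from the thread or from Openswan: it parses <code>ip xfrm policy</code> / <code>ip xfrm state</code> output in the format quoted above and reports, for a source and destination, whether a <code>dir out</code> policy selects the flow and whether an ESP SA exists for that policy's template (noting UDP encapsulation and legacy algorithms). The embedded samples are constructed from the thread's output with the keys shortened, and the parser assumes address-only selectors (no proto or port).<br>

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample, trimmed from the xfrm output quoted in the thread (keys shortened).
XFRM_STATE = """\
src 198.202.190.103 dst 192.168.0.6
    proto esp spi 0x8f1cd06b reqid 16385 mode tunnel
src 192.168.0.6 dst 198.202.190.103
    proto esp spi 0xef2410db reqid 16385 mode tunnel
    auth-trunc hmac(md5) 0x55 96
    enc cbc(des3_ede) 0x88
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""
XFRM_POLICY = """\
src 192.168.0.6/32 dst 192.168.30.0/24
    dir out priority 2088
    tmpl src 192.168.0.6 dst 198.202.190.103
        proto esp reqid 16385 mode tunnel
"""
LEGACY = {"cbc(des3_ede)", "cbc(des)", "hmac(md5)"}  # weak by current standards
def records(text):
    # One string per xfrm entry; an entry starts at an unindented "src " line.
    out = []
    for line in text.splitlines():
        if line.startswith("src "):
            out.append(line.strip())
        elif out:
            out[-1] += " " + line.strip()
    return out
def out_template(src_ip, dst_ip, policy_text):
    """(tmpl_src, tmpl_dst, reqid) of the best 'dir out' policy covering the flow, or None."""
    s, d, hits = ip_address(src_ip), ip_address(dst_ip), []
    for rec in records(policy_text):
        m = re.match(r"src (\S+) dst (\S+) dir out priority (\d+)", rec)  # socket entries skipped
        if m and s in ip_network(m[1], strict=False) and d in ip_network(m[2], strict=False):
            hits.append((int(m[3]), rec))  # lower priority number wins
    t = hits and re.search(r"tmpl src (\S+) dst (\S+) proto esp reqid (\d+)", min(hits)[1])
    return (t[1], t[2], int(t[3])) if t else None
def find_sa(tmpl, state_text):
    """Outbound SA (spi, nat_t, {algs}) whose src/dst/reqid match a policy template, or None."""
    for rec in records(state_text):
        m = re.match(r"src (\S+) dst (\S+) proto esp spi (0x[0-9a-f]+) reqid (\d+)", rec)
        if m and (m[1], m[2], int(m[4])) == tmpl:
            return m[3], "encap type espinudp" in rec, set(re.findall(r"(?:enc|auth-trunc) (\S+)", rec))
    return None
def diagnose(src_ip, dst_ip, policy_text, state_text):
    # What the kernel does with a packet src_ip -> dst_ip leaving this host.
    tmpl = out_template(src_ip, dst_ip, policy_text)
    if tmpl is None:
        return "no 'dir out' policy matches: packet leaves in the clear"
    sa = find_sa(tmpl, state_text)
    if sa is None:
        return "policy matches but no outbound SA for reqid %d: IKE must install one" % tmpl[2]
    spi, natt, algs = sa
    weak = ", ".join(sorted(LEGACY & algs))
    return "ESP %s -> %s spi %s%s%s" % (tmpl[0], tmpl[1], spi,
        " via UDP 4500 (NAT-T)" if natt else "", " [legacy algorithms: %s]" % weak if weak else "")
```

Run it against live output by feeding the two strings from <code>ip xfrm policy</code> and <code>ip xfrm state</code>; a flow that reports "leaves in the clear" is a selector problem, while "no outbound SA" points at IKE.<br>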
</body>
</html>