<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I'm having difficulties setting up a site-to-site tunnel. I've got
no previous backgroud with ipsec or VPNs.<br>
<br>
My network setup:<br>
<br>
192.168.0.6-->192.168.0.1(gw:PUBLIC IP
IFACE)====THEIR_PUBLIC_IP---192.168.30.0/24<br>
<br>
192.168.0.6 is the machine where i installed and configured
openswan. 192.168.0.1 is our office's router. The rest is on their
side. I enabled "IPSec passthrough" and redirected UDP 500 and 4500
to 192.168.0.6.<br>
<br>
<br>
<br>
This is my ipsec.conf file:<br>
<br>
version 2.0<br>
<br>
config setup<br>
plutodebug=none<br>
dumpdir=/var/run/pluto/<br>
oe=off<br>
protostack=netkey<br>
interfaces=%defaultroute<br>
<br>
conn idata<br>
auto=start<br>
authby=secret<br>
type=tunnel<br>
ike=3des-md5;modp1024<br>
# Phase 1<br>
keyexchange=ike<br>
ikelifetime=86400s<br>
# Phase 2<br>
phase2=esp<br>
pfs=no<br>
leftid=$THEIR_PUBLIC_IP<br>
left=$THEIR_PUBLIC_IP<br>
leftnexthop=%defaultroute<br>
leftsubnet=192.168.30.0/24<br>
rightid=192.168.0.6<br>
right=192.168.0.6<br>
rightnexthop=192.168.0.1<br>
rightsubnet=192.168.0.6/32<br>
<br>
COMMENT: 192.168.0.6/32 as the rightsubnet is just a test, i'll
setup this once connectivity works.<br>
<br>
When i bring up the "idata" connection:<br>
$ service ipsec status<br>
IPsec running - pluto pid: 5112<br>
pluto pid 5112<br>
1 tunnels up<br>
some eroutes exist<br>
$ ipsec auto --status<br>
000 using kernel interface: netkey<br>
000 interface lo/lo ::1<br>
000 interface lo/lo 127.0.0.1<br>
000 interface lo/lo 127.0.0.1<br>
000 interface eth0/eth0 192.168.0.6<br>
000 interface eth0/eth0 192.168.0.6<br>
000 %myid = (none)<br>
000 debug none<br>
000 <br>
000 virtual_private (%priv):<br>
000 - allowed 0 subnets: <br>
000 - disallowed 0 subnets: <br>
000 WARNING: Either virtual_private= is not specified, or there is a
syntax <br>
000 error in that line. 'left/rightsubnet=vhost:%priv' will
not work!<br>
000 WARNING: Disallowed subnets in virtual_private= is empty. If you
have <br>
000 private address space in internal use, it should be
excluded!<br>
000 <br>
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
keysizemin=64, keysizemax=64<br>
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
keysizemin=192, keysizemax=192<br>
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
keysizemin=40, keysizemax=128<br>
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448<br>
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
keysizemin=0, keysizemax=0<br>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=160, keysizemax=288<br>
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128<br>
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160<br>
000 algorithm ESP auth attr: id=5,
name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>
000 algorithm ESP auth attr: id=6,
name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384<br>
000 algorithm ESP auth attr: id=7,
name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512<br>
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160<br>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128<br>
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0<br>
000 <br>
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,
keydeflen=131<br>
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192<br>
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128<br>
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
bits=1024<br>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
bits=1536<br>
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
bits=2048<br>
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
bits=3072<br>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
bits=4096<br>
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
bits=6144<br>
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
bits=8192<br>
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024<br>
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048<br>
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048<br>
000 <br>
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0} <br>
000 <br>
000 "idata":
192.168.0.6/32===192.168.0.6<192.168.0.6>---192.168.0.1...192.168.0.1---198.202.190.103<198.202.190.103>===192.168.30.0/24;
erouted; eroute owner: #2<br>
000 "idata": myip=unset; hisip=unset;<br>
000 "idata": ike_life: 86400s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0 <br>
000 "idata": policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,32;
interface: eth0; <br>
000 "idata": newest ISAKMP SA: #1; newest IPsec SA: #2; <br>
000 "idata": IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict<br>
000 "idata": IKE algorithms found:
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)<br>
000 "idata": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024<br>
000 <br>
000 #2: "idata":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 26911s; newest IPSEC; eroute
owner; isakmp#1; idle; import:admin initiate<br>
000 #2: "idata" <a class="moz-txt-link-abbreviated" href="mailto:esp.e00edafe@198.202.190.103">esp.e00edafe@198.202.190.103</a>
<a class="moz-txt-link-abbreviated" href="mailto:esp.e6393f98@192.168.0.6">esp.e6393f98@192.168.0.6</a> <a class="moz-txt-link-abbreviated" href="mailto:tun.0@198.202.190.103">tun.0@198.202.190.103</a> <a class="moz-txt-link-abbreviated" href="mailto:tun.0@192.168.0.6">tun.0@192.168.0.6</a>
ref=0 refhim=4294901761<br>
000 #1: "idata":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 84648s; newest ISAKMP; lastdpd=17s(seq in:0
out:0); idle; import:admin initiate<br>
000<br>
<br>
<br>
According to the output tunnel seems up, but i can't see any ipsec0
interface or such. <br>
$ cat /var/run/pluto/ipsec.info <br>
defaultroutephys=eth0<br>
defaultroutevirt=none<br>
defaultrouteaddr=192.168.0.6<br>
defaultroutenexthop=192.168.0.1<br>
<br>
defaultroutevirt=none? Also "%myid = (none)", "myip=unset;
hisip=unset;"... I'm not sure these are problems. <br>
<br>
Can anyone give some help?<br>
<br>
Best regards<br>
<div class="moz-signature">-- <br>
<table width="600px">
<tbody>
<tr>
<td>
<address style="font-family: Arial; font-size: 10pt;
font-style: normal; color: black;">
Roi Rodríguez Méndez<br>
Partner @ <b>Qubitia Solutions S.L.</b><br>
Avda. Conde de Bugallal Nº61H 2ºA<br>
36004 - Pontevedra (SPAIN)<br>
Phone. +34886213038<br>
<a href="mailto:roi.rodriguez@qubitia.com">roi.rodriguez@qubitia.com</a><br>
<a href="http://www.qubitia.com">http://www.qubitia.com</a>
<br>
<br>
</address>
</td>
</tr>
<tr>
<td>
<p style="font-family: Arial; font-size: 8pt; font-style:
normal; color: black;">El contenido de este e-mail
(incluyendo los documentos adjuntos) es privado y
confidencial. Si usted no es el destinatario correcto,
no debe copiar, distribuir, tomar medida alguna o
revelar ningún detalle de este e-mail (incluyendo los
documentos adjuntos) a ninguna persona, empresa o
corporación. Si usted recibiera este e-mail por error,
por favor notifíquenoslo inmediatamente.</p>
</td>
</tr>
<tr>
<td>
<p style="font-family: Arial; font-size: 8pt; font-style:
normal; color: grey;">The contents of this email
(including any attachments) are privileged &
confidential. If you are not an intended recipient, you
must not copy, distribute, take action in reliance on or
disclose any details of the e-mail (including any
attachments) to any other person, firm or corporation.
If you received this email in error, please notify us
immediately.</p>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>