<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
It looks like your tunnel is up and running - I am a little
surprised as you don't have "nat_traversal=yes" in config setup.<br>
<br>
You won't see an ipsecX interface with netkey, only with klips which
you are not using.<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 04/05/2015 17:52, Roi Rodríguez
wrote:<br>
</div>
<blockquote cite="mid:5547A3EB.5040104@qubitia.com" type="cite">
Hi,<br>
<br>
I'm having difficulties setting up a site-to-site tunnel. I've got
no previous background with ipsec or VPNs.<br>
<br>
My network setup:<br>
<br>
192.168.0.6-->192.168.0.1(gw:PUBLIC IP
IFACE)====THEIR_PUBLIC_IP---192.168.30.0/24<br>
<br>
192.168.0.6 is the machine where I installed and configured
openswan. 192.168.0.1 is our office's router. The rest is on their
side. I enabled "IPSec passthrough" and redirected UDP 500 and
4500 to 192.168.0.6.<br>
<br>
<br>
<br>
This is my ipsec.conf file:<br>
<br>
version 2.0<br>
<br>
config setup<br>
plutodebug=none<br>
dumpdir=/var/run/pluto/<br>
oe=off<br>
protostack=netkey<br>
interfaces=%defaultroute<br>
<br>
conn idata<br>
auto=start<br>
authby=secret<br>
type=tunnel<br>
ike=3des-md5;modp1024<br>
# Phase 1<br>
keyexchange=ike<br>
ikelifetime=86400s<br>
# Phase 2<br>
phase2=esp<br>
pfs=no<br>
leftid=$THEIR_PUBLIC_IP<br>
left=$THEIR_PUBLIC_IP<br>
leftnexthop=%defaultroute<br>
leftsubnet=192.168.30.0/24<br>
rightid=192.168.0.6<br>
right=192.168.0.6<br>
rightnexthop=192.168.0.1<br>
rightsubnet=192.168.0.6/32<br>
<br>
COMMENT: 192.168.0.6/32 as the rightsubnet is just a test, I'll
set this up once connectivity works.<br>
<br>
When I bring up the "idata" connection:<br>
$ service ipsec status<br>
IPsec running - pluto pid: 5112<br>
pluto pid 5112<br>
1 tunnels up<br>
some eroutes exist<br>
$ ipsec auto --status<br>
000 using kernel interface: netkey<br>
000 interface lo/lo ::1<br>
000 interface lo/lo 127.0.0.1<br>
000 interface lo/lo 127.0.0.1<br>
000 interface eth0/eth0 192.168.0.6<br>
000 interface eth0/eth0 192.168.0.6<br>
000 %myid = (none)<br>
000 debug none<br>
000 <br>
000 virtual_private (%priv):<br>
000 - allowed 0 subnets: <br>
000 - disallowed 0 subnets: <br>
000 WARNING: Either virtual_private= is not specified, or there is
a syntax <br>
000 error in that line. 'left/rightsubnet=vhost:%priv'
will not work!<br>
000 WARNING: Disallowed subnets in virtual_private= is empty. If
you have <br>
000 private address space in internal use, it should be
excluded!<br>
000 <br>
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8,
keysizemin=64, keysizemax=64<br>
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
keysizemin=192, keysizemax=192<br>
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
keysizemin=40, keysizemax=128<br>
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448<br>
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
keysizemin=0, keysizemax=0<br>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=160, keysizemax=288<br>
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128<br>
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160<br>
000 algorithm ESP auth attr: id=5,
name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>
000 algorithm ESP auth attr: id=6,
name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384<br>
000 algorithm ESP auth attr: id=7,
name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512<br>
000 algorithm ESP auth attr: id=8,
name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160<br>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128<br>
000 algorithm ESP auth attr: id=251,
name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0<br>
000 <br>
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,
keydeflen=131<br>
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
blocksize=8, keydeflen=192<br>
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
blocksize=16, keydeflen=128<br>
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
bits=1024<br>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
bits=1536<br>
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
bits=2048<br>
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
bits=3072<br>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
bits=4096<br>
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
bits=6144<br>
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
bits=8192<br>
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22,
bits=1024<br>
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23,
bits=2048<br>
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24,
bits=2048<br>
000 <br>
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0} <br>
000 <br>
000 "idata":
192.168.0.6/32===192.168.0.6&lt;192.168.0.6&gt;---192.168.0.1...192.168.0.1---198.202.190.103&lt;198.202.190.103&gt;===192.168.30.0/24;
erouted; eroute owner: #2<br>
000 "idata": myip=unset; hisip=unset;<br>
000 "idata": ike_life: 86400s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0 <br>
000 "idata": policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio:
24,32; interface: eth0; <br>
000 "idata": newest ISAKMP SA: #1; newest IPsec SA: #2; <br>
000 "idata": IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict<br>
000 "idata": IKE algorithms found:
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)<br>
000 "idata": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024<br>
000 <br>
000 #2: "idata":4500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 26911s; newest IPSEC; eroute
owner; isakmp#1; idle; import:admin initiate<br>
000 #2: "idata" esp.e00edafe@198.202.190.103
esp.e6393f98@192.168.0.6 tun.0@198.202.190.103 tun.0@192.168.0.6 ref=0
refhim=4294901761<br>
000 #1: "idata":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 84648s; newest ISAKMP; lastdpd=17s(seq in:0
out:0); idle; import:admin initiate<br>
000<br>
<br>
<br>
According to the output the tunnel seems up, but I can't see any
ipsec0 interface or such. <br>
$ cat /var/run/pluto/ipsec.info <br>
defaultroutephys=eth0<br>
defaultroutevirt=none<br>
defaultrouteaddr=192.168.0.6<br>
defaultroutenexthop=192.168.0.1<br>
<br>
defaultroutevirt=none? Also "%myid = (none)", "myip=unset;
hisip=unset;"... I'm not sure these are problems. <br>
<br>
Can anyone give some help?<br>
<br>
Best regards<br>
<div class="moz-signature">-- <br>
<table width="600px">
<tbody>
<tr>
<td>
<address style="font-family: Arial; font-size: 10pt;
font-style: normal; color: black;"> Roi Rodríguez
Méndez<br>
Partner @ <b>Qubitia Solutions S.L.</b><br>
Avda. Conde de Bugallal Nº61H 2ºA<br>
36004 - Pontevedra (SPAIN)<br>
Phone. +34886213038<br>
<a moz-do-not-send="true"
href="mailto:roi.rodriguez@qubitia.com">roi.rodriguez@qubitia.com</a><br>
<a moz-do-not-send="true"
href="http://www.qubitia.com">http://www.qubitia.com</a>
<br>
<br>
</address>
</td>
</tr>
</tbody>
</table>
</div>
<br>
</blockquote>
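<br>
Added example, not part of either message and not Openswan's own code: a small parser that reads the SA state lines of <code>ipsec auto --status</code> to decide whether a connection is up, instead of looking for an ipsecX device. The sample lines are constructed from the output quoted above; the function names are hypothetical, and reading the <code>:4500</code> after the connection name as the IKE port in use is an assumption about the output format.<br>

```python
import re

# Constructed sample: four lines modelled on the `ipsec auto --status`
# output quoted in the thread, unwrapped to one status line each.
SAMPLE_STATUS = """\
000 using kernel interface: netkey
000 "idata":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "idata":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26911s; newest IPSEC; eroute owner; isakmp#1; idle
000 #1: "idata":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84648s; newest ISAKMP; idle
"""

STACK_RE = re.compile(r'^000 using kernel interface: (\S+)')
# e.g.  000 #2: "idata":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); ...
STATE_RE = re.compile(r'^000 #\d+: "([^"]+)":(\d+) (STATE_\w+) \(([^)]*)\)')


def summarize(status_text):
    """Return (kernel_stack, {conn: {"isakmp", "ipsec", "ports"}})."""
    stack, conns = None, {}
    for line in status_text.splitlines():
        m = STACK_RE.match(line)
        if m:
            stack = m.group(1)
            continue
        m = STATE_RE.match(line)
        if not m:
            continue  # algorithm lists, policy lines, warnings
        name, port, _state, detail = m.groups()
        conn = conns.setdefault(
            name, {"isakmp": False, "ipsec": False, "ports": set()})
        conn["ports"].add(int(port))
        conn["isakmp"] |= "ISAKMP SA established" in detail
        conn["ipsec"] |= "IPsec SA established" in detail
    return stack, conns


def tunnel_report(status_text, name):
    """One-line verdict for connection `name` (hypothetical helper)."""
    stack, conns = summarize(status_text)
    conn = conns.get(name)
    if conn is None:
        return f"{name}: no SA state lines found"
    up = conn["isakmp"] and conn["ipsec"]
    # Per the reply above: ipsecX devices exist only with klips.
    iface = "expect ipsecX device" if stack == "klips" else "no ipsecX device expected"
    ports = ",".join(str(p) for p in sorted(conn["ports"]))
    return f"{name}: {'up' if up else 'not up'} (stack={stack}, port {ports}; {iface})"


if __name__ == "__main__":
    print(tunnel_report(SAMPLE_STATUS, "idata"))
```

Feed it the unwrapped command output; a connection counts as up only when both the ISAKMP SA and the IPsec SA report "established".<br>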
<br>
</body>
</html>