[Openswan Users] Stumbling towards functional
Geoffrey
geoffrey at ticom.com
Fri Apr 16 19:26:15 CEST 2004
Okay, I'm getting closer to converting my tunnels over to Openswan. The
problem now appears to be that I have a connection established, but
there is no routing going on. There is a TXT entry with the key in our
forward zonefiles for the home user's Openswan gateway system. I have
modified the conf files as follows:
---------------- BEGIN conf FILES -------------------------------------------
ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=dns
    # interfaces="ipsec0=eth0"
    interfaces=%defaultroute
    plutodebug=all
    uniqueids=yes
    #nat_traversal=yes

include ipsec.office.conf
include no_oe.conf
ipsec.office.conf:
conn office
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@homeuser.domain.com
    leftrsasigkey=
    right=<External IP of gateway here.>
    rightsubnet=192.168.0.0/24
    rightid=@gateway.domain.com
    rightrsasigkey=<key data deleted here.>
    pfs=yes
    ikelifetime=8h
    keylife=1h
    rekey=yes
    keyingtries=0
    auto=start
no_oe.conf:
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.1.0/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
----------- END conf FILES ---------------------------------------------
----------- BEGIN status -------------------------------------------------
On the home user side I see:
ipsec auto --up office
112 "office" #4: STATE_QUICK_I1: initiate
004 "office" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {...
Here is the result of "ipsec auto --status":
ipsec auto --status
000 interface lo/lo ::1
000 interface eth0/eth0 <ISP dhcp-supplied IP address>
000 interface eth1/eth1 192.168.1.254
000 interface lo/lo 127.0.0.1
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "office": 192.168.1.0/24===<ISP dhcp-supplied IP>[@homeuser.domain.com]---<ISP gateway IP>...<gateway external IP here.>[@gateway.domain.com]===192.168.0.0/24; erouted; eroute owner: #4
000 "office":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "office":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "office":   newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #4: "office" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2209s; newest IPSEC; eroute owner
000 #4: "office" esp.26e1a3eb@<gateway external IP> esp.5b10d85a@<ISP dhcp-supplied IP> tun.0@<gateway external IP> tun.0@<ISP dhcp-supplied IP>
000 #3: "office" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1191s
000 #3: "office" esp.26e1a3ea@<gateway external IP> esp.920fc4ed@<ISP dhcp-supplied IP> tun.0@<gateway external IP> tun.0@<ISP dhcp-supplied IP>
000 #2: "office" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 896s
000 #2: "office" esp.26e1a3e9@<gateway external IP> esp.77623523@<ISP dhcp-supplied IP> tun.0@<gateway external IP> tun.0@<ISP dhcp-supplied IP>
000 #1: "office" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26042s; newest ISAKMP
000
------ END status ------------------------------------------------------
All clues are welcome. Thanks for playing.
geoffrey
--
++++++++++++++++++++++++++
This space intentionally
left non-blank
++++++++++++++++++++++++++
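An added diagnostic script, not part of Geoffrey's post and not Openswan's own code. It checks the things a practitioner confirms when `ipsec auto --status` reports "IPsec SA established" yet no traffic crosses the tunnel: that Pluto owns an eroute for the conn, that a Phase 2 SA is actually up, that the negotiated selectors are the subnets in ipsec.conf, and that a NAT gateway is not masquerading tunnel-bound packets ahead of the IPsec policy. The status excerpt and the iptables-save output are constructed to mirror the shape of the output above (RFC 5737 documentation addresses stand in for the redacted ones); whether the home gateway masquerades on eth0 at all is my assumption, since the post does not say.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan itself.
# Checks for the "IPsec SA established, but nothing routes" symptom.
# All inputs below are constructed so the script runs offline; on a live
# gateway replace them with the output of `ipsec auto --status` and
# `iptables-save -t nat`.

CONN=office
LEFTSUBNET=192.168.1.0/24
RIGHTSUBNET=192.168.0.0/24

# Constructed `ipsec auto --status` excerpt with the same fields as the post
# (203.0.113.10 = home side, 198.51.100.5 = office gateway, both made up).
STATUS='000 "office": 192.168.1.0/24===203.0.113.10[@homeuser.domain.com]---203.0.113.1...198.51.100.5[@gateway.domain.com]===192.168.0.0/24; erouted; eroute owner: #4
000 "office":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 #4: "office" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2209s; newest IPSEC; eroute owner
000 #1: "office" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26042s; newest ISAKMP'

# Constructed `iptables-save -t nat` output for a home gateway that
# masquerades everything leaving eth0. Assumption: the post does not say
# whether the home box does NAT at all.
NAT_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Pluto must own an eroute for the conn; without it the kernel has no
# policy selecting these subnets for the tunnel.
status_erouted() {
    printf '%s\n' "$1" | grep -q "^000 \"$2\":.*; erouted;"
}

# A Phase 2 (IPsec) SA must be in STATE_QUICK_I2, not just the ISAKMP SA.
status_ipsec_sa_established() {
    printf '%s\n' "$1" | grep -q "^000 #[0-9]*: \"$2\" STATE_QUICK_I2"
}

# The negotiated selectors must be the subnets we think we configured;
# a typo on one side yields an SA that matches no real traffic.
status_subnets_match() {
    l_re=$(printf '%s' "$3" | sed 's/\./\\./g')
    r_re=$(printf '%s' "$4" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -q "^000 \"$2\": *${l_re}===.*===${r_re};"
}

# On a NAT gateway a blanket MASQUERADE rewrites the source of packets
# bound for the remote subnet before they hit the tunnel, so they leave
# in the clear. Safe when there is no MASQUERADE, or when an ACCEPT for
# leftsubnet -> rightsubnet precedes it in POSTROUTING.
nat_safe_for_tunnel() {
    masq=$(printf '%s\n' "$1" | grep -n 'POSTROUTING.*-j MASQUERADE' | head -n 1 | cut -d: -f1)
    [ -z "$masq" ] && return 0
    exc=$(printf '%s\n' "$1" | grep -n "POSTROUTING -s $2 -d $3 -j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$exc" ] && [ "$exc" -lt "$masq" ]
}

# The exception rule, printed rather than applied so the script has no
# side effects; -I inserts it ahead of the existing MASQUERADE rule.
nat_exception_rule() {
    printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j ACCEPT\n' "$1" "$2"
}

run_checks() {
    if status_erouted "$STATUS" "$CONN"; then echo "ok   eroute installed for $CONN"; else echo "FAIL no eroute for $CONN"; fi
    if status_ipsec_sa_established "$STATUS" "$CONN"; then echo "ok   IPsec SA established"; else echo "FAIL no Phase 2 SA"; fi
    if status_subnets_match "$STATUS" "$CONN" "$LEFTSUBNET" "$RIGHTSUBNET"; then echo "ok   selectors $LEFTSUBNET <-> $RIGHTSUBNET"; else echo "FAIL selectors differ from ipsec.conf"; fi
    if nat_safe_for_tunnel "$NAT_RULES" "$LEFTSUBNET" "$RIGHTSUBNET"; then
        echo "ok   NAT does not masquerade tunnel traffic"
    else
        echo "FAIL MASQUERADE precedes the tunnel exception; insert:"
        nat_exception_rule "$LEFTSUBNET" "$RIGHTSUBNET"
    fi
}

run_checks
```

With the constructed inputs the first three checks pass, matching the status in the post, and the NAT check fails, printing the exception rule to insert. On a real gateway the same three status checks passing while traffic still does not flow is exactly the point at which to look at NAT rules, routing for the remote subnet, and whether the far side's selectors agree.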