[Openswan Users] Problem of ping

Paul Wouters paul at xelerance.com
Wed Aug 11 11:05:40 CEST 2004


On Wed, 11 Aug 2004, Jérémie Wetzler wrote:

> I'm actually working on Openswan for my company. Openswan doesn't work in
> a LAN (with a router with 2 interfaces). Negotiating Security IP and when I
> sniff the network, I can see "ISAKMP phase 1, IKE PHASE 2" and "frag IP".
> I retried the how-to of Nate Carlson with certificates but it doesn't work


btw. whatever your mail client is doing, it is VERY hard for me to read through it.
 
> config setup
>         interfaces=%defaultroute
>         #interfaces="ipsec0=eth0"
>         klipsdebug=none
>         plutodebug=none
>         uniqueids=yes
>         nat_traversal=yes
>         virtual_private=%v4:192.1.0.0/24,%v4:192.168.0.0/24

Note you are adding 192.1.0.0/24 as a virtual private network. This means openswan will expect
this network to be a valid private network at the roadwarrior end.

> conn roadwarrior-net
>         # leftsubnet <=> internal network behind the Windows machine
>         leftsubnet=192.1.0.0/24

And that conflicts with having that subnet on the server end. Perhaps you meant to use 192.168.0.0/24?

You mean to say something like:

         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,!%v4:192.1.0.0/24

This means that valid ranges for addresses behind NAT are anything in the 10.* range
and the 192.168.* range, and explicitly excludes 192.1.0.0/24 (even though that is
technically not needed, since it doesn't overlap with the previous entries)

> conn roadwarrior
>       # left <=> my Windows client's IP, possibly behind a LAN
>       left=%any
>       # Server IP as seen from the Windows client side
>       right=192.1.0.142
>       # Certificate contents: openssl x509 -in demoCA/cacert.pem -noout -subject
>       rightca="C=FR, S=France, L=Montreuil, O=RXBURO, CN=jeremie, Email=jwetzler at reseaux-bureautique.com"
>       network=auto
>       auto=start
>       pfs=yes

The right cannot be part of the left subnet. That would mean that the IP 192.1.0.142 is both
on the left and right side. You need to think of having two "public" ip addresses, one on each
end, and possibly have two "private" subnets behind either one of them. Don't mix them. If you
are not using more than two machines, and the machines are therefore in the same local network,
then you cannot put that network into a subnet= line. If this is a test network, then add a third
machine pretending to be "the internet", so you don't run into this problem.

> conn roadwarrior-net
>       # left <=> my own Windows IP, possibly behind a LAN
>       left=%any
>       # right <=> public IP of the firewall
>       right=192.1.0.142
>       rightsubnet=192.168.0.0/24

Same here.
 
>       rightca="C=FR, S=France, L=Montreuil, O=RXBURO, CN=jeremie, Email=jwetzler at reseaux-bureautique.com"
>       network=auto
>       auto=start
>       pfs=yes

> When I try an ipsec barf everything is ok however it says ipsec.secrets
> [FAILED

ipsec barf just dumps all debug info. It does not say "ok" or "not ok". You
probably meant 'ipsec verify'. You can ignore the error in ipsec.secrets for
that entry, since you are using certificates and not raw RSA keys. This
warning should not happen on modern openswan-2 releases, but I am not
entirely sure where this got fixed.

Paul
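The two checks Paul applies by hand above (a gateway address sitting inside the subnet claimed for the other end, and the gateway's own LAN listed as a roadwarrior-side virtual_private range) can be scripted against an ipsec.conf before reloading. This is an added example, not Openswan code; it only understands %v4: entries, and the sample conn dicts are constructed from the quoted configuration.

```python
import ipaddress

def parse_virtual_private(value):
    """Split a virtual_private= value into (allowed, excluded) IPv4 networks.
    A leading '!' marks an exclusion. %v6: and other entry kinds are skipped
    (an assumption of this example; Openswan handles more than %v4:)."""
    allowed, excluded = [], []
    for entry in value.split(","):
        entry = entry.strip()
        negate = entry.startswith("!")
        if negate:
            entry = entry[1:]
        if not entry.startswith("%v4:"):
            continue
        net = ipaddress.ip_network(entry[len("%v4:"):], strict=False)
        (excluded if negate else allowed).append(net)
    return allowed, excluded

def roadwarrior_allowed(virtual_private, addr):
    """True if addr is an acceptable NATed private address for this policy."""
    allowed, excluded = parse_virtual_private(virtual_private)
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in excluded):
        return False
    return any(ip in net for net in allowed)

def conn_problems(conn, virtual_private=""):
    """Return the misconfigurations described in the reply for one conn block."""
    problems = []
    subnets = {k: ipaddress.ip_network(conn[k], strict=False)
               for k in ("leftsubnet", "rightsubnet") if k in conn}
    # A fixed gateway address must not lie inside the subnet of the other end.
    for side, other in (("right", "leftsubnet"), ("left", "rightsubnet")):
        addr = conn.get(side, "")
        if addr and not addr.startswith("%") and other in subnets:
            if ipaddress.ip_address(addr) in subnets[other]:
                problems.append(f"{side}={addr} lies inside {other}={subnets[other]}")
    # The gateway's own network must not be declared a roadwarrior-side range.
    allowed, _ = parse_virtual_private(virtual_private)
    for side in ("left", "right"):
        addr = conn.get(side, "")
        if addr and not addr.startswith("%"):
            for vp in allowed:
                if ipaddress.ip_address(addr) in vp:
                    problems.append(f"{side}={addr} is inside virtual_private {vp}")
    return problems

# Constructed from the quoted config: the broken and the suggested variant.
VP_POSTED = "%v4:192.1.0.0/24,%v4:192.168.0.0/24"
VP_SUGGESTED = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,!%v4:192.1.0.0/24"
CONN_POSTED = {"left": "%any", "leftsubnet": "192.1.0.0/24", "right": "192.1.0.142"}
```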
