[Openswan Users] Cannot establish VPN connection
Thomas Simmons
twsnnva at cox.net
Mon Dec 27 16:30:14 CET 2004
I'm trying to establish a vpn between two locations, and having some
problems. I'm calling the local location left and the remote right. The
right location is running smoothwall and smoothwall reports that
everything is good on it's end. Ipsec is running.
Right Setup
/etc/ipsec.conf
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
plutowait=no
uniqueids=yes
conn %default
keyingtries=0
conn net
left=68.0.26.238
leftsubnet=10.10.65.0/24
leftnexthop=%defaultroute
right=68.230.211.23
rightsubnet=192.168.1.0/24
rightnexthop=%defaultroute
compress=no
auto=start
/etc/ipsec.secrets
68.0.1.1 68.230.1.1 : PSK "pass"
The left location is running debian sarge with openswan. This is also
the router/firewall for this network. The debian kernel already has
ipsec support so no patches should be required.
Also, this setup does not like the plutowait, plutostart, and plutoload
options under the config section of the ipsec.conf. According to
openswan this has been removed so that's expected. Here are the config
files for the left location.
Left Setup
/etc/ipsec.conf
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
uniqueids=yes
conn %default
keyingtries=0
conn net
left=68.0.1.1
leftsubnet=10.10.65.0/24
leftnexthop=%defaultroute
right=68.230.1.1
rightsubnet=192.168.1.0/24
rightnexthop=%defaultroute
compress=no
auto=start
/etc/ipsec.secrets
68.0.1.1 68.230.1.1 : PSK "pass"
output of "route" with ipsec stopped.
Destination Gateway Genmask Flags Metric Ref Use
Iface
localnet * 255.255.255.0 U 0 0 0 eth0
10.10.66.0 * 255.255.255.0 U 0 0 0 eth1
68.0.16.0 * 255.255.240.0 U 0 0 0 eth2
default ip68-0-16-1.hr. 0.0.0.0 UG 0 0 0 eth2
to ensure that there are no firewall problems i reset iptables with this
script
#!/bin/sh
IPTCMD="/sbin/iptables"
PUB="eth2"
PRV="eth0"
DMZ="eth1"
$IPTCMD -F
$IPTCMD -X
$IPTCMD -F -t nat
$IPTCMD -P INPUT ACCEPT
$IPTCMD -P OUTPUT ACCEPT
$IPTCMD -P FORWARD ACCEPT
$IPTCMD -t nat -A POSTROUTING -o $PUB -d ! 192.168.1.0/24 -j MASQUERADE
Here's the problem. When I start ipsec (/etc/init.d/ipsec start) I lose
all network connectivity to and from this system. Now the output of
"route" looks like this.
Destination Gateway Genmask Flags Metric Ref Use
Iface
localnet * 255.255.255.0 U 0 0 0 eth0
192.168.1.0 68.0.16.1 255.255.255.0 UG 0 0 0 eth2
10.10.66.0 * 255.255.255.0 U 0 0 0 eth1
68.0.16.0 * 255.255.240.0 U 0 0 0 eth2
default 68.0.16.1 128.0.0.0 UG 0 0 0 eth2
128.0.0.0 68.0.16.1 128.0.0.0 UG 0 0 0 eth2
default 68.0.16.1 0.0.0.0 UG 0 0 0 eth2
Syslog shows
Dec 27 10:50:47 lightning ipsec_setup: ...Openswan IPsec stopped
Dec 27 10:50:47 lightning ipsec_setup: Stopping Openswan IPsec...
Dec 27 10:50:47 lightning ipsec_setup: KLIPS ipsec0 on eth2
68.0.1.1/255.255.240.0 broadcast 68.0.31.255
Dec 27 10:50:47 lightning ipsec_setup: ...Openswan IPsec started
Dec 27 10:50:47 lightning ipsec_setup: Starting Openswan IPsec
U2.2.0/K2.4.27...
Dec 27 10:50:49 lightning ipsec__plutorun: 104 "net" #1: STATE_MAIN_I1:
initiate
Dec 27 10:50:49 lightning ipsec__plutorun: ...could not start conn "net"
I have read elsewhere that changing interfaces=%defaultroute to
interfaces="ipsec0=eth2" in ipsec.conf may fix some problems. When I do this
I do not lose the network connection to the system but the vpn
connection is not made and syslog reports:
Dec 27 10:45:12 lightning ipsec_setup: KLIPS ipsec0 on eth2
68.0.1.1/255.255.240.0 broadcast 68.0.31.255
Dec 27 10:45:12 lightning ipsec_setup: ...Openswan IPsec started
Dec 27 10:45:12 lightning ipsec_setup: Starting Openswan IPsec
U2.2.0/K2.4.27...
Dec 27 10:45:12 lightning ipsec__plutorun: ipsec_auto: fatal error in
"net": %defaultroute requested but not known
Dec 27 10:45:12 lightning ipsec__plutorun: ipsec_auto: fatal error in
"packetdefault": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in
"block": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in
"clear-or-private": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in
"clear": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in
"private-or-clear": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: ipsec_auto: fatal error in
"private": %defaultroute requested but not known
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named
"packetdefault"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn
"packetdefault"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "block"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "block"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named
"clear-or-private"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn
"clear-or-private"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "clear"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "clear"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named
"private-or-clear"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn
"private-or-clear"
Dec 27 10:45:13 lightning ipsec__plutorun: 021 no connection named "private"
Dec 27 10:45:13 lightning ipsec__plutorun: ...could not route conn "private"
syslog ipsec0=eth2
Output of "route"
Destination Gateway Genmask Flags Metric Ref Use
Iface
localnet * 255.255.255.0 U 0 0 0 eth0
10.10.66.0 * 255.255.255.0 U 0 0 0 eth1
68.0.16.0 * 255.255.240.0 U 0 0 0 eth2
default ip68-0-16-1.hr. 0.0.0.0 UG 0 0 0 eth2
Does anyone have any thoughts as to what might be going on?
More information about the Users
mailing list