[Openswan Users] Troubles 2

Radovan Bukoci radobukoci at nextra.sk
Mon May 3 23:06:24 CEST 2004


Hello,

I am having trouble setting up this network:

10.8.192.32/28 --- PC rovinka --- 10.8.254.64/28 --- NATing gateway --- internet --- PC dulaknet --- 10.0.0.0/24

Both PCs, rovinka and dulaknet, run Slackware 9.1 (with iproute2 2.4.7 
added) and Openswan 2.1.1.
The kernel is 2.4.25 patched with openswan-2.1.1-natt-patch. I didn't patch 
it with kern-patch - maybe that's my problem.
But `ipsec verify` says that IPSEC is in the kernel (I use ipsec.o compiled 
from Openswan-2.1.1, so I thought that was enough).

Where can I find information about which kernel versions the kernel 
patches are meant for? For example,
the 2.1.1 kern-patch fails on 2.4.25 (with the prompt "File to patch:") on a 
clean kernel from kernel.org.
(BTW, I applied the natt-patch manually, by copy-paste.)

As I found at http://jixen.tripod.com/#NATed%20gateways, I have to use the 
leftnexthop= and rightnexthop=
parameters for a NATed connection. But I would like to understand them - 
is there a good write-up somewhere that explains how these parameters work?


Here is my ipsec.conf on both PCs:

config setup
    dumpdir=/tmp/dump
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=all
    #plutoload=%search
    #plutostart=%search
    uniqueids=yes
    nat_traversal=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    auth=esp
    #authby=secret
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

include /etc/ipsec.d/examples/no_oe.conf

conn ap-dulak
    left=(outer address of the NATing gateway)
    leftsubnet=10.8.192.32/28
    #leftnexthop=?
    leftcert=rovinka.autoparts.sk.pem
    right=%defaultroute
    rightsubnet=10.0.0.0/24
    rightcert=server.dulaknet.sk.pem
    auto=add

Result: The connection ap-dulak is successfully created (the log 
follows), and routes on both sides are created, but nothing goes 
through - not even ping. My firewalls are set up to log everything that 
is dropped, but nothing is in the log. tcpdump shows the ping packets enter 
ipsec0, but nothing goes out through ppp0 (my ADSL modem).

# ipsec auto --up ap-dulak
104 "ap-dulak" #1: STATE_MAIN_I1: initiate
003 "ap-dulak" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "ap-dulak" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ap-dulak" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
108 "ap-dulak" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ap-dulak" #1: STATE_MAIN_I4: ISAKMP SA established
112 "ap-dulak" #2: STATE_QUICK_I1: initiate
004 "ap-dulak" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2cdf212b <0x3a4a23e6 IPCOMP=>0x00007bc3 <0x00001f79}

# tail /var/log/secure:
May  3 21:46:17 server ipsec__plutorun: Starting Pluto subsystem...
May  3 21:46:17 server pluto[12030]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May  3 21:46:17 server pluto[12030]:   including NAT-Traversal patch (Version 0.6c)
May  3 21:46:17 server pluto[12030]: Using KLIPS IPsec interface code
May  3 21:46:17 server pluto[12030]: Changing to directory '/etc/ipsec.d/cacerts'
May  3 21:46:17 server pluto[12030]:   loaded cacert file 'dulaknet.cacert.pem' (1350 bytes)
May  3 21:46:17 server pluto[12030]:   loaded cacert file 'autoparts.cacert.pem' (1436 bytes)
May  3 21:46:17 server pluto[12030]: Changing to directory '/etc/ipsec.d/crls'
May  3 21:46:17 server pluto[12030]:   Warning: empty directory
May  3 21:46:22 server pluto[12030]:   loaded host cert file '/etc/ipsec.d/certs/rovinka.autoparts.sk.pem' (4691 bytes)
May  3 21:46:22 server pluto[12030]:   loaded host cert file '/etc/ipsec.d/certs/server.dulaknet.sk.pem' (4568 bytes)
May  3 21:46:22 server pluto[12030]: added connection description "ap-dulak"
May  3 21:46:22 server pluto[12030]: listening for IKE messages
May  3 21:46:22 server pluto[12030]: adding interface ipsec0/ppp0 A.B.C.D
May  3 21:46:22 server pluto[12030]: adding interface ipsec0/ppp0 A.B.C.D:4500
May  3 21:46:22 server pluto[12030]: loading secrets from "/etc/ipsec.secrets"
May  3 21:46:22 server pluto[12030]:   loaded private key file '/etc/ipsec.d/private/server.dulaknet.sk.key' (1751 bytes)
May  3 21:47:33 server pluto[12030]: "ap-dulak" #1: initiating Main Mode
May  3 21:47:33 server pluto[12030]: "ap-dulak" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
May  3 21:47:33 server pluto[12030]: "ap-dulak" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
May  3 21:47:33 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: Peer ID is ID_DER_ASN1_DN: 'C=SK, ST=Slovakia, L=Bratislava, O=Autoparts, CN=Autoparts VPN'
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: ISAKMP SA established
May  3 21:47:34 server pluto[12030]: "ap-dulak" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May  3 21:47:36 server pluto[12030]: "ap-dulak" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May  3 21:47:36 server pluto[12030]: "ap-dulak" #2: sent QI2, IPsec SA established {ESP=>0x6d7f9a46 <0xc5f249f6 IPCOMP=>0x0000bcf9 <0x000087df}

     Thank you very much

            Rado Bukoci
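The Pluto log in the message above shows the part that did work: both IKE phases completed, NAT-Traversal classified the peer as NATed, SPIs were assigned, and the peer certificate was accepted even though no CRL for its issuer was available (the crls directory is empty). A defender reading such logs wants exactly those facts pulled out every time. The script below is an added example for this thread, not Openswan code and not from the original message; it parses Pluto syslog lines in the format shown above (the embedded sample is constructed, modelled on that excerpt) and reports per-connection state progression, NAT-T result, negotiated SPIs and CRL status. The notes produced by diagnose() are this example's own interpretation, not Openswan output.

```python
"""Summarise Openswan 2.x Pluto syslog lines: IKE state progression per
connection, NAT-Traversal result, negotiated SPIs and CRL lookups.
Added example for this thread; not part of Openswan."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, modelled on the "tail /var/log/secure" excerpt in the post.
SAMPLE_LOG = """\
May  3 21:46:17 server pluto[12030]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May  3 21:46:17 server pluto[12030]:   including NAT-Traversal patch (Version 0.6c)
May  3 21:46:17 server pluto[12030]: Changing to directory '/etc/ipsec.d/crls'
May  3 21:46:17 server pluto[12030]:   Warning: empty directory
May  3 21:46:22 server pluto[12030]: adding interface ipsec0/ppp0 A.B.C.D:4500
May  3 21:47:33 server pluto[12030]: "ap-dulak" #1: initiating Main Mode
May  3 21:47:33 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: Peer ID is ID_DER_ASN1_DN: 'C=SK, O=Autoparts, CN=Autoparts VPN'
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May  3 21:47:34 server pluto[12030]: "ap-dulak" #1: ISAKMP SA established
May  3 21:47:36 server pluto[12030]: "ap-dulak" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May  3 21:47:36 server pluto[12030]: "ap-dulak" #2: sent QI2, IPsec SA established {ESP=>0x6d7f9a46 <0xc5f249f6 IPCOMP=>0x0000bcf9 <0x000087df}
"""

PLUTO_LINE = re.compile(r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$')
CONN_MSG = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
SPI = re.compile(r'(ESP|AH|IPCOMP)=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')


@dataclass
class ConnSummary:
    states: list = field(default_factory=list)   # IKE state names in the order reached
    nat_result: Optional[str] = None             # e.g. "peer is NATed"
    peer_id: Optional[str] = None
    crl_missing: int = 0                         # count of "issuer crl not found"
    isakmp_established: bool = False             # phase 1 done
    ipsec_established: bool = False              # phase 2 done
    spis: dict = field(default_factory=dict)     # proto -> (outbound SPI, inbound SPI)


@dataclass
class LogSummary:
    nat_t_patch: bool = False     # daemon reports the NAT-Traversal patch
    udp4500: bool = False         # an interface bound on the NAT-T port 4500
    crl_dir_empty: bool = False   # "Warning: empty directory" right after entering crls
    conns: dict = field(default_factory=dict)


def summarize(log_text: str) -> LogSummary:
    s = LogSummary()
    in_crl_dir = False
    for line in log_text.splitlines():
        m = PLUTO_LINE.match(line)
        if not m:
            continue                      # not a pluto line (other daemons, wrapped text)
        msg = m.group('msg').strip()
        cm = CONN_MSG.match(msg)
        if cm is None:                    # daemon-level message, no connection name
            if 'including NAT-Traversal patch' in msg:
                s.nat_t_patch = True
            elif msg.startswith('adding interface') and msg.endswith(':4500'):
                s.udp4500 = True
            elif msg.startswith('Changing to directory'):
                in_crl_dir = msg.endswith("/crls'")
            elif in_crl_dir and 'empty directory' in msg:
                s.crl_dir_empty = True
            continue
        c = s.conns.setdefault(cm.group('conn'), ConnSummary())
        text = cm.group('text')
        tm = TRANSITION.search(text)
        if tm:
            for st in tm.groups():        # record each state once, in order
                if not c.states or c.states[-1] != st:
                    c.states.append(st)
        elif text.startswith('NAT-Traversal: Result'):
            c.nat_result = text.rsplit(': ', 1)[1]
        elif text.startswith('Peer ID is'):
            c.peer_id = text.split(': ', 1)[1].strip("'")
        elif text == 'issuer crl not found':
            c.crl_missing += 1
        elif text == 'ISAKMP SA established':
            c.isakmp_established = True
        elif 'IPsec SA established' in text:
            c.ipsec_established = True
            for proto, out_spi, in_spi in SPI.findall(text):
                c.spis[proto] = (out_spi, in_spi)
    return s


def diagnose(s: LogSummary) -> list:
    """Turn the summary into short review notes (this example's own wording)."""
    notes = []
    if s.nat_t_patch and not s.udp4500:
        notes.append('NAT-T patch loaded but no interface bound on UDP 4500')
    for name, c in s.conns.items():
        if c.isakmp_established and c.ipsec_established:
            notes.append(f'{name}: IKE phase 1 and 2 completed, SPIs {c.spis}')
        if c.nat_result:
            notes.append(f'{name}: NAT-Traversal result "{c.nat_result}", ESP is UDP-encapsulated')
        if c.crl_missing:
            where = ' (crls directory is empty)' if s.crl_dir_empty else ''
            notes.append(f'{name}: no CRL for the peer cert issuer, revocation not checked{where}')
    return notes


if __name__ == '__main__':
    for note in diagnose(summarize(SAMPLE_LOG)):
        print(note)
```

Run it against a real /var/log/secure by passing the file contents to summarize(); lines from other daemons are ignored. The CRL note is the security-relevant one: with an empty crls directory, "issuer crl not found" means the peer certificate was accepted without any revocation check, which is worth knowing about a gateway that uses certificate authentication.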
