[Openswan Users] Troubles 2
Radovan Bukoci
radobukoci at nextra.sk
Mon May 3 23:06:24 CEST 2004
Hello,
I am having trouble setting up this network:
10.8.192.32/28 --- PC rovinka --- 10.8.254.64/28 --- NATing gateway ---
internet --- PC dulaknet --- 10.0.0.0/24
Both PC rovinka and PC dulaknet are Slackware 9.1 (with added iproute2 2.4.7), Openswan 2.1.1.
Kernel 2.4.25 patched with openswan-2.1.1-natt-patch. I didn't patch it with kern-patch - maybe that's my problem.
But `ipsec verify` says that IPsec is in the kernel (I use ipsec.o compiled from Openswan 2.1.1, so I thought that was enough).
Where can I find information about which kernel versions the kernel patches are meant for? For example, 2.1.1-kern-patch fails on 2.4.25 (with the prompt "File to patch:") on a clean kernel from kernel.org.
(BTW, the natt-patch I applied manually (copy-paste).)
As I found at http://jixen.tripod.com/#NATed%20gateways, I have to use the leftnexthop= and rightnexthop= parameters for a NATed connection. But I would like to understand them - is there a good explanation somewhere of how these parameters work?
Here is my ipsec.conf on both PCs:
config setup
	dumpdir=/tmp/dump
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=all
	#plutoload=%search
	#plutostart=%search
	uniqueids=yes
	nat_traversal=yes

conn %default
	keyingtries=1
	compress=yes
	disablearrivalcheck=no
	auth=esp
	#authby=secret
	authby=rsasig
	leftrsasigkey=%cert
	rightrsasigkey=%cert

include /etc/ipsec.d/examples/no_oe.conf

conn ap-dulak
	left=(outer address of the NATing gateway)
	leftsubnet=10.8.192.32/28
	#leftnexthop=?
	leftcert=rovinka.autoparts.sk.pem
	right=%defaultroute
	rightsubnet=10.0.0.0/24
	rightcert=server.dulaknet.sk.pem
	auto=add
Result: the connection ap-dulak is successfully created (the log follows), and routes on both sides are created, but nothing goes through - not even ping. My firewalls are set up to log everything that is dropped, but nothing is in the log. tcpdump shows the ping packets entering ipsec0, but nothing going out through ppp0 (my ADSL modem).
# ipsec auto --up ap-dulak
104 "ap-dulak" #1: STATE_MAIN_I1: initiate
003 "ap-dulak" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
106 "ap-dulak" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ap-dulak" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
108 "ap-dulak" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ap-dulak" #1: STATE_MAIN_I4: ISAKMP SA established
112 "ap-dulak" #2: STATE_QUICK_I1: initiate
004 "ap-dulak" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2cdf212b <0x3a4a23e6 IPCOMP=>0x00007bc3 <0x00001f79}
# tail /var/log/secure:
May 3 21:46:17 server ipsec__plutorun: Starting Pluto subsystem...
May 3 21:46:17 server pluto[12030]: Starting Pluto (Openswan Version 2.1.1 X.509-1.4.8 PLUTO_USES_KEYRR)
May 3 21:46:17 server pluto[12030]: including NAT-Traversal patch (Version 0.6c)
May 3 21:46:17 server pluto[12030]: Using KLIPS IPsec interface code
May 3 21:46:17 server pluto[12030]: Changing to directory '/etc/ipsec.d/cacerts'
May 3 21:46:17 server pluto[12030]: loaded cacert file 'dulaknet.cacert.pem' (1350 bytes)
May 3 21:46:17 server pluto[12030]: loaded cacert file 'autoparts.cacert.pem' (1436 bytes)
May 3 21:46:17 server pluto[12030]: Changing to directory '/etc/ipsec.d/crls'
May 3 21:46:17 server pluto[12030]: Warning: empty directory
May 3 21:46:22 server pluto[12030]: loaded host cert file '/etc/ipsec.d/certs/rovinka.autoparts.sk.pem' (4691 bytes)
May 3 21:46:22 server pluto[12030]: loaded host cert file '/etc/ipsec.d/certs/server.dulaknet.sk.pem' (4568 bytes)
May 3 21:46:22 server pluto[12030]: added connection description "ap-dulak"
May 3 21:46:22 server pluto[12030]: listening for IKE messages
May 3 21:46:22 server pluto[12030]: adding interface ipsec0/ppp0 A.B.C.D
May 3 21:46:22 server pluto[12030]: adding interface ipsec0/ppp0 A.B.C.D:4500
May 3 21:46:22 server pluto[12030]: loading secrets from "/etc/ipsec.secrets"
May 3 21:46:22 server pluto[12030]: loaded private key file '/etc/ipsec.d/private/server.dulaknet.sk.key' (1751 bytes)
May 3 21:47:33 server pluto[12030]: "ap-dulak" #1: initiating Main Mode
May 3 21:47:33 server pluto[12030]: "ap-dulak" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
May 3 21:47:33 server pluto[12030]: "ap-dulak" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
May 3 21:47:33 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: Peer ID is ID_DER_ASN1_DN: 'C=SK, ST=Slovakia, L=Bratislava, O=Autoparts, CN=Autoparts VPN'
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: ISAKMP SA established
May 3 21:47:34 server pluto[12030]: "ap-dulak" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May 3 21:47:36 server pluto[12030]: "ap-dulak" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 3 21:47:36 server pluto[12030]: "ap-dulak" #2: sent QI2, IPsec SA established {ESP=>0x6d7f9a46 <0xc5f249f6 IPCOMP=>0x0000bcf9 <0x000087df}
Thank you very much
Rado Bukoci
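Added example, not part of the post and not Openswan's own code: a small Python parser for the pluto syslog lines quoted above. It reduces the log to the facts that matter when a tunnel "comes up but passes no traffic": which IKE state transitions happened, whether the ISAKMP (phase 1) and IPsec (phase 2) SAs were established, whether NAT-T detected a NATed peer, the ESP/IPCOMP SPIs that were negotiated, and any certificate/CRL warnings. The sample log embedded below is constructed from the post's own "ap-dulak" lines with the line wrapping removed; the function names, the ConnSummary structure and the wording of the hints in diagnose() are this example's assumptions, not Openswan terminology.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the conn-specific pluto lines from the post, unwrapped.
SAMPLE_LOG = """\
May 3 21:47:33 server pluto[12030]: "ap-dulak" #1: initiating Main Mode
May 3 21:47:33 server pluto[12030]: "ap-dulak" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: issuer crl not found
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 3 21:47:34 server pluto[12030]: "ap-dulak" #1: ISAKMP SA established
May 3 21:47:34 server pluto[12030]: "ap-dulak" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May 3 21:47:36 server pluto[12030]: "ap-dulak" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 3 21:47:36 server pluto[12030]: "ap-dulak" #2: sent QI2, IPsec SA established {ESP=>0x6d7f9a46 <0xc5f249f6 IPCOMP=>0x0000bcf9 <0x000087df}
"""

# A conn-specific pluto line looks like: ... pluto[PID]: "conn" #N: message
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sn>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
# "{ESP=>0xOUT <0xIN IPCOMP=>0xOUT <0xIN}": outbound SPI first, then inbound
SPI_RE = re.compile(r'(\w+)=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')


@dataclass
class ConnSummary:
    """What the log tells us about one conn (hypothetical structure for this example)."""
    name: str
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    isakmp_established: bool = False
    ipsec_established: bool = False
    peer_nated: bool = False
    spis: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # proto -> (out, in)
    warnings: List[str] = field(default_factory=list)


def summarize(log_text: str) -> Dict[str, ConnSummary]:
    """Fold pluto syslog lines into one ConnSummary per conn name."""
    out: Dict[str, ConnSummary] = {}
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # daemon-level lines (interfaces, secrets) carry no conn name
        conn = out.setdefault(m["conn"], ConnSummary(m["conn"]))
        msg = m["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            conn.transitions.append((t.group(1), t.group(2)))
        if "ISAKMP SA established" in msg:
            conn.isakmp_established = True
        if "IPsec SA established" in msg:
            conn.ipsec_established = True
            for proto, outbound, inbound in SPI_RE.findall(msg):
                conn.spis[proto] = (outbound, inbound)
        if "peer is NATed" in msg:
            conn.peer_nated = True
        if "crl not found" in msg and msg not in conn.warnings:
            conn.warnings.append(msg)
    return out


def diagnose(c: ConnSummary) -> str:
    """Point the reader at the layer that failed, based only on what the log shows."""
    if not c.isakmp_established:
        last = c.transitions[-1][1] if c.transitions else "none"
        return (f"IKE phase 1 did not complete (last state {last}); "
                "check certificates, peer IDs and UDP 500/4500 reachability")
    if not c.ipsec_established:
        return "phase 1 done but no IPsec SA; check subnets and proposals in the conn (phase 2 mismatch)"
    nat = " over NAT-T" if c.peer_nated else ""
    return (f"IKE negotiation complete: ESP SPIs {c.spis.get('ESP')} set up{nat}; "
            "if no traffic flows, look after key exchange: eroutes, routes/nexthop and firewall rules")


if __name__ == "__main__":
    for name, c in summarize(SAMPLE_LOG).items():
        print(name, [f"{a}->{b}" for a, b in c.transitions])
        print(" ", c.spis, c.warnings)
        print(" ", diagnose(c))
```

Run on the post's log, both SAs come out as established and the peer is flagged as NATed, so the parser's hint is that the negotiation itself succeeded and the next place to look is the packet path after the SAs (the eroute/route table and the nexthop settings the poster asks about), not IKE.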