[Openswan Users] dhcp over ipsec
Radu Brumariu
radu at cs.kent.edu
Mon May 17 17:21:04 CEST 2004
Ok,
It pulls a DHCP address, but then it doesn't establish the real tunnel.
Here is what I get in the logs:
cannot respond to IPsec SA request because no connection is known for
0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer
Science, CN=ipsec.cs.kent.edu,
E=radu at cs.kent.edu]:17/0...131.123.33.179[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=radu at cs.kent.edu,
E=radu at cs.kent.edu]:17/0===131.123.35.159/32
But I have this entry in my ipsec.conf:
# Excerpt only; left, leftcert, right=%any and rightrsasigkey=%cert are
# inherited from conn %default in the full ipsec.conf quoted further below.
conn lab
type=tunnel
# Only a peer certificate with exactly this DN is accepted for this conn.
rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
# 0.0.0.0/0 offers the gateway as the route for all of the client's traffic.
leftsubnet=0.0.0.0/0
leftupdown=/usr/local/lib/ipsec/_updown_x509
# The client may propose any subnet inside this /24 as its own side.
rightsubnetwithin=131.123.35.0/24
auto=add
And here is what 'ipsec auto --status' shows:
000 "dhcp": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=ipsec.cs.kent.edu,
E=radu at cs.kent.edu]:17/67---131.123.35.1...%any[C=US, ST=Ohio, L=Kent,
O=KSU, OU=Computer Science, CN=radu at cs.kent.edu,
E=radu at cs.kent.edu]:17/68; unrouted; eroute owner: #0
000 "dhcp": CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
000 "dhcp": ike_life: 14400s; ipsec_life: 10s; rekey_margin: 5s;
rekey_fuzz: 100%; keyingtries: 3
000 "dhcp": policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio: 0,32;
interface: eth0;
000 "dhcp": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lab": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=ipsec.cs.kent.edu,
E=radu at cs.kent.edu]---131.123.35.1...%any[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=radu at cs.kent.edu,
E=radu at cs.kent.edu]==={131.123.35.0/24}; unrouted; eroute owner: #0
000 "lab": CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
000 "lab": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "lab": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,24; interface: eth0;
000 "lab": newest ISAKMP SA: #0; newest IPsec SA: #0;
So the 'lab' connection is loaded (though, as the status shows, still unrouted with no SA).
Here is the ipsec.conf:
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
# This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Listen on the interface that carries the default route.
interfaces=%defaultroute
# uniqueids: a new ISAKMP SA from an ID that is already in use replaces the
# older one (presumably the documented meaning - confirm in ipsec.conf.5).
uniqueids=yes
# strictcrlpolicy=yes: a peer certificate is refused unless a CRL for its CA
# is available, so the CRL for the CA of the rightid DNs below must be kept
# loaded and current or every client is rejected.
strictcrlpolicy=yes
# Private address range a client may claim as a virtual address (used by
# vhost:%priv in conn roadwarrior). nat_traversal stays commented out, so
# NAT-T is not enabled in this setup.
virtual_private=%v4:192.168.0.0/16
#nat_traversal=yes
# Defaults inherited by every conn below unless the conn overrides them.
conn %default
keyingtries=3
# Authentication is RSA signature over X.509: our own certificate is leftcert,
# the peer's public key is taken from the certificate it presents
# (rightrsasigkey=%cert); which peers are accepted is then decided by the
# per-conn rightid match.
authby=rsasig
keyexchange=ike
ikelifetime=240m
keylife=60m
pfs=yes
compress=no
disablearrivalcheck=no
left=%defaultroute
leftcert=ipsec_gateway.pem
#leftupdown=/usr/local/lib/ipsec/_updown_x509
# right=%any: any address may initiate; identity is constrained by rightid.
right=%any
rightrsasigkey=%cert
# Nothing is loaded unless a conn sets auto explicitly.
auto=ignore
# Add connections here.
# DHCP incoming connections
# Short-lived, never-rekeyed tunnel carrying only DHCP (udp/bootps <->
# udp/bootpc) over which the client obtains its address before the real
# tunnel (conn lab) is negotiated. The status output shows this as
# :17/67---...:17/68.
conn dhcp
type=tunnel
# Exactly this certificate DN matches; a client with another DN cannot use
# this conn without its own conn (or a wildcard rightid).
rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
#right=%any
rekey=no
keylife=10s
rekeymargin=5s
leftsubnet=0.0.0.0/0
leftprotoport=udp/bootps
rightprotoport=udp/bootpc
pfs=no
auto=add
#
# From lab - VPN connection
# The "real" tunnel. leftsubnet=0.0.0.0/0 offers the gateway as the route for
# all of the client's traffic; the client may propose any subnet within
# 131.123.35.0/24 as its own side.
# NOTE(review): this conn carries no leftprotoport/rightprotoport, while the
# rejected SA request logged above shows 17/0 on both ends (and
# 131.123.35.159/32, which does lie inside rightsubnetwithin); a protoport
# mismatch would keep Pluto from matching this conn - confirm against the
# client's configuration.
conn lab
type=tunnel
rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
#right=%any
leftsubnet=0.0.0.0/0
leftupdown=/usr/local/lib/ipsec/_updown_x509
rightsubnetwithin=131.123.35.0/24
auto=add
# RoadWarrior VPN connection
# Variant where the client claims a virtual address from virtual_private
# (rightsubnet=vhost:%priv). Not loaded: auto=add is commented out, so
# %default's auto=ignore applies.
conn roadwarrior
type=tunnel
rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
leftsubnet=0.0.0.0/0
leftupdown=/usr/local/lib/ipsec/_updown_x509
rightsubnet=vhost:%priv
rightsubnetwithin=131.123.35.0/24
pfs=no
#auto=add
# disabling OE connections
# The opportunistic-encryption policy groups are enabled by default (see the
# header); each is ignored here so only the certificate-authenticated conns
# above are ever loaded.
conn packetdefault
auto=ignore
conn block
auto=ignore
conn clear
auto=ignore
conn clear-or-private
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
The range of IPs I am assigning: 131.123.35.155-159 / 255.255.255.0
Thanks,
Radu