[Openswan Users] dhcp over ipsec

Radu Brumariu radu at cs.kent.edu
Mon May 17 17:21:04 CEST 2004 

Ok,

it pulls a dhcp address but then it doesn't initialize the real tunnel .
Here is what I get in the logs :


cannot respond to IPsec SA request because no connection is known for
0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer
Science, CN=ipsec.cs.kent.edu,
E=radu at cs.kent.edu]:17/0...131.123.33.179[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=radu at cs.kent.edu,
E=radu at cs.kent.edu]:17/0===131.123.35.159/32

but I have this entry in my ipsec.conf :

conn lab
        type=tunnel
        rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
        leftsubnet=0.0.0.0/0
        leftupdown=/usr/local/lib/ipsec/_updown_x509
        rightsubnetwithin=131.123.35.0/24
        auto=add

And here is what 'ipsec auto --status' shows :

000 "dhcp": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=ipsec.cs.kent.edu,
E=radu at cs.kent.edu]:17/67---131.123.35.1...%any[C=US, ST=Ohio, L=Kent,
O=KSU, OU=Computer Science, CN=radu at cs.kent.edu,
E=radu at cs.kent.edu]:17/68; unrouted; eroute owner: #0
000 "dhcp":   CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
000 "dhcp":   ike_life: 14400s; ipsec_life: 10s; rekey_margin: 5s;
rekey_fuzz: 100%; keyingtries: 3
000 "dhcp":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio: 0,32;
interface: eth0;
000 "dhcp":   newest ISAKMP SA: #0; newest IPsec SA: #0;

000 "lab": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=ipsec.cs.kent.edu,
E=radu at cs.kent.edu]---131.123.35.1...%any[C=US, ST=Ohio, L=Kent, O=KSU,
OU=Computer Science, CN=radu at cs.kent.edu,
E=radu at cs.kent.edu]==={131.123.35.0/24}; unrouted; eroute owner: #0
000 "lab":   CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
000 "lab":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "lab":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,24; interface: eth0;
000 "lab":   newest ISAKMP SA: #0; newest IPsec SA: #0;


So the 'lab' connection is up and loaded.

Here is the ipsec.conf :
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
 
# This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples
 
 
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        interfaces=%defaultroute
        uniqueids=yes
        strictcrlpolicy=yes
        virtual_private=%v4:192.168.0.0/16
        #nat_traversal=yes
 
conn %default
        keyingtries=3
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        disablearrivalcheck=no
        left=%defaultroute
        leftcert=ipsec_gateway.pem
        #leftupdown=/usr/local/lib/ipsec/_updown_x509
        right=%any
        rightrsasigkey=%cert
        auto=ignore
 
# Add connections here.
 
# DHCP incoming connections
conn dhcp
        type=tunnel
        rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
        #right=%any
        rekey=no
        keylife=10s
        rekeymargin=5s
        leftsubnet=0.0.0.0/0
        leftprotoport=udp/bootps
        rightprotoport=udp/bootpc
        pfs=no
        auto=add
#
# From lab - VPN connection
conn lab
        type=tunnel
        rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
        #right=%any
        leftsubnet=0.0.0.0/0
        leftupdown=/usr/local/lib/ipsec/_updown_x509
        rightsubnetwithin=131.123.35.0/24
        auto=add
 
# RoadWarrior VPN connection
 conn roadwarrior
        type=tunnel
        rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
        leftsubnet=0.0.0.0/0
        leftupdown=/usr/local/lib/ipsec/_updown_x509
        rightsubnet=vhost:%priv
        rightsubnetwithin=131.123.35.0/24
        pfs=no
        #auto=add
 
# disabling OE connections
conn packetdefault
        auto=ignore
conn block
        auto=ignore
conn clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore


The range of ips I am assigning : 131.123.35.155-159 / 255.255.255.0



Thanks,
Radu

More information about the Users mailing list