[Openswan Users] dhcp over ipsec
John A. Sullivan III
john.sullivan at nexusmgmt.com
Mon May 17 19:07:34 CEST 2004
I'll make a few spontaneous and not well thought out comments in your
e-mail in brackets [].
On Mon, 2004-05-17 at 12:21, Radu Brumariu wrote:
> Ok,
>
> it pulls a dhcp address but then it doesn't initialize the real tunnel .
> Here is what I get in the logs :
>
>
> cannot respond to IPsec SA request because no connection is known for
> 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer
> Science, CN=ipsec.cs.kent.edu,
> E=radu at cs.kent.edu]:17/0...131.123.33.179[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=radu at cs.kent.edu,
> E=radu at cs.kent.edu]:17/0===131.123.35.159/32
[JAS- I'm a little confused by the addresses but then again, I've not
spent much time with *swan log entries and may just be misreading it.
So your dhcp'd workstation is at 131.123.33.179 and is talking to a VPN
gateway with a termination point address of 131.123.35.3 and you are
assigning DHCP addresses out of the network which includes the
termination point of the gateway (131.123.35.0/24)?]
>
> but I have this entry in my ipsec.conf :
>
> conn lab
>     type=tunnel
>     rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>     leftsubnet=0.0.0.0/0
>     leftupdown=/usr/local/lib/ipsec/_updown_x509
>     rightsubnetwithin=131.123.35.0/24
>     auto=add
>
> And here is what 'ipsec auto --status' shows :
>
> 000 "dhcp": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=ipsec.cs.kent.edu,
> E=radu at cs.kent.edu]:17/67---131.123.35.1...%any[C=US, ST=Ohio, L=Kent,
> O=KSU, OU=Computer Science, CN=radu at cs.kent.edu,
> E=radu at cs.kent.edu]:17/68; unrouted; eroute owner: #0
> 000 "dhcp": CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
> CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
> 000 "dhcp": ike_life: 14400s; ipsec_life: 10s; rekey_margin: 5s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "dhcp": policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio: 0,32;
> interface: eth0;
> 000 "dhcp": newest ISAKMP SA: #0; newest IPsec SA: #0;
>
> 000 "lab": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=ipsec.cs.kent.edu,
> E=radu at cs.kent.edu]---131.123.35.1...%any[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=radu at cs.kent.edu,
> E=radu at cs.kent.edu]==={131.123.35.0/24}; unrouted; eroute owner: #0
> 000 "lab": CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
> CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
> 000 "lab": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "lab": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,24; interface: eth0;
> 000 "lab": newest ISAKMP SA: #0; newest IPsec SA: #0;
>
>
> So the 'lab' connection is up and loaded.
>
> Here is the ipsec.conf :
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
>
> # This file: /usr/local/share/doc/freeswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
> #
> # Help:
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html
> #
> # Policy groups are enabled by default. See:
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html
> #
> # Examples:
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>     klipsdebug=none
>     plutodebug=none
>     interfaces=%defaultroute
>     uniqueids=yes
>     strictcrlpolicy=yes
>     virtual_private=%v4:192.168.0.0/16
>     #nat_traversal=yes
>
> conn %default
>     keyingtries=3
>     authby=rsasig
>     keyexchange=ike
>     ikelifetime=240m
>     keylife=60m
>     pfs=yes
>     compress=no
>     disablearrivalcheck=no
>     left=%defaultroute
[JAS - Are you defining the leftid anywhere?]
>     leftcert=ipsec_gateway.pem
>     #leftupdown=/usr/local/lib/ipsec/_updown_x509
>     right=%any
>     rightrsasigkey=%cert
>     auto=ignore
>
> # Add connections here.
>
> # DHCP incoming connections
> conn dhcp
>     type=tunnel
>     rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>     #right=%any
>     rekey=no
>     keylife=10s
>     rekeymargin=5s
>     leftsubnet=0.0.0.0/0
>     leftprotoport=udp/bootps
>     rightprotoport=udp/bootpc
>     pfs=no
>     auto=add
> #
> # From lab - VPN connection
> conn lab
>     type=tunnel
[JAS - I normally leave the rightid undefined but I suppose it should
not matter if you are only bringing in one station for now.]
>     rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>     #right=%any
>     leftsubnet=0.0.0.0/0
>     leftupdown=/usr/local/lib/ipsec/_updown_x509
>     rightsubnetwithin=131.123.35.0/24
>     auto=add
>
> # RoadWarrior VPN connection
> conn roadwarrior
>     type=tunnel
>     rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>     leftsubnet=0.0.0.0/0
>     leftupdown=/usr/local/lib/ipsec/_updown_x509
>     rightsubnet=vhost:%priv
[JAS - I believe the auto default is ignore so I suppose the similarity
of this connection record with conn lab is not an issue]
>     rightsubnetwithin=131.123.35.0/24
>     pfs=no
>     #auto=add
>
> # disabling OE connections
> conn packetdefault
>     auto=ignore
> conn block
>     auto=ignore
> conn clear
>     auto=ignore
> conn clear-or-private
>     auto=ignore
> conn private
>     auto=ignore
> conn private-or-clear
>     auto=ignore
>
>
> The range of ips I am assigning : 131.123.35.155-159 / 255.255.255.0
>
>
>
> Thanks,
> Radu
>
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
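The "no connection is known for ..." line quoted in the thread is pluto printing the IPsec SA selector (our subnet, our gateway, protocol/port, the peer, its protocol/port, its subnet) that it could not match against any loaded conn. The following Python is an added example, not code from the thread or from Openswan: it parses that selector and checks it against the posted 'dhcp' and 'lab' conns under a simplified model of pluto's matching (assumed here: left subnet must match exactly, the peer's subnet must lie inside rightsubnetwithin, and protocol and port must match exactly), reporting for each conn the first reason it would not serve the proposal.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network

PROTO_NAMES = {"udp": 17, "tcp": 6}        # names accepted in ipsec.conf protoport=
PORT_NAMES = {"bootps": 67, "bootpc": 68}  # service names used by the dhcp conn
@dataclass
class Conn:
    name: str
    leftsubnet: str
    rightsubnetwithin: str = ""  # empty: right client is the peer address itself (/32)
    leftprotoport: str = "0/0"   # no protoport line means any protocol / any port
    rightprotoport: str = "0/0"
def parse_protoport(spec):
    """'udp/bootps' -> (17, 67); '0/0' -> (0, 0); 0 means 'any'."""
    proto, port = spec.lower().split("/")
    return int(PROTO_NAMES.get(proto, proto)), int(PORT_NAMES.get(port, port))
# Selector as pluto prints it: lsub===lgw[lid]:proto/port...rgw[rid]:proto/port===rsub
SELECTOR = re.compile(
    r"(\S+?)===(\S+?)\[.*?\]:(\d+)/(\d+)\.\.\.(\S+?)\[.*?\]:(\d+)/(\d+)===(\S+)")
def parse_selector(logline):
    m = SELECTOR.search(logline)
    if not m:
        raise ValueError("no IPsec SA selector found in log line")
    lsub, _lgw, lp, lport, rgw, rp, rport, rsub = m.groups()
    return (lsub, int(lp), int(lport)), (rgw, rsub, int(rp), int(rport))
def explain_mismatch(conn, sel):
    """None if conn would accept the proposal, else the first reason it would not."""
    (lsub, lp, lport), (rgw, rsub, rp, rport) = sel
    if ip_network(lsub) != ip_network(conn.leftsubnet):
        return "left subnet %s != %s" % (lsub, conn.leftsubnet)
    within = conn.rightsubnetwithin or rgw + "/32"
    if not ip_network(rsub).subnet_of(ip_network(within)):
        return "right subnet %s not within %s" % (rsub, within)
    for side, p, port, spec in (("left", lp, lport, conn.leftprotoport),
                                ("right", rp, rport, conn.rightprotoport)):
        cp, cport = parse_protoport(spec)
        if (cp, cport) != (p, port):
            return "%s protoport %d/%d != conn's %d/%d" % (side, p, port, cp, cport)
def diagnose(logline, conns):
    """Map each conn name to None (it matches) or the reason it cannot serve the SA."""
    sel = parse_selector(logline)
    return {c.name: explain_mismatch(c, sel) for c in conns}

# Constructed sample: the thread's log line on one line (DNs abbreviated) and the
# 'dhcp' and 'lab' conns as posted (dhcp has protoport lines, lab has none).
LOG = ("cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0==="
       "131.123.35.3[CN=ipsec.cs.kent.edu]:17/0...131.123.33.179[CN=radu]:17/0===131.123.35.159/32")
CONNS = [Conn("dhcp", "0.0.0.0/0", "", "udp/bootps", "udp/bootpc"),
         Conn("lab", "0.0.0.0/0", "131.123.35.0/24")]
```

Running diagnose(LOG, CONNS) shows the dhcp conn rejected on the peer subnet and the lab conn rejected on the protocol (the peer proposes UDP/any while lab has no protoport line), which is the kind of per-conn reason pluto's one-line message does not give.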