[Openswan Users] dhcp over ipsec

John A. Sullivan III john.sullivan at nexusmgmt.com
Mon May 17 19:07:34 CEST 2004 

I'll make a few spontaneous and not well thought out comments in your
e-mail in brackets [].

On Mon, 2004-05-17 at 12:21, Radu Brumariu wrote:
> Ok,
> 
> it pulls a dhcp address but then it doesn't initialize the real tunnel .
> Here is what I get in the logs :
> 
> 
> cannot respond to IPsec SA request because no connection is known for
> 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer
> Science, CN=ipsec.cs.kent.edu,
> E=radu at cs.kent.edu]:17/0...131.123.33.179[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=radu at cs.kent.edu,
> E=radu at cs.kent.edu]:17/0===131.123.35.159/32
[JAS- I'm a little confused by the addresses but then again, I've not
spent much time with *swan log entries and may just be misreading it. 
So your dhcp'd workstation is at 131.123.33.179 and is talking to a VPN
gateway with a termination point address of 131.123.35.3 and you are
assigning DHCP addresses out of the network which includes the
termination point of the gateway (131.123.35.0/24)?]
> 
> but I have this entry in my ipsec.conf :
> 
> conn lab
>         type=tunnel
>         rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
> CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>         leftsubnet=0.0.0.0/0
>         leftupdown=/usr/local/lib/ipsec/_updown_x509
>         rightsubnetwithin=131.123.35.0/24
>         auto=add
> 
> And here is what 'ipsec auto --status' shows :
> 
> 000 "dhcp": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=ipsec.cs.kent.edu,
> E=radu at cs.kent.edu]:17/67---131.123.35.1...%any[C=US, ST=Ohio, L=Kent,
> O=KSU, OU=Computer Science, CN=radu at cs.kent.edu,
> E=radu at cs.kent.edu]:17/68; unrouted; eroute owner: #0
> 000 "dhcp":   CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
> CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
> 000 "dhcp":   ike_life: 14400s; ipsec_life: 10s; rekey_margin: 5s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "dhcp":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY; prio: 0,32;
> interface: eth0;
> 000 "dhcp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 
> 000 "lab": 0.0.0.0/0===131.123.35.3[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=ipsec.cs.kent.edu,
> E=radu at cs.kent.edu]---131.123.35.1...%any[C=US, ST=Ohio, L=Kent, O=KSU,
> OU=Computer Science, CN=radu at cs.kent.edu,
> E=radu at cs.kent.edu]==={131.123.35.0/24}; unrouted; eroute owner: #0
> 000 "lab":   CAs: 'C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science,
> CN=ipsec.cs.kent.edu, E=systems at cs.kent.edu'...'%any'
> 000 "lab":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "lab":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,24; interface: eth0;
> 000 "lab":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 
> 
> So the 'lab' connection is up and loaded.
> 
> Here is the ipsec.conf :
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.12 2004/01/20 19:37:13 sam Exp $
>  
> # This file:  /usr/local/share/doc/freeswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> #
> # Help:
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/quickstart.html
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/config.html
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/adv_config.html
> #
> # Policy groups are enabled by default. See:
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/policygroups.html
> #
> # Examples:
> # http://www.freeswan.org/freeswan_trees/freeswan-cvs2002Mar11_19:19:03/doc/examples
>  
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         klipsdebug=none
>         plutodebug=none
>         interfaces=%defaultroute
>         uniqueids=yes
>         strictcrlpolicy=yes
>         virtual_private=%v4:192.168.0.0/16
>         #nat_traversal=yes
>  
> conn %default
>         keyingtries=3
>         authby=rsasig
>         keyexchange=ike
>         ikelifetime=240m
>         keylife=60m
>         pfs=yes
>         compress=no
>         disablearrivalcheck=no
>         left=%defaultroute
[JAS - Are you defining the leftid anywhere?]
>         leftcert=ipsec_gateway.pem
>         #leftupdown=/usr/local/lib/ipsec/_updown_x509
>         right=%any
>         rightrsasigkey=%cert
>         auto=ignore
>  
> # Add connections here.
>  
> # DHCP incoming connections
> conn dhcp
>         type=tunnel
>         rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>         #right=%any
>         rekey=no
>         keylife=10s
>         rekeymargin=5s
>         leftsubnet=0.0.0.0/0
>         leftprotoport=udp/bootps
>         rightprotoport=udp/bootpc
>         pfs=no
>         auto=add
> #
> # From lab - VPN connection
> conn lab
>         type=tunnel
[JAS - I normally leave the rightid undefined but I suppose it should
not matter if you are only bringing in one station for now.]
>         rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>         #right=%any
>         leftsubnet=0.0.0.0/0
>         leftupdown=/usr/local/lib/ipsec/_updown_x509
>         rightsubnetwithin=131.123.35.0/24
>         auto=add
>  
> # RoadWarrior VPN connection
>  conn roadwarrior
>         type=tunnel
>         rightid="C=US, ST=Ohio, L=Kent, O=KSU, OU=Computer Science, CN=radu at cs.kent.edu, E=radu at cs.kent.edu"
>         leftsubnet=0.0.0.0/0
>         leftupdown=/usr/local/lib/ipsec/_updown_x509
>         rightsubnet=vhost:%priv
[JAS - I believe the auto default is ignore so I suppose the similarity
of this connection record with conn lab is not an issue]
>         rightsubnetwithin=131.123.35.0/24
>         pfs=no
>         #auto=add
>  
> # disabling OE connections
> conn packetdefault
>         auto=ignore
> conn block
>         auto=ignore
> conn clear
>         auto=ignore
> conn clear-or-private
>         auto=ignore
> conn private
>         auto=ignore
> conn private-or-clear
>         auto=ignore
> 
> 
> The range of ips I am assigning : 131.123.35.155-159 / 255.255.255.0
> 
> 
> 
> Thanks,
> Radu
> 
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> http://lists.openswan.org/mailman/listinfo/users
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com

More information about the Users mailing list