[Openswan Users] Getting nowhere with OpenS/WAN (dynamic IP) <-> FreeS/WAN

Itai Tavor itai at iinet.net.au
Mon Nov 15 11:29:19 CET 2004


Hi,

I'm still experiencing total failure and many wasted hours trying to 
get a tunnel to work. I posted my barf output last week but the replies 
didn't solve the problem. So rather than continue to try to uselessly 
tweak settings and read through thousands of barf lines, could someone 
tell me the right way to define the tunnel for my desired setup and see 
if my config is sane? I've read through the howtos and example 
configs, and I can't see anything really wrong with the way I'm trying 
to do it, but it doesn't work. The connection is established 
successfully but no traffic is possible. I also can't figure out how to 
deal with the firewall - I have to exclude tunnel traffic from NAT, but 
I thought the ipsec updown script should take care of that - only it 
doesn't seem to do that...

My setup is:

Right: ADSL gateway with a dynamic IP running Fedora Core 2, kernel 
2.6.10-rc1, OpenS/WAN 2.2.0 and shorewall. Private net 10.0.1.0/24

Left: Fixed IP gateway running FC1, FreeS/WAN 2.0.4 and shorewall. 
Private net 10.0.2.0/24

Right ipsec.conf:

config setup
         interfaces=%defaultroute
         klipsdebug=none
         plutodebug=none

conn %default
         keyingtries=3

conn Tir-Na-Nogth-IM
         right=%defaultroute
         rightsubnet=10.0.1.0/24
         left=210.229.239.65
         leftsubnet=10.0.2.0/24
         auto=add
         rightupdown=/usr/lib/ipsec/_updown	# Using rightfirewall=yes here results in:
                                            	#   up-client command exited with status 127
         authby=rsasig
         rightid=@amber.tir-na-nogth.net
         leftid=@edo.insentiv.co.jp
         rightrsasigkey=...

Left ipsec.conf:

config setup
         interfaces="ipsec0=ppp0"
         klipsdebug=none
         plutodebug=none

conn %default
         keyingtries=1
         left=210.229.239.65
         leftsubnet=10.0.2.0/24
         leftnexthop=154.33.4.102
         auto=add
         leftfirewall=yes
         authby=rsasig
         leftid=@edo.insentiv.co.jp
         leftrsasigkey=...

conn Tir-Na-Nogth-IM
         right=%any				# Also tried right=0.0.0.0
         rightsubnet=10.0.1.0/24
         rightid=@amber.tir-na-nogth.net
         rightrsasigkey=...

Itai
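As an added example (not code from the post, from Openswan or from FreeS/WAN), the following script does the "is my config sane?" cross-check by hand: it parses both ipsec.conf snippets above with `conn %default` inheritance applied, compares every left*/right* setting across the two ends (treating `%defaultroute`, `%any` and `0.0.0.0` as the wildcard a dynamic-IP gateway legitimately uses), flags swapped subnets, and reports any `*rsasigkey` that a file does not set while `authby=rsasig`. The two config strings are reconstructed from the post, with the `...` placeholders kept as written; the right-hand snippet in the post shows no `leftrsasigkey`, so that is the one finding it produces. The `nat_exclusion_rule` helper and its iptables rule are assumptions about a hand-written firewall, not about what `_updown` does.

```python
"""Cross-check a pair of FreeS/WAN / Openswan 2.x ipsec.conf files for the
settings that leave a tunnel "established but passing no traffic": swapped
or mismatched subnets, mismatched IDs, a peer RSA key that is never given,
and a local subnet that is still being masqueraded towards the remote one.
Added example; not code from the original post or from Openswan."""
from typing import Dict, List

# Constructed inputs: the two configs from the post, trimmed to the keys the
# checker looks at ('...' placeholders kept exactly as the poster wrote them).
RIGHT_CONF = """\
config setup
         interfaces=%defaultroute

conn %default
         keyingtries=3

conn Tir-Na-Nogth-IM
         right=%defaultroute
         rightsubnet=10.0.1.0/24
         left=210.229.239.65
         leftsubnet=10.0.2.0/24
         auto=add
         authby=rsasig
         rightid=@amber.tir-na-nogth.net
         leftid=@edo.insentiv.co.jp
         rightrsasigkey=...
"""

LEFT_CONF = """\
config setup
         interfaces="ipsec0=ppp0"

conn %default
         keyingtries=1
         left=210.229.239.65
         leftsubnet=10.0.2.0/24
         leftnexthop=154.33.4.102
         auto=add
         leftfirewall=yes
         authby=rsasig
         leftid=@edo.insentiv.co.jp
         leftrsasigkey=...

conn Tir-Na-Nogth-IM
         right=%any				# Also tried right=0.0.0.0
         rightsubnet=10.0.1.0/24
         rightid=@amber.tir-na-nogth.net
         rightrsasigkey=...
"""

# Values meaning "whatever address this end / the peer turns out to have".
ADDRESS_WILDCARDS = {"%defaultroute", "%any", "0.0.0.0"}


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'config setup' / 'conn NAME' sections into {name: {key: value}}.
    Indented key=value lines belong to the section header above them, '#'
    starts a comment, and values set in 'conn %default' are inherited by
    every other conn that does not set them itself."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comment
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: section header
            kind, _, name = line.partition(" ")
            current = "setup" if kind == "config" else name.strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.strip().partition("=")
        if current is None or not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.pop("%default", {})
    for name, conn in sections.items():
        if name != "setup":
            for key, value in defaults.items():
                conn.setdefault(key, value)
    return sections


def check_peers(conf_a: str, conf_b: str, conn: str) -> List[str]:
    """Findings for one conn as described by both ends (A and B).
    Both files describe the same tunnel, so every left*/right* value must
    agree, except that an address may be a wildcard on one or both sides."""
    a, b = parse_ipsec_conf(conf_a)[conn], parse_ipsec_conf(conf_b)[conn]
    findings: List[str] = []
    for key in ("left", "right", "leftsubnet", "rightsubnet",
                "leftid", "rightid", "authby"):
        va, vb = a.get(key), b.get(key)
        if va == vb:
            continue
        if key in ("left", "right") and (va in ADDRESS_WILDCARDS
                                         or vb in ADDRESS_WILDCARDS):
            continue
        findings.append(f"{key}: {va!r} on A vs {vb!r} on B")
    if (a.get("leftsubnet") and a.get("leftsubnet") == b.get("rightsubnet")
            and a.get("rightsubnet") == b.get("leftsubnet")):
        findings.append("left/right sides are swapped between the two files")
    # With RSA signatures each file has to carry the peer's public key too.
    for label, conf in (("A", a), ("B", b)):
        if conf.get("authby") == "rsasig":
            for key in ("leftrsasigkey", "rightrsasigkey"):
                if key not in conf:
                    findings.append(f"{label}: authby=rsasig but {key} is not set")
    return findings


def nat_exclusion_rule(conf: str, conn: str, local_side: str) -> str:
    """iptables rule (assumed hand-written firewall) that keeps tunnel traffic
    out of masquerading: ACCEPT in the nat POSTROUTING chain ends nat
    processing for that packet, so the rule must precede MASQUERADE/SNAT."""
    c = parse_ipsec_conf(conf)[conn]
    remote_side = "right" if local_side == "left" else "left"
    return (f"iptables -t nat -I POSTROUTING -s {c[local_side + 'subnet']} "
            f"-d {c[remote_side + 'subnet']} -j ACCEPT")


def posted_findings() -> List[str]:
    """Run the cross-check over the two configs from the post."""
    return check_peers(RIGHT_CONF, LEFT_CONF, "Tir-Na-Nogth-IM")


if __name__ == "__main__":
    for finding in posted_findings():
        print("finding:", finding)
    print(nat_exclusion_rule(RIGHT_CONF, "Tir-Na-Nogth-IM", "right"))
```

On the posted snippets the only finding is the absent `leftrsasigkey` on the right-hand gateway; if the real file lacks it too, the ipsec.conf(5) default in these versions (as I recall it, `%dnsondemand`) makes Pluto try to fetch the peer's key from DNS instead. The iptables rule is what a plain netfilter setup needs; with shorewall generating the chains, the equivalent is an exclusion in its `masq` file (`!` after the source network) so the rule survives a `shorewall restart`. Separately, an updown exit status of 127 is the shell's "command not found" code, which points at the script path rather than at the tunnel definition.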