[Openswan Users]
Getting nowhere with OpenS/WAN (dynamic IP) <-> FreeS/WAN
Itai Tavor
itai at iinet.net.au
Mon Nov 15 11:29:19 CET 2004
Hi,
I'm still experiencing total failure and many wasted hours trying to
get a tunnel to work. I posted my barf output last week but the replies
didn't solve the problem. So rather than continue to try to uselessly
tweak settings and read through thousands of barf lines, could someone
tell me the right way to define the tunnel for my desired setup and see
if my config is sane? I've read through the howto's and example
configs, and I can't see anything really wrong with the way I'm trying
to do it, but it doesn't work. The connection is established
successfully but no traffic is possible. I also can't figure out how to
deal with the firewall - I have to exclude tunnel traffic from NAT, but
I thought the ipsec updown script should take care of that - only it
doesn't seem to do that...
My setup is:
Right: ADSL gateway with a dynamic IP running Fedora Core 2, kernel
2.6.10-rc1, OpenS/WAN 2.2.0 and shorewall. Private net 10.0.1.0/24
Left: Fixed IP gateway running FC1, FreeS/WAN 2.0.4 and shorewall.
Private net 10.0.2.0/24
Right ipsec.conf:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=3

conn Tir-Na-Nogth-IM
        right=%defaultroute
        rightsubnet=10.0.1.0/24
        left=210.229.239.65
        leftsubnet=10.0.2.0/24
        auto=add
        rightupdown=/usr/lib/ipsec/_updown # Using rightfirewall=yes here results in:
        # up-client command exited with status 127
        authby=rsasig
        rightid=@amber.tir-na-nogth.net
        leftid=@edo.insentiv.co.jp
        rightrsasigkey=...
Left ipsec.conf:

config setup
        interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=1
        left=210.229.239.65
        leftsubnet=10.0.2.0/24
        leftnexthop=154.33.4.102
        auto=add
        leftfirewall=yes
        authby=rsasig
        leftid=@edo.insentiv.co.jp
        leftrsasigkey=...

conn Tir-Na-Nogth-IM
        right=%any # Also tried right=0.0.0.0
        rightsubnet=10.0.1.0/24
        rightid=@amber.tir-na-nogth.net
        rightrsasigkey=...
Itai
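
Added example, not part of the message above and not Openswan or FreeS/WAN code: a small Python check that merges conn %default into the named conn on each end and lists the settings on which the two posted definitions disagree. The helper names are hypothetical, and the config text is the post's own with the elided rsasigkey lines and the purely local settings left out.

```python
# Added example (not from the post); function names are hypothetical.
# Config text is the post's, minus rsasigkey (elided there) and local-only keys.
RIGHT_CONF = """
conn %default
    keyingtries=3
conn Tir-Na-Nogth-IM
    right=%defaultroute
    rightsubnet=10.0.1.0/24
    left=210.229.239.65
    leftsubnet=10.0.2.0/24
    authby=rsasig
    rightid=@amber.tir-na-nogth.net
    leftid=@edo.insentiv.co.jp
"""
LEFT_CONF = """
conn %default
    left=210.229.239.65
    leftsubnet=10.0.2.0/24
    leftnexthop=154.33.4.102
    authby=rsasig
    leftid=@edo.insentiv.co.jp
conn Tir-Na-Nogth-IM
    right=%any # Also tried right=0.0.0.0
    rightsubnet=10.0.1.0/24
    rightid=@amber.tir-na-nogth.net
"""
MUST_MATCH = ("leftsubnet", "rightsubnet", "leftid", "rightid", "authby")

def effective_conn(text, name):
    """Settings of 'conn <name>' layered over 'conn %default' (order ignored)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comment, squeeze spaces
        if line.startswith(("conn ", "config ")):
            current = sections.setdefault(line, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return {**sections.get("conn %default", {}), **sections["conn " + name]}

def mismatches(conf_a, conf_b, name):
    """Keys on which the two ends' effective definitions disagree."""
    a, b = effective_conn(conf_a, name), effective_conn(conf_b, name)
    bad = [k for k in MUST_MATCH if a.get(k) != b.get(k)]
    for k in ("left", "right"):  # skip %any / %defaultroute style values
        va, vb = a.get(k, "%any"), b.get(k, "%any")
        if not (va.startswith("%") or vb.startswith("%")) and va != vb:
            bad.append(k)
    return bad
```

Calling mismatches(RIGHT_CONF, LEFT_CONF, "Tir-Na-Nogth-IM") returns an empty list for the two definitions as posted.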