[Openswan Users] Problems connecting to office LAN
Cory S
fubeca at gmail.com
Wed Nov 24 06:40:08 CET 2004
Thanks for the help. I'll get with my admins.
On Tue, 23 Nov 2004 21:00:43 -0500, Ted Kaczmarek <tedkaz at optonline.net> wrote:
> On Tue, 2004-11-23 at 11:19 -0700, Cory S wrote:
>
>
> > Hi all,
> >
> > I've been working with this for weeks trying to get it to work but
> > I've finally given up and decided to ask the experts. Here is my
> > layout:
> >
> > home           DSL modem/gateway               Symantec firewall           work
> > 192.168.1.2 -------- 192.168.1.1/xxx.xxx.xxx.xxx ====== xxx.xxx.xxx.xxx ----------- 192.168.169.149
> >
> > I can connect just fine from Windows with the Symantec client but I
> > would like to connect with Linux using openswan (installed v. 2.2.0).
> > And yes, I got my settings from Andreas' mail post.
> >
> > Here is the config from Symantec's client:
> >
> > Tunnel Summary
> > Security gateway: xxx.xxx.xxx.xxx
> > Tunnel name:
> > IP address: 192.168.169.0
> > Network Mask: 255.255.255.0
> > Tunnel state: Connected
> > VPN policy: Custom
> >
> > Tunnel Settings
> > IPSec protocol: ESP
> > Data integrity: MD5
> > Data privacy: DES
> > Compression: Any
> > Encapsulation: Tunnel
> > Diffie-Hellman: None
> > Data volume limit: 2100000
> > Lifetime timeout: 480
> > Inactivity timeout: 0
> >
> > My ipsec.secrets
> > @#ID_IN_HEX <firewall address> : PSK "SECRET_IN_DECIMAL"
> >
> > My ipsec.conf
> >
> > version 2.0 # conforms to second version of ipsec.conf specification
> >
> > # basic configuration
> > config setup
> > # Debug-logging controls: "none" for (almost) none, "all" for lots.
> > # klipsdebug=all
> > # plutodebug=dns
> > interfaces=%defaultroute
> > klipsdebug=all
> > plutodebug=all
> > nat_traversal=yes
> >
> > # Equis connection
> > conn conn1
> > type= tunnel
> > left= 192.168.1.2
> > leftsubnet= 192.168.1.0/0
> > leftnexthop= 192.168.1.1
> > leftid=@#637363686d696474
> > right= 204.246.137.26
> > rightsubnet= 192.168.169.0/0
> > keyexchange= ike
> > authby= secret
> > auth= esp
> > auto= add
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > I start things up with the following commands:
> > ipsec pluto
> > ipsec auto --add conn1
> > ipsec auto --ready
> > ipsec auto --up conn1
> >
> > And get this in auth.log:
> >
> > Nov 22 18:42:37 kashmir pluto[2939]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
> > Nov 22 18:42:37 kashmir pluto[2939]: including NAT-Traversal patch (Version 0.6c) [disabled]
> > Nov 22 18:42:37 kashmir pluto[2939]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> > Nov 22 18:42:37 kashmir pluto[2939]: Using Linux 2.6 IPsec interface code
> > Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/cacerts'
> > Nov 22 18:42:37 kashmir pluto[2939]: Could not change to directory '/etc/ipsec.d/aacerts'
> > Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/ocspcerts'
> > Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/crls'
> > Nov 22 18:42:37 kashmir pluto[2939]: Warning: empty directory
> > Nov 22 18:42:50 kashmir pluto[2939]: added connection description "conn1"
> > Nov 22 18:42:58 kashmir pluto[2939]: listening for IKE messages
> > Nov 22 18:42:58 kashmir pluto[2939]: adding interface lo/lo 127.0.0.1
> > Nov 22 18:42:58 kashmir pluto[2939]: adding interface eth0/eth0 192.168.1.2
> > Nov 22 18:42:58 kashmir pluto[2939]: adding interface lo/lo ::1
> > Nov 22 18:42:58 kashmir pluto[2939]: loading secrets from "/etc/ipsec.secrets"
> > Nov 22 18:43:04 kashmir pluto[2939]: "conn1" #1: initiating Main Mode
> > Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: ignoring informational payload, type PAYLOAD_MALFORMED
> > Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: received and ignored informational message
> >
> > Can anyone help?
> >
> > Thanks!
>
> Openswan does not support single DES, as it should. Make sure the
> symantec is doing 3des.
>
> If you do a tcpdump do you see it getting to phase 2?
>
> I don't see any policy in your symantec config to correlate to
> your Openswan as well. How does the symantec know to match
> 192.168.1.0/24?
>
> Have never defined leftid, does the symantec require that?
>
> What do the logs on the symantec tell you?
>
> What does ipsec barf on the openswan tell you?
>
> I would ask the symantec admin to set you up with policies to match your
> proposals.
>
> Good Luck,
>
> Ted
>
>
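Ted's checklist, turned into something that can be run against the posted files. The Python below is an added example, not code from the thread or from Openswan itself: it parses an ipsec.conf laid out like the one above, flags the two /0 subnets (a /0 matches every address, not the LAN), a missing or single-DES esp= proposal and a PFS setting that does not match a peer configured with "Diffie-Hellman: None", and derives the esp=/pfs= values the Symantec tunnel summary implies. The Symantec-label-to-algorithm mapping, the pfs handling and the 203.0.113.1 peer address are assumptions; the "fixed" config is constructed for illustration, not a tested working configuration.

```python
"""Lint an Openswan 2.x ipsec.conf 'conn' section for the issues raised in the
thread (single DES, /0 subnets, no phase 2 proposal pinned to the peer's policy)
and derive esp=/pfs= values from a Symantec-style tunnel summary. Added example."""
import ipaddress
import re

# Openswan 2.x refuses single DES; flag it instead of letting the tunnel fail silently.
WEAK_CIPHERS = {"des", "1des", "null"}
# Assumed mapping from the Symantec client's labels to Openswan algorithm names.
PRIVACY_TO_ESP = {"DES": "des", "3DES": "3des", "AES": "aes"}
INTEGRITY_TO_ESP = {"MD5": "md5", "SHA1": "sha1"}


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}, 'config setup': {...}}.
    Section headers sit at column 0; parameters are indented key=value pairs
    (Openswan tolerates spaces around '='). Comments and 'include' lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def peer_summary_to_params(summary):
    """Translate the 'Data privacy', 'Data integrity' and 'Diffie-Hellman' lines of a
    Symantec tunnel summary into the esp= and pfs= values they imply (assumed mapping)."""
    fields = {}
    for line in summary.splitlines():
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            fields[key] = value
    cipher = PRIVACY_TO_ESP[fields["Data privacy"]]
    integrity = INTEGRITY_TO_ESP[fields["Data integrity"]]
    pfs = "no" if fields.get("Diffie-Hellman", "None") == "None" else "yes"
    return {"esp": f"{cipher}-{integrity}", "pfs": pfs}


def lint_conn(conn):
    """Return (severity, message) findings for one parsed conn section."""
    findings = []
    for side in ("leftsubnet", "rightsubnet"):
        if side in conn:
            net = ipaddress.ip_network(conn[side], strict=False)  # 192.168.1.0/0 -> 0.0.0.0/0
            if net.prefixlen == 0:
                findings.append(("error", f"{side}={conn[side]} is a /0 and matches every "
                                          "address; use the LAN prefix (e.g. /24)"))
    esp = conn.get("esp")
    if esp is None:
        findings.append(("warn", "no esp= proposal; pin one that matches the peer's phase 2 policy"))
    else:
        for proposal in esp.split(","):
            if proposal.split("-")[0].strip().lower() in WEAK_CIPHERS:
                findings.append(("error", f"esp={esp}: single DES is not supported by Openswan 2.x"))
    if conn.get("pfs", "yes").lower() != "no":  # Openswan defaults pfs to yes
        findings.append(("warn", "pfs defaults to yes; a peer with 'Diffie-Hellman: None' needs pfs=no"))
    return findings


def lint_file(text):
    """Lint every conn section of an ipsec.conf and return {conn name: findings}."""
    return {name: lint_conn(params)
            for name, params in parse_ipsec_conf(text).items() if name.startswith("conn ")}


# Constructed sample mirroring the posted conn; 203.0.113.1 stands in for the xxx peer.
POSTED_CONF = """\
version 2.0
config setup
\tinterfaces=%defaultroute
\tnat_traversal=yes
conn conn1
\ttype= tunnel
\tleft= 192.168.1.2
\tleftsubnet= 192.168.1.0/0
\tleftnexthop= 192.168.1.1
\tright= 203.0.113.1
\trightsubnet= 192.168.169.0/0
\tkeyexchange= ike
\tauthby= secret
\tauto= add
include /etc/ipsec.d/examples/no_oe.conf
"""
# Same conn with the subnets narrowed and a proposal the Symantec side could accept
# once its admin moves it from DES to 3DES (constructed, not a tested config).
FIXED_CONF = POSTED_CONF.replace("/0", "/24") + "\tesp=3des-md5\n\tpfs=no\n"
# Constructed copy of the relevant Symantec tunnel settings from the post.
SYMANTEC_SUMMARY = "IPSec protocol: ESP\nData integrity: MD5\nData privacy: DES\nDiffie-Hellman: None\n"

if __name__ == "__main__":
    print("peer implies:", peer_summary_to_params(SYMANTEC_SUMMARY))
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        for severity, message in lint_file(conf)["conn conn1"]:
            print(f"{name}: {severity}: {message}")
```

Run as a script it prints `peer implies: {'esp': 'des-md5', 'pfs': 'no'}`, which is exactly the proposal Openswan will refuse; feeding that value into `lint_conn` reports the single-DES error, so the linter points at the same fix Ted gives: the Symantec side has to move to 3DES before any Openswan setting will help.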