[Openswan Users] question from a newbie

Ted Kaczmarek tedkaz at optonline.net
Fri Nov 26 05:53:25 CET 2004


On Fri, 2004-11-26 at 01:46 -0800, Cihan Esen wrote: 
> Hi all!
> 
> I'm Cihan Esen, from Istanbul.
> 
> I am trying to set up an IPsec-based VPN network, which I still haven't
> been able to get working :( ... I am giving my configuration info and some
> logs below, and I would really appreciate any kind of help; I'm really at a
> point where my mind can't produce any solution..
> 
> My simulation scheme looks like this:
> 
> LAN---IPSEC_GW---Router---IPSEC_GW---LAN
> 
> I am using FreeS/WAN 2.01 and Linux Mandrake 9.2 on both IPSEC_GW PCs..
> 
> /var/log/messages are the same on each ipsec_gw which looks like this:
> 
> Nov 26 10:59:32 ArgeCihan ipsec__plutorun: Starting Pluto subsystem...
> Nov 26 10:59:32 ArgeCihan pluto[30529]: Starting Pluto (FreeS/WAN
> Version 2.01 X.509-1.4.4 PLUTO_USES_KEYRR)
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | opening /dev/urandom
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | inserting event
> EVENT_REINIT_SECRET, timeout in 3600 seconds
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | process 30529 listening for
> PF_KEY_V2 on file descriptor 6
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
> SADB_REGISTER message 1 for AH
> Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 02  02 00 00 00 
> 01 00 00 00  41 77 00 00
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
> message 1
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | AH registered with kernel.
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
> SADB_REGISTER message 2 for ESP
> Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 03  02 00 00 00 
> 02 00 00 00  41 77 00 00
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
> message 2
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | ESP registered with kernel.
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
> SADB_REGISTER message 3 for IPCOMP
> Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 0a  02 00 00 00 
> 03 00 00 00  41 77 00 00
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
> message 3
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | IPCOMP registered with
> kernel.
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
> SADB_REGISTER message 4 for IPIP
> Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 09  02 00 00 00 
> 04 00 00 00  41 77 00 00
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
> message 4
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | IPIP registered with kernel.
> Nov 26 10:59:32 ArgeCihan pluto[30529]: | inserting event
> EVENT_SHUNT_SCAN, timeout in 120 seconds
> Nov 26 10:59:32 ArgeCihan pluto[30529]: Could not change to directory
> '/etc/ipsec.d/cacerts'
> Nov 26 10:59:32 ArgeCihan pluto[30529]: Could not change to directory
> '/etc/ipsec.d/crls'
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | inserting event 7??, timeout
> in 46827 seconds
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
> in 119 seconds
> Nov 26 10:59:33 ArgeCihan pluto[30529]: |
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
> Nov 26 10:59:33 ArgeCihan pluto[30529]: listening for IKE messages
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | found lo with address
> 127.0.0.1
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | found eth0 with address
> 122.122.122.141
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | found eth1 with address
> 192.168.1.2
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | found ipsec0 with address
> 122.122.122.141
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | found ipsec1 with address
> 192.168.1.2
> Nov 26 10:59:33 ArgeCihan pluto[30529]: adding interface ipsec1/eth1
> 192.168.1.2
> Nov 26 10:59:33 ArgeCihan pluto[30529]: adding interface ipsec0/eth0
> 122.122.122.141
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | IP interface lo 127.0.0.1 has
> no matching ipsec* interface -- ignored
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | could not open
> /proc/net/if_inet6
> Nov 26 10:59:33 ArgeCihan pluto[30529]: loading secrets from
> "/etc/freeswan/ipsec.secrets"
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
> in 119 seconds
> Nov 26 10:59:33 ArgeCihan pluto[30529]: |
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
> in 119 seconds
> Nov 26 10:59:33 ArgeCihan pluto[30529]: |
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
> in 119 seconds
> Nov 26 10:59:33 ArgeCihan pluto[30529]: |
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
> Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
> in 119 seconds
> Nov 26 11:01:32 ArgeCihan pluto[30529]: |
> Nov 26 11:01:32 ArgeCihan pluto[30529]: | *time to handle event
> Nov 26 11:01:32 ArgeCihan pluto[30529]: | event after this is
> EVENT_REINIT_SECRET in 3480 seconds
> Nov 26 11:01:32 ArgeCihan pluto[30529]: | inserting event
> EVENT_SHUNT_SCAN, timeout in 120 seconds
> Nov 26 11:01:32 ArgeCihan pluto[30529]: | scanning for shunt eroutes
> Nov 26 11:01:32 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
> in 120 seconds
> 
> 
> I am using the same ipsec.conf file on each ipsec_gw which looks like
> this:
> 
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         #interfaces=%defaultroute
>     interfaces="ipsec0=eth0 ipsec1=eth1"
>         klipsdebug=all
>         plutodebug=all
>     plutoload=%search
>     plutostart=%search
> 
> 
> # Add connections here.
> 
> # sample VPN connection
> #sample#        conn sample
> #sample#                # Left security gateway, subnet behind it, next hop toward right.
> #sample#                left=10.0.0.1
> #sample#                leftsubnet=172.16.0.0/24
> #sample#                leftnexthop=10.22.33.44
> #sample#                # Right security gateway, subnet behind it, next hop toward left.
> #sample#                right=10.12.12.1
> #sample#                rightsubnet=192.168.0.0/24
> #sample#                rightnexthop=10.101.102.103
> #sample#                # To authorize this connection, but not actually start it, at startup,
> #sample#                # uncomment this.
> #sample#                #auto=start
> 
> conn block
>         auto=ignore
> 
> conn private
>         auto=ignore
> 
> conn private-or-clear
>         auto=ignore
> 
> conn clear
>         auto=ignore
> 
> conn packetdefault
>         auto=ignore
> 
> conn pc2pc
>                 left=122.122.122.141
>                 leftsubnet=192.168.1.0/24
>                 leftnexthop=122.122.122.254
>                 right=122.122.122.142
>                 rightsubnet=192.168.2.0/16
>                 rightnexthop=122.122.122.254
>                 authby=rsasig
>                 auto=start
>                 leftrsasigkey=0x0sAQOpsvQthI6oSYBEvm8oaRB6x1aT0+zVzB+k41x98NRsCrFYLxeK6bLRtCa0QcmtLyxe+37KFxfnuNhfzXxzs+DZwSdV4yhdnefeJPr4xCVsbP1IHr1037wU3ugM3sOEyI+AtKnYJq9+o+tcQyPrB5ecgWc6MMqtIa2dZuMo98G/5Q==
>                 rightrsasigkey=0x0sAQOJRA5oVM4gQNcCD8rhG8nnHQL+la6ADvnYj0N9opxTHDbs3JoiihZH/YsGI1zOI/2sG5rT4Tt34Otw7eXfy3386gxps4Lepz4f+BxOXZUgYqupBRFbFd6rq0Ett8IPsWvKysCTMKoVJNO5HoN78Ns/b2NxbOg4aK1VjcSVtAHAxw==
> 
> 
> thanks in advance,
> 
> Cihan Esen
> 
> 
> 
Is there a firewall rule or router access-list blocking anything in the
middle?

Tcpdump can be most helpful.

Also, if this is just a peer-to-peer setup, you may want to use PSK
(pre-shared key) instead of rsasig.

Start with a simple setup and build on that. 

You only showed one half of the setup; make sure that your lefts and rights
are complements of each other.

left="Local VPN gateway's external IP"
leftsubnet="Subnet to be encapsulated; must be the same as rightsubnet
on the remote VPN server"

right="Remote VPN gateway's external IP"
rightsubnet="Remote subnet to be encapsulated; must be the same as
leftsubnet on the remote VPN server"

Ted
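An added sanity checker (not part of this thread and not FreeS/WAN code) for the two things Ted's reply turns on: that the two gateways' conn parameters agree (Pluto picks its own side by matching left/right against a local interface address, so the two files must be identical or exact mirrors) and that the subnet selectors are sane. The sample conn is constructed from the quoted pc2pc section with the key lines omitted; run on it, the check flags rightsubnet=192.168.2.0/16, which has host bits set and, read as 192.168.0.0/16, overlaps the leftsubnet.

```python
import ipaddress

# Constructed sample: the pc2pc conn quoted above, rsasigkey lines omitted.
SAMPLE_CONF = """
conn pc2pc
        left=122.122.122.141
        leftsubnet=192.168.1.0/24
        right=122.122.122.142
        rightsubnet=192.168.2.0/16
"""

def parse_conns(text):
    """Parse the 'conn NAME' sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("conn "):                  # section header at column 0
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check_subnets(conn):
    """Findings for one conn: non-canonical prefixes and overlapping traffic selectors."""
    findings, nets = [], {}
    for side in ("left", "right"):
        cidr = conn.get(side + "subnet")
        if cidr is None:
            continue
        try:
            nets[side] = ipaddress.ip_network(cidr)  # strict: host bits must be zero
        except ValueError:
            nets[side] = ipaddress.ip_network(cidr, strict=False)
            findings.append(f"{side}subnet {cidr} has host bits set; it denotes {nets[side]}")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        findings.append(f"leftsubnet {nets['left']} overlaps rightsubnet {nets['right']}")
    return findings

def sides_agree(local, peer):
    """True if the peer's conn is identical to ours or an exact left/right mirror."""
    params = ("", "subnet", "nexthop", "rsasigkey")
    same = all(local.get("left" + p) == peer.get("left" + p) and
               local.get("right" + p) == peer.get("right" + p) for p in params)
    mirrored = all(local.get("left" + p) == peer.get("right" + p) and
                   local.get("right" + p) == peer.get("left" + p) for p in params)
    return same or mirrored
```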
