[Openswan Users] question from a newbie

Frank Hubrach f.hubrach at spiekermann.de
Fri Nov 26 16:18:50 CET 2004


>                 leftsubnet=192.168.1.0/24
>                 leftnexthop=122.122.122.254
>                 right=122.122.122.142
>                 rightsubnet=192.168.2.0/16

Maybe this is an error, because both of the sides seem to be in one
subnet ...
take

 rightsubnet=192.168.2.0/24

perhaps it works.

Try it.

greetings
fhuby

Ted Kaczmarek wrote:

>On Fri, 2004-11-26 at 01:46 -0800, Cihan Esen wrote: 
>  
>
>>Hi all!
>>
>>I'm Cihan Esen, from Istanbul.
>>
>>I am trying to set up an ipsec-based vpn network, which I still haven't
>>been able to :( ... I am giving my configuration info and some logs below,
>>and I would really appreciate any kind of help; I'm really at a point where
>>my mind can't produce any solution..
>>
>>My simulation scheme looks like this:
>>
>>LAN---IPSEC_GW---Router---IPSEC_GW---LAN
>>
>>I am using freeswan2.01 and Linux Mandrake9.2 on both IPSEC_GW PCs..
>>
>>/var/log/messages is the same on each ipsec_gw and looks like this:
>>
>>Nov 26 10:59:32 ArgeCihan ipsec__plutorun: Starting Pluto subsystem...
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: Starting Pluto (FreeS/WAN
>>Version 2.01 X.509-1.4.4 PLUTO_USES_KEYRR)
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | opening /dev/urandom
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | inserting event
>>EVENT_REINIT_SECRET, timeout in 3600 seconds
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | process 30529 listening for
>>PF_KEY_V2 on file descriptor 6
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
>>SADB_REGISTER message 1 for AH
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 02  02 00 00 00 
>>01 00 00 00  41 77 00 00
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
>>message 1
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | AH registered with kernel.
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
>>SADB_REGISTER message 2 for ESP
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 03  02 00 00 00 
>>02 00 00 00  41 77 00 00
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
>>message 2
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | ESP registered with kernel.
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
>>SADB_REGISTER message 3 for IPCOMP
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 0a  02 00 00 00 
>>03 00 00 00  41 77 00 00
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
>>message 3
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | IPCOMP registered with
>>kernel.
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | finish_pfkey_msg:
>>SADB_REGISTER message 4 for IPIP
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: |   02 07 00 09  02 00 00 00 
>>04 00 00 00  41 77 00 00
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | pfkey_get: SADB_REGISTER
>>message 4
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | IPIP registered with kernel.
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: | inserting event
>>EVENT_SHUNT_SCAN, timeout in 120 seconds
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: Could not change to directory
>>'/etc/ipsec.d/cacerts'
>>Nov 26 10:59:32 ArgeCihan pluto[30529]: Could not change to directory
>>'/etc/ipsec.d/crls'
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | inserting event 7??, timeout
>>in 46827 seconds
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
>>in 119 seconds
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: |
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: listening for IKE messages
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | found lo with address
>>127.0.0.1
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | found eth0 with address
>>122.122.122.141
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | found eth1 with address
>>192.168.1.2
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | found ipsec0 with address
>>122.122.122.141
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | found ipsec1 with address
>>192.168.1.2
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: adding interface ipsec1/eth1
>>192.168.1.2
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: adding interface ipsec0/eth0
>>122.122.122.141
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | IP interface lo 127.0.0.1 has
>>no matching ipsec* interface -- ignored
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | could not open
>>/proc/net/if_inet6
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: loading secrets from
>>"/etc/freeswan/ipsec.secrets"
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
>>in 119 seconds
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: |
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
>>in 119 seconds
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: |
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
>>in 119 seconds
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: |
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | *received whack message
>>Nov 26 10:59:33 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
>>in 119 seconds
>>Nov 26 11:01:32 ArgeCihan pluto[30529]: |
>>Nov 26 11:01:32 ArgeCihan pluto[30529]: | *time to handle event
>>Nov 26 11:01:32 ArgeCihan pluto[30529]: | event after this is
>>EVENT_REINIT_SECRET in 3480 seconds
>>Nov 26 11:01:32 ArgeCihan pluto[30529]: | inserting event
>>EVENT_SHUNT_SCAN, timeout in 120 seconds
>>Nov 26 11:01:32 ArgeCihan pluto[30529]: | scanning for shunt eroutes
>>Nov 26 11:01:32 ArgeCihan pluto[30529]: | next event EVENT_SHUNT_SCAN
>>in 120 seconds
>>
>>
>>I am using the same ipsec.conf file on each ipsec_gw which looks like
>>this:
>>
>>
>>version 2.0     # conforms to second version of ipsec.conf specification
>>
>># basic configuration
>>config setup
>>        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>        #interfaces=%defaultroute
>>        interfaces="ipsec0=eth0 ipsec1=eth1"
>>        klipsdebug=all
>>        plutodebug=all
>>        plutoload=%search
>>        plutostart=%search
>>
>>
>># Add connections here.
>>
>># sample VPN connection
>>#sample#        conn sample
>>#sample#                # Left security gateway, subnet behind it, next hop toward right.
>>#sample#                left=10.0.0.1
>>#sample#                leftsubnet=172.16.0.0/24
>>#sample#                leftnexthop=10.22.33.44
>>#sample#                # Right security gateway, subnet behind it, next hop toward left.
>>#sample#                right=10.12.12.1
>>#sample#                rightsubnet=192.168.0.0/24
>>#sample#                rightnexthop=10.101.102.103
>>#sample#                # To authorize this connection, but not actually start it, at startup,
>>#sample#                # uncomment this.
>>#sample#                #auto=start
>>
>>conn block
>>        auto=ignore
>>
>>conn private
>>        auto=ignore
>>
>>conn private-or-clear
>>        auto=ignore
>>
>>conn clear
>>        auto=ignore
>>
>>conn packetdefault
>>        auto=ignore
>>
>>conn pc2pc
>>                left=122.122.122.141
>>                leftsubnet=192.168.1.0/24
>>                leftnexthop=122.122.122.254
>>                right=122.122.122.142
>>                rightsubnet=192.168.2.0/16
>>                rightnexthop=122.122.122.254
>>                authby=rsasig
>>                auto=start
>>                leftrsasigkey=0x0sAQOpsvQthI6oSYBEvm8oaRB6x1aT0+zVzB+k41x98NRsCrFYLxeK6bLRtCa0QcmtLyxe+37KFxfnuNhfzXxzs+DZwSdV4yhdnefeJPr4xCVsbP1IHr1037wU3ugM3sOEyI+AtKnYJq9+o+tcQyPrB5ecgWc6MMqtIa2dZuMo98G/5Q==
>>                rightrsasigkey=0x0sAQOJRA5oVM4gQNcCD8rhG8nnHQL+la6ADvnYj0N9opxTHDbs3JoiihZH/YsGI1zOI/2sG5rT4Tt34Otw7eXfy3386gxps4Lepz4f+BxOXZUgYqupBRFbFd6rq0Ett8IPsWvKysCTMKoVJNO5HoN78Ns/b2NxbOg4aK1VjcSVtAHAxw==
>>
>>
>>thanks in advance,
>>
>>Cihan Esen
>>
>Is there a firewall rule or router access-list blocking anything in the
>middle?
>
>Tcpdump can be most helpful.
>
>Also, if this is just a peer-to-peer setup, you may want to use PSK (pre-
>shared key) instead of rsasig.
>
>Start with a simple setup and build on that. 
>
>You only showed one half of the setup; make sure that your left and right
>are complements of each other.
>
>left="Local VPN gateway's external IP"
>leftsubnet="Subnet to be encapsulated, must be the same as rightsubnet
>on remote vpn server"
>
>right="Remote VPN gateway's external IP"
>rightsubnet="Remote subnet to be encapsulated, must be the same as
>leftsubnet on remote vpn server"
>
>Ted

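As an added check (not code from this thread, from FreeS/WAN or from Openswan): a small Python script that parses the pc2pc conn quoted above and flags the subnet mistake the reply points at, namely that 192.168.2.0/16 has host bits set, really denotes 192.168.0.0/16 and therefore overlaps leftsubnet 192.168.1.0/24. It uses only the standard library; the sample text is the thread's own conn block, embedded here as a constructed string.

```python
import ipaddress
import re

# Constructed sample: the "conn pc2pc" block quoted in the thread, including
# the rightsubnet=192.168.2.0/16 line that the reply suspects is the error.
CONN_FROM_THREAD = """
conn pc2pc
        left=122.122.122.141
        leftsubnet=192.168.1.0/24
        leftnexthop=122.122.122.254
        right=122.122.122.142
        rightsubnet=192.168.2.0/16
        rightnexthop=122.122.122.254
        authby=rsasig
        auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in an ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        match = re.match(r"conn\s+(\S+)$", line)
        if match:
            current = conns.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return conns

def subnet_problems(conn):
    """List leftsubnet/rightsubnet mistakes in one conn that stop traffic from matching the tunnel."""
    problems, nets = [], {}
    for side in ("leftsubnet", "rightsubnet"):
        cidr = conn.get(side)
        if cidr is None:
            problems.append(f"{side} is missing")
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:  # e.g. 192.168.2.0/16 actually denotes 192.168.0.0/16
            problems.append(f"{side}={cidr} has host bits set; it really means {net}")
        nets[side] = net
    if len(nets) == 2 and nets["leftsubnet"].overlaps(nets["rightsubnet"]):
        problems.append(f"leftsubnet {nets['leftsubnet']} and rightsubnet {nets['rightsubnet']} "
                        "overlap, so the two LANs are not distinct networks")
    return problems
```

Running `subnet_problems(parse_conns(CONN_FROM_THREAD)["pc2pc"])` reports both the host-bits and the overlap problem; with rightsubnet changed to 192.168.2.0/24, as the reply suggests, it reports nothing.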