[Openswan Users] net-to-net vpn setup

Vishal Dubey vishal at bbcllc.net
Thu Aug 11 15:51:18 CEST 2005


Ted Kaczmarek wrote:

>On Tue, 2005-08-09 at 08:16 -0400, Vishal Dubey wrote:
>  
>
>>Ted Kaczmarek wrote: 
>>    
>>
>>>On Mon, 2005-08-08 at 13:55 -0400, Vishal Dubey wrote:
>>>  
>>>      
>>>
>>>>Can someone point me to docs that show how to set up net-to-net using 
>>>>openswan 2.4.0dr8 and shorewall?
>>>>
>>>>I am a newbie and can use all the help I can get.
>>>>
>>>>My setup:
>>>>
>>>>OS is FC4 with kernel 2.6.12.3 patched with netfilter+ipsec and policy 
>>>>match.
>>>>Openswan, as stated earlier, 2.4.0dr8 (it seems to compile when you "make 
>>>>programs install" but does not compile KLIPS).
>>>>Shorewall version is 2.4.2.
>>>>Here is what is happening:
>>>>
>>>>192.168.10.0/24 <---> firewall/vpn <----> internet <---> firewall/vpn <----> 192.168.100.0/24
>>>>                      (vangogh 11.11.11.20/24)              (kirchner 12.12.12.5/28)
>>>>

>>>>I generated public/private keys for vangogh and kirchner on a third 
>>>>system.
>>>>
>>>>On vangogh I installed the following keys and certs:
>>>>vangogh.bbcllc.net.req.key to /etc/ipsec.d/private
>>>>vangogh.bbcllc.net.cert.pem to /etc/ipsec.d/certs
>>>>kirchner.bbcllc.net.cert.pem to /etc/ipsec.d/certs
>>>>cacert.pem to /etc/ipsec.d/cacerts
>>>>crl.pem to /etc/ipsec.d/crls
>>>>
>>>>On kirchner the key and files are in their respective directories, including 
>>>>cacert.pem and crl.pem. The only thing that is not on kirchner is 
>>>>vangogh's .pem file.
>>>>*****
>>>>
>>>>I am getting the following error messages in the /var/log/messages file:
>>>>
>>>>Aug  8 09:42:24 vangogh ipsec__plutorun: restarting IPsec after pause...
>>>>Aug  8 09:42:34 vangogh rmmod: ERROR: Module af_key is in use
>>>>Aug  8 09:42:34 vangogh ipsec_setup: ...Openswan IPsec stopped
>>>>Aug  8 09:42:34 vangogh ipsec_setup: Stopping Openswan IPsec...
>>>>Aug  8 09:42:35 vangogh ipsec_setup: KLIPS ipsec0 on eth0 11.11.11.20/255.255.255.0 broadcast 11.11.11.255
>>>>Aug  8 09:42:35 vangogh racoon: INFO: unsupported PF_KEY message REGISTER
>>>>Aug  8 09:42:35 vangogh last message repeated 2 times
>>>>Aug  8 09:42:35 vangogh ipsec_setup: ...Openswan IPsec started
>>>>Aug  8 09:42:35 vangogh ipsec_setup: Restarting Openswan IPsec U2.4.0dr8/K2.6.12.3-bc-20050805-1...
>>>>Aug  8 09:42:35 vangogh ipsec_setup: insmod /lib/modules/2.6.12.3-bc-20050805-1/kernel/net/ipv4/xfrm4_tunnel.ko
>>>>Aug  8 09:42:35 vangogh ipsec__plutorun: 003 FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use
>>>>Aug  8 09:42:35 vangogh ipsec__plutorun: !pluto failure!:  exited with error status 1
>>>>
>>>>please help!
>>>>
>>>>
>>>>_______________________________________________
>>>>    
>>>>        
>>>>
>>>netstat -an | grep 500
>>>
>>>If you have the same issue as me, it is a leftover racoon connection;
>>>they don't like to go away properly.
>>>
>>>rpm -e ipsec-tools
>>>reboot 
>>>that was the cleanest for me testing with Centos 4.1(ES4 clone).
>>>
>>>That blows away the racoon stuff. Based upon what I have seen with FC3
>>>and Centos 4, ipsec-tools and openswan don't mix well at this time.
>>>
>>>Ted
>>>  
>>>      
>>>
>>Thanks Ted, I'll try to remove racoon.
>>BTW, is there a way to remove racoon when it is installed from
>>source?
>>    
>>
>
>Hopefully make uninstall cleans it all out. As long as you didn't
>compile anything into the kernel you should be able to remove it. It
>doesn't have to be removed as long as you make sure it doesn't run, but
>removing it will prevent any chance of that :-)
>
>Ted
>  
>
I finally got around to removing and reinstalling ipsec-tools-0.6 and 
openswan 2.4.0dr8.
Now, I think, both gateways see each other, but I don't see any tunnels 
being created.
What am I missing?

Following are the log files, netstat and ipsec.conf from both gateways:


+++/var/log/secure from kirchner:
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: Main mode peer ID is ID_FQDN: '@vangogh.bbcllc.net'
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: I did not send a certificate because I do not have one.
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 14:09:27 kirchner pluto[1906]: packet from 12.12.12.20:500: Informational Exchange is for an unknown (expired?) SA

+++netstat from kirchner:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
12.12.12.0.0    0.0.0.0         255.255.255.240 U         0 0          0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    12.38.202.1     255.255.255.0   UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         12.12.12.1      0.0.0.0         UG        0 0          0 eth0

+++ ipsec.conf from kirchner:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16


conn bc2sun
        left=12.12.12.5
        leftsubnet=192.168.100.0/24
        leftid=@kirchner.bbcllc.net
        leftnexthop=%defaultroute
        leftrsasigkey=0sAQPk6fHF+yOLUoF2pW2DK/cai4Kx/EH84i3xbEjL2...
        right=11.11.11.20
        rightsubnet=192.168.10.0/24
        rightid=@vangogh.bbcllc.net
        rightrsasigkey=0sAQOen5ZRzSbWRKTFlXWWIz0jPaYBLmyzcoMGVr...
        rightnexthop=%defaultroute
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

=====================================================

***/var/log/secure from vangogh:
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: I did not send a certificate because I do not have one.
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: Main mode peer ID is ID_FQDN: '@kirchner.bbcllc.net'
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 10:04:51 vangogh pluto[2016]: packet from 11.11.11.5:500: Informational Exchange is for an unknown (expired?) SA

***here is a netstat from vangogh:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.100.0   11.11.11.1      255.255.255.0   UG        0 0          0 eth0
11.11.11.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         11.11.11.1      0.0.0.0         UG        0 0          0 eth0

*** ipsec.conf from vangogh:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16


conn bc2sun
        left=12.12.12.5
        leftsubnet=192.168.100.0/24
        leftid=@kirchner.bbcllc.net
        leftrsasigkey=0sAQPk6fHF+yOLUoF2pW2DK/c....
        leftnexthop=12.12.12.1
        right=11.11.11.20
        rightsubnet=192.168.10.0/24
        rightid=@vangogh.bbcllc.net
        rightrsasigkey=0sAQOen5ZRzSbWRK.....
        rightnexthop=11.11.11.1
        auto=add

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


