[Openswan Users] net-to-net vpn setup
Vishal Dubey
vishal at bbcllc.net
Thu Aug 11 15:51:18 CEST 2005
Ted Kaczmarek wrote:
>On Tue, 2005-08-09 at 08:16 -0400, Vishal Dubey wrote:
>
>
>>Ted Kaczmarek wrote:
>>
>>
>>>On Mon, 2005-08-08 at 13:55 -0400, Vishal Dubey wrote:
>>>
>>>
>>>
>>>>Can someone point me to docs that show how to set up net-to-net using
>>>>openswan 2.4.0dr8 and shorewall?
>>>>
>>>>I am a newbie and can use all the help I can get.
>>>>
>>>>My setup:
>>>>
>>>>OS is FC4 with kernel 2.6.12.3 patched with netfilter+ipsec and policy
>>>>match.
>>>>openswan, as stated earlier, is 2.4.0dr8 (it seems to compile when you "make
>>>>programs install" but does not compile KLIPS).
>>>>shorewall version is 2.4.2.
>>>>here is what is happening:
>>>>
>>>>192.168.10.0/24 <---> firewall/vpn <----> internet <---> firewall/vpn <----> 192.168.100.0/24
>>>>                  (vangogh 11.11.11.20/24)            (kirchner 12.12.12.5/28)
>>>>
>>>>I generated public/private keys for vangogh and kirchner on a third
>>>>system.
>>>>
>>>>On vangogh I installed the following keys and certs:
>>>>vangogh.bbcllc.net.req.key to /etc/ipsec.d/private
>>>>vangogh.bbcllc.net.cert.pem to /etc/ipsec.d/certs
>>>>kirchner.bbcllc.net.cert.pem to /etc/ipsec.d/certs
>>>>cacert.pem to /etc/ipsec.d/cacerts
>>>>crl.pem to /etc/ipsec.d/crls
>>>>
>>>>On kirchner the key and files are in their respective directories, including
>>>>cacert.pem and crl.pem. The only thing that is not on kirchner is
>>>>vangogh's .pem file.
>>>>*****
>>>>
>>>>I am getting the following error messages in the /var/log/messages file:
>>>>
>>>>Aug 8 09:42:24 vangogh ipsec__plutorun: restarting IPsec after pause...
>>>>Aug 8 09:42:34 vangogh rmmod: ERROR: Module af_key is in use
>>>>Aug 8 09:42:34 vangogh ipsec_setup: ...Openswan IPsec stopped
>>>>Aug 8 09:42:34 vangogh ipsec_setup: Stopping Openswan IPsec...
>>>>Aug 8 09:42:35 vangogh ipsec_setup: KLIPS ipsec0 on eth0 11.11.11.20/255.255.255.0 broadcast 11.11.11.255
>>>>Aug 8 09:42:35 vangogh racoon: INFO: unsupported PF_KEY message REGISTER
>>>>Aug 8 09:42:35 vangogh last message repeated 2 times
>>>>Aug 8 09:42:35 vangogh ipsec_setup: ...Openswan IPsec started
>>>>Aug 8 09:42:35 vangogh ipsec_setup: Restarting Openswan IPsec U2.4.0dr8/K2.6.12.3-bc-20050805-1...
>>>>Aug 8 09:42:35 vangogh ipsec_setup: insmod /lib/modules/2.6.12.3-bc-20050805-1/kernel/net/ipv4/xfrm4_tunnel.ko
>>>>Aug 8 09:42:35 vangogh ipsec__plutorun: 003 FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use
>>>>Aug 8 09:42:35 vangogh ipsec__plutorun: !pluto failure!: exited with error status 1
>>>>
>>>>Please help!
>>>>
>>>>
>>>netstat -an | grep 500
>>>
>>>If you have the same issue as me, it is a left-over racoon connection;
>>>they don't like to go away properly.
>>>
>>>rpm -e ipsec-tools
>>>reboot
>>>That was the cleanest for me, testing with CentOS 4.1 (ES4 clone).
>>>
>>>This blows away the racoon stuff. Based upon what I have seen with FC3
>>>and CentOS 4, ipsec-tools and openswan don't mix well at this time.
>>>
>>>Ted
>>>
>>>
>>>
>>Thanks Ted, I'll try to remove racoon.
>>BTW, is there a way to remove racoon when it is installed from
>>source?
>>
>>
>
>Hopefully make uninstall cleans it all out. As long as you didn't
>compile anything into the kernel you should be able to remove it. It
>doesn't have to be removed as long as you make sure it doesn't run, but
>removing it will prevent any chance of that :-)
>
>Ted
>
>
I finally got around to removing and reinstalling ipsec-tools-0.6 and
openswan 2.4.0dr8.
Now, I think, both gateways see each other, but I don't see any tunnels
being created.
What am I missing?
Following are the log files, netstat output and ipsec.conf from both gateways:
+++ /var/log/secure from kirchner:
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: Main mode peer ID is ID_FQDN: '@vangogh.bbcllc.net'
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: I did not send a certificate because I do not have one.
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 11 14:05:32 kirchner pluto[1906]: "bc2sun" #59: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 14:09:27 kirchner pluto[1906]: packet from 12.12.12.20:500: Informational Exchange is for an unknown (expired?) SA
+++ netstat from kirchner:
Destination     Gateway         Genmask          Flags MSS Window irtt Iface
12.12.12.0      0.0.0.0         255.255.255.240  U     0   0      0    eth0
192.168.100.0   0.0.0.0         255.255.255.0    U     0   0      0    eth1
192.168.10.0    12.38.202.1     255.255.255.0    UG    0   0      0    eth0
169.254.0.0     0.0.0.0         255.255.0.0      U     0   0      0    eth1
0.0.0.0         12.12.12.1      0.0.0.0          UG    0   0      0    eth0
+++ ipsec.conf from kirchner:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn bc2sun
    left=12.12.12.5
    leftsubnet=192.168.100.0/24
    leftid=@kirchner.bbcllc.net
    leftnexthop=%defaultroute
    leftrsasigkey=0sAQPk6fHF+yOLUoF2pW2DK/cai4Kx/EH84i3xbEjL2...
    right=11.11.11.20
    rightsubnet=192.168.10.0/24
    rightid=@vangogh.bbcllc.net
    rightrsasigkey=0sAQOen5ZRzSbWRKTFlXWWIz0jPaYBLmyzcoMGVr...
    rightnexthop=%defaultroute
    auto=add
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
=====================================================
*** /var/log/secure from vangogh:
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: I did not send a certificate because I do not have one.
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: Main mode peer ID is ID_FQDN: '@kirchner.bbcllc.net'
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 10:04:51 vangogh pluto[2016]: packet from 11.11.11.5:500: Informational Exchange is for an unknown (expired?) SA
*** here is a netstat from vangogh:
Destination     Gateway         Genmask          Flags MSS Window irtt Iface
192.168.100.0   11.11.11.1      255.255.255.0    UG    0   0      0    eth0
11.11.11.0      0.0.0.0         255.255.255.0    U     0   0      0    eth0
192.168.10.0    0.0.0.0         255.255.255.0    U     0   0      0    eth1
169.254.0.0     0.0.0.0         255.255.0.0      U     0   0      0    eth1
0.0.0.0         11.11.11.1      0.0.0.0          UG    0   0      0    eth0
*** ipsec.conf from vangogh:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn bc2sun
    left=12.12.12.5
    leftsubnet=192.168.100.0/24
    leftid=@kirchner.bbcllc.net
    leftrsasigkey=0sAQPk6fHF+yOLUoF2pW2DK/c....
    leftnexthop=12.12.12.1
    right=11.11.11.20
    rightsubnet=192.168.10.0/24
    rightid=@vangogh.bbcllc.net
    rightrsasigkey=0sAQOen5ZRzSbWRK.....
    rightnexthop=11.11.11.1
    auto=add
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
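Added example (editor's code, not part of the thread and not an Openswan tool): a small Python triage script that reads pluto log lines like the ones posted above together with the `auto=` setting of each conn in ipsec.conf and reports how far each connection got. It covers both problems in this thread. The first is the earlier `FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use`, which pluto emits when it cannot bind UDP/500, the situation Ted's `netstat -an | grep 500` is meant to expose (racoon from ipsec-tools listening on the same port). The second is the later state where both logs show `ISAKMP SA established` (Main Mode, phase 1, peer authenticated with `OAKLEY_RSA_SIG`) but neither shows `IPsec SA established`, the line Openswan logs when Quick Mode (phase 2) completes and an actual tunnel exists; with `auto=add` a conn is only loaded into pluto and has to be brought up with `ipsec auto --up <conn>` (or `auto=start`). The log text and the ipsec.conf fragment inside the script are constructed from the lines posted above with keys omitted; the function names and the finding labels (`BIND_FAILED`, `PHASE1_ONLY`, `TUNNEL_UP`, `UNKNOWN_SA`) are the example's own.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed input: pluto lines copied from the thread above (vangogh side),
# plus the earlier bind() failure, so the script runs offline.
SAMPLE_LOG = """\
Aug 8 09:42:35 vangogh ipsec__plutorun: 003 FATAL ERROR: bind() failed in find_raw_ifaces4(). Errno 98: Address already in use
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 11 10:00:30 vangogh pluto[2016]: "bc2sun" #72: I did not send a certificate because I do not have one.
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: Main mode peer ID is ID_FQDN: '@kirchner.bbcllc.net'
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 11 10:00:31 vangogh pluto[2016]: "bc2sun" #72: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Aug 11 10:04:51 vangogh pluto[2016]: packet from 11.11.11.5:500: Informational Exchange is for an unknown (expired?) SA
"""

# Constructed ipsec.conf fragment mirroring the posted one (keys and subnets elided).
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
conn bc2sun
    left=12.12.12.5
    right=11.11.11.20
    auto=add
"""

CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
AUTH_RE = re.compile(r'auth=(\w+)')


@dataclass
class ConnStatus:
    states: list = field(default_factory=list)  # state names reached, in order
    isakmp_sa: bool = False   # Main Mode (phase 1) completed
    ipsec_sa: bool = False    # Quick Mode (phase 2) completed: the real tunnel
    auth: str = ""            # authentication method pluto reported for phase 1
    peer_id: str = ""         # peer identity as pluto printed it


def parse_conf_auto(conf_text):
    """Return {conn_name: value of auto=} from ipsec.conf-style text (None if unset)."""
    auto, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            auto.setdefault(current, None)
        elif current and "=" in line and not line.startswith("#"):
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "auto":
                auto[current] = value
    return auto


def parse_pluto(log_text):
    """Return ({conn: ConnStatus}, [global findings]) from pluto log lines."""
    conns, findings = {}, []
    for line in log_text.splitlines():
        if "FATAL ERROR: bind() failed" in line:
            findings.append("BIND_FAILED")
            continue
        if "Informational Exchange is for an unknown" in line:
            findings.append("UNKNOWN_SA")
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        st = conns.setdefault(m.group("conn"), ConnStatus())
        msg = m.group("msg")
        t = TRANSITION_RE.search(msg)
        if t:
            st.states.append(t.group(2))
        if "ISAKMP SA established" in msg:
            st.isakmp_sa = True
            a = AUTH_RE.search(msg)
            if a:
                st.auth = a.group(1)
        if "IPsec SA established" in msg:
            st.ipsec_sa = True
        if "peer ID is" in msg:
            st.peer_id = msg.split("peer ID is", 1)[1].strip()
    return conns, findings


def triage(log_text, conf_text):
    """Turn parsed log and config into one finding per condition, in log order."""
    conns, findings = parse_pluto(log_text)
    auto = parse_conf_auto(conf_text)
    report = []
    if "BIND_FAILED" in findings:
        report.append("BIND_FAILED: another process holds UDP/500 (e.g. racoon from "
                      "ipsec-tools); check 'netstat -anup | grep :500' before starting pluto")
    for name, st in conns.items():
        if st.ipsec_sa:
            report.append(f"{name}: TUNNEL_UP (IPsec SA negotiated, phase 1 auth={st.auth})")
        elif st.isakmp_sa:
            hint = ""
            if auto.get(name) == "add":
                hint = (f"; conn is auto=add, so it is only loaded: bring it up with "
                        f"'ipsec auto --up {name}' (or auto=start) and expect STATE_QUICK_* lines")
            report.append(f"{name}: PHASE1_ONLY (ISAKMP SA with {st.peer_id}, no IPsec SA){hint}")
        else:
            last = st.states[-1] if st.states else "none"
            report.append(f"{name}: PHASE1_INCOMPLETE (last state {last})")
    if "UNKNOWN_SA" in findings:
        report.append("UNKNOWN_SA: peer sent an Informational (usually a Delete) for an SA this "
                      "side does not hold; the peer may have expired or torn down its side")
    return report


if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    conf = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_CONF
    for finding in triage(log, conf):
        print(finding)
```

On a real gateway run it as `python3 pluto_triage.py /var/log/secure /etc/ipsec.conf`; with no arguments it runs over the constructed sample. It only reads what pluto already logged, so it is a first pass: on Openswan 2.x the authoritative view of which ISAKMP and IPsec SAs exist per conn is `ipsec auto --status`, and the `bind()` case should be confirmed by seeing who actually owns the socket rather than by the log line alone.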