[Openswan Users] Simple road-warrior setup

Harold Naparst hnaparst at gmail.com
Tue Aug 16 01:20:54 CEST 2005


I'm trying to connect a laptop to a network. Here's where I am:

conn road
        right=206.180.155.86             # Dad's information
        rightsubnet=192.168.37.0/24      # Dad's network
        rightid=@gnapold.naparst.com     # Dad's information
        rightrsasigkey=0sAQOCOvabV...
        left=%defaultroute               # Picks up our dynamic IP
        leftid=@emigration.naparst.com   #

The file is the same on the host's gateway, which is 192.168.37.2.
The router, 192.168.37.1, has ports 500 and 4500 forwarded to 192.168.37.2,
which as I said is the computer running openswan.

ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.3.1/K2.6.12-gentoo-r6 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: emigration [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 124.227.132.64.in-addr.arpa. [MISSING]

That looks OK. And I think the tunnel looks OK...

ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 64.132.227.124
000 interface eth0/eth0 64.132.227.124
000 %myid = (none)
000 debug none
000 
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000 
000 "road": 64.132.227.124[@emigration.naparst.com]---64.132.227.126...206.180.155.86[@gnapold.naparst.com]===192.168.37.0/24; unrouted; eroute owner: #0
000 "road": srcip=unset; dstip=unset
000 "road": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "road": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,24; interface: eth0;
000 "road": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 
000 

However, when I try to ping the router, I get nothing.

# ping 192.168.37.1
PING 192.168.37.1 (192.168.37.1) 56(84) bytes of data.

--- 192.168.37.1 ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 8999ms

Interestingly, when I try to ping microsoft, I also get nothing:

ping www.microsoft.com
PING lb1.www.ms.akadns.net (207.46.199.30) 56(84) bytes of data.

--- lb1.www.ms.akadns.net ping statistics ---
16 packets transmitted, 0 received, 100% packet loss, time 15000ms

However, when I ping the router's public IP address, that works:

ping naparst.homelinux.com
PING naparst.homelinux.com (206.180.155.86) 56(84) bytes of data.
64 bytes from 206.180.155.86.adsl.hal-pc.org (206.180.155.86): icmp_seq=1 ttl=53 time=44.8 ms
64 bytes from 206.180.155.86.adsl.hal-pc.org (206.180.155.86): icmp_seq=2 ttl=53 time=71.6 ms
64 bytes from 206.180.155.86.adsl.hal-pc.org (206.180.155.86): icmp_seq=3 ttl=53 time=61.2 ms

I'm lost.

Harold
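Added example, not code from the post or from Openswan: a small Python parser for the per-conn lines of `ipsec auto --status` quoted above, run over a sample constructed from those lines. It reads off what that output already states for "road": the conn is `unrouted` with `eroute owner: #0`, and both newest SAs are `#0`, so no IKE or IPsec SA exists yet and nothing sent to 192.168.37.0/24 can be entering the tunnel.

```python
import re

# Constructed sample, modelled on the `ipsec auto --status` lines in the post
# (pluto prefixes every status line with "000 "); addresses are those of the thread.
SAMPLE_STATUS = """\
000 "road": 64.132.227.124[@emigration.naparst.com]---64.132.227.126...206.180.155.86[@gnapold.naparst.com]===192.168.37.0/24; unrouted; eroute owner: #0
000 "road": srcip=unset; dstip=unset
000 "road": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "road": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,24; interface: eth0;
000 "road": newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<rest>.*)$')
# "...; unrouted; eroute owner: #0" -> routing state and the SA owning the eroute
ROUTE_RE = re.compile(r'; (?P<state>[^;]+); eroute owner: #(?P<owner>\d+)')
# "#0" for either SA means pluto has negotiated nothing for this conn
SA_RE = re.compile(r'newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<ipsec>\d+);')


def parse_status(text):
    """Map conn name -> {route, eroute_owner, isakmp_sa, ipsec_sa} from status output."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # interface, algorithm and stats lines are not per-conn
        info = conns.setdefault(m.group("name"), {})
        r = ROUTE_RE.search(m.group("rest"))
        if r:
            info["route"] = r.group("state")
            info["eroute_owner"] = int(r.group("owner"))
        s = SA_RE.search(m.group("rest"))
        if s:
            info["isakmp_sa"] = int(s.group("ike"))
            info["ipsec_sa"] = int(s.group("ipsec"))
    return conns


def diagnose(info):
    """List the reasons, visible in the status alone, why no traffic can use the tunnel."""
    problems = []
    if info.get("isakmp_sa", 0) == 0:
        problems.append("no ISAKMP SA: IKE phase 1 never completed, peers not authenticated")
    if info.get("ipsec_sa", 0) == 0:
        problems.append("no IPsec SA: no ESP keys, so nothing can be encrypted")
    if info.get("route") == "unrouted":
        problems.append("conn unrouted: packets for the remote subnet are not steered into the tunnel")
    return problems
```

On a live host the same functions can be fed the output of `ipsec auto --status` directly; a conn that is up shows `erouted` and non-zero SA numbers, and `diagnose` returns an empty list.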