[Openswan Users]
Setup ipsec tunnel between two natted machines and two dynamic ip's
Geert Janssens
info at kobaltwit.be
Fri Dec 30 16:17:23 CET 2005
Hi,
I have been digging through information about openswan/freeswan on the web and
locally, but I didn't find a solution for the following problem:
I have a network setup as follows:
IpsecPeer1
192.168.0.2
|
|
192.168.0.1
Firewall/nat 1
84.x.x.x (dynamic ip, accessible with dyndns "kobaltwit.homelinux.com")
.
. (internet)
.
84.y.y.y (dynamic ip, accessible with dyndns "auxima.homeip.net")
Firewall/nat 2
192.168.2.1
|
|
192.168.2.2
IpsecPeer2
Or described in words: I have two computers in two private networks I would
like to connect via a secure tunnel. Both are behind a firewall doing NAT,
and both firewalls' external IP address is dynamically allocated by the
respective ISPs. For both dynamic IPs, a dyndns name is allocated.
Additionally, I have created a certificate for both IPsec peers.
Both IpsecPeers are running Mandrake 2005 LE (kernel 2.6.8.1, openswan
2.2.0-2).
I can't figure out how to configure IPsec on the two servers such that I can
connect to the services on one IPsec peer (for example the mail system) from
the other peer via a secure tunnel. So for example, I would like to connect
to the mail server running on IpsecPeer2 with a mail client running on
IpsecPeer1.
The closest I got was with this configuration:
-------------------------------
-ipsec.conf on IpsecPeer1
-------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        plutodebug=all
        interfaces=%defaultroute
        nat_traversal=yes
# Add connections here
#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf
conn kobaltwit-to-auxima
        # Left security gateway, subnet behind it, next hop toward right.
        left=auxima.homeip.net
        leftsubnet=192.168.2.0/24
        leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
        leftrsasigkey=%cert
        leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
        # Right security gateway, subnet behind it, next hop toward left.
        right=%defaultroute
        rightsubnet=192.168.0.0/24
        rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
        rightrsasigkey=%cert
        rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
        auto=add
-------------------------------
-ipsec.conf on IpsecPeer2
-------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        plutodebug=all
        interfaces=%defaultroute
        nat_traversal=yes
# Add connections here
#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf
conn kobaltwit-to-auxima
        # Left security gateway, subnet behind it, next hop toward right.
        left=%defaultroute
        leftsubnet=192.168.2.0/24
        leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
        leftrsasigkey=%cert
        leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
        # Right security gateway, subnet behind it, next hop toward left.
        right=kobaltwit.homelinux.com
        rightsubnet=192.168.0.0/24
        rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
        rightrsasigkey=%cert
        rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
        auto=add
With this setup, a tunnel is established (I get the message "sent QI2, IPsec
SA established"). However, this configuration is for a network-to-network
tunnel, and I can't even test if it really works, because there is no network
behind IpsecPeer2. (There is a network behind IpsecPeer1, and in a second phase
I would like this network to use the tunnel also, but first I need the two
peers to be able to communicate.)
As far as I could understand the IPsec documentation, to set up a peer-to-peer
connection, the leftsubnet and rightsubnet entries should be removed.
However, if I remove the *subnet entries, the connection no longer gets
established.
Here is the console output on IpsecPeer1, from which the connection setup is
started:
[root at aragorn openswan]# ipsec auto --verbose --up kobaltwit-to-auxima
002 "kobaltwit-to-auxima" #1: initiating Main Mode
104 "kobaltwit-to-auxima" #1: STATE_MAIN_I1: initiate
003 "kobaltwit-to-auxima" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]
002 "kobaltwit-to-auxima" #1: enabling possible NAT-traversal with method RFC
XXXX (NAT-Traversal)
002 "kobaltwit-to-auxima" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "kobaltwit-to-auxima" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "kobaltwit-to-auxima" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
002 "kobaltwit-to-auxima" #1: I am sending my cert
002 "kobaltwit-to-auxima" #1: I am sending a certificate request
002 "kobaltwit-to-auxima" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "kobaltwit-to-auxima" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "kobaltwit-to-auxima" #1: STATE_MAIN_I3: retransmission; will wait 20s for
response
002 "kobaltwit-to-auxima" #1: Peer ID is ID_DER_ASN1_DN: 'C=BE, L=Grimbergen,
O=Kobalt W.I.T., CN=auxima.homeip.net'
002 "kobaltwit-to-auxima" #1: no crl from issuer "C=BE, L=Grimbergen, O=Kobalt
W.I.T., CN=Geert Janssens, E=info at kobaltwit.be" found (strict=no)
002 "kobaltwit-to-auxima" #1: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
002 "kobaltwit-to-auxima" #1: ISAKMP SA established
004 "kobaltwit-to-auxima" #1: STATE_MAIN_I4: ISAKMP SA established
002 "kobaltwit-to-auxima" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "kobaltwit-to-auxima" #2: STATE_QUICK_I1: initiate
010 "kobaltwit-to-auxima" #2: STATE_QUICK_I1: retransmission; will wait 20s
for response
010 "kobaltwit-to-auxima" #2: STATE_QUICK_I1: retransmission; will wait 40s
for response
031 "kobaltwit-to-auxima" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
000 "kobaltwit-to-auxima" #2: starting keying attempt 2 of at most 2, but
releasing whack
In the QUICK_I1 phase, these messages pop up in the log on IpsecPeer2 (the
"receiving end"):
pluto[3724]: | peer client is subnet 192.168.0.2/32
pluto[3724]: | peer client protocol/port is 0/0
pluto[3724]: | our client is subnet 81.83.108.106/32
pluto[3724]: | our client protocol/port is 0/0
pluto[3724]: | find_client_connection starting with kobaltwit-to-auxima
pluto[3724]: | looking for 81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0
pluto[3724]: | concrete checking against sr#0 192.168.2.2/32 ->
84.195.167.62/32
pluto[3724]: | match_id a=C=BE, L=Grimbergen, O=Kobalt W.I.T.,
CN=kobaltwit.homelinux.com b=C=BE,
L=Grimbergen, O=Kobalt W.I.T., C
N=kobaltwit.homelinux.com
pluto[3724]: | match_id called with a=C=BE, L=Grimbergen, O=Kobalt W.I.T.,
CN=kobaltwit.homelinux.com b=C=BE,
L=Grimbergen, O=Kobalt W.I.T.,
CN=kobaltwit.homelinux.com
pluto[3724]: | trusted_ca called with a=(empty) b=(empty)
pluto[3724]: | fc_try trying kobaltwit-to-auxima:81.83.108.106/32:0/0 ->
192.168.0.2/32:0/0 vs
kobaltwit-to-auxima:192.168.2.2/32:0/0 ->
84.195.167.62/32:0/0
pluto[3724]: | fc_try concluding with none [0]
pluto[3724]: | fc_try kobaltwit-to-auxima gives none
pluto[3724]: | checking hostpair 192.168.2.2/32 -> 84.195.167.62/32 is not
found
pluto[3724]: | concluding with d = none
pluto[3724]: "kobaltwit-to-auxima" #1: cannot respond to IPsec SA request
because no connection is known for
81.83.108.106/32===192.168.2.2:4500[C=BE, L=Grimbergen, O=Kobalt W.I.T.,
CN=auxima.homeip.net]...84.195.167.62:4500[C=BE, L=Grimbergen, O=Kobalt
W.I.T., CN=kobaltwit.homelinux.com]===192.168.0.2/32
pluto[3724]: "kobaltwit-to-auxima" #1: sending encrypted notification
INVALID_ID_INFORMATION to 84.195.167.62:4500
I can see the network chain IPsec is looking for doesn't match my chain, but I
can't figure out what's needed to fix this.
Can anybody help here? If needed, I'll gladly provide more information.
Thank you,
Geert Janssens
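The pluto debug lines quoted above contain the whole diagnosis: the Quick Mode selectors the initiator asks for ("looking for A -> B") are compared against the selectors the responder derived from its own conn ("checking against sr#0 C -> D"), and fc_try fails because neither side matches. The following is an added example, not code from the post or from Openswan; it parses those two lines from a constructed copy of the log (wrapped lines joined) and reports which side of the selector pair does not fit, which is the check a practitioner wants before touching the config.

```python
import re
from ipaddress import ip_network

# Constructed sample: the IpsecPeer2 pluto debug lines quoted in the post,
# with the extraction line-wrap on the "checking against" line joined.
PLUTO_LOG = """\
pluto[3724]: | peer client is subnet 192.168.0.2/32
pluto[3724]: | our client is subnet 81.83.108.106/32
pluto[3724]: | find_client_connection starting with kobaltwit-to-auxima
pluto[3724]: | looking for 81.83.108.106/32:0/0 -> 192.168.0.2/32:0/0
pluto[3724]: | concrete checking against sr#0 192.168.2.2/32 -> 84.195.167.62/32
pluto[3724]: | fc_try concluding with none [0]
"""

# "looking for <our client>:<proto/port> -> <peer client>:<proto/port>"
LOOKING = re.compile(r"looking for (\S+?):\d+/\d+ -> (\S+?):\d+/\d+")
# "checking against sr#N <our configured client> -> <peer configured client>"
CHECKING = re.compile(r"checking against sr#\d+ (\S+) -> (\S+)")


def parse_selectors(log):
    """Return (requested, configured), each an (our, peer) pair of networks,
    or None for a pair whose line is absent from the log."""
    requested = configured = None
    for line in log.splitlines():
        m = LOOKING.search(line)
        if m:
            requested = (ip_network(m[1]), ip_network(m[2]))
        m = CHECKING.search(line)
        if m:
            configured = (ip_network(m[1]), ip_network(m[2]))
    return requested, configured


def diagnose(log):
    """List every side ('our' / 'peer') whose requested selector is not
    covered by the configured one, as (side, requested, configured)."""
    requested, configured = parse_selectors(log)
    if requested is None or configured is None:
        return [("parse", None, None)]
    problems = []
    for side, want, have in zip(("our", "peer"), requested, configured):
        # A responder accepts the request only if the proposed client
        # lies inside the selector it derived from its own conn.
        if not want.subnet_of(have):
            problems.append((side, str(want), str(have)))
    return problems


if __name__ == "__main__":
    for side, want, have in diagnose(PLUTO_LOG):
        print(f"{side} client mismatch: peer proposed {want}, conn has {have}")
```

In the post's log both sides fail: the initiator proposes each gateway's public (NAT) address, while the responder's selectors were derived from the private %defaultroute addresses, so no conn is found and INVALID_ID_INFORMATION is returned.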