[Openswan Users] Trouble establishing tunnel

Prashanth Ninan prashanthninan at gmail.com
Wed Feb 16 13:56:26 CET 2005


Hi,

This could be a long post, but as I am new to IPsec as a concept and
to OpenSWAN too, I am posting just about everything that I can to
request help.

My setup is supposed to be a typical net-to-net one with details like
the following:

[ 192.168.1.0/24 ] <==> [ aa.bb.cc.dd ] <== internet ==> [ ww.xx.yy.zz ] <==> [ 192.168.0.0/24 ]

with aa.bb.cc.dd and ww.xx.yy.zz being the registered IP addresses on
the internet.

My /etc/ipsec.conf file is as below:
<ipsec.conf>
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0

conn net-to-net
        left=aa.bb.cc.dd
        leftsubnet=192.168.1.0/24
        right=ww.xx.yy.zz
        rightsubnet=192.168.0.1/24
        auto=start
        authby=rsasig
        leftid=@somenetwork
        rightid=@someothernetwork
        rightrsasigkey=0sAQO7...
        leftrsasigkey=0sAQNU...
</ipsec.conf>

aa.bb.cc.dd runs on Debian Linux with a 2.4 kernel, while ww.xx.yy.zz
runs on a Fedora Core 2 Linux box with a 2.6 kernel.

My problem is that on aa.bb.cc.dd, on starting up the ipsec service, I
see an ipsec0 interface when I use ifconfig, while on ww.xx.yy.zz, on
system boot-up I see that it is bringing up the ipsec0 interface OK,
but I am not able to see anything about it when I issue an ifconfig
command.

Also, if I issue an "ipsec setup --status", on the aa.bb.cc.dd box, I see:
IPsec running
pluto pid 12345
1 tunnels up

But on the ww.xx.yy.zz server, I see:
IPsec running
pluto pid 12345
No tunnels up

Beyond that, the tunnel itself does not work. I am unable to ping or
telnet or anything.

My firewall rules are set as follows:

On aa.bb.cc.dd:
${IPFW} -A INPUT -p tcp --dport 500 -s ww.xx.yy.zz --sport 500 -j ACCEPT
${IPFW} -A INPUT -p udp --dport 500 -s ww.xx.yy.zz --sport 500 -j ACCEPT
${IPFW} -A INPUT -p 50 -s ww.xx.yy.zz -d aa.bb.cc.dd -j ACCEPT
${IPFW} -A INPUT -p 51 -s ww.xx.yy.zz -d aa.bb.cc.dd -j ACCEPT

On ww.xx.yy.zz:
${IPFW} -A INPUT -p tcp --dport 500 -s aa.bb.cc.dd --sport 500 -j ACCEPT
${IPFW} -A INPUT -p udp --dport 500 -s aa.bb.cc.dd --sport 500 -j ACCEPT
${IPFW} -A INPUT -p 50 -s aa.bb.cc.dd -d ww.xx.yy.zz -j ACCEPT
${IPFW} -A INPUT -p 51 -s aa.bb.cc.dd -d ww.xx.yy.zz -j ACCEPT

where ${IPFW}=/sbin/iptables

Please show me where I am wrong; if there is any more information that
you require from me, I can send that too.

Thanks in advance,
Prashanth
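As an added example (not part of the post above and not Openswan's own code), a small sanity check one can run over a posted ipsec.conf before digging into logs: it parses the conn sections and flags a leftsubnet/rightsubnet whose value is not a network address (host bits set) or that overlaps the other side. SAMPLE_CONF is a constructed copy of the conn values from the post, with the placeholder gateway names kept as written.

```python
import ipaddress

# Constructed sample: the conn sections from the ipsec.conf in the post
# above, with the placeholder gateway addresses left as written.
SAMPLE_CONF = """\
config setup
        interfaces="ipsec0=eth1"
conn %default
        keyingtries=0
conn net-to-net
        left=aa.bb.cc.dd
        leftsubnet=192.168.1.0/24
        right=ww.xx.yy.zz
        rightsubnet=192.168.0.1/24
        auto=start
        authby=rsasig
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section; '#' comments
    are stripped and non-conn sections (config setup) are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header line
            parts = line.split(None, 1)
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

def check_subnets(conn):
    """Flag subnet values that are not true network addresses (host bits set)
    or that overlap each other; returns a list of findings, empty if clean."""
    findings, nets = [], {}
    for side in ("leftsubnet", "rightsubnet"):
        value = conn.get(side)
        if value is None:
            findings.append(f"{side} is missing")
            continue
        try:
            nets[side] = ipaddress.ip_network(value, strict=True)
        except ValueError:
            findings.append(f"{side}={value} has host bits set; expected a network address")
            nets[side] = ipaddress.ip_network(value, strict=False)
    if len(nets) == 2 and nets["leftsubnet"].overlaps(nets["rightsubnet"]):
        findings.append("leftsubnet and rightsubnet overlap")
    return findings
```

Run `check_subnets(parse_conns(SAMPLE_CONF)["net-to-net"])` to see the findings for the posted conn; an empty list means both subnets are well-formed and disjoint.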

