[Openswan Users] Trouble establishing tunnel
Prashanth Ninan
prashanthninan at gmail.com
Wed Feb 16 13:56:26 CET 2005
Hi,
This could be a long post, but as I am new to IPsec as a concept and
to OpenSWAN too, I am posting just about everything that I can to
request help.
My setup is supposed to be a typical net-to-net one with details like
the following:
[ 192.168.1.0/24 ] <==> [ aa.bb.cc.dd ] <== internet ==> [ ww.xx.yy.zz ] <==> [ 192.168.0.0/24 ]
with aa.bb.cc.dd and ww.xx.yy.zz being the registered IP addresses on
the internet.
My /etc/ipsec.conf file is as below:
<ipsec.conf>
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
conn %default
    keyingtries=0
conn net-to-net
    left=aa.bb.cc.dd
    leftsubnet=192.168.1.0/24
    right=ww.xx.yy.zz
    rightsubnet=192.168.0.1/24
    auto=start
    authby=rsasig
    leftid=@somenetwork
    rightid=@someothernetwork
    rightrsasigkey=0sAQO7...
    leftrsasigkey=0sAQNU...
</ipsec.conf>
aa.bb.cc.dd runs on Debian Linux with a 2.4 kernel, while ww.xx.yy.zz
runs on a Fedora Core 2 Linux box with a 2.6 kernel.
My problem is that on aa.bb.cc.dd, on starting up the ipsec service, I
see an ipsec0 interface when I use ifconfig, while on ww.xx.yy.zz, on
system boot-up I see that it is bringing up the ipsec0 interface OK,
but I am not able to see anything about it when I issue an ifconfig
command.
Also, if I issue an "ipsec setup --status", on the aa.bb.cc.dd box, I see:
IPsec running
pluto pid 12345
1 tunnels up
But on the ww.xx.yy.zz server, I see:
IPsec running
pluto pid 12345
No tunnels up
Beyond that, the tunnel itself does not work. I am unable to ping or
telnet or anything.
My firewall rules are set as follows:
On aa.bb.cc.dd:
${IPFW} -A INPUT -p tcp --dport 500 -s ww.xx.yy.zz --sport 500 -j ACCEPT
${IPFW} -A INPUT -p udp --dport 500 -s ww.xx.yy.zz --sport 500 -j ACCEPT
${IPFW} -A INPUT -p 50 -s ww.xx.yy.zz -d aa.bb.cc.dd -j ACCEPT
${IPFW} -A INPUT -p 51 -s ww.xx.yy.zz -d aa.bb.cc.dd -j ACCEPT
On ww.xx.yy.zz:
${IPFW} -A INPUT -p tcp --dport 500 -s aa.bb.cc.dd --sport 500 -j ACCEPT
${IPFW} -A INPUT -p udp --dport 500 -s aa.bb.cc.dd --sport 500 -j ACCEPT
${IPFW} -A INPUT -p 50 -s aa.bb.cc.dd -d ww.xx.yy.zz -j ACCEPT
${IPFW} -A INPUT -p 51 -s aa.bb.cc.dd -d ww.xx.yy.zz -j ACCEPT
where ${IPFW}=/sbin/iptables
Please show me where I am wrong; if there is any more information that
you require from me, I can send that too.
Thanks in advance,
Prashanth
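Added example, not part of the original post and not Openswan code: a small Python checker that parses an ipsec.conf of the shape quoted above and applies two sanity checks a practitioner would run before looking at the tunnel itself. First, it verifies that every leftsubnet/rightsubnet value is a network address with the host bits clear (the ipaddress module's strict parsing rejects anything else), reporting the normalized form when it is not. Second, it verifies that the iptables INPUT rules for a given peer admit IKE on udp/500, ESP (protocol 50) and AH (protocol 51). The embedded config and rule text are constructed from the post, with the aa.bb.cc.dd / ww.xx.yy.zz placeholders replaced by RFC 5737 documentation addresses so the values parse; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the conn block from the post, with the placeholder gateway
# addresses replaced by RFC 5737 documentation IPs so they parse as addresses.
SAMPLE_IPSEC_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
conn %default
    keyingtries=0
conn net-to-net
    left=192.0.2.10
    leftsubnet=192.168.1.0/24
    right=198.51.100.20
    rightsubnet=192.168.0.1/24
    auto=start
    authby=rsasig
"""

# Constructed sample: the left-hand gateway's firewall rules from the post.
SAMPLE_RULES_LEFT = """\
/sbin/iptables -A INPUT -p tcp --dport 500 -s 198.51.100.20 --sport 500 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 500 -s 198.51.100.20 --sport 500 -j ACCEPT
/sbin/iptables -A INPUT -p 50 -s 198.51.100.20 -d 192.0.2.10 -j ACCEPT
/sbin/iptables -A INPUT -p 51 -s 198.51.100.20 -d 192.0.2.10 -j ACCEPT
"""


def parse_ipsec_conf(text):
    """Return {'conn net-to-net': {key: value}, ...} for a simplified ipsec.conf.

    Section headers ('config <name>' / 'conn <name>') start at column 0;
    indented key=value lines belong to the most recent section. Comments
    after '#' are dropped. This mirrors the file layout, not Openswan's parser.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            m = re.match(r"(config|conn)\s+(\S+)", line)
            current = f"{m.group(1)} {m.group(2)}" if m else None
            if current is not None:
                sections[current] = {}
            continue  # 'version 2.0' and other top-level lines are skipped
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def check_subnets(conn):
    """Flag leftsubnet/rightsubnet values whose host bits are not all zero.

    Returns a list of (key, given_value, normalized_network) tuples; an empty
    list means both subnets are proper network addresses.
    """
    problems = []
    for key in ("leftsubnet", "rightsubnet"):
        value = conn.get(key)
        if value is None:
            continue
        try:
            ipaddress.ip_network(value, strict=True)
        except ValueError:
            normalized = str(ipaddress.ip_network(value, strict=False))
            problems.append((key, value, normalized))
    return problems


def missing_firewall_rules(rules_text, peer):
    """Check that ACCEPT rules from `peer` exist for IKE (udp/500), ESP and AH.

    Returns the list of names that have no matching rule. Only the presence of
    a rule is tested, not its position relative to earlier DROP rules.
    """
    seen = {"udp/500": False, "esp": False, "ah": False}
    for line in rules_text.splitlines():
        if f"-s {peer}" not in line.split() and f"-s {peer}" not in line:
            continue
        if "-j ACCEPT" not in line:
            continue
        if re.search(r"-p\s+udp\b", line) and re.search(r"--dport\s+500\b", line):
            seen["udp/500"] = True
        elif re.search(r"-p\s+(50|esp)\b", line):
            seen["esp"] = True
        elif re.search(r"-p\s+(51|ah)\b", line):
            seen["ah"] = True
    return [name for name, ok in seen.items() if not ok]


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    conn = conf["conn net-to-net"]
    for key, given, normalized in check_subnets(conn):
        print(f"{key}={given} has host bits set; network is {normalized}")
    gaps = missing_firewall_rules(SAMPLE_RULES_LEFT, conn["right"])
    print("missing rules for peer:", gaps or "none")
```

Run as-is, the subnet check reports the rightsubnet value as not being a network address, and the firewall check passes for the quoted rule set. The firewall check deliberately ignores the tcp/500 rule, since IKE runs over UDP; it also does not judge rule ordering, so a `DROP` earlier in the chain would still have to be inspected by hand.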