[Openswan Users] Roadwarrior setup

J Zakhar jzakhar at gmail.com
Sun Feb 20 20:20:40 CET 2005 

Good evening folks, 

I am working on getting a roadwarrior setup working here. I followed
nate carlson's examples listed here
http://www.natecarlson.com/linux/ipsec-x509.php

The only change I made was to use a pre shared key until I can see it
work, then I will go through the process of generating certs.

my network setup looks like this


192.168.42.0/24 ---- linux VPN gateway -----internet ------- cisco4700
---- 172.28.42.0/

the cisco 4700 is doing NAT. the roadwarrior client is on the 172
network and I am trying to connect to the 192 network, at the moment
the linux gateway does not have any iptables nat rules associated with
it. it does however have a 192 interface that I was trying to ping.


ipsec.conf on linux gateway
 
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        strictcrlpolicy=no
        klipsdebug=none
        plutodebug=none
        virtual_private=%v4:10.0.0.0/8,%v4:172.28.0.0/14

conn %default
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyexchange=ike
        ikelifetime=28800s
        keylife=86400s
        compress=yes

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-net
        leftsubnet=192.168.42.0/24
        also=roadwarrior

conn roadwarrior
        authby=secret
        left=%defaultroute
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes



ipsec.conf on roadwarrior:

conn roadwarrior
	left=%any
	right=68.46.xxx.xxx
	rightsubnet=192.168.42.0/24
	network=auto
                auto=start
	pfs=yes


conn roadwarrior-net
	left=%any
	right=68.46.xxx.xxx
	rightsubnet=192.168.42.0/24
	network=auto
	auto=start	
	pfs=yes

I used the MMC snap in to add the preshared key to these connections.


the lod entrys in /var/log/messages

Feb 20 20:11:41 pcp03822184pcs pluto[2959]: packet from
68.54.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY
00000003]
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[5]
68.54.xxx.xxx #6: responding to Main Mode from unknown peer
68.54.xxx.xxx
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[5]
68.54.xxx.xxx #6: Peer ID is ID_IPV4_ADDR: '172.28.42.170'
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[6]
68.54.xxx.xxx #6: deleting connection "roadwarrior" instance with peer
68.54.xxx.xxx {isakmp=#0/ipsec=#0}
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[6]
68.54.xxx.xxx #6: sent MR3, ISAKMP SA established
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior-net"[3]
68.54.xxx.xxx #7: responding to Quick Mode
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior-net"[3]
68.54.xxx.xxx #7: IPsec SA established {ESP=>0xa42bf2ad <0x032fce0a}
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6]
68.54.xxx.xxx #6: received Delete SA(0xa42bf2ad) payload: deleting
IPSEC State #7
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6]
68.54.xxx.xxx #6: deleting connection "roadwarrior-net" instance with
peer 68.54.xxx.xxx {isakmp=#0/ipsec=#0}
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6]
68.54.xxx.xxx #6: received Delete SA payload: deleting ISAKMP State #6
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6]
68.54.xxx.xxx: deleting connection "roadwarrior" instance with peer
68.54.xxx.xxx {isakmp=#0/ipsec=#0}

ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface lo/lo ::1
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.42.10
000 interface eth0/eth0 192.168.42.10
000 interface eth1/eth1 68.46.xxx.xxx
000 interface eth1/eth1 68.46.xxx.xxx
000 %myid = (none)
000 debug none
000
000 "roadwarrior": 68.46.xxx.xxx---68.46.xxx.xxx...%virtual===?;
unrouted; eroute owner: #0
000 "roadwarrior":   ike_life: 28800s; ipsec_life: 86400s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
32,32; interface: eth1;
000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-all":
0.0.0.0/0===68.46.xxx.xxx---68.46.xxx.xxx...%virtual===?; unrouted;
eroute owner: #0
000 "roadwarrior-all":   ike_life: 28800s; ipsec_life: 86400s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-all":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 0,32; interface: eth1;
000 "roadwarrior-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net":
192.168.42.0/24===68.46.xxx.xxx---68.46.xxx.xxx...%virtual===?;
unrouted; eroute owner: #0
000 "roadwarrior-net":   ike_life: 28800s; ipsec_life: 86400s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-net":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 24,32; interface: eth1;
000 "roadwarrior-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;

 
I can get the tunnel/SA established, however there is no routing going
on at all, i cannot ping any hosts behind he VPN gateway nor can the
vpn gateway or a host behind it ping the 172 host.

any help, or advice would be appreciated

More information about the Users mailing list