[Openswan Users] Roadwarrior setup
J Zakhar
jzakhar at gmail.com
Sun Feb 20 20:20:40 CET 2005
Good evening folks,
I am working on getting a roadwarrior setup working here. I followed
Nate Carlson's examples listed here:
http://www.natecarlson.com/linux/ipsec-x509.php
The only change I made was to use a pre-shared key until I can see it
work; then I will go through the process of generating certs.
My network setup looks like this:
192.168.42.0/24 ---- linux VPN gateway ----- internet ------- cisco4700 ---- 172.28.42.0/
The cisco 4700 is doing NAT. The roadwarrior client is on the 172
network and I am trying to connect to the 192 network. At the moment
the linux gateway does not have any iptables NAT rules associated with
it; it does however have a 192 interface that I was trying to ping.
ipsec.conf on the linux gateway:
config setup
	interfaces=%defaultroute
	nat_traversal=yes
	strictcrlpolicy=no
	klipsdebug=none
	plutodebug=none
	virtual_private=%v4:10.0.0.0/8,%v4:172.28.0.0/14
conn %default
	leftrsasigkey=%cert
	rightrsasigkey=%cert
	keyexchange=ike
	ikelifetime=28800s
	keylife=86400s
	compress=yes
conn roadwarrior-all
	leftsubnet=0.0.0.0/0
	also=roadwarrior
conn roadwarrior-net
	leftsubnet=192.168.42.0/24
	also=roadwarrior
conn roadwarrior
	authby=secret
	left=%defaultroute
	right=%any
	rightsubnet=vhost:%no,%priv
	auto=add
	pfs=yes
ipsec.conf on the roadwarrior:
conn roadwarrior
	left=%any
	right=68.46.xxx.xxx
	rightsubnet=192.168.42.0/24
	network=auto
	auto=start
	pfs=yes
conn roadwarrior-net
	left=%any
	right=68.46.xxx.xxx
	rightsubnet=192.168.42.0/24
	network=auto
	auto=start
	pfs=yes
I used the MMC snap-in to add the pre-shared key to these connections.
The log entries in /var/log/messages:
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: packet from 68.54.xxx.xxx:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[5] 68.54.xxx.xxx #6: responding to Main Mode from unknown peer 68.54.xxx.xxx
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[5] 68.54.xxx.xxx #6: Peer ID is ID_IPV4_ADDR: '172.28.42.170'
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: deleting connection "roadwarrior" instance with peer 68.54.xxx.xxx {isakmp=#0/ipsec=#0}
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: sent MR3, ISAKMP SA established
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior-net"[3] 68.54.xxx.xxx #7: responding to Quick Mode
Feb 20 20:11:41 pcp03822184pcs pluto[2959]: "roadwarrior-net"[3] 68.54.xxx.xxx #7: IPsec SA established {ESP=>0xa42bf2ad <0x032fce0a}
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: received Delete SA(0xa42bf2ad) payload: deleting IPSEC State #7
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: deleting connection "roadwarrior-net" instance with peer 68.54.xxx.xxx {isakmp=#0/ipsec=#0}
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: received Delete SA payload: deleting ISAKMP State #6
Feb 20 20:11:57 pcp03822184pcs pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx: deleting connection "roadwarrior" instance with peer 68.54.xxx.xxx {isakmp=#0/ipsec=#0}
Output of ipsec auto status:
ipsec auto: warning: obsolete command syntax used
000 interface lo/lo ::1
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.42.10
000 interface eth0/eth0 192.168.42.10
000 interface eth1/eth1 68.46.xxx.xxx
000 interface eth1/eth1 68.46.xxx.xxx
000 %myid = (none)
000 debug none
000
000 "roadwarrior": 68.46.xxx.xxx---68.46.xxx.xxx...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 32,32; interface: eth1;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-all": 0.0.0.0/0===68.46.xxx.xxx---68.46.xxx.xxx...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior-all": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-all": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32; interface: eth1;
000 "roadwarrior-all": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": 192.168.42.0/24===68.46.xxx.xxx---68.46.xxx.xxx...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior-net": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "roadwarrior-net": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,32; interface: eth1;
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
I can get the tunnel/SA established, however there is no routing going
on at all: I cannot ping any hosts behind the VPN gateway, nor can the
VPN gateway or a host behind it ping the 172 host.
Any help or advice would be appreciated.
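An added troubleshooting aid for reading a pluto log like the one above (example code written for this page, not from the poster or from Openswan): it pairs each "SA established" line with the Delete payload that later tears it down and reports how long each SA lived, so a tunnel that comes up cleanly and is dropped by the peer seconds later, as happens here, is flagged as a traffic or routing problem rather than an IKE failure. The sample log is constructed from the poster's excerpt with the hostname shortened to "gw", and the year 2005 is assumed from the post date because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the poster's pluto log, rejoined onto single lines
# (hostname shortened to "gw"; addresses are the poster's masked values).
SAMPLE_LOG = """\
Feb 20 20:11:41 gw pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: sent MR3, ISAKMP SA established
Feb 20 20:11:41 gw pluto[2959]: "roadwarrior-net"[3] 68.54.xxx.xxx #7: responding to Quick Mode
Feb 20 20:11:41 gw pluto[2959]: "roadwarrior-net"[3] 68.54.xxx.xxx #7: IPsec SA established {ESP=>0xa42bf2ad <0x032fce0a}
Feb 20 20:11:57 gw pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: received Delete SA(0xa42bf2ad) payload: deleting IPSEC State #7
Feb 20 20:11:57 gw pluto[2959]: "roadwarrior"[6] 68.54.xxx.xxx #6: received Delete SA payload: deleting ISAKMP State #6
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<state>\d+): (?P<msg>.*)$')
DELETE_RE = re.compile(r'deleting (?:IPSEC|ISAKMP) State #(?P<state>\d+)')

def parse_ts(ts, year=2005):
    """Syslog timestamps carry no year; 2005 is assumed from the post date."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def sa_lifetimes(log_text):
    """Map each established SA's state number to (conn, kind, seconds alive);
    seconds is None when the log ends with the SA still up."""
    up, result = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # vendor-ID chatter and other non-state lines
        conn, state, msg = m["conn"], int(m["state"]), m["msg"]
        t = parse_ts(m["ts"])
        if msg.endswith("ISAKMP SA established"):
            up[state] = (conn, "ISAKMP", t)
        elif msg.startswith("IPsec SA established"):
            up[state] = (conn, "IPsec", t)
        d = DELETE_RE.search(msg)
        if d and int(d["state"]) in up:
            conn0, kind, t0 = up.pop(int(d["state"]))
            result[int(d["state"])] = (conn0, kind, (t - t0).total_seconds())
    for state, (conn0, kind, _) in up.items():
        result[state] = (conn0, kind, None)
    return result

def short_lived(log_text, threshold_s=60):
    """State numbers of SAs the peer tore down within threshold_s seconds.
    In the poster's log both SAs live 16 s: IKE succeeded, then the peer gave up."""
    return sorted(s for s, (_, _, life) in sa_lifetimes(log_text).items()
                  if life is not None and life < threshold_s)
```

Run it against the real /var/log/messages by passing the file contents to short_lived(); a non-empty result with no "failed" or "INVALID" lines in between is the signature of a tunnel that negotiates but carries no traffic.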