[Openswan Users]
Openswan 1.0.8rc2 tunnel between two DSL gateways with dynamic IPs
Fabian Aichele
faichele at hilarenhaus.hilaritas.de
Wed Jan 5 12:41:44 CET 2005
Hello!
I am trying to connect two OpenSwan IPSec gateways (where both gateways
use a DSL connection with a dynamic IP address) in a gateway-to-gateway
setup. Both are Debian Linux machines with a patched 2.4.20 kernel and
OpenSwan 1.0.8rc2 compiled from source.
The situation looks like this:
192.168.1.128/25 subnet|---|"left" gateway|=============|"right" gateway|192.168.2.0/25 subnet
                                  (DSL)     Internet      (DSL)
I am using X509 certificates for authentication; when I try to bring up
the tunnel I configured, both machines seem to negotiate IPSec
encryption successfully, i.e. ipsec auto --status shows the tunnel has
reached "STATE_MAIN_I4: ISAKMP SA established", but then:
- if I bring up the connection from the left gateway, STATE_QUICK_I1
times out after two retransmissions, and the error message is "No
acceptable response to our first Quick Mode message: perhaps peer likes
no proposal"
- if I bring up the connection from the right gateway, the error message
"route-host command exited with status 7" appears three times in total,
followed by "No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal".
I probably got something wrong with the left/rightsubnet and/or
left/right and/or left/rightnexthop connection parameters, but I can't
figure out what is wrong exactly, and I am out of ideas.
ipsec.conf on both gateways:

config setup
    interfaces=%defaultroute
    #interfaces="ipsec0=ppp0"
    nat_traversal=no
    #virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    klipsdebug=all
    plutodebug=all
    plutoload=%search
    plutostart=%search

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add

conn meintranet
    left=nexus-hv.homelinux.com
    #left=84.130.70.250
    leftnexthop=%defaultroute
    #leftnexthop=217.5.98.110
    x_leftdynamic=yes
    leftcert="/etc/ipsec.d/certs/nexus_ipsec_cert.pem"
    leftid="C=DE, ST=Baden-Wuerttemberg, L=Stuttgart, O=Burschenschaft Hilaritas Stuttgart, OU=Aktivitas, CN=nexus.hilarenhaus.hilaritas.de, E=root at hilarenhaus.hilaritas.de"
    leftsubnet=192.168.1.128/25
    #right=80.138.171.210
    right=me-intranet.homelinux.com
    #rightnexthop=217.5.98.157
    rightcert="/etc/ipsec.d/certs/comstation_ipsec_cert.pem"
    rightid="C=DE, ST=Baden-Wuerttemberg, L=Stuttgart, O=M+E Architekten, OU=Buero Stuttgart, CN=me-intranet.homelinux.com/emailAddress=root at hilarenhaus.hilaritas.de"
    #rightsubnet=192.168.2.0/25
    x_rightdynamic=yes
    auto=add
I am not sure if I configured the connection correctly, since the
documentation only mentions gateway-to-gateway connections with static
IP addresses, whereas my two gateways are connected via a "dial-up" DSL
connection with dynamic IP addresses.
I'd be grateful for any hints or suggestions.
Regards,
Fabian Aichele
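Editor's added example (not part of the original post, and not Openswan code): a small Python parser for the ipsec.conf format quoted above, applying conn %default inheritance and then reporting left*/right* parameters that are set on one side only. The embedded sample is condensed from the post (comments, the x_* keys and the long id= values dropped; rightsubnet left commented out as in the original). The list of mirrored parameters and the idea that one-sided settings deserve a second look are the editor's assumptions; the script does not diagnose the Quick Mode failure, it only makes the asymmetry the poster suspects visible.

```python
import re

# Constructed sample, condensed from the ipsec.conf in the post above.
# rightsubnet is deliberately left commented out, as in the original.
SAMPLE_IPSEC_CONF = """\
config setup
\tinterfaces=%defaultroute
\tnat_traversal=no
\tklipsdebug=all
\tplutodebug=all

conn %default
\tkeyingtries=1
\tcompress=yes
\tauthby=rsasig
\tleftrsasigkey=%cert
\trightrsasigkey=%cert
\tauto=add

conn meintranet
\tleft=nexus-hv.homelinux.com
\tleftnexthop=%defaultroute
\tleftcert="/etc/ipsec.d/certs/nexus_ipsec_cert.pem"
\tleftsubnet=192.168.1.128/25
\tright=me-intranet.homelinux.com
\trightcert="/etc/ipsec.d/certs/comstation_ipsec_cert.pem"
\t#rightsubnet=192.168.2.0/25
\tauto=add
"""

# Section headers start in column 0; parameters are indented key=value lines.
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
PARAM_RE = re.compile(r"^\s+([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")

# Editor's assumption: these left*/right* pairs normally mirror each other
# in a gateway-to-gateway conn, so a value on only one side is worth a look.
MIRRORED = ("subnet", "nexthop", "cert", "id", "rsasigkey")


def parse_ipsec_conf(text):
    """Return {"config": {name: {k: v}}, "conn": {name: {k: v}}}.

    '#' starts a comment, so commented-out parameters are dropped;
    surrounding double quotes on values are removed.
    """
    sections = {"config": {}, "conn": {}}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = sections[kind].setdefault(name, {})
            continue
        m = PARAM_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable ipsec.conf line: {raw!r}")
        key, value = m.groups()
        current[key] = value.strip('"')
    return sections


def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn, the way pluto applies it."""
    conn = dict(sections["conn"].get("%default", {}))
    conn.update(sections["conn"][name])
    return conn


def check_symmetry(conn):
    """List MIRRORED parameters that are set for one side but not the other."""
    findings = []
    for suffix in MIRRORED:
        left, right = conn.get("left" + suffix), conn.get("right" + suffix)
        if (left is None) == (right is None):
            continue
        unset, other, value = (
            ("right", "left", left) if right is None else ("left", "right", right)
        )
        findings.append(
            f"{unset}{suffix} is unset while {other}{suffix}={value}"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for finding in check_symmetry(effective_conn(parsed, "meintranet")):
        print("conn meintranet:", finding)
```

Run against the sample it reports the commented-out rightsubnet and the missing rightnexthop; point it at the real file on each gateway and compare the two reports, since with dynamic addresses both sides are usually run from the same conn definition.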