[Openswan Users] OpenSwan and Cisco. connection fails
lars
lars at hfk-bremen.de
Mon Jul 11 13:56:31 CEST 2005
Hi,
I have an Openswan gateway (based on Debian sarge) that works well when
I am establishing connections to another (similar) Openswan box.
- I tried both a self-compiled Openswan 2.3.1 and Debian's Openswan from
apt-get (testing).
The kernel is a 2.6.11 with the parameters necessary for IPsec:
Jul 11 10:29:39 localhost ipsec__plutorun: Starting Pluto subsystem...
Jul 11 10:29:39 localhost pluto[4052]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jul 11 10:29:39 localhost pluto[4052]: including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 11 10:29:39 localhost pluto[4052]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 11 10:29:39 localhost pluto[4052]: Using Linux 2.6 IPsec interface code
When trying to build a tunnel between a Cisco 3600 and the Openswan box,
the connection always hangs in phase 1 with this error message:
no suitable connection for peer '10.232.254.254'
Jul 11 11:06:47 localhost pluto[5468]: "remote" #1: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:500
This happens when a client with the IP 10.232.254.254 sends an
ICMP message to one of our subnet addresses.
- my ipsec.conf is:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # klipsdebug=none
    #plutodebug="all"
    plutodebug="none"

conn remote
    left=1.2.3.4
    leftsubnet=10.244.3.0/28
    right=x.x.x.x
    # rightsubnetwithin=10.232.100.240
    # I tried different subnet declarations - including rightsubnetwithin -
    # without success
    rightsubnet=10.232.100.0/24
    authby=secret
    pfs=no
    auto=add

include /etc/ipsec.d/examples/no_oe.conf
- the scenario is:
our subnet = 192.168.0.0/24
  ||
  \/
router:
  internal IP: 192.168.0.8
  external IP: 10.244.3.3
  ||
  \/
Openswan gateway:
  internal IP: 10.244.3.1
  external IP: 1.2.3.4
  ||
  \/
Internet
  ||
  \/
Cisco PIX:
  external IP: x.x.x.x
  S-NAT IP: 10.232.100.240
the remote subnet
= I do not know much about it. Everything should be NATed via
10.232.100.240.
Now a client with 10.232.254.254 situated in the remote subnet tries to
connect to, let's say, 10.244.3.6; our internal router switches this
address to 192.168.0.6.
The tunnel isn't being built between the Cisco box and our Openswan box.
I have set up another Openswan box for testing purposes with the
external IP 1.2.3.5 and an internal SNAT address 10.232.100.240.
With this machine I can build the tunnel and connect from a client, e.g.
10.232.100.5, to 10.244.3.6.
So it should not be a problem of the structure, the firewall or so.
The Cisco's admin has tried to set up a testing tunnel with Openswan
and his Cisco - he is getting the same error message.
I think it must be something with the routing from the remote client;
my Openswan box won't build a connection to the peer with the IP
10.232.254.254. I was unfortunately not able to find the right settings
in the ipsec.conf. I tried it with rightsubnetwithin, with other
subnet masks - nothing worked :-(
Does anyone have a suggestion?
Thanks a lot in advance!
Greetings,
lars
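As an added diagnostic (example code written for this page; it is not from the original post and not part of Openswan), the script below parses the posted conn and a Pluto log line of the form quoted above, then reports, for every peer address named in a "no suitable connection for peer" message, whether any conn's rightsubnet (or rightsubnetwithin) covers it, and how wide the rightsubnet would have to be to include it. Pluto emits that message when none of its loaded conns matches the identities the peer proposed, so comparing the reported address against the configured subnets is the first thing to check. The log lines are constructed in the format shown in the post; the parser only handles the indented key=value conn layout used there, and the widened prefix it suggests says nothing about what the Cisco side is actually configured to propose.

```python
"""Check which ipsec.conf conn (if any) covers a peer address that Pluto
rejected with "no suitable connection for peer".

Added example for this page, not Openswan's own code.
"""
import ipaddress
import re

# The conn as posted (rightsubnetwithin left commented out, as in the post).
IPSEC_CONF = """\
version 2.0

config setup
    plutodebug="none"

conn remote
    left=1.2.3.4
    leftsubnet=10.244.3.0/28
    right=x.x.x.x
    # rightsubnetwithin=10.232.100.240
    rightsubnet=10.232.100.0/24
    authby=secret
    pfs=no
    auto=add
"""

# Constructed log lines in the syslog format shown in the post; the peer
# address is the one the post reports.
PLUTO_LOG = """\
Jul 11 11:06:47 localhost pluto[5468]: "remote" #1: no suitable connection for peer '10.232.254.254'
Jul 11 11:06:47 localhost pluto[5468]: "remote" #1: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:500
"""

PEER_RE = re.compile(r"no suitable connection for peer '([0-9a-fA-F.:]+)'")


def parse_conns(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf.

    Section headers sit at column 0, parameters are indented; '#' starts a
    comment (values containing '#' are not handled by this minimal parser).
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header such as "conn remote"
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip().strip('"')
    return conns


def peer_networks(conn):
    """Right-side networks a peer's proposed client ID must fall inside."""
    return [ipaddress.ip_network(conn[k], strict=False)
            for k in ("rightsubnet", "rightsubnetwithin") if k in conn]


def rejected_peers(log):
    """Peer addresses Pluto reported as having no suitable connection."""
    return [m.group(1) for m in PEER_RE.finditer(log)]


def matching_conns(conns, peer):
    """Names of conns whose right-side subnet(s) contain `peer`."""
    addr = ipaddress.ip_address(peer)
    return sorted(name for name, conn in conns.items()
                  if any(addr in net for net in peer_networks(conn)))


def widen_to_cover(network, peer):
    """Smallest supernet of `network` that also contains `peer`."""
    addr = ipaddress.ip_address(peer)
    net = ipaddress.ip_network(network, strict=False)
    if addr.version != net.version:
        raise ValueError("address family mismatch")
    while addr not in net:
        net = net.supernet()
    return net


def diagnose(conf_text, log_text):
    """Map each rejected peer address to the conns that would accept it."""
    conns = parse_conns(conf_text)
    return {peer: matching_conns(conns, peer) for peer in rejected_peers(log_text)}


if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    for peer, names in diagnose(IPSEC_CONF, PLUTO_LOG).items():
        if names:
            print(f"{peer}: covered by {', '.join(names)}")
            continue
        for name, conn in conns.items():
            for net in peer_networks(conn):
                print(f"{peer}: outside {name}'s {net}; "
                      f"{widen_to_cover(net, peer)} would be needed to cover it")
```

Run against the posted conn, the script reports that 10.232.254.254 lies outside rightsubnet 10.232.100.0/24 and that the narrowest prefix covering both is 10.232.0.0/16; whether that is the right fix depends on what the Cisco side proposes as its local ID in Quick Mode, which the post does not show.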