[Openswan Users] configuration issues
George Fitz
george at brickyardvfx.com
Tue Jul 19 22:51:40 CEST 2005
Hello fellow IPSEC'ers. If there are any gurus out there who can
help me with a problem, I would be much obliged, as I'm about to put
my head in a bench vice after 10 days of trying unsuccessfully to fix
my network problems.
I have two router/NAT/VPN systems (Fedora core 2) that had been
running Openswan successfully for over a year with a setup like:
LAN1 -- router/VPN1 -- internet -- router/VPN2 -- LAN2. The original
install/setup was fairly painless.
I recently added an additional NIC into VPN1 that was going to be
used for a fallback DSL connection in case our primary internet went
down. I also switched the LAN NIC to a different/newer card. When I
did this, the IPSEC functionality ceased to operate. Now I have no
communications from LAN1-LAN2 and vice-versa. I can't ping and
traceroute doesn't get any farther than the gateway on the machines.
I de-installed the new NIC and the DSL NIC, rechecked my routes and
iptables, but can't seem to get the two networks talking. I've also
upgraded Openswan to 2.3.1 on both machines. I think I have a good
connection through the ipsec software; the logs are below. I've also
made sure that I'm not NATing the packets bound for the other LAN.
I've checked and rechecked my iptables but still no luck. If anyone
sees anything strange in the configs or logs, or has any suggestions,
please let me know. FYI, the NAT functionality continues to work
fine on these machines.
Thanks so much,
George
--------------------------------------------------
router/VPN1:
--------------------------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=all
    nat_traversal=yes
    interfaces="ipsec0=eth0"
# Add connections here.
conn net-to-net
    left=xxx.xxx.xxx.198
    leftsubnet=192.168.41.0/24
    leftrsasigkey=rsa..............
    leftnexthop=xxx.xxx.xxx.193
    right=xxx.xxx.xxx.235
    rightsubnet=192.168.1.0/24
    rightrsasigkey=rsa..............
    rightnexthop=xxx.xxx.xxx.233
    authby=rsasig
    auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
--------------------------------------------------
router/VPN2:
--------------------------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=all
    # plutodebug=all
    nat_traversal=yes
    interfaces="ipsec0=eth0"
# Add connections here
conn net-to-net
    left=xxx.xxx.xxx.235
    leftsubnet=192.168.1.0/24
    leftrsasigkey=rsa..............
    leftnexthop=xxx.xxx.xxx.233
    right=xxx.xxx.xxx.198
    rightsubnet=192.168.41.0/24
    rightrsasigkey=rsa..............
    rightnexthop=xxx.xxx.xxx.193
    authby=rsasig
    auto=start
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
---------------------------------------------------------
ipsec auto --status from router/VPN1:
--------------------------------------------------------
000 "net-to-net": 192.168.41.0/24===xxx.xxx.xxx.198---xxx.xxx.xxx.193...xxx.xxx.xxx.233---xxx.xxx.xxx.235===192.168.1.0/24; erouted; eroute owner: #4
000 "net-to-net": srcip=unset; dstip=unset
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "net-to-net": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #4: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27470s; newest IPSEC; eroute owner
000 #4: "net-to-net" esp.6e8012e2@xxx.xxx.xxx.235 esp.f5d79d85@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198
000 #3: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2269s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26965s
000 #2: "net-to-net" esp.2facde6d@xxx.xxx.xxx.235 esp.84aa6e46@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1771s; lastdpd=-1s(seq in:0 out:0)
000
---------------------------------------------------------
ipsec auto --status from router/VPN2:
--------------------------------------------------------
000 "net-to-net": 192.168.1.0/24===xxx.xxx.xxx.235---xxx.xxx.xxx.233...xxx.xxx.xxx.193---xxx.xxx.xxx.198===192.168.41.0/24; erouted; eroute owner: #4
000 "net-to-net": srcip=unset; dstip=unset
000 "net-to-net": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "net-to-net": newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "net-to-net": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #4: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27034s; newest IPSEC; eroute owner
000 #4: "net-to-net" esp.f5d79d85@xxx.xxx.xxx.198 esp.6e8012e2@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1824s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #3: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27667s
000 #3: "net-to-net" esp.84aa6e46@xxx.xxx.xxx.198 esp.2facde6d@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235
000 #2: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2467s; lastdpd=-1s(seq in:0 out:0)
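As an added diagnostic aid (not part of George's post and not Openswan code): a Python cross-check of the two `ipsec auto --status` dumps above. It pulls the quick-mode SA states and ESP SPIs from each gateway's output and confirms that both ends list the same SPIs, which separates an IKE/ESP failure from the routing, forwarding and NAT-exclusion problems the post suspects. The sample status text is constructed from the dumps above, with wrapped lines rejoined.

```python
import re

# Sample input constructed from the two status dumps in the post above, with
# the mail-wrapped lines rejoined and the archive's " at " restored to "@".
VPN1_STATUS = """\
000 #4: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27470s; newest IPSEC; eroute owner
000 #4: "net-to-net" esp.6e8012e2@xxx.xxx.xxx.235 esp.f5d79d85@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198
000 #3: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2269s; newest ISAKMP
000 #2: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26965s
000 #2: "net-to-net" esp.2facde6d@xxx.xxx.xxx.235 esp.84aa6e46@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198
"""
VPN2_STATUS = """\
000 #4: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27034s; newest IPSEC; eroute owner
000 #4: "net-to-net" esp.f5d79d85@xxx.xxx.xxx.198 esp.6e8012e2@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235
000 #3: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27667s
000 #3: "net-to-net" esp.84aa6e46@xxx.xxx.xxx.198 esp.2facde6d@xxx.xxx.xxx.235 tun.0@xxx.xxx.xxx.198 tun.0@xxx.xxx.xxx.235
"""

# "esp.<spi>@<endpoint>" tokens; the alternation also accepts the " at " munging.
ESP_RE = re.compile(r"esp\.([0-9a-f]+)(?:@| at )(\S+)")
# 000 #<n>: "<conn>":<port> STATE_xxx (<description>)
SA_RE = re.compile(r'^000 #(\d+): "[^"]+":\d+ (STATE_\w+) \(([^)]*)\)')

def esp_spis(status):
    """Set of (spi, endpoint) pairs for every ESP SA the status lists."""
    return set(ESP_RE.findall(status))

def established_ipsec_sas(status):
    """SA numbers whose description says the IPsec (quick-mode) SA is up;
    ISAKMP (main-mode) SAs are deliberately skipped."""
    out = []
    for line in status.splitlines():
        m = SA_RE.match(line)
        if m and "IPsec SA established" in m.group(3):
            out.append(int(m.group(1)))
    return out

def compare_tunnel(local_status, remote_status):
    """Cross-check both ends: IPsec SAs up on each, and the same SPIs on each.
    When that holds, the IKE/ESP layer is not the fault and the search moves
    to routing, ip_forward and the NAT exclusion for the remote subnet."""
    local, remote = esp_spis(local_status), esp_spis(remote_status)
    result = {
        "local_sas": established_ipsec_sas(local_status),
        "remote_sas": established_ipsec_sas(remote_status),
        "only_local": sorted(local - remote),
        "only_remote": sorted(remote - local),
    }
    result["ipsec_layer_ok"] = bool(result["local_sas"] and result["remote_sas"]
                                    and local and local == remote)
    return result
```

Run against the two dumps it reports matching SPIs on both gateways, so the next place to look is the forwarding path rather than the IKE negotiation.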