[Openswan Users] help for site-to-site vpn
Yang Xu
yang at amvia.co.nz
Tue Jun 7 13:02:14 CEST 2005
Hi,
I'm new to Openswan VPN connections, but have already struggled with it for a
few days, please help!
I want to set up a VPN connection between two sites and authenticate by
PSK.
Both sides are running Fedora Core 3
Kernel version: 2.6.11
Openswan 2.3.0
ipsec-tools: 0.5.2
I can get the host-host connection up with correct encryption. I use
tcpdump and ping to get the output below:
[root at racoon ~]# tcpdump dst host 194.0.1.138
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:52:24.571218 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x1)
11:52:26.500382 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x2)
11:52:28.415432 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x3)
And I assume it means the VPN is fine.
The ipsec.conf is below, and both sides have exactly the same ipsec.conf:
[root at racoon ~]# cat /etc/ipsec.conf
version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    overridemtu=1410
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    uniqueids=no
conn %default
    #keyingtries=3
    keyingtries=0
    #compress=yes
    #disablearrivalcheck=no
    #authby=secret
    #type=tunnel
    #keyexchange=ike
    #ikelifetime=240m
    #keylife=60m
    spi=0X200
    esp=3des-md5-96
    espenckey=0X123456789abcd
    espauthkey=0X1234567
    authby=rsasig
#VPN connection between sites
conn sitevpn
    authby=secret
    auto=start
    left=194.0.1.166
    #leftsubnet=192.168.2.0/24
    leftnexthop=194.0.1.138
    right=194.0.1.138
    #rightsubnet=192.168.0.0/24
    rightnexthop=194.0.1.166
    type=tunnel
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
However, as soon as I uncomment the two lines for leftsubnet and
rightsubnet and restart the ipsec service, it seems not to work any more.
I tested with the tcpdump and ping commands; the output is below:
[root at racoon ~]# tcpdump dst host 194.0.1.138
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
11:58:43.151349 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 0
11:58:45.059510 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 1
11:58:46.991116 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 2
Sorry about the long post, and I really appreciate any hints,
because I don't have much knowledge about VPN and IPsec, and actually
just modified the script from some tutorials and examples found on Google.
Thanks in advance
willis
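The following is an added example, not part of the post above and not Openswan code. It parses a trimmed, constructed copy of the posted ipsec.conf (with and without the two subnet lines), derives the traffic selectors of conn sitevpn the way Openswan does (leftsubnet/rightsubnet when set, otherwise the gateway address as a /32), and labels each re-typed capture line as protected or cleartext, together with the conn that covers the flow, if any. It shows why a ping between the two gateway addresses matches the host-to-host policy but not the subnet-to-subnet one, and so leaves in the clear once the subnets are uncommented: the gateways themselves are not inside the selectors. The function names, constant names and the 'cleartext-...' verdict strings are this example's own.

```python
import ipaddress
import re

# Constructed: the relevant lines of the posted ipsec.conf, subnets commented out.
CONF_HOST_TO_HOST = """\
version 2.0
config setup
    interfaces=%defaultroute
conn %default
    keyingtries=0
    authby=rsasig
conn sitevpn
    authby=secret
    auto=start
    left=194.0.1.166
    #leftsubnet=192.168.2.0/24
    right=194.0.1.138
    #rightsubnet=192.168.0.0/24
    type=tunnel
include /etc/ipsec.d/examples/no_oe.conf
"""
# Constructed: the same file with the two subnet lines uncommented.
CONF_SUBNETS = (CONF_HOST_TO_HOST.replace("#leftsubnet", "leftsubnet")
                                 .replace("#rightsubnet", "rightsubnet"))

# The two captures from the post (tcpdump's wrapped lines joined back together).
CAPTURE_HOST_TO_HOST = """\
11:52:24.571218 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x1)
11:52:26.500382 IP 194.0.1.166 > 194.0.1.138: ESP(spi=0xaeaa277f,seq=0x2)
"""
CAPTURE_SUBNETS = """\
11:58:43.151349 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 0
11:58:45.059510 IP 194.0.1.166 > 194.0.1.138: icmp 64: echo reply seq 1
"""

SECTION = re.compile(r"^(config|conn)\s+(\S+)$")
TCPDUMP = re.compile(r"IP (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}):\s*(ESP|icmp)")


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}, folding 'conn %default'
    into every conn the way Openswan does. Indentation is ignored so that a
    copy with stripped leading whitespace (as in the post) still parses."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.split()[0] in ("version", "include"):
            continue
        m = SECTION.match(line)
        if m:
            current = sections.setdefault((m.group(1), m.group(2)), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **values}
            for (kind, name), values in sections.items()
            if kind == "conn" and name != "%default"}


def selectors(conn):
    """Traffic selectors of a tunnel: leftsubnet/rightsubnet when set, otherwise
    the gateway address itself as a /32 (a host-to-host tunnel)."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right


def covering_conn(conns, src, dst):
    """Name of the conn whose selectors match src->dst (either direction), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        left, right = selectors(conn)
        if (s in left and d in right) or (s in right and d in left):
            return name
    return None


def classify_capture(conns, capture):
    """Label each tcpdump line: ESP is 'protected'; a cleartext packet is either
    'cleartext-no-policy' (no conn covers it, so IPsec was never asked to act)
    or 'cleartext-despite-policy' (a conn covers it, which would be a leak)."""
    rows = []
    for line in capture.splitlines():
        m = TCPDUMP.search(line)
        if not m:
            continue
        src, dst, proto = m.groups()
        conn = covering_conn(conns, src, dst)
        if proto == "ESP":
            verdict = "protected"
        elif conn:
            verdict = "cleartext-despite-policy"
        else:
            verdict = "cleartext-no-policy"
        rows.append((src, dst, verdict, conn))
    return rows


if __name__ == "__main__":
    for label, conf, cap in (("host-to-host", CONF_HOST_TO_HOST, CAPTURE_HOST_TO_HOST),
                             ("subnets", CONF_SUBNETS, CAPTURE_SUBNETS)):
        conns = parse_ipsec_conf(conf)
        print(label, "selectors:", [str(n) for n in selectors(conns["sitevpn"])])
        for row in classify_capture(conns, cap):
            print("  ", row)
```

Run stand-alone it prints, for the host-to-host file, selectors 194.0.1.166/32 and 194.0.1.138/32 with every ESP line marked protected, and for the subnet file selectors 192.168.2.0/24 and 192.168.0.0/24 with every echo reply marked cleartext-no-policy. The useful check for a site-to-site setup is therefore a ping from a host inside one subnet to a host inside the other (or `ping -I` from the gateway's inner address), since that is the only traffic the subnet selectors cover.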