[Openswan Users] IPSEC connectivity prob
Craig Schneider
craigsc at zdata.co.za
Wed Sep 14 15:59:20 CEST 2005
Hi Guys

I am trying to set up a VPN between two networks via ADSL. There are two
NetGear DG834 routers, one on either side, and I have set them up so they
forward port 500 traffic to the Linux servers on both ends that are
running Debian Woody with FreeSwan.

196.1.2.0/24===196.1.2.254[@toti.barkers.co.za]---196.1.2.100...196.1.1.101---165.165.153.106[@dbn.barkers.co.za]===196.1.1.0/24
Here are my configs for both sides:
----------------------------------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file:  /usr/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/examples

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        interfaces="ipsec0=eth1"

# Add connections here.

# sample VPN connection
#sample# conn sample
#sample#        # Left security gateway, subnet behind it, next hop toward right.
#sample#        left=10.0.0.1
#sample#        leftsubnet=172.16.0.0/24
#sample#        leftnexthop=10.22.33.44
#sample#        # Right security gateway, subnet behind it, next hop toward left.
#sample#        right=10.12.12.1
#sample#        rightsubnet=192.168.0.0/24
#sample#        rightnexthop=10.101.102.103
#sample#        # To authorize this connection, but not actually start it, at startup,
#sample#        # uncomment this.
#sample#        #auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn toti
        left=196.1.1.254
        leftsubnet=196.1.1.0/24
        leftid=@dbn.barkers.co.za
        leftrsasigkey=0sAQN...
        leftnexthop=196.1.1.101
        right=barkerstoti.dyndns.org
        rightsubnet=196.1.2.0/24
        rightid=@toti.barkers.co.za
        rightrsasigkey=0SAQPC...
        rightnexthop=196.1.2.100
        auto=start
Other side:
-------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.11 2003/06/13 23:28:41 sam Exp $
# This file:  /usr/share/doc/freeswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
#
# Help:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/quickstart.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/config.html
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/adv_config.html
#
# Policy groups are enabled by default. See:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/policygroups.html
#
# Examples:
# http://www.freeswan.org/freeswan_trees/freeswan-2.04/doc/examples

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all

# Add connections here.

# sample VPN connection
#sample# conn sample
#sample#        # Left security gateway, subnet behind it, next hop toward right.
#sample#        left=10.0.0.1
#sample#        leftsubnet=172.16.0.0/24
#sample#        leftnexthop=10.22.33.44
#sample#        # Right security gateway, subnet behind it, next hop toward left.
#sample#        right=10.12.12.1
#sample#        rightsubnet=192.168.0.0/24
#sample#        rightnexthop=10.101.102.103
#sample#        # To authorize this connection, but not actually start it, at startup,
#sample#        # uncomment this.
#sample#        #auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn durbs
        left=196.1.2.254
        leftsubnet=196.1.2.0/24
        leftid=@toti.barkers.co.za
        leftrsasigkey=0sAQPC...
        leftnexthop=196.1.2.100
        right=barkersdbn.dyndns.org
        rightsubnet=196.1.1.0/24
        rightid=@dbn.barkers.co.za
        rightrsasigkey=0sAQN...
        rightnexthop=196.1.1.101
        auto=start
Error message from auth.log:
----------------------------------
Sep 14 12:35:26 gw pluto[7516]: "durbs" #1: ERROR: asynchronous network error report on eth0 for message to 165.165.171.126 port 500, complainant 165.165.171.126: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Sep 14 12:35:26 gw pluto[7516]: | next event EVENT_RETRANSMIT in 20 seconds for #1
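Two things a practitioner would check before touching the routers: that the two conn sections really are mirror images of each other (every left* on one gateway equal to the right* on the other, with the RSA key prefix compared the way FreeS/WAN's ttodata() does, i.e. "0s" and "0S" both meaning base64), and what the ICMP in the log actually says. ICMP type 3 code 3 is "destination port unreachable": the IKE packet arrived at the address pluto sent it to, and that host itself (the complainant is the same address as the target) answered that nothing is listening on UDP/500, which points at the port forward on that side or at pluto not listening behind it rather than at the ipsec.conf. The script below is an added example written for this thread, not code from the post or from FreeS/WAN/Openswan; the two conn sections and the log line are constructed copies of what the post shows (keys abbreviated exactly as the post abbreviates them), and the hint wording and the hostname-versus-address "unverified" status are this example's own choices.

```python
"""Cross-check two mirrored FreeS/WAN 'conn' sections and decode the ICMP error
pluto logged.  Added example for this thread (not code from the post or from
FreeS/WAN); configs and log line are constructed copies of what the post shows."""
import re

DBN_CONF = """conn toti
        left=196.1.1.254
        leftsubnet=196.1.1.0/24
        leftid=@dbn.barkers.co.za
        leftrsasigkey=0sAQN...
        leftnexthop=196.1.1.101
        right=barkerstoti.dyndns.org
        rightsubnet=196.1.2.0/24
        rightid=@toti.barkers.co.za
        rightrsasigkey=0SAQPC...
        rightnexthop=196.1.2.100
"""
TOTI_CONF = """conn durbs
        left=196.1.2.254
        leftsubnet=196.1.2.0/24
        leftid=@toti.barkers.co.za
        leftrsasigkey=0sAQPC...
        leftnexthop=196.1.2.100
        right=barkersdbn.dyndns.org
        rightsubnet=196.1.1.0/24
        rightid=@dbn.barkers.co.za
        rightrsasigkey=0sAQN...
        rightnexthop=196.1.1.101
"""
LOG_LINE = ('Sep 14 12:35:26 gw pluto[7516]: "durbs" #1: ERROR: asynchronous '
            'network error report on eth0 for message to 165.165.171.126 port 500, '
            'complainant 165.165.171.126: Connection refused [errno 111, origin '
            'ICMP type 3 code 3 (not authenticated)]')

def parse_conns(text):
    """Return {conn_name: {param: value}}; comments and 'config setup' are skipped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif line.startswith("config "):
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[cur][key.strip()] = value.strip().strip('"')
    return conns

def norm_key(value):
    """ttodata() accepts the encoding prefix in either case ("0s"/"0S" = base64),
    so fold only the prefix; the base64 body itself is case-sensitive."""
    if len(value) >= 2 and value[0] == "0" and value[1] in "sSxXtT":
        return "0" + value[1].lower() + value[2:]
    return value

def cross_check(here, peer):
    """left<x> here must equal right<x> on the peer and vice versa; fixed-order result."""
    results = []
    for suffix in ("", "subnet", "id", "rsasigkey", "nexthop"):
        for a, b in (("left" + suffix, "right" + suffix), ("right" + suffix, "left" + suffix)):
            va, vb = here.get(a), peer.get(b)
            if va is None or vb is None:
                status = "missing"
            elif suffix == "rsasigkey":
                status = "ok" if norm_key(va) == norm_key(vb) else "MISMATCH"
            elif va == vb:
                status = "ok"
            elif suffix == "" and not all(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", v) for v in (va, vb)):
                status = "unverified"  # hostname vs address: DNS would be needed to compare
            else:
                status = "MISMATCH"
            results.append((a, b, status))
    return results

ERR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: ERROR: asynchronous network error report on \S+ '
    r'for message to (?P<dst>[\d.]+) port (?P<port>\d+), complainant '
    r'(?P<src>[\d.]+): .*origin ICMP type (?P<type>\d+) code (?P<code>\d+)')

def classify_pluto_error(line):
    """Decode pluto's ICMP report: what was rejected, by whom, and why."""
    m = ERR_RE.search(line)
    if not m:
        return None
    t, c = int(m["type"]), int(m["code"])
    reason = "port unreachable" if (t, c) == (3, 3) else "ICMP type %d code %d" % (t, c)  # RFC 792
    from_target = m["src"] == m["dst"]   # the rejecting host is the IKE peer address itself
    if reason == "port unreachable" and from_target:
        hint = ("%s was reached but nothing answers UDP/%s there: check the port forward "
                "on that router and that pluto is listening behind it" % (m["dst"], m["port"]))
    else:
        hint = "path problem reported by %s (%s)" % (m["src"], reason)
    return {"conn": m["conn"], "dst": m["dst"], "port": int(m["port"]), "complainant": m["src"],
            "reason": reason, "from_target": from_target, "hint": hint}

if __name__ == "__main__":
    for a, b, status in cross_check(parse_conns(DBN_CONF)["toti"], parse_conns(TOTI_CONF)["durbs"]):
        print("%-15s <-> %-15s %s" % (a, b, status))
```

Run against the two sections as posted, the cross-check reports every mirrored parameter as ok except the two left/right endpoint pairs, which it marks unverified because one side is a dyndns name and the other an address; the only way to settle those is to resolve the names on each gateway and compare with what the diagram and the log show pluto actually sending to. The classifier returns "port unreachable" with from_target set, i.e. the hint above. Note that pluto tags the ICMP "(not authenticated)": it is an unauthenticated network message and could in principle be forged, so confirm it with a packet capture on the far router's WAN side before acting on it.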