[Openswan Users]

Paul Wouters paul at xelerance.com
Tue Apr 25 06:07:42 CEST 2006


On Tue, 25 Apr 2006, Gbenga wrote:

> I have been working more on my vpn issue and I am able to establish connection now (at least from the colour and info from lsipsectool). However, I cannot ping nor pass any kind of traffic on the tunnel.
>
> I did ipsec eroute and nothing show up.

That's odd. Though it could be that it establishes and then gets deleted again.
Can you check the openswan logs to see what happened? (Don't add plutodebug=
or klipsdebug= statements!)

> On the lsipsectool configuration page, I had to have the Private Address/Network Mask as the same Remote Internal IP otherwise, I could not establish connection. I wonder why?? I thought that should be the internal network address.

It needs to be the INTERNAL IP address of the remote VPN server. The reason
for this is that Microsoft only loads the connection (aka auto=add) and only
brings the vpn up (aka auto=start or ipsec auto --up conn) when there is
traffic for the tunnel. Lsipsectool uses this IP address to generate tunnel
traffic (and to check whether the tunnel is still up).

> The following are the only messages coming into /var/log/messages:

Please disable all this debugging and check again, then show us those logs.
Using klipsdebug=all causes a HUGE amount of logs, mostly unneeded, and
you did not provide it all. (and please don't)

>
> And this from the /var/log/auth.log:

Same here. Lots of pluto debug, but not what we need. Please disable the
debug logging and show us a complete log of a windows connection attempt.

>         klipsdebug="all"
>         plutodebug="all"

We mean it when we say "do not enable this unless a developer tells you to"

> conn syseng
>         left=10.10.1.57
>         leftsubnet=10.10.0.0/16

You cannot do this. left cannot be part of leftsubnet, since you need to be
able to reach left to GET to leftsubnet. But you cannot reach left now
because it is in leftsubnet... you create a loop.

>         leftnexthop=193.95.xxx.xxx
>         leftsourceip=10.10.1.57
>         type=tunnel
>         right=%any
>         rightid=@gbenga
>         rekey=no
>         auto=add

I fear that you might be using port forwarding on this server too, making
it even harder to properly configure.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
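The two configuration problems pointed out in the reply above (debug logging left switched on, and a conn whose left= address sits inside its own leftsubnet=) are easy to miss by eye in a long ipsec.conf. The script below is an added example written for this archive page; it is not code from the thread or from the Openswan project. It lints an ipsec.conf for exactly those two conditions. The sample file it writes is constructed from the settings quoted in the thread (the debug lines are assumed to live in the "config setup" section, and the elided leftnexthop value is kept as posted); the containment check is IPv4 only and treats a bare address as a /32.

```shell
#!/bin/sh
# Added example (not from the thread or the Openswan project): a small lint
# for ipsec.conf that flags (1) plutodebug=/klipsdebug= left enabled and
# (2) a conn whose left= address lies inside its own leftsubnet=.
# IPv4 only; a subnet without /bits is treated as /32.

# ip2int 10.10.1.57 -> 168427833 (dotted quad to a 32-bit integer)
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS -> exit 0 if ADDR lies inside NET/BITS, else 1
in_subnet() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    if [ "$bits" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# conn_value FILE SECTION KEY -> prints KEY's value (quotes stripped) from the
# "conn SECTION" or "config SECTION" block; prints nothing if it is absent
conn_value() {
    awk -v c="$2" -v k="$3" '
        /^(conn|config)[ \t]+/ { inblk = ($2 == c); next }
        inblk && index($0, k "=") {
            line = $0; sub(/^[ \t]*/, "", line)
            split(line, kv, "=")
            if (kv[1] == k) { gsub(/"/, "", kv[2]); print kv[2]; exit }
        }' "$1"
}

# lint_ipsec_conf FILE -> prints one WARN line per problem, exit 1 if any found
lint_ipsec_conf() {
    bad=0
    for key in plutodebug klipsdebug; do
        val=$(conn_value "$1" setup "$key")
        case $val in
            ""|none) ;;
            *) echo "WARN: config setup: $key=$val (leave debugging off unless a developer asks for it)"
               bad=1 ;;
        esac
    done
    for conn in $(sed -n 's/^conn[[:space:]][[:space:]]*//p' "$1"); do
        left=$(conn_value "$1" "$conn" left)
        subnet=$(conn_value "$1" "$conn" leftsubnet)
        # only dotted quads are checked; %any, %defaultroute and hostnames are skipped
        case $left in ""|*[!0-9.]*) continue ;; esac
        case $subnet in ""|*[!0-9./]*) continue ;; esac
        if in_subnet "$left" "$subnet"; then
            echo "WARN: conn $conn: left=$left lies inside leftsubnet=$subnet (left must be reachable outside the subnet it serves)"
            bad=1
        fi
    done
    return $bad
}

# write_sample_conf FILE: constructed ipsec.conf reproducing the posted settings
# (debug on in config setup, left inside leftsubnet); not a captured real file
write_sample_conf() {
    cat > "$1" <<'EOF'
version 2.0

config setup
        klipsdebug="all"
        plutodebug="all"

conn syseng
        left=10.10.1.57
        leftsubnet=10.10.0.0/16
        leftnexthop=193.95.xxx.xxx
        leftsourceip=10.10.1.57
        type=tunnel
        right=%any
        rightid=@gbenga
        rekey=no
        auto=add
EOF
}

# Stand-alone run: lint the constructed sample (three warnings are expected)
sample=$(mktemp)
write_sample_conf "$sample"
if lint_ipsec_conf "$sample"; then echo "no problems found"; fi
rm -f "$sample"
```

Run it against a real file with `lint_ipsec_conf /etc/ipsec.conf` after sourcing the script; the awk in conn_value only looks at the first matching key in a block, so a key repeated inside one conn is reported from its first occurrence.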

