[Openswan Users]
Gbenga
stjames08 at yahoo.co.uk
Tue Apr 25 10:46:49 CEST 2006
Thanks Paul,
All I am trying to achieve is a VPN connection to that 10.10.0.0/16 network; the VPN server, obviously from my config, is part of the subnet. I have an Internet firewall (iptables) in front of this network, and from there I can NAT IP addresses from the Internet. On this firewall, I have NATed only UDP ports 500 & 4500 to the VPN server, since it is only passing those ports on to the VPN server.
The firewall on the VPN server has been completely disabled until this works.
What is the workable setup for this? I cannot run the VPN on the firewall; it has to be inside the network.
I have changed the parameters you mentioned, actually commented them out and restarted ipsec.
From the lsipsectool debug page:
09:31:30: Starting Tunnel
09:31:31: IKE Encryption: 3des
IKE Integrity: sha1
Remote Gateway Address: 193.95.xxx.xxx
Remote Monitor Address: 10.10.1.57
Remote Network: 10.10.1.57/255.255.0.0
Local Address: 194.165.176.169
Local Network: 194.165.176.169/255.255.255.255
09:31:31: WinSock Version High : 514 Version : 2
09:31:31: Init checkconnThread::Entry()
09:31:34: Comparing 193.95.xxx.xxx = 193.95.xxx.xxx
09:31:36: 0 ECHO REQUEST TO 10.10.1.57 [ FAILED #0 ] [ Unknow Error Code 11010 ]
09:31:36: Comparing 193.95.xxx.xxx = 193.95.xxx.xxx
09:31:36: 1 ECHO REQUEST TO 10.10.1.57 [ OK ]
09:31:36: Comparing 193.95.xxx.xxx = 193.95.xxx.xxx
09:31:39: 2 ECHO REQUEST TO 10.10.1.57 [ FAILED #0 ] [ Unknow Error Code 11010 ]
09:31:39: Comparing 193.95.xxx.xxx = 193.95.xxx.xxx
09:31:41: 3 ECHO REQUEST TO 10.10.1.57 [ FAILED #1 ] [ Unknow Error Code 11010 ]
09:31:41: Comparing 193.95.xxx.xxx = 193.95.xxx.xxx
09:31:44: 4 ECHO REQUEST TO 10.10.1.57 [ FAILED #2 ] [ Unknow Error Code 11010 ]
09:31:44: Comparing 193.95.xxx.xxx = 193.95.xxx.xxx
09:31:46: 5 ECHO REQUEST TO 10.10.1.57 [ FAILED #3 ] [ Unknow Error Code 11010 ]
09:31:46: Comparing 193.95.xxx.xxx = 193.95.xxx.xxx
09:31:46: 6 ECHO REQUEST TO 10.10.1.57 [ OK ]
new ipsec.conf:
# Specify the version of Openswan we are running
version 2

# Global configuration section:
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes
    # klipsdebug="all"
    # plutodebug="all"

# General connection section:
conn %default
    authby=secret
    #authby=secret|rsasig

# Systems Engineering vpn connection definition:
conn syseng
    left=10.10.1.57
    leftnexthop=193.95.xxx.xxx
    leftsourceip=10.10.1.57
    type=tunnel
    right=%any
    rightid=@gbenga
    rekey=no
    auto=add

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

include /etc/ipsec.d/examples/no_oe.conf

# virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.10.0.0/16
# leftsubnet=10.10.0.0/16
Should this be OK?
From /var/log/messages:
Apr 25 10:42:07 aparo pluto[5418]: Changing to directory '/etc/ipsec.d/aacerts'
Apr 25 10:42:07 aparo pluto[5418]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 25 10:42:07 aparo pluto[5418]: Changing to directory '/etc/ipsec.d/crls'
Apr 25 10:42:07 aparo pluto[5418]: Warning: empty directory
Apr 25 10:42:08 aparo pluto[5418]: added connection description "syseng"
Apr 25 10:42:08 aparo pluto[5418]: listening for IKE messages
Apr 25 10:42:08 aparo pluto[5418]: adding interface ipsec0/eth1 10.10.1.57:500
Apr 25 10:42:08 aparo pluto[5418]: adding interface ipsec0/eth1 10.10.1.57:4500
Apr 25 10:42:08 aparo pluto[5418]: loading secrets from "/etc/ipsec.secrets"
Apr 25 10:42:19 aparo pluto[5418]: attempt to redefine connection "syseng"
thanks again.
Gbenga
On Tue, 25 Apr 2006, Gbenga wrote:
> I have been working more on my VPN issue and I am able to establish a connection now (at least from the colour and info from lsipsectool). However, I cannot ping nor pass any kind of traffic on the tunnel.
>
> I did ipsec eroute and nothing shows up.
That's odd. Though it could be it establishes and then gets deleted again.
Can you check the openswan logs to see what happened? (Don't add plutodebug=
or klipsdebug= statements!)
> On the lsipsectool configuration page, I had to have the Private Address/Network Mask as the same Remote Internal IP otherwise, I could not establish connection. I wonder why?? I thought that should be the internal network address.
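As an added check, not code from this thread or from the Openswan project: a small linter that parses an ipsec.conf in the format posted above, applies "conn %default" inheritance, and reports three things a reviewer would look at before exposing a gateway through a NATed UDP 500/4500 forward. The posted conn has leftsubnet commented out, so Openswan negotiates a tunnel whose left selector is the gateway host alone rather than 10.10.0.0/16; right=%any with authby=secret means every peer holding the shared PSK authenticates (rightid picks the conn, it is not a second credential); and nat_traversal=yes with virtual_private commented out means clients behind NAT offering rightsubnet=vhost:%priv are refused. The embedded sample is a constructed, condensed copy of the posted config (the elided 193.95.xxx.xxx next hop is kept as written), and the finding names are this example's own.

```python
"""Lint an Openswan 2.x ipsec.conf for a few pitfalls a reviewer would check.

Added example, not code from the original post or from the Openswan project.
The finding names (wildcard-psk, no-leftsubnet, no-virtual-private) are this
example's own. The embedded sample is a constructed, condensed copy of the
"syseng" conn posted in the thread.
"""
import re

# Constructed sample, condensed from the config in the post (the elided
# 193.95.xxx.xxx next hop is kept as written; the parser does not validate IPs).
SAMPLE_CONF = """\
version 2
config setup
    interfaces="ipsec0=eth1"
    nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.10.0.0/16
conn %default
    authby=secret
conn syseng
    left=10.10.1.57
    leftnexthop=193.95.xxx.xxx
    leftsourceip=10.10.1.57
    type=tunnel
    right=%any
    rightid=@gbenga
    rekey=no
    auto=add
    # leftsubnet=10.10.0.0/16
conn block
    auto=ignore
include /etc/ipsec.d/examples/no_oe.conf
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)$")


def parse_ipsec_conf(text):
    """Return (setup, conns, includes).

    setup: dict of the "config setup" parameters; conns: dict name -> params
    (including "%default"); includes: list of include paths. Comments are
    stripped, so a commented-out parameter is simply absent. Indentation is
    not enforced here, so flattened copies still parse; Openswan itself does
    require parameters to be indented under their section header.
    """
    setup, conns, includes = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            current = setup if kind == "config" else conns.setdefault(name, {})
            continue
        if line.startswith("include "):
            includes.append(line.split(None, 1)[1])
            continue
        if line.startswith("version "):
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return setup, conns, includes


def effective_conns(conns):
    """Apply "conn %default" inheritance; returns name -> merged params."""
    defaults = conns.get("%default", {})
    merged = {}
    for name, params in conns.items():
        if name != "%default":
            merged[name] = {**defaults, **params}
    return merged


def lint(setup, conns):
    """Return a list of (section, code, message) findings."""
    findings = []
    for name, p in effective_conns(conns).items():
        if p.get("auto", "ignore") == "ignore":
            continue  # Openswan's default is auto=ignore: the conn is never loaded
        if p.get("right") == "%any" and p.get("authby") == "secret":
            findings.append((name, "wildcard-psk",
                "right=%any with authby=secret: any peer that reaches UDP/500 "
                "and holds the shared PSK authenticates; rightid selects the "
                "conn, it is not a second factor"))
        if p.get("type", "tunnel") == "tunnel" and "leftsubnet" not in p:
            findings.append((name, "no-leftsubnet",
                "no leftsubnet: the tunnel selector is only the gateway host "
                f"{p.get('left')}, not the LAN behind it"))
    if setup.get("nat_traversal") == "yes" and "virtual_private" not in setup:
        findings.append(("setup", "no-virtual-private",
            "nat_traversal=yes without virtual_private: clients behind NAT "
            "using rightsubnet=vhost:%priv will be refused"))
    return findings


def lint_text(text):
    """Convenience wrapper: parse and lint a config given as a string."""
    setup, conns, _includes = parse_ipsec_conf(text)
    return lint(setup, conns)


if __name__ == "__main__":
    for section, code, msg in lint_text(SAMPLE_CONF):
        print(f"[{code}] {section}: {msg}")
```

Run it as-is to see the three findings for the sample; uncommenting the leftsubnet line in the sample clears the no-leftsubnet finding while the wildcard-psk one stays, which is the point: a correct subnet makes the tunnel useful, but with a %any peer the PSK is the only thing standing between UDP/500 on the firewall and the 10.10.0.0/16 network.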