[Openswan Users] RE : Openswan 2.4.7 and juniper ns208
Didine
didinux at gmail.com
Thu Dec 7 13:35:08 EST 2006
> Hello,
Salut Jean-Charles,
> According to the logs phase 1 and phase 2 are established.
> Is 194.250.x.x the address of the Juniper or a host address behind the Juniper ?
yep it's the address of the juniper.
> If it is the Juniper address it is normal that you see packets in clear but if it is a host address defined in your "lt85_to_centre" connection configuration, you may have to check the "leftsubnet=" line.
my connexion configuration is :
conn lt85_to_centre
#
#lt85
#
left=212.121.x.x
leftsubnet=10.24.0.0/16
leftnexthop=212.121.x.x
#
#destination
#
right=194.250.x.x
rightsubnet=10.20.1.200/16
auto=start
#type=tunnel
authby=secret
esp=aes128-sha1
#esp=3des-sha1
#keyexchange=ike
#ike=3des-sha1
#ike=aes128-sha-modp1024
ikelifetime=60s
keylife=120s
rekeymargin=10s
#pfs=no
#aggrmode=no
#spi=0x500
#esp=3des-md5-96
>
> As you use netkey, as far as I remember, doing a "tcpdump host xxx" will show you only decrypted packets incoming/coming back to your gateway, for example you will see only replies to ping initiated from your openswan gateway... It is a netkey behavior :s
>
Okay :)
> Anyway... What is the original question ? :)
My question is how can i setup the connexion between my openswan box
and the juniper :) and why my config doesn't work :)
> Cheers,
Thank you :)
> JC
--
Didine
>
> Didine <didinux at gmail.com> a écrit :
>
> Hello,
> I'm a new user of openswan.
> I try to set up a connexion between openswan (Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.
> When i try to setup the link i have the folowing messages.
>
> =====================================================================
> [root at lt85 ~]# ipsec auto --verbose --up lt85_to_centre
> 002 "lt85_to_centre" #11: initiating Main Mode
> 104 "lt85_to_centre" #11: STATE_MAIN_I1: initiate
> 003 "lt85_to_centre" #11: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
> 003 "lt85_to_centre" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 003 "lt85_to_centre" #11: received Vendor ID payload [Dead Peer Detection]
> 003 "lt85_to_centre" #11: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> 002 "lt85_to_centre" #11: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> 002 "lt85_to_centre" #11: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "lt85_to_centre" #11: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I2
> 002 "lt85_to_centre" #11: I did not send a certificate because I do not have one.
> 003 "lt85_to_centre" #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "lt85_to_centre" #11: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I3
> 002 "lt85_to_centre" #11: Main mode peer ID is ID_IPV4_ADDR: '194.250.x.x'
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 002 "lt85_to_centre" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11}
> 117 "lt85_to_centre" #12: STATE_QUICK_I1: initiate
> 002 "lt85_to_centre" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
> =====================================================================
> IPsec SA established ?!
>
> A made a test by sending a ping to the 194.250.x.x.
> A tcpdump shows the following (no ESP msg):
>
> =====================================================================
> [root at lt85 ~]# tcpdump host 194.250.x.x
> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024, seq 55960, length 24
> =====================================================================
>
> Any help is appreciated.
> Thanks a lot.
>
> --
> Didine _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
> ________________________________
Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo! Mail et
son interface révolutionnaire.
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
More information about the Users
mailing list