[Openswan Users] RE : Openswan 2.4.7 and juniper ns208

Didine didinux at gmail.com
Thu Dec 7 13:35:08 EST 2006 

> Hello,

Salut  Jean-Charles,

> According to the logs phase 1 and phase 2 are established.
> Is 194.250.x.x the address of the Juniper or a host address behind the Juniper ?

yep it's the address of the juniper.

> If it is the Juniper address it is normal that you see packets in clear but if it is a host address defined in your "lt85_to_centre" connection configuration, you may have to check the "leftsubnet=" line.

my connexion configuration is :

conn lt85_to_centre
        #
        #lt85
        #
        left=212.121.x.x
        leftsubnet=10.24.0.0/16
        leftnexthop=212.121.x.x
        #
        #destination
        #
        right=194.250.x.x
        rightsubnet=10.20.1.200/16
        auto=start
        #type=tunnel
        authby=secret
        esp=aes128-sha1
        #esp=3des-sha1
        #keyexchange=ike
        #ike=3des-sha1
        #ike=aes128-sha-modp1024
        ikelifetime=60s
        keylife=120s
        rekeymargin=10s
        #pfs=no
        #aggrmode=no
        #spi=0x500
        #esp=3des-md5-96



>
> As you use netkey, as far as I remember, doing a "tcpdump host xxx" will show you only decrypted packets incoming/coming back to your gateway, for example you will see only replies to ping initiated from your openswan gateway... It is a netkey behavior :s
>

Okay :)

> Anyway... What is the original question ? :)

My question is how can i setup the connexion between my openswan box
and the juniper :) and why my config doesn't work :)

> Cheers,

Thank you :)

> JC

-- 
Didine

>
> Didine <didinux at gmail.com> a écrit :
>
>  Hello,
> I'm a new user of openswan.
> I try to set up a connexion between openswan  (Linux Openswan U2.4.7/K2.6.18-1.2798.fc6 (netkey)) and a Juniper ns208.
> When i try to setup the link i have the folowing messages.
>
> =====================================================================
> [root at lt85 ~]# ipsec auto --verbose --up lt85_to_centre
> 002 "lt85_to_centre" #11: initiating Main Mode
> 104 "lt85_to_centre" #11: STATE_MAIN_I1: initiate
> 003 "lt85_to_centre" #11: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
> 003 "lt85_to_centre" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 003 "lt85_to_centre" #11: received Vendor ID payload [Dead Peer Detection]
> 003 "lt85_to_centre" #11: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> 002 "lt85_to_centre" #11: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> 002 "lt85_to_centre" #11: discarding packet received during asynchronous work (DNS or crypto) in  STATE_MAIN_I1
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "lt85_to_centre" #11: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I2
> 002 "lt85_to_centre" #11: I did not send a certificate because I do not have one.
> 003 "lt85_to_centre" #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "lt85_to_centre" #11: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "lt85_to_centre" #11: discarding duplicate packet; already STATE_MAIN_I3
> 002 "lt85_to_centre" #11: Main mode peer ID is ID_IPV4_ADDR: '194.250.x.x'
> 002 "lt85_to_centre" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "lt85_to_centre" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha  group=modp1024}
> 002 "lt85_to_centre" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11}
> 117 "lt85_to_centre" #12: STATE_QUICK_I1: initiate
> 002 "lt85_to_centre" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "lt85_to_centre" #12: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x7593622b <0x6859dbc5 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
> =====================================================================
> IPsec SA established ?!
>
> A made a test by sending a ping to the  194.250.x.x.
> A tcpdump shows the following (no ESP msg):
>
> =====================================================================
> [root at lt85 ~]# tcpdump host 194.250.x.x
> 19:48:37.441373 IP lt85.xxx.xxx > 194.250.x.x : ICMP echo request, id 1024, seq 55960, length 24
> =====================================================================
>
> Any help is appreciated.
> Thanks a lot.
>
> --
> Didine  _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
>   		________________________________
  Yahoo! Mail réinvente le mail ! Découvrez le nouveau Yahoo! Mail et
son interface révolutionnaire.
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>

More information about the Users mailing list