[Openswan Users]

Geert Janssens info at kobaltwit.be
Wed Jan 11 16:41:04 CET 2006


On Friday 30 December 2005 20:38, Paul Wouters wrote:
> On Fri, 30 Dec 2005, Geert Janssens wrote:
> > With this setup, a tunnel is established (I get the message "sent QI2,
> > IPsec SA established". However, this configuration is for a network to
> > network tunnel, and I can't even test if it really works, because there
> > is no network behind IpsecPeer2. There is a network behind IpsecPeer1 and
> > in a second phase I would like this network to use the tunnel also, but
> > first I need the two peers to be able to communicate).
> >
> > As far as I could understand the ipsec documentation, to setup a peer to
> > peer connection, the leftsubnet and rightsubnet entries should be
> > removed. However, if I remove the *subnet entries, the connection no
> > longer gets established.
>
Hi,

Thank you for your reply. I tried your suggestions, but I still can't get it 
to work.

> That is because there is a special subnet entry for NAT-Traversal. I assume
> you are using portforwarding on one or both sides. So add
Port forwarding is set up on both sides indeed.

> rightsubnet=vhost:%priv,%no on both ends (where right is the remote end)
> and enable nat_traversal=yes in config setup.
>
Nat_traversal was set already.

First I added rightsubnet=vhost:%priv,%no on both sides. When I restarted 
ipsec, the tunnel didn't show up in ipsec auto --status.
So I tried to manually add the routes with 
# ipsec auto --add kobaltwit-to-auxima

This returned an error:
023 virtual IP must only be used with %any and without client

So I also replaced rightid with %any (it was the remote firewall's public 
interface until now). After restarting the routes appear again in ipsec auto 
--status, but I can't up the connection:
[root at chief openswan]# ipsec auto --verbose --up kobaltwit-to-auxima
029 "kobaltwit-to-auxima": cannot initiate connection without knowing peer IP 
address (kind=CK_TEMPLATE)
This at least seems to make sense. Ipsec no longer has a means to figure out 
what remote machine to contact. But how do I solve my issue?
Next I tried to add a rightnexthop parameter to indicate at least the public 
interface of the remote firewall, but the error stays.
I also tried adding a
virtual_private=%v192.168.0.0/24 (or 2.0/24 on the other machine), but this 
doesn't seem to change anything.

At this moment my configurations are set up as follows:
-------------------------------
-ipsec.conf on IpsecPeer1
-------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        plutodebug=all
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:192.168.2.0/24

# Add connections here

#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf

conn kobaltwit-to-auxima
     # Left security gateway, subnet behind it, next hop toward right.
     left=%any
     leftsubnet=vhost:%priv,%no
     leftnexthop=auxima.homeip.net
     leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
     leftrsasigkey=%cert
     leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
     # Right security gateway, subnet behind it, next hop toward left.
     right=%defaultroute
     rightsubnet=192.168.0.0/24
     rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
     rightrsasigkey=%cert
     rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
     auto=add

-------------------------------
-ipsec.conf on IpsecPeer2
-------------------------------
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        plutodebug=all
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/24

# Add connections here

#Disable Opportunistic Encryption
include /etc/openswan/ipsec.d/examples/no_oe.conf

conn kobaltwit-to-auxima
     # Left security gateway, subnet behind it, next hop toward right.
     left=%defaultroute
     leftsubnet=192.168.2.0/24
     leftid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=auxima.homeip.net"
     leftrsasigkey=%cert
     leftcert=/etc/openswan/ipsec.d/certs/auxima-kobaltwit-vpn.pem
     # Right security gateway, subnet behind it, next hop toward left.
     right=%any
     rightsubnet=vhost:%priv,%no
     rightnexthop=kobaltwit.homelinux.com
     rightid="C=BE, L=Grimbergen, O=Kobalt W.I.T., CN=kobaltwit.homelinux.com"
     rightrsasigkey=%cert
     rightcert=/etc/openswan/ipsec.d/certs/kobaltwit-auxima-vpn.pem
     auto=add

What am I doing wrong?

Additionally, is there some good documentation on NAT traversal and port 
forwarding with IPsec? I've searched a lot on the web, but only found two 
small references to it, which don't explain much.

Thank you,

Geert
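As an added example (not part of the message above and not Openswan's own code), a small Python lint that parses an ipsec.conf in the format shown and reports the two conditions behind the errors quoted in the post: a vhost: subnet on a side whose address is not %any (error 023), and a %any side that turns the conn into a template which can only respond, not be brought up with --up (error 029). The sample config is constructed from the IpsecPeer1 conn plus a second conn that mirrors the earlier attempt, using 203.0.113.10 as a placeholder peer address.

```python
import re  # added example: lint an Openswan 2.x ipsec.conf; not Openswan's own code

# Constructed sample: the IpsecPeer1 conn above, plus a conn mirroring the
# earlier attempt (vhost: subnet on a side with a fixed, placeholder address).
SAMPLE = """\
config setup
        nat_traversal=yes
conn kobaltwit-to-auxima
     left=%any
     leftsubnet=vhost:%priv,%no
     right=%defaultroute
     rightsubnet=192.168.0.0/24
conn earlier-attempt
     left=%defaultroute
     leftsubnet=192.168.2.0/24
     right=203.0.113.10
     rightsubnet=vhost:%priv,%no
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored under 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: section header or top-level keyword
            m = re.match(r"(conn|config)\s+(\S+)", line)
            current = sections.setdefault(m.group(2), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def lint(sections):
    """Return [(conn, message)] for the constraints behind errors 023 and 029."""
    findings = []
    for name, conn in sections.items():
        if name == "setup":
            continue
        for side in ("left", "right"):
            addr = conn.get(side, "")
            if conn.get(side + "subnet", "").startswith("vhost:") and addr != "%any":
                findings.append((name, f"{side}subnet=vhost: requires {side}=%any, "
                                       f"got {side}={addr} (cf. error 023)"))
            if addr == "%any":
                findings.append((name, f"{side}=%any makes the conn a template "
                                       "(CK_TEMPLATE): it can respond but not --up (cf. error 029)"))
    return findings
```

Run `lint(parse_ipsec_conf(open("/etc/ipsec.conf").read()))` to check a real file; the kobaltwit-to-auxima conn is flagged only for the template condition, which is exactly the 029 error the post reports.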
