[Openswan Users]
Gateway-to-gateway VPN (openswan 2.x linux box / checkpoint vpn-1 r55 / ipsec / psk)
Rivanor Soares (web_knows)
rivanor at gmail.com
Wed Jun 28 23:35:51 CEST 2006
Hello,
I have the following scenario:
    openswan linux box                         checkpoint vpn-1 (r55)
    192.168.41.0/24 ===== 69.a.b.c ............ 69.x.y.z ===== 69.q.w.e/32

and another tunnel:

    openswan linux box                         checkpoint vpn-1 (r55)
    192.168.41.0/24 ===== 69.a.b.c ............ 69.x.y.z ===== 69.p.o.i/32

In this environment 192.168.41.0/24 must access 69.q.w.e/32, and 69.p.o.i/32
must access 192.168.41.0/24.
With this 'ipsec.conf':
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        interfaces="ipsec0=eth0"        # KLIPS-style virtual interface bound to eth0
        klipsdebug="none"
        plutodebug="control parsing"

# 192.168.41.0/24 (behind this box, "right") <-> 69.q.w.e/32 (behind the Checkpoint, "left")
conn net-sercom-net-dedalus
        type=tunnel
        left=69.x.y.z                   # Checkpoint VPN-1 gateway
        leftsubnet=69.q.w.e/32
        right=69.a.b.c                  # this openswan box
        rightsubnet=192.168.41.0/24
        keyexchange=ike
        ikelifetime=1440m               # Phase 1 (ISAKMP SA) lifetime
        auth=esp
        pfs=no
        esp=3des-md5-96                 # Phase 2 proposal
        authby=secret                   # PSK, looked up in ipsec.secrets
        auto=start
        ike=3des-md5-modp1024           # Phase 1 proposal

# 192.168.41.0/24 <-> 69.p.o.i/32: same peer, same proposals, second /32 host
conn net-dedalus-net-sercom
        type=tunnel
        left=69.x.y.z                   # Checkpoint VPN-1 gateway
        leftsubnet=69.p.o.i/32
        right=69.a.b.c                  # this openswan box
        rightsubnet=192.168.41.0/24
        keyexchange=ike
        ikelifetime=1440m
        auth=esp
        pfs=no
        esp=3des-md5-96
        authby=secret
        auto=start
        ike=3des-md5-modp1024

include /etc/ipsec.d/examples/no_oe.conf
I got the following with 'ipsec auto --status':
000 #30: "net-dedalus-net-company":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27203s; newest IPSEC; eroute owner
000 #30: "net-dedalus-net-company" esp.8ce2537c at 69.x.y.z esp.4ce235c5@69.a.b.c tun.1004 at 69.x.y.z tun.1003 at 69.a.b.c
000 #25: "net-company-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85086s; nodpd
000 #5: "net-company-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84445s; nodpd
000 #1: "net-company-net-dedalus":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83780s; nodpd
000 #29: "net-company-net-dedalus":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26998s; newest IPSEC; eroute owner
000 #29: "net-company-net-dedalus" used 622s ago; esp.ed030061 at 69.x.y.z esp.4ce235c4 at 69.a.b.c tun.1002 at 69.x.y.z tun.1001 at 69.a.b.c
000 #28: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85171s; nodpd
000 #33: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85856s; newest ISAKMP; nodpd
000 #32: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85554s; nodpd
000 #31: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85215s; nodpd
000 #4: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84430s; nodpd
000 #16: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84784s; nodpd
And ipsec barf says:
Jun 28 22:29:05 ligerinho pluto[12798]: "net-company-net-dedalus" #35: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1d5dc313 (perhaps this is a duplicated packet)
Jun 28 22:29:05 ligerinho pluto[12798]: "net-company-net-dedalus" #35: sending encrypted notification INVALID_MESSAGE_ID to 69.x.y.z:500
Jun 28 22:29:05 ligerinho pluto[12798]: | sending 60 bytes for notification packet through eth0:500 to 69.x.y.z:500:
The actual status is:
I can't ping the peers (69.q.w.e/32), but I can see the ESP packets passing
between the gateways. I don't have any firewall rule that may drop packets,
so all protocols and ports are allowed in these tunnels. The Checkpoint
gateway receives packets saying 'INVALID_MESSAGE_ID'.
So my question is:
How can I avoid this? What's wrong, that the traffic is not flowing?
Thanks in advance.
--
Rivanor
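The `ipsec auto --status` listing above is the first thing to read when a tunnel shows ESP on the wire but passes no traffic: a connection needs an established Phase 2 (Quick Mode) SA that is the "eroute owner" before the kernel will route anything into it, and a pile of concurrent Phase 1 (Main Mode) SAs on one conn means the peer keeps renegotiating. The following is an added example, not code from the post or from Openswan: it parses Pluto state lines of the format shown above and flags, per connection, the conditions that stop traffic. The sample input is the status output from the post, unwrapped; the function and class names are this example's own.

```python
"""Summarise Pluto `ipsec auto --status` output per connection and flag
the states under which traffic cannot flow (added example, not Openswan code)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the status lines quoted in the post, joined back onto
# single lines (the mail archive wrapped them).
SAMPLE_STATUS = """\
000 #30: "net-dedalus-net-company":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27203s; newest IPSEC; eroute owner
000 #30: "net-dedalus-net-company" esp.8ce2537c at 69.x.y.z esp.4ce235c5@69.a.b.c tun.1004 at 69.x.y.z tun.1003 at 69.a.b.c
000 #25: "net-company-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85086s; nodpd
000 #5: "net-company-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84445s; nodpd
000 #1: "net-company-net-dedalus":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83780s; nodpd
000 #29: "net-company-net-dedalus":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26998s; newest IPSEC; eroute owner
000 #29: "net-company-net-dedalus" used 622s ago; esp.ed030061 at 69.x.y.z esp.4ce235c4 at 69.a.b.c tun.1002 at 69.x.y.z tun.1001 at 69.a.b.c
000 #28: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85171s; nodpd
000 #33: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85856s; newest ISAKMP; nodpd
000 #32: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85554s; nodpd
000 #31: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 85215s; nodpd
000 #4: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84430s; nodpd
000 #16: "net-sercom-net-dedalus":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84784s; nodpd
"""

# One Pluto state line: '000 #<n>: "<conn>"[:port] STATE_xxx (<desc>); <flag>; <flag>...'
# The SPI/tunnel detail lines and the 'used Ns ago' lines carry no STATE_ and are skipped.
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?::\d+)? '
    r'(?P<state>STATE_[A-Z0-9_]+) \((?P<desc>[^)]*)\);(?P<rest>.*)$'
)


@dataclass
class ConnStatus:
    isakmp: List[int] = field(default_factory=list)   # established Phase 1 SA numbers
    ipsec: List[int] = field(default_factory=list)    # established Phase 2 SA numbers
    newest_ipsec: Optional[int] = None
    eroute_owner: Optional[int] = None                # Phase 2 SA the kernel routes into
    dpd: bool = True                                  # False once a line says 'nodpd'


def parse_status(text: str) -> Dict[str, ConnStatus]:
    conns: Dict[str, ConnStatus] = defaultdict(ConnStatus)
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        num = int(m['num'])
        st = conns[m['conn']]
        flags = [f.strip() for f in m['rest'].split(';')]
        if 'nodpd' in flags:
            st.dpd = False
        if m['state'].startswith(('STATE_MAIN_', 'STATE_AGGR_')):
            if 'ISAKMP SA established' in m['desc']:
                st.isakmp.append(num)
        elif m['state'].startswith('STATE_QUICK_'):
            if 'IPsec SA established' in m['desc']:
                st.ipsec.append(num)
                if 'newest IPSEC' in flags:
                    st.newest_ipsec = num
                if 'eroute owner' in flags:
                    st.eroute_owner = num
    return dict(conns)


def diagnose(conns: Dict[str, ConnStatus]) -> Dict[str, List[str]]:
    """Return, per connection, the findings that explain missing traffic."""
    findings: Dict[str, List[str]] = {}
    for name, st in conns.items():
        notes = []
        if not st.ipsec:
            notes.append('no established IPsec SA: Phase 2 never completed, so no eroute and no traffic')
        elif st.eroute_owner is None:
            notes.append('IPsec SA established but no eroute owner: kernel policy not installed')
        if len(st.isakmp) > 1:
            notes.append(f'{len(st.isakmp)} concurrent ISAKMP SAs: the peer keeps re-running Phase 1')
            if not st.dpd:
                notes.append('nodpd: stale ISAKMP SAs are never detected and torn down')
        findings[name] = notes
    return findings


if __name__ == '__main__':
    for conn, notes in diagnose(parse_status(SAMPLE_STATUS)).items():
        print(conn, '->', notes or ['ok'])
```

Run against the post's own output, the script reports "net-sercom-net-dedalus" with six established ISAKMP SAs and no IPsec SA at all, which is the tunnel whose host cannot be pinged: Phase 1 with the Checkpoint completes again and again, but Quick Mode for that /32 never gets to an established state. Feed it `ipsec auto --status` on the live box to watch whether the Phase 2 SA ever appears after the INVALID_MESSAGE_ID notifications.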