[Openswan Users] Problem establishing VPN connection
Alain JUPIN
ajupin at sigmapole.fr
Wed May 10 13:51:19 CEST 2006
Hi,
I have some problems connecting a remote site to my LAN. Here are some
explanations.
On site A, the VPN server is OpenSwan 2.4.4 running on a Gentoo Linux
(with kernel 2.6.15).
I have another site (site B). It can connect to my VPN and the VPN works fine.
So the configuration of OpenSwan (on site A) seems to be OK.
From site C (located in Morocco), it is impossible to connect to site A. I want
to create a LAN-to-LAN connection.
The client is OpenSwan 2.4.4 running on RedHat 9 (kernel 2.4.32 patched
with IPsec for OpenSwan).
For information, this is the network configuration:
Internet <---> Modem/Router ADSL <---> Switch -----> Linux Server
                                         |---> Computer A
                                         | ...
                                         |---> Computer n
So the Linux server at site C is not a gateway between the Internet and the
site C LAN. With this configuration, can I create a LAN-to-LAN VPN?
Actually, when I try to connect to site A from site C, the first step fails.
When I do "/etc/init.d/ipsec start", I get the following in /var/log/messages:
May 10 10:29:44 temara ipsec_setup: KLIPS debug `none'
May 10 10:29:44 temara kernel:
May 10 10:29:44 temara ipsec_setup: KLIPS ipsec0 on eth0 192.168.2.1/255.255.255.0 broadcast 192.168.2.255
May 10 10:29:44 temara ipsec_setup: ...Openswan IPsec started
May 10 10:29:44 temara ipsec_setup: Starting Openswan IPsec 2.4.4...
And when I do "ipsec auto --up sigma-assio":
104 "sigma-assio" #1: STATE_MAIN_I1: initiate (on console)
and nothing else in /var/log/messages.
But in /var/log/messages on site A, I have the following:
May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: received Vendor ID payload [Dead Peer Detection]
May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: received Vendor ID payload [RFC 3947] method set to=109
May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 10 12:38:04 meissa pluto[7314]: packet from 196.206.69.203:500: initial Main Mode message received on 83.206.137.225:500 but no connection has been authorized
On site A, this is the configuration:
conn sigma-assio
left=83.206.137.225
leftsubnet=192.168.1.0/24
leftnexthop=%defaultroute
leftid=@meissa.sigmapole.inet
leftrsasigkey=0sAQN/o....
right=%any
rightsubnet=192.168.2.0/24
rightnexthop=%defaultroute
rightid=@temara.sigmapole.net
rightrsasigkey=0sAQN0....
authby=rsasig
auto=add
And on site C:
conn sigma-assio
left=83.206.137.225
leftsubnet=192.168.1.0/24
leftnexthop=%defaultroute
leftid=@meissa.sigmapole.inet
leftrsasigkey=0sAQN/o....
right=%any
rightsubnet=192.168.2.0/24
rightnexthop=%defaultroute
rightid=@temara.sigmapole.net
rightrsasigkey=0sAQN0iI....
authby=rsasig
auto=add
Any idea to solve my troubles?
Cordially
Alain JUPIN
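The pluto message "initial Main Mode message received on ... but no connection has been authorized" means that pluto on the responder found no loaded conn it could match to the peer's first IKE packet, so the tunnel never gets past phase 1. The script below is an added example (not code from the post or from the Openswan project) that parses the "conn NAME" / "key=value" layout of ipsec.conf and applies general rules pluto imposes on a conn: it must be orientable (left or right must be an address on a local interface), "%any" is only meaningful for the far end and such a conn can only be added rather than started, and authby=rsasig needs a public key for each end. It also diffs the two peers' copies of a LAN-to-LAN conn, which must describe the same ids, keys and subnets. The sample conns are laid out like the ones in the post but the RSA key strings are placeholders and the local address lists are assumptions; it is a checker, not a diagnosis of this particular setup.

```python
"""Sanity checks for Openswan ipsec.conf 'conn' sections.

Added example, not code from the original post or from Openswan. Rules:
  * pluto must orient a conn: left or right must be a local address;
  * %any is learned from the peer, so it is only valid for the far end,
    and a conn with a %any end can only be added (responder), not started;
  * authby=rsasig needs a public key for each end.
Sample conns, local address lists and key strings are constructed here
(keys are placeholders, not real RSA keys).
"""
import ipaddress
import re
from typing import Dict, List

Conn = Dict[str, str]

# Keys that both peers of a LAN-to-LAN conn must describe identically.
PEER_KEYS = ("leftid", "rightid", "leftrsasigkey", "rightrsasigkey",
             "leftsubnet", "rightsubnet")


def parse_conns(text: str) -> Dict[str, Conn]:
    """Collect key=value lines under each 'conn NAME' header."""
    conns: Dict[str, Conn] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        header = re.match(r"^conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def check_conn(conn: Conn, local_addrs: List[str]) -> List[str]:
    """Findings for one conn as loaded on a host owning local_addrs."""
    findings: List[str] = []
    left, right = conn.get("left", "<unset>"), conn.get("right", "<unset>")
    if left not in local_addrs and right not in local_addrs:
        findings.append(f"cannot orient conn: neither left={left} nor "
                        f"right={right} is a local address (%any is only "
                        "valid for the far end)")
    if "%any" in (left, right) and conn.get("auto", "ignore") in ("start", "route"):
        findings.append("an end of %any cannot be initiated; use auto=add")
    if conn.get("authby", "rsasig") == "rsasig":  # rsasig is pluto's default
        for end in ("left", "right"):
            if f"{end}rsasigkey" not in conn:
                findings.append(f"authby=rsasig but {end}rsasigkey is not in the conn")
    if "leftsubnet" in conn and "rightsubnet" in conn:
        ls = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        rs = ipaddress.ip_network(conn["rightsubnet"], strict=False)
        if ls.overlaps(rs):
            findings.append(f"leftsubnet {ls} overlaps rightsubnet {rs}")
    return findings


def compare_peers(a: Conn, b: Conn) -> List[str]:
    """Keys on which the two peers' copies of the same conn disagree."""
    return [f"{k} differs: {a.get(k)!r} vs {b.get(k)!r}"
            for k in PEER_KEYS if a.get(k) != b.get(k)]


def audit(conf_text: str, local_addrs: List[str]) -> Dict[str, List[str]]:
    """Run check_conn over every conn found in conf_text."""
    return {name: check_conn(conn, local_addrs)
            for name, conn in parse_conns(conf_text).items()}


# Constructed sample: responder (site A) conn with placeholder keys.
SITE_A_CONF = """
conn sigma-assio
    left=83.206.137.225
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    leftid=@meissa.sigmapole.inet
    leftrsasigkey=0sPLACEHOLDER-LEFT
    right=%any
    rightsubnet=192.168.2.0/24
    rightnexthop=%defaultroute
    rightid=@temara.sigmapole.net
    rightrsasigkey=0sPLACEHOLDER-RIGHT
    authby=rsasig
    auto=add
"""
# Constructed sample: the same conn copied verbatim onto a host whose only
# address (assumed) is 192.168.2.1, and a variant naming that address as right.
SITE_C_CONF = SITE_A_CONF
SITE_C_CONF_ORIENTED = SITE_A_CONF.replace("right=%any", "right=192.168.2.1")

if __name__ == "__main__":
    for label, text, addrs in (("site A", SITE_A_CONF, ["83.206.137.225"]),
                               ("site C", SITE_C_CONF, ["192.168.2.1"]),
                               ("site C oriented", SITE_C_CONF_ORIENTED, ["192.168.2.1"])):
        for name, found in audit(text, addrs).items():
            print(f"{label} conn {name}: {found or 'ok'}")
    print("peer mismatches:", compare_peers(parse_conns(SITE_A_CONF)["sigma-assio"],
                                            parse_conns(SITE_C_CONF_ORIENTED)["sigma-assio"]) or "none")
```

Run against a real ipsec.conf, the local address list would come from the host's interfaces (for example `ip -4 addr`), and the check that matters most for a host behind a NAT router, as at site C, is orientation: the conn must name an address that host actually owns, not the router's public address and not %any.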