[Openswan Users] Host-to-Host tunnel problem

Ian Brown ianbrn at gmail.com
Mon Aug 6 06:42:03 EDT 2007


Hello,
I am following the Host-to-Host tunnel example from chapter 4 of
the book:
"Building And Integrating Virtual Private Networks With Openswan" by
P. Wouters and K. Bantoft.

I have two hosts with external IP addresses, but on
**different** networks.
Though the prefix is the same, the range of addresses is different,
since each host belongs to a different range (each range consists of
16 addresses).

To explain what I mean, this is what I have:
one is
200.100.150.108 on 200.100.150.96/28
and the second is:
200.100.150.122 on 200.100.150.112/28


now my /etc/ipsec.conf is this (on both machines):
conn west-east
	left=200.100.150.122
	leftsubnet=200.100.150.112/28
	right=200.100.150.108
	rightsubnet=200.100.150.96/28
	type=tunnel
	leftrsasigkey=0sAQ...
	rightrsasigkey=0sAQN...
	auto=start


In the beginning, when the ipsec service is stopped on both machines,
I can ping each machine from the other.

Now I start the service on both machines:
"service ipsec start"

and running "ipsec auto --status" shows:
---------
on 200.100.150.122
...
...
000 "west-east":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "west-east":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 17s; nodpd
000 #1: pending Phase 2 for "west-east" replacing #0
000
...
...

---------
and on 200.100.150.108
000
000 #1: "west-east":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 5s; nodpd
000 #1: pending Phase 2 for "west-east" replacing #0
000 #2: "west-east":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 19s; lastdpd=-1s(seq in:0 out:0)
000

"service ipsec status" gives:
IPsec running  - pluto pid: 14879
pluto pid 14879
No tunnels up

I tried to create traffic between the machines,
but I cannot ping from one machine to the other.

More data:
on 122
running "ipsec verify" (on both machines) gives:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.5/K2.6.21-rc7 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


And I made sure that iptables **DOES NOT** run on both machines.

What is wrong here? Any ideas?

Rgs,
Ian
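The two things quoted in the post, the conn definition and the pluto status lines, can be triaged mechanically. The Python below is an added example written for this page, not code from Openswan or from the original poster: it reads a conn block and a few `ipsec auto --status` lines (both constructed here from the ones quoted above, with the mail wrapping undone) using a deliberately simplified parser of my own (it handles only `conn NAME` sections and `key=value` lines, not `also=` or `include`), checks the left/right addresses against the declared subnets, and reads off the Phase 1 state. The point it makes from a troubleshooting angle: when the peers sit in STATE_MAIN_I1/STATE_MAIN_R1 with EVENT_RETRANSMIT pending and "newest ISAKMP SA" is #0, IKE Main Mode has not completed and Quick Mode (the "pending Phase 2" line, which is where the subnets are proposed) has not started, so the first thing to confirm is that UDP 500 is actually exchanged in both directions between the hosts.

```python
import ipaddress
import re

# Constructed sample input, modelled on the conn block quoted in the post
# (keys and values copied from it; the RSA keys are left out).
IPSEC_CONF = """
conn west-east
    left=200.100.150.122
    leftsubnet=200.100.150.112/28
    right=200.100.150.108
    rightsubnet=200.100.150.96/28
    type=tunnel
    auto=start
"""

# Constructed sample input, modelled on the "ipsec auto --status" lines from
# host .122 in the post, with the mail client's line wrapping undone.
STATUS_OUTPUT = """
000 "west-east":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "west-east":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 17s; nodpd
000 #1: pending Phase 2 for "west-east" replacing #0
"""


def parse_conn(text):
    """Simplified ipsec.conf reader: returns {conn_name: {key: value}}.
    Handles 'conn NAME' sections and key=value lines only (no also=, no include)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_conn(params):
    """Check left/right against their subnets; returns a list of (severity, message)."""
    ends = {}
    for side in ("left", "right"):
        addr = ipaddress.ip_address(params[side])
        sub = params.get(side + "subnet")
        # Openswan's documented default for an absent leftsubnet/rightsubnet
        # is the endpoint address itself (a host-to-host tunnel).
        net = ipaddress.ip_network(sub) if sub else ipaddress.ip_network(f"{addr}/32")
        ends[side] = (addr, net)
    (la, ln), (ra, rn) = ends["left"], ends["right"]
    findings = []
    if ln.overlaps(rn):
        findings.append(("error", f"leftsubnet {ln} overlaps rightsubnet {rn}"))
    if la in rn or ra in ln:
        findings.append(("error", "an endpoint address lies inside the peer's subnet"))
    if la in ln and ra in rn and (ln.prefixlen < 32 or rn.prefixlen < 32):
        findings.append(("info", f"{la} and {ra} are inside their own declared subnets; "
                                 "host-to-host traffic such as the test pings is selected by this conn"))
    return findings


# Status-line formats as they appear in the post (pluto prefixes every line with "000").
SA_RE = re.compile(r'^000 "([^"]+)":\s+newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":(\d+) (STATE_\w+) \(([^)]*)\); (EVENT_\w+)(?: in (\d+)s)?')


def parse_status(text):
    """Summarise pluto status lines: newest SA numbers and each state object's phase/event."""
    summary = {"newest_isakmp": None, "newest_ipsec": None, "states": []}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            summary["newest_isakmp"] = int(m.group(2))
            summary["newest_ipsec"] = int(m.group(3))
            continue
        m = STATE_RE.match(line)
        if m:
            summary["states"].append({
                "num": int(m.group(1)), "conn": m.group(2), "state": m.group(4),
                "desc": m.group(5), "event": m.group(6),
                "retransmit_in": int(m.group(7)) if m.group(7) else None,
            })
    return summary


def diagnose(summary):
    """Turn the status summary into plain-language triage notes."""
    notes = []
    if summary["newest_isakmp"] == 0:
        notes.append("no ISAKMP (Phase 1) SA has been established yet")
    for st in summary["states"]:
        if st["state"].startswith("STATE_MAIN_") and st["event"] == "EVENT_RETRANSMIT":
            notes.append(f"#{st['num']} is in {st['state']} ({st['desc']}) with a retransmit pending: "
                         "IKE Main Mode is not completing, so confirm with tcpdump on both hosts that "
                         "UDP 500 arrives in both directions before looking at the Phase 2 subnets")
    return notes


if __name__ == "__main__":
    conns = parse_conn(IPSEC_CONF)
    for sev, msg in check_conn(conns["west-east"]):
        print(f"[{sev}] {msg}")
    for note in diagnose(parse_status(STATUS_OUTPUT)):
        print(note)
```

Run against the constructed input, the subnet check reports only the informational finding (the two /28s are adjacent, not overlapping, and each endpoint sits in its own subnet), while the status check reports that no Phase 1 SA exists and that state #1 is retransmitting in Main Mode.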

