[Openswan Users] Connection to Netscreen 500, no communication

Michael Lavallee mlavalle at hotmail.com
Mon Dec 10 15:30:11 EST 2007


On Thu, 2007-12-06 at 16:29 -0500, Peter McGill wrote:


> Off hand I don't see the problem in your conf or logs here.


We managed to get the VPN up.  At the suggestion of the other party, we
tried to make it a subnet VPN instead of host-to-host.  Here is my
updated /etc/ipsec.d/partner.conf file:

conn partner
  auto=add
  authby=secret
  compress=no
  ike=aes256-sha1-modp1024
  esp=aes256-sha1
  pfs=yes
  left=xxx.xxx.205.212
  leftsubnet=192.168.3.2/32
  right=xxx.xxx.94.73
  rightsubnet=xxx.xxx.220.100/32

This worked.  

117 "partner" #3: STATE_QUICK_I1: initiate
003 "partner" #3: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
004 "partner" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x7f9d974c <0x9fb4d162 xfrm=AES_256-HMAC_SHA1 NATD=none DPD=none}

Now the problem I have is that I can not actually send any packets
through. If I try to "telnet xxx.xxx.220.100" it will reply either that
there is no route to the host, or it will just sit there trying to
connect, and she can not see anything come through at her end of the
tunnel.

I tried adding "leftsourceip=192.168.3.2" and
"rightsourceip=xxx.xxx.220.100" after re-reading the Packt Publishing
book this weekend, but I don't think that's my problem.

I'm not sure if it is just a routing issue, or something else.  I'm
leaning towards one of two things, and I was hoping you might tell me
what you think.  I might be over-complicating things and may just need
to focus on routing for all I know!

The first.  I saw in her netscreen setup the following statement:  
set vpn "mlavalle" gateway "mlavalle" no-replay tunnel idletime 0
proposal "mlavalle"

The no-replay caught my eye, because my box shows a "replay-window 32"
when I run "ip xfrm state".  However, I can't seem to find any way of
changing that.  

The second thing is, the book and some comments I've seen in this
mailing list's history seem to indicate that KLIPS is better than
NETKEY, and I am pretty sure my Fedora 6 box is using NETKEY.  So, I
could either upgrade from Fedora 6 to Fedora 8 and see if there is a bug
that worked itself out, or I could figure out how to recompile the
kernel with KLIPS instead of NETKEY.
