[Openswan Users] Tunnel between router and web server running openswan
Langdon Stevenson
langdon at lindenrow.com.au
Wed Jul 4 23:01:36 EDT 2007
Hi Paul
Thanks for the feedback. I have specified the webserver subnet as
suggested and tried the connection. No luck so far.
Below are my config files. They are based on this web page (for a Vigor
2900 to FreeS/WAN connection). I assume that there will be some
differences, but it seemed like a good starting point.
When I run:
[root at dedicated ~]# tcpdump -i eth0 -n -p udp port 500 or udp port 4500
I get the following output:
(note: "vigor" and "server" substituted for IP addresses)
[root at dedicated ~]# tcpdump -i eth0 -n -p udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:58:51.739338 IP vigor.isakmp > server.isakmp: isakmp: phase 1 I ident
16:58:57.724036 IP vigor.isakmp > server.isakmp: isakmp: phase 1 I ident
This output repeats forever. So it looks like the Vigor is getting data
past the firewall, but Openswan never moves on to phase 2.
I have included my config files below. Any comments or suggestions
would be welcomed.
Regards,
Langdon
/etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
# (parameters must be indented under their section header, or ipsec.conf does not parse)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        auto=start
        auth=esp
        authby=secret
        keyingtries=%forever

include /etc/ipsec.d/*.conf
/etc/ipsec.d/webserver-to-vigor.conf
conn vigor
        # LOCAL
        left=%defaultroute          # was "$defaultroute"; the keyword is %defaultroute
        leftsubnet=webserver/32     # single-host "subnet" for the web server
        # REMOTE
        right=vigor
        rightsubnet=192.168.8.0/24  # LAN behind the Vigor (assumed /24; a /32 would cover only the address 192.168.8.0)
        pfs=no
/etc/ipsec.secrets
server vigor: PSK "my_shared_key"
This key has been set on the Vigor router as well.
>> I am new to openswan and need advice on how to proceed.
>>
>> I have a Vigor 2900 router (with static IP) that connects my office's
>> LAN to the Internet.
>
> Vigors have known problems, ensure to run the latest firmware.
>
>> I have a dedicated web server hosted by my ISP (running Fedora Core 4
>> with Openswan 2.4.4-1.0FC4.1 and a static IP)
>>
>> What I would like is to create a VPN tunnel between the Vigor router and
>> the Fedora box, so that I can transfer files to the web server without
>> having to rely on FTP, sshfs or similar (lots of problems with ssh
>> connections dropping out).
>>
>> I spent some time Googling the problem and worked through the examples
>> that I can find. However I have not been able to work out how to
>> configure the connection. Given that there is no LAN behind the web
>> server I am stumped as to how I should proceed.
>
> Configure a subnet-subnet tunnel with yourwebserverip/32 as one of the
> subnets.
>
>> Any advice or pointers to documentation would be greatly appreciated.
>
> The Openswan book (see link below) has a few pages on Vigors and their
> oddities and bugs.
>
> Paul
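The pattern in the tcpdump output above (the Vigor sending "phase 1 I ident" over and over, the server never answering) is easy to spot by hand for two lines, but harder in a long capture. The following small classifier is an added example, not code from this thread or from Openswan: it parses tcpdump's one-line ISAKMP summaries and reports whether the local host is replying at all, whether phase 1 is being exchanged but phase 2 never appears, or whether phase 2 traffic is seen. The host names "vigor" and "server" follow the substitution used in the post; the "healthy" capture is constructed for contrast.

```python
import re

# One tcpdump ISAKMP summary line, e.g.
#   16:58:51.739338 IP vigor.isakmp > server.isakmp: isakmp: phase 1 I ident
# Ports show as service names (isakmp, ipsec-nat-t) with -n, or as numbers with -nn.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?:isakmp|ipsec-nat-t|\d+) > "
    r"(?P<dst>\S+?)\.(?:isakmp|ipsec-nat-t|\d+): isakmp: "
    r"phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>\S+)"
)

def parse(lines):
    """Return (src, dst, phase, role, exchange) for each ISAKMP line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["src"], m["dst"], m["phase"], m["role"], m["exch"]))
    return events

def diagnose(lines, local):
    """Classify the capture from the point of view of the host named `local`."""
    events = parse(lines)
    if not events:
        return "no-isakmp-traffic"
    inbound_p1 = [e for e in events if e[1] == local and e[2] == "1" and e[3] == "I"]
    outbound_p1 = [e for e in events if e[0] == local and e[2] == "1"]
    phase2 = [e for e in events if e[2] == "2/others"]
    if inbound_p1 and not outbound_p1:
        # Peer keeps initiating main mode and pluto never answers: typically
        # the packets are dropped before pluto, or no conn matches the peer.
        return "peer-initiating-no-local-reply"
    if outbound_p1 and not phase2:
        return "phase1-exchanging-no-phase2"
    return "phase2-seen"

# Sample input: the two lines captured in the post (with the banner lines tcpdump prints first).
STUCK_CAPTURE = [
    "tcpdump: verbose output suppressed, use -v or -vv for full protocol decode",
    "listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes",
    "16:58:51.739338 IP vigor.isakmp > server.isakmp: isakmp: phase 1 I ident",
    "16:58:57.724036 IP vigor.isakmp > server.isakmp: isakmp: phase 1 I ident",
]

# Constructed (not captured) example of a negotiation that reaches phase 2.
HEALTHY_CAPTURE = [
    "16:58:51.739338 IP vigor.isakmp > server.isakmp: isakmp: phase 1 I ident",
    "16:58:51.742001 IP server.isakmp > vigor.isakmp: isakmp: phase 1 R ident",
    "16:58:52.001234 IP vigor.isakmp > server.isakmp: isakmp: phase 2/others I oakley-quick[E]",
    "16:58:52.004567 IP server.isakmp > vigor.isakmp: isakmp: phase 2/others R oakley-quick[E]",
]

if __name__ == "__main__":
    print(diagnose(STUCK_CAPTURE, "server"), diagnose(HEALTHY_CAPTURE, "server"))
```

Feed it `tcpdump -i eth0 -n -p udp port 500 or udp port 4500` output read from a file or a pipe; the "peer-initiating-no-local-reply" result is the case described in the post, where the next place to look is pluto's log rather than the Vigor.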