[Openswan Users] Subnets communication?

Peter McGill petermcgill at goco.net
Tue Jun 5 14:36:40 EDT 2007


> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv] 
> Sent: June 5, 2007 2:00 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Subnets communication?
> Importance: High
> 
> Hi again...
> 
> 	Thanks for your help... I can't get communication yet.
> 
> 	Here is my last conf... I'm only using two branches to make it more
> simple...
> 
> 	# /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> 
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> 
> 
> version	2.0	# conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> 	forwardcontrol=yes
> 	nat_traversal=yes
> 	# plutodebug / klipsdebug = "all", "none" or a combination from below:
> 	# "raw crypt parsing emitting control klips pfkey natt x509 private"
> 	# eg:
> 	# plutodebug="control parsing"
> 	#
> 	# Only enable klipsdebug=all if you are a developer
> 	#
> 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> 	# nat_traversal=yes
> 	# 
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> conn branch_40
> 	also=branch_40_shared
> 	rightsubnet=192.168.40.0/24
> 	auto=start
> 
> conn centralbw_50
> 	also=centralbw_50_shared
>  	rightsubnet=192.168.50.0/24
>  	auto=add
> 
> conn branch_40_to_centralbw_50
> 	also=branch_40_shared
>  	leftsubnet=192.168.50.0/24
> 	rightsubnet=192.168.40.0/24
> 	auto=start
> 
> conn centralbw_50_to_branch_40
> 	also=centralbw_50_shared
> 	leftsubnet=192.168.40.0/24
>  	rightsubnet=192.168.50.0/24
>  	auto=add
> 
> conn branch_40_shared
>  	authby=secret
>  	compress=no
>  	ikelifetime=240m
>  	keyexchange=ike
>  	keylife=60m
>  	left=208.70.149.161
>  	leftnexthop=208.70.149.166
>  	pfs=yes
>  	right=190.53.0.113
>  	rightnexthop=190.53.0.1
> 
> conn centralbw_50_shared
>  	authby=secret
>  	compress=no
>  	ikelifetime=240m
>  	keyexchange=ike
>  	keylife=60m
>  	left=208.70.149.161
>  	leftnexthop=208.70.149.166
>         pfs=yes
>  	right=%any
> 
> 
> In auth.log I see that conn branch_40_shared starts fine, but I need to
> manually start conn centralbw_50_shared from the Linksys router, and then
> the conns between them don't start...

First off, the shared conns should never be started; they're not
real conns, just shared information used by other conns.
Also, it would be easier to test with the static IP sites, rather than
centralbw. With centralbw, the Linksys must initiate the connection for it to work.

Show us these outputs.
ipsec version
ipsec verify
ipsec eroute

Lastly, restart openswan, and reconnect the linksys tunnels.
Get the restart and connect logs by...
egrep -e 'pluto' /var/log/*
Filter by date/time to only get the recent restart and connections.

Peter
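As an added illustration of the point about `also=` sections (this is example code, not part of the thread and not Openswan's own code): a small checker that parses the classic ipsec.conf layout, resolves `also=` references the way Openswan does (a conn's own settings win, then each `also` in order), and reports the kinds of mistakes discussed above. The function names (`parse_conf`, `resolve`, `check`) are my own; `SAMPLE_CONF` is a constructed sample modelled on the quoted config, with the `%4:` typo in `virtual_private` reproduced on purpose and a deliberately dangling `also=missing_shared` so both checks fire.

```python
"""Sanity checker for an Openswan-style ipsec.conf (added example, not Openswan code)."""
import re

# Constructed sample modelled on the config quoted in the thread. The
# '%4:' typo and the dangling also=missing_shared are deliberate.
SAMPLE_CONF = """\
version 2.0

config setup
\tforwardcontrol=yes
\tnat_traversal=yes
\tvirtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12

conn branch_40
\talso=branch_40_shared
\trightsubnet=192.168.40.0/24
\tauto=start

conn branch_40_shared
\tauthby=secret
\tleft=208.70.149.161
\tright=190.53.0.113

conn centralbw_50
\talso=missing_shared
\trightsubnet=192.168.50.0/24
\tauto=add
"""

# A virtual_private entry looks like %v4:NET/PREFIX or %v6:NET/PREFIX,
# optionally negated with '!' after the colon.
VP_ENTRY = re.compile(r'^%v[46]:!?\S+$')


def parse_conf(text):
    """Return {(kind, name): {key: value}} for 'config' and 'conn' sections.

    A section header is a non-indented 'conn NAME' or 'config setup' line;
    its body is every following indented key=value line (comments stripped).
    Repeated also= lines are collected into a list under the 'also' key.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] in ('conn', 'config') and len(parts) == 2:
                current = (parts[0], parts[1])
                sections[current] = {}
            else:
                current = None  # e.g. 'version 2.0' or 'include ...'
            continue
        if current is None or '=' not in line:
            continue
        key, value = (s.strip() for s in line.strip().split('=', 1))
        if key == 'also':
            sections[current].setdefault('also', []).append(value)
        else:
            sections[current][key] = value
    return sections


def resolve(sections, name, seen=frozenset()):
    """Effective settings of conn NAME after expanding its also= references."""
    if name in seen:
        raise ValueError(f'also= loop at conn {name}')
    own = sections.get(('conn', name))
    if own is None:
        raise ValueError(f'conn {name} referenced by also= but not defined')
    effective = {}
    # Earlier also= sections take priority over later ones ...
    for other in own.get('also', []):
        for key, value in resolve(sections, other, seen | {name}).items():
            effective.setdefault(key, value)
    # ... and the conn's own settings override everything it pulls in.
    for key, value in own.items():
        if key != 'also':
            effective[key] = value
    return effective


def check(text):
    """Return a list of human-readable findings for an ipsec.conf text."""
    sections = parse_conf(text)
    findings = []
    setup = sections.get(('config', 'setup'), {})
    for entry in filter(None, setup.get('virtual_private', '').split(',')):
        if not VP_ENTRY.match(entry):
            findings.append(f"virtual_private entry '{entry}' is malformed "
                            "(expected %v4: or %v6: prefix)")
    for (kind, name), params in sections.items():
        if kind != 'conn':
            continue
        try:
            eff = resolve(sections, name)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        # Naming heuristic: a *_shared template is not a real conn and
        # should not carry auto= (nor be started by hand).
        if name.endswith('_shared') and 'auto' in params:
            findings.append(f"conn {name} is a shared template but has auto={params['auto']}")
        if eff.get('auto') in ('start', 'add'):
            for required in ('left', 'right', 'authby'):
                if required not in eff:
                    findings.append(f"conn {name} (auto={eff['auto']}) lacks {required}")
    return findings


if __name__ == '__main__':
    for finding in check(SAMPLE_CONF):
        print(finding)
```

Run it against a real file by reading the file into `check()`; the parser understands only the section/`also=` layout shown in the thread, not `include` lines or `%default` conns.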


