[Openswan Users] Subnets communication?

IT Dept. it at technovation.com.sv
Tue Jun 5 14:42:48 EDT 2007


Thanks



root at vpn:~# ipsec version
Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
See `ipsec --copyright' for copyright information.
root at vpn:~#


root at vpn:~# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]
root at vpn:~#


root at vpn:~# ipsec eroute
/usr/lib/ipsec/eroute: NETKEY does not support eroute table.
root at vpn:~#


I'll be waiting for your help....my boss wants to hang me...LOL

Regards

	Hector
	

-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: Tuesday, June 5, 2007 12:37 p.m.
To: 'IT Dept.'
CC: users at openswan.org
Subject: RE: [Openswan Users] Subnets communication?

> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv] 
> Sent: June 5, 2007 2:00 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Subnets communication?
> Importance: High
> 
> Hi again...
> 
> 	Thanks for your help....I can't get communication yet.
> 
> 	Here is my latest conf...I'm only using two branches to make it
> simpler...
> 
> 	# /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> 
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> 
> 
> version	2.0	# conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> 	forwardcontrol=yes
> 	nat_traversal=yes
> 	# plutodebug / klipsdebug = "all", "none" or a combination from below:
> 	# "raw crypt parsing emitting control klips pfkey natt x509 private"
> 	# eg:
> 	# plutodebug="control parsing"
> 	#
> 	# Only enable klipsdebug=all if you are a developer
> 	#
> 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> 	# nat_traversal=yes
> 	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> conn branch_40
> 	also=branch_40_shared
> 	rightsubnet=192.168.40.0/24
> 	auto=start
> 
> conn centralbw_50
> 	also=centralbw_50_shared
>  	rightsubnet=192.168.50.0/24
>  	auto=add
> 
> conn branch_40_to_centralbw_50
> 	also=branch_40_shared
>  	leftsubnet=192.168.50.0/24
> 	rightsubnet=192.168.40.0/24
> 	auto=start
> 
> conn centralbw_50_to_branch_40
> 	also=centralbw_50_shared
> 	leftsubnet=192.168.40.0/24
>  	rightsubnet=192.168.50.0/24
>  	auto=add
> 
> conn branch_40_shared
>  	authby=secret
>  	compress=no
>  	ikelifetime=240m
>  	keyexchange=ike
>  	keylife=60m
>  	left=208.70.149.161
>  	leftnexthop=208.70.149.166
>  	pfs=yes
>  	right=190.53.0.113
>  	rightnexthop=190.53.0.1
> 
> conn centralbw_50_shared
>  	authby=secret
>  	compress=no
>  	ikelifetime=240m
>  	keyexchange=ike
>  	keylife=60m
>  	left=208.70.149.161
>  	leftnexthop=208.70.149.166
>         pfs=yes
>  	right=%any
> 
> 
> In auth.log I see that conn branch_40_shared starts fine, but I need to
> manually start conn centralbw_50_shared from the Linksys router, and then
> the conns between them don't start...

First off, the shared conns should never be started; they're not
real conns, just shared information used by other conns.
Also, it would be easier to test with the static IP sites rather than
centralbw. With centralbw, the Linksys must initiate the connection for it to
work.

Show us these outputs.
ipsec version
ipsec verify
ipsec eroute

Lastly, restart openswan, and reconnect the linksys tunnels.
Get the restart and connect logs by...
egrep -e 'pluto' /var/log/*
Filter by date/time to only get the recent restart and connections.

Peter
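For readers following this thread, here is an added example that is not part of the posts above and not Openswan code: a small checker that reads an ipsec.conf, resolves also= the way ipsec.conf(5) describes (keys set in the including conn take precedence over the included section), and reports the mistakes discussed here. It flags an also= template that carries its own auto= (the "shared" conns should never be started), a conn that resolves to right=%any but is set to auto=start (pluto cannot initiate to a wildcard peer, the Linksys has to dial in), two conns that end up with the same subnet pair, and virtual_private entries that are not %v4:/%v6: prefixed, which catches the %4: slip in the posted config. The embedded config is a constructed, trimmed copy of the one posted; the function names (parse, resolve, lint) and the checks are my own.

```python
"""Static checks for an Openswan-style ipsec.conf (added example, not
project code). Section headers start in column 0, parameters are
indented, and also= pulls in another section (ipsec.conf(5))."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the posted ipsec.conf, keeping the
# original '%4:' slip in virtual_private so the check has something to find.
SAMPLE_CONF = """\
version 2.0
config setup
\tnat_traversal=yes
\tvirtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
conn branch_40
\talso=branch_40_shared
\trightsubnet=192.168.40.0/24
\tauto=start
conn centralbw_50
\talso=centralbw_50_shared
\trightsubnet=192.168.50.0/24
\tauto=add
conn branch_40_to_centralbw_50
\talso=branch_40_shared
\tleftsubnet=192.168.50.0/24
\trightsubnet=192.168.40.0/24
\tauto=start
conn centralbw_50_to_branch_40
\talso=centralbw_50_shared
\tleftsubnet=192.168.40.0/24
\trightsubnet=192.168.50.0/24
\tauto=add
conn branch_40_shared
\tleft=208.70.149.161
\tright=190.53.0.113
conn centralbw_50_shared
\tleft=208.70.149.161
\tright=%any
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
VP_TOKEN_RE = re.compile(r"^%v[46]:(!?)(.+)$")


def parse(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # column 0: a section header
            m = SECTION_RE.match(line)
            current = sections.setdefault(m.group(2), {}) if m else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def resolve(conns, name, seen=()):
    """Effective parameters of a conn after following its also= chain."""
    if name in seen:
        raise ValueError("also= loop through %s" % name)
    own = conns.get(name)
    if own is None:
        raise ValueError("also=%s names a conn that is not defined" % name)
    merged = {}
    if "also" in own:
        merged.update(resolve(conns, own["also"], seen + (name,)))
    merged.update((k, v) for k, v in own.items() if k != "also")  # own keys win
    return merged


def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    sections = parse(text)
    conns = {n: s for n, s in sections.items() if n != "setup"}
    findings = []
    # Sections that only exist to be included via also= must not carry auto=.
    templates = {s["also"] for s in conns.values() if "also" in s}
    for t in sorted(templates):
        if t not in conns:
            findings.append("%s: named in also= but never defined" % t)
        elif "auto" in conns[t]:
            findings.append("%s: also= template sets auto=%s" % (t, conns[t]["auto"]))
    seen_pairs = {}
    for name in conns:
        if name in templates:
            continue
        try:
            eff = resolve(conns, name)
        except ValueError as err:
            findings.append("%s: %s" % (name, err))
            continue
        # pluto cannot initiate to a wildcard peer; the remote side must dial in.
        if eff.get("auto") == "start" and eff.get("right") == "%any":
            findings.append("%s: auto=start with right=%%any (peer must initiate; use auto=add)" % name)
        # Two conns with the same subnet pair compete for the same policy entry.
        pair = (eff.get("leftsubnet", eff.get("left")), eff.get("rightsubnet", eff.get("right")))
        if pair in seen_pairs:
            findings.append("%s: same subnet pair as %s" % (name, seen_pairs[pair]))
        seen_pairs.setdefault(pair, name)
    # virtual_private entries must be %v4:/%v6: prefixed, optionally negated with '!'.
    for token in filter(None, sections.get("setup", {}).get("virtual_private", "").split(",")):
        m = VP_TOKEN_RE.match(token)
        if not m:
            findings.append("virtual_private: %r is not a %%v4:/%%v6: entry" % token)
            continue
        try:
            ipaddress.ip_network(m.group(2), strict=True)
        except ValueError:
            findings.append("virtual_private: %r is not a valid network" % token)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the only finding is the %4: entry; the posted conns themselves pass, which is consistent with Peter's point that the next thing to look at is the pluto log from a restart rather than the conn definitions.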






