[Openswan Users] Subnets conmunication?

Peter McGill petermcgill at goco.net
Tue Jun 5 14:54:40 EDT 2007 

> -----Original Message-----
> From: IT Dept. [mailto:it at technovation.com.sv] 
> Sent: June 5, 2007 2:43 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Subnets conmunication?
> 
> root at vpn:~# ipsec version
> Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> See `ipsec --copyright' for copyright information.
> root at vpn:~#
> 
> root at vpn:~# ipsec verify
> Checking your system to see if IPsec got installed and 
> started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [N/A]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
> Opportunistic Encryption Support                              
>   [DISABLED]
> root at vpn:~#
> 
> root at vpn:~# ipsec eroute
> /usr/lib/ipsec/eroute: NETKEY does not support eroute table.
> root at vpn:~#

The above look ok, we don't need eroute it's just a easy way to check
Tunnel status. But I will need some log info to determine where error is.

egrep -e 'pluto' /var/log/*
Filter by date/time to only get the recent restart and connections.

> Ill be wait for your help....my boss wanna hang me...LOL
> 
> Regards
> 
> 	Hector
> 
> -----Mensaje original-----
> De: Peter McGill [mailto:petermcgill at goco.net] 
> Enviado el: Martes, 05 de Junio de 2007 12:37 p.m.
> Para: 'IT Dept.'
> CC: users at openswan.org
> Asunto: RE: [Openswan Users] Subnets conmunication?
> 
> > -----Original Message-----
> > From: IT Dept. [mailto:it at technovation.com.sv] 
> > Sent: June 5, 2007 2:00 PM
> > To: petermcgill at goco.net
> > Cc: users at openswan.org
> > Subject: RE: [Openswan Users] Subnets conmunication?
> > Importance: High
> > 
> > Hi again...
> > 
> > 	Thanks for the your help....i cant get communication yet.
> > 
> > 	Here is my last conf...im only using two branches to 
> > make it more
> > simple...
> > 
> > 	# /etc/ipsec.conf - Openswan IPsec configuration file
> > # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> > 
> > # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> > #
> > # Manual:     ipsec.conf.5
> > 
> > 
> > version	2.0	# conforms to second version of 
> > ipsec.conf specification
> > 
> > # basic configuration
> > config setup
> > 	forwardcontrol=yes
> > 	nat_traversal=yes
> > 	# plutodebug / klipsdebug = "all", "none" or a 
> > combation from below:
> > 	# "raw crypt parsing emitting control klips pfkey natt 
> > x509 private"
> > 	# eg:
> > 	# plutodebug="control parsing"
> > 	#
> > 	# Only enable klipsdebug=all if you are a developer
> > 	#
> > 	# NAT-TRAVERSAL support, see README.NAT-Traversal
> > 	# nat_traversal=yes
> > 	# 
> > virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> > 
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> > 
> > conn branch_40
> > 	also=branch_40_shared
> > 	rightsubnet=192.168.40.0/24
> > 	auto=start
> > 
> > conn centralbw_50
> > 	also=centralbw_50_shared
> >  	rightsubnet=192.168.50.0/24
> >  	auto=add
> > 
> > conn branch_40_to_centralbw_50
> > 	also=branch_40_shared
> >  	leftsubnet=192.168.50.0/24
> > 	rightsubnet=192.168.40.0/24
> > 	auto=start
> > 
> > conn centralbw_50_to_branch_40
> > 	also=centralbw_50_shared
> > 	leftsubnet=192.168.40.0/24
> >  	rightsubnet=192.168.50.0/24
> >  	auto=add
> > 
> > conn branch_40_shared
> >  	authby=secret
> >  	compress=no
> >  	ikelifetime=240m
> >  	keyexchange=ike
> >  	keylife=60m
> >  	left=208.70.149.161
> >  	leftnexthop=208.70.149.166
> >  	pfs=yes
> >  	right=190.53.0.113
> >  	rightnexthop=190.53.0.1
> > 
> > conn centralbw_50_shared
> >  	authby=secret
> >  	compress=no
> >  	ikelifetime=240m
> >  	keyexchange=ike
> >  	keylife=60m
> >  	left=208.70.149.161
> >  	leftnexthop=208.70.149.166
> >         pfs=yes
> >  	right=%any
> > 
> > 
> > in auth.log I get that conn branch_40_shared starts fine, but 
> > I need to
> > manually start conn centralbw_50_shared from the linksys 
> > router, and them
> > the conn´s between dosent start...
> 
> First off the shared conn's should never be started, they're not
> Real conn's just shared information used by other conn's.
> Also it would be easier to test with the static ip sites, rather than
> Centralbw. With centralbw linksys must initiate the 
> connection for it to
> work.
> 
> Show us these outputs.
> ipsec version
> ipsec verify
> ipsec eroute
> 
> Lastly, restart openswan, and reconnect the linksys tunnels.
> Get the restart and connect logs by...
> egrep -e 'pluto' /var/log/*
> Filter by date/time to only get the recent restart and connections.

More information about the Users mailing list