[Openswan Users] Subnets conmunication?
Peter McGill
petermcgill at goco.net
Wed Jun 6 09:39:37 EDT 2007
> -----Original Message-----
> Date: Tue, 5 Jun 2007 15:23:00 -0600
> From: "IT Dept." <it at technovation.com.sv>
> Subject: Re: [Openswan Users] Subnets conmunication?
> To: <users at openswan.org>
>
> Can i change my subnets to 192.168.40.x/24 i mean in all
> branches...we are using DHCP:
>
> Branch A 192.168.50.10-20
> Branch B 192.168.50.21-30
> Branco C 192.168.50.31-40
>
> An just set my conn to:
> leftsubnet=192.168.50/24
> rightsubnet=192.168.50/24
>
> In all linksys..
>
> What do u think?
>
> Hector
The subnet's need to be unique, non-overlapping and if you want
Only one tunnel to/from each site, they need to be binary aligned.
Otherwise routing/tunneling will not work correctly.
You could do this:
leftsubnet=192.168.0.0/16
rightsubnet=192.168.40.0/24
leftsubnet=192.168.0.0/16
rightsubnet=192.168.50.0/24
leftsubnet=192.168.0.0/16
rightsubnet=192.168.60.0/24
Or you could do this:
leftsubnet=192.168.50.0/24
rightsubnet=192.168.50.0/28 # 192.168.50.1-14
leftsubnet=192.168.50.0/24
rightsubnet=192.168.50.16/28 # 192.168.50.17-30
leftsubnet=192.168.50.0/24
rightsubnet=192.168.60.32/28 # 192.168.50.33-46
But be sure to change the subnet masks at your sites too.
/28 or 255.255.255.239
Using the overlapping "larger" subnet to route traffic to the
Central router works because routers choose the most specific route
First, but you must keep the routes to your linksys sites unique.
For example traffic going from site C to site A...
Source: 192.168.60.10 Dest: 192.168.40.20
C's router compares packet's destination to C router's routes.
192.168.60.0/24 (lan, no match)
192.168.0.0/16 (ipsec, match, use this one) And the packet is tunneled to openswan.
Openswan compares packet's destination to openswan's routes.
192.168.40.0/24 (ipsec, match, use this one) And the packet is tunneled to site A.
192.168.50.0/24 (ipsec, no match)
192.168.60.0/24 (ipsec, no match)
A's router compares packet's destination to A router's routes.
192.168.40.0/24 (lan, match, use this one) And the packet is sent to lan A.
192.168.0.0/16 (ipsec, match but not as specific as /24 don't use this one)
Peter
> -----Mensaje original-----
> De: Peter McGill [mailto:petermcgill at goco.net]
> Enviado el: Martes, 05 de Junio de 2007 02:19 p.m.
> Para: it at technovation.com.sv
> Asunto: RE: [Openswan Users] Subnets conmunication?
>
> If you put leftsubnet=192.168.0.0/16 in both it would work.
> You would not be able to ping the openswan machine from,
> Centralbw or vise versa, but they probably only need to
> Pass traffic to the other sites, not each other right?
>
> Peter McGill
>
>
> > -----Original Message-----
> > Date: Tue, 5 Jun 2007 14:10:38 -0600
> > From: "IT Dept." <it at technovation.com.sv>
> > Subject: Re: [Openswan Users] Subnets conmunication?
> > To: <users at openswan.org>
> >
> > Just a question, what if i only put as a left subset at linksys in
> > centralbw_50 a 192.168.0.0/24 subent, same in Openswan???
> >
> > Hector
> >
> > -----Mensaje original-----
> > De: Peter McGill [mailto:petermcgill at goco.net]
> > Enviado el: Martes, 05 de Junio de 2007 02:05 p.m.
> > Para: it at technovation.com.sv
> > Asunto: RE: [Openswan Users] Subnets conmunication?
> >
> > Hector,
> >
> > I've never used a linksys myself, but perhaps if
> > You sent me a screen capture of the configuration
> > Interface, I might figure it out.
> > That is if it's a gui or webinterface. If it's a
> > Text conf like openswan, then just copy to email body.
> >
> > Essentially on the linksys, you will have either,
> > One connection with two subnets, or two connections.
> > One subnet is the ip of the openswan router. (centralbw_50 conn)
> > One subnet is the 40 net, 192.168.40.0/24.
> > (centralbw_50_to_branch_40 conn)
> > Both subnet's or connections need to be initiated by linksys router,
> > For the connection to work.
> >
> > Peter McGill
> >
> >
> > > -----Original Message-----
> > > Date: Tue, 5 Jun 2007 13:52:39 -0600
> > > From: "IT Dept." <it at technovation.com.sv>
> > > Subject: Re: [Openswan Users] Subnets conmunication?
> > > To: <users at openswan.org>
> > >
> > > Any idea on how to do that???
> > >
> > > Im very confussed
> > >
> > > Hector
> > >
> > > -----Mensaje original-----
> > > De: Peter McGill [mailto:petermcgill at goco.net]
> > > Enviado el: Martes, 05 de Junio de 2007 01:43 p.m.
> > > Para: 'IT Dept.'
> > > Asunto: RE: [Openswan Users] Subnets conmunication?
> > >
> > > According to these logs, branch40, branch40_to_centralbw_50 and
> > > centralbw_50 all connected but centralbw_50_to_branch_40
> is missing.
> > > You need that for traffic flow between branch_40 and centralbw_50.
> > > It needs to be initiated by centralbw's linksys router.
> > >
> > > Peter McGill
> > >
> > >
> > > > -----Original Message-----
> > > > From: IT Dept. [mailto:it at technovation.com.sv]
> > > > Sent: June 5, 2007 3:34 PM
> > > > To: petermcgill at goco.net
> > > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > >
> > > > Here is my last log....connections up but no ping between
> > > > 192.168.40.x and
> > > > 192.168.50.x...
> > > >
> > > > Jun 5 14:29:02 vpn pluto[1165]: "branch_40_to_centralbw_50" #1:
> > > > STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> > > > cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> > > > Jun 5 14:29:05 vpn pluto[1165]: "branch_40" #2:
> > > > STATE_QUICK_I2: sent QI2,
> > > > IPsec SA established {ESP=>0x44688997 <0xf45725dc
> > > xfrm=3DES_0-HMAC_MD5
> > > > NATD=none DPD=none}
> > > > Jun 5 14:29:15 vpn pluto[1165]: "branch_40_to_centralbw_50" #3:
> > > > STATE_QUICK_I2: sent QI2, IPsec SA established
> > > > {ESP=>0x9a8a16a3 <0x4b0ae507
> > > > xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> > > > Jun 5 14:31:25 vpn pluto[1165]: "centralbw_50"[1]
> > 66.201.165.11 #4:
> > > > STATE_MAIN_R3: sent MR3, ISAKMP SA established
> > > > {auth=OAKLEY_PRESHARED_KEY
> > > > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > > > Jun 5 14:31:25 vpn pluto[1165]: "centralbw_50"[1]
> > 66.201.165.11 #5:
> > > > STATE_QUICK_R2: IPsec SA established {ESP=>0x80f41e9f
> <0xf2757211
> > > > xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> > > >
> > > > Hector
> > > >
> > > > -----Mensaje original-----
> > > > De: Peter McGill [mailto:petermcgill at goco.net]
> > > > Enviado el: Martes, 05 de Junio de 2007 01:18 p.m.
> > > > Para: 'IT Dept.'
> > > > CC: users at openswan.org
> > > > Asunto: RE: [Openswan Users] Subnets conmunication?
> > > >
> > > > Forgot to mention you'll also need to update your,
> > > > Ipsec secrets for centralbw like this.
> > > >
> > > > 208.70.149.161 @centralbw : PSK "secret..."
> > > >
> > > > Peter McGill
> > > >
> > > > > -----Original Message-----
> > > > > From: Peter McGill [mailto:petermcgill at goco.net]
> > > > > Sent: June 5, 2007 3:15 PM
> > > > > To: 'IT Dept.'
> > > > > Cc: 'users at openswan.org'
> > > > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > > >
> > > > > That's what we need.
> > > > > It looks like there is a problem with centralbw connecting.
> > > > > Because it's dynamic ip, it doesn't know how to identify the
> > > > > Connecting router, needs an id field.
> > > > >
> > > > > Update this conn in your conf add rightid line.
> > > > > conn centralbw_50_shared
> > > > > authby=secret
> > > > > compress=no
> > > > > ikelifetime=240m
> > > > > keyexchange=ike
> > > > > keylife=60m
> > > > > left=208.70.149.161
> > > > > leftnexthop=208.70.149.166
> > > > > pfs=yes
> > > > > right=%any
> > > > > rightid=@centralbw
> > > > >
> > > > > Also add id to linksys conf, sorry don't know how to do that.
> > > > >
> > > > > Peter McGill
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: IT Dept. [mailto:it at technovation.com.sv]
> > > > > > Sent: June 5, 2007 3:06 PM
> > > > > > To: petermcgill at goco.net
> > > > > > Cc: users at openswan.org
> > > > > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > > > >
> > > > > > Here is auth.log
> > > > > >
> > > > > > Jun 5 13:54:13 vpn pluto[1165]: "centralbw_50"[1]
> > > > > > 66.201.165.11 #4: Main
> > > > > > mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> > > > > > Jun 5 13:54:13 vpn pluto[1165]: "centralbw_50"[2]
> > > > 66.201.165.11 #4:
> > > > > > deleting connection "centralbw_50" instance with peer
> > > > 66.201.165.11
> > > > > > {isakmp=#0/ipsec=#0}
> > > > > > Jun 5 13:54:13 vpn pluto[1165]: "centralbw_50"[2]
> > > > 66.201.165.11 #4:
> > > > > > STATE_MAIN_R3: sent MR3, ISAKMP SA established
> > > > > > {auth=OAKLEY_PRESHARED_KEY
> > > > > > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > > > > > Jun 5 13:54:13 vpn pluto[1165]: "centralbw_50"[2]
> > > > > > 66.201.165.11 #4: cannot
> > > > > > respond to IPsec SA request because no connection
> is known for
> > > > > >
> 192.168.0.0/24===208.70.149.161...66.201.165.11[10.8.213.31]==
> > > > > > =192.168.50.0/
> > > > > > 24
> > > > > > Jun 5 13:54:13 vpn pluto[1165]: "centralbw_50"[2]
> > > > > > 66.201.165.11 #4: sending
> > > > > > encrypted notification INVALID_ID_INFORMATION to
> > > 66.201.165.11:500
> > > > > > Jun 5 13:58:05 vpn pluto[1164]:
> > "branch_40_to_centralbw_50" #1:
> > > > > > STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_PRESHARED_KEY
> > > > > > cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> > > > > > Jun 5 13:58:08 vpn pluto[1164]: "branch_40" #2:
> > > > > > STATE_QUICK_I2: sent QI2,
> > > > > > IPsec SA established {ESP=>0xc3ad781f <0xf5001af0
> > > > > xfrm=3DES_0-HMAC_MD5
> > > > > > NATD=none DPD=none}
> > > > > > Jun 5 13:58:18 vpn pluto[1164]:
> > "branch_40_to_centralbw_50" #3:
> > > > > > STATE_QUICK_I2: sent QI2, IPsec SA established
> > > > > > {ESP=>0x433730c7 <0xe3efe176
> > > > > > xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> > > > > >
> > > > > > -----Mensaje original-----
> > > > > > De: users-bounces at openswan.org
> > > > > > [mailto:users-bounces at openswan.org] En nombre
> > > > > > de IT Dept.
> > > > > > Enviado el: Martes, 05 de Junio de 2007 01:00 p.m.
> > > > > > Para: petermcgill at goco.net
> > > > > > CC: users at openswan.org
> > > > > > Asunto: Re: [Openswan Users] Subnets conmunication?
> > > > > >
> > > > > > Here is:
> > > > > >
> > > > > >
> > > > > > Jun 5 13:58:02 vpn syslogd 1.4.1#17ubuntu7: restart.
> > > > > > Jun 5 13:58:02 vpn kernel: Cannot find map file.
> > > > > > Jun 5 13:58:02 vpn kernel: No module symbols
> loaded - kernel
> > > > > > modules not
> > > > > > enabled.
> > > > > > Jun 5 13:58:02 vpn kernel: Bootdata ok (command line is
> > > > > > root=/dev/sda1 ro
> > > > > > 3)
> > > > > > Jun 5 13:58:02 vpn kernel: Linux version 2.6.16.29-xen
> > > > > > (shand at endor) (gcc
> > > > > > version 3.4.4 20050314 (prerelease) (Debian
> 3.4.3-13)) #3 SMP
> > > > > > Sun Oct 15
> > > > > > 13:15:34 BST 2006
> > > > > > Jun 5 13:58:02 vpn kernel: BIOS-provided physical RAM map:
> > > > > > Jun 5 13:58:02 vpn kernel: Xen: 0000000000000000 -
> > > > > 000000001f000000
> > > > > > (usable)
> > > > > > Jun 5 13:58:02 vpn kernel: On node 0 totalpages: 126976
> > > > > > Jun 5 13:58:02 vpn kernel: DMA zone: 126976 pages,
> > > > LIFO batch:31
> > > > > > Jun 5 13:58:02 vpn kernel: DMA32 zone: 0 pages,
> > LIFO batch:0
> > > > > > Jun 5 13:58:02 vpn kernel: Normal zone: 0 pages,
> > LIFO batch:0
> > > > > > Jun 5 13:58:02 vpn kernel: HighMem zone: 0 pages,
> > > LIFO batch:0
> > > > > > Jun 5 13:58:02 vpn kernel: No mptable found.
> > > > > > Jun 5 13:58:02 vpn kernel: Built 1 zonelists
> > > > > > Jun 5 13:58:02 vpn kernel: Kernel command line:
> > > > > root=/dev/sda1 ro 3
> > > > > > Jun 5 13:58:02 vpn kernel: Initializing CPU#0
> > > > > > Jun 5 13:58:02 vpn kernel: PID hash table entries: 2048
> > > > > > (order: 11, 65536
> > > > > > bytes)
> > > > > > Jun 5 13:58:02 vpn kernel: Xen reported: 1795.496 MHz
> > > processor.
> > > > > > Jun 5 13:58:02 vpn kernel: Dentry cache hash table
> entries:
> > > > > > 65536 (order:
> > > > > > 7, 524288 bytes)
> > > > > > Jun 5 13:58:02 vpn kernel: Inode-cache hash table entries:
> > > > > > 32768 (order: 6,
> > > > > > 262144 bytes)
> > > > > > Jun 5 13:58:02 vpn kernel: Software IO TLB disabled
> > > > > > Jun 5 13:58:02 vpn kernel: Memory: 483452k/507904k
> available
> > > > > > (1918k kernel
> > > > > > code, 15628k reserved, 809k data, 168k init)
> > > > > > Jun 5 13:58:02 vpn kernel: Calibrating delay using timer
> > > > > > specific routine..
> > > > > > 3592.77 BogoMIPS (lpj=17963870)
> > > > > > Jun 5 13:58:02 vpn kernel: Security Framework v1.0.0
> > > initialized
> > > > > > Jun 5 13:58:02 vpn kernel: Capability LSM initialized
> > > > > > Jun 5 13:58:02 vpn ipsec__plutorun: 104
> > > > > > "branch_40_to_centralbw_50" #1:
> > > > > > STATE_MAIN_I1: initiate
> > > > > > Jun 5 13:58:02 vpn ipsec__plutorun: ...could not start conn
> > > > > > "branch_40_to_centralbw_50"
> > > > > > Jun 5 13:58:02 vpn kernel: Mount-cache hash table
> > entries: 256
> > > > > > Jun 5 13:58:02 vpn kernel: CPU: L1 I Cache: 64K (64
> > > > > > bytes/line), D cache
> > > > > > 64K (64 bytes/line)
> > > > > > Jun 5 13:58:02 vpn kernel: CPU: L2 Cache: 1024K (64
> > bytes/line)
> > > > > > Jun 5 13:58:02 vpn kernel: Brought up 1 CPUs
> > > > > > Jun 5 13:58:02 vpn kernel: migration_cost=0
> > > > > > Jun 5 13:58:02 vpn kernel: checking if image is
> > > > initramfs... it is
> > > > > > Jun 5 13:58:02 vpn kernel: Freeing initrd memory:
> 1859k freed
> > > > > > Jun 5 13:58:02 vpn kernel: DMI not present or invalid.
> > > > > > Jun 5 13:58:02 vpn kernel: Grant table initialized
> > > > > > Jun 5 13:58:02 vpn kernel: NET: Registered
> protocol family 16
> > > > > > Jun 5 13:58:02 vpn kernel: Initializing CPU#1
> > > > > > Jun 5 13:58:02 vpn kernel: migration_cost=967
> > > > > > Jun 5 13:58:02 vpn kernel: Brought up 2 CPUs
> > > > > > Jun 5 13:58:02 vpn kernel: PCI: setting up Xen PCI
> > > frontend stub
> > > > > > Jun 5 13:58:02 vpn kernel: ACPI: Subsystem
> revision 20060127
> > > > > > Jun 5 13:58:02 vpn kernel: ACPI: Interpreter disabled.
> > > > > > Jun 5 13:58:02 vpn kernel: Linux Plug and Play
> Support v0.97
> > > > > > (c) Adam Belay
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: PnP ACPI: disabled
> > > > > > Jun 5 13:58:02 vpn kernel: xen_mem: Initialising
> > > balloon driver.
> > > > > > Jun 5 13:58:02 vpn kernel: PCI: System does not support PCI
> > > > > > Jun 5 13:58:02 vpn kernel: PCI: System does not support PCI
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: the driver
> 'system' has been
> > > > > > registered
> > > > > > Jun 5 13:58:02 vpn kernel: IA-32 Microcode Update
> > > > Driver: v1.14-xen
> > > > > > <tigran at veritas.com>
> > > > > > Jun 5 13:58:02 vpn kernel: IA32 emulation $Id:
> sys_ia32.c,v
> > > > > > 1.32 2002/03/24
> > > > > > 13:02:28 ak Exp $
> > > > > > Jun 5 13:58:02 vpn kernel: audit: initializing netlink
> > > > > > socket (disabled)
> > > > > > Jun 5 13:58:02 vpn kernel: audit(1181069856.905:1):
> > initialized
> > > > > > Jun 5 13:58:02 vpn kernel: VFS: Disk quotas dquot_6.5.1
> > > > > > Jun 5 13:58:02 vpn kernel: Dquot-cache hash table entries:
> > > > > > 512 (order 0,
> > > > > > 4096 bytes)
> > > > > > Jun 5 13:58:02 vpn kernel: Initializing Cryptographic API
> > > > > > Jun 5 13:58:02 vpn kernel: io scheduler noop registered
> > > > > > Jun 5 13:58:02 vpn kernel: io scheduler anticipatory
> > registered
> > > > > > Jun 5 13:58:02 vpn kernel: io scheduler deadline registered
> > > > > > Jun 5 13:58:02 vpn kernel: io scheduler cfq registered
> > > (default)
> > > > > > Jun 5 13:58:02 vpn kernel: rtc: IRQ 8 is not free.
> > > > > > Jun 5 13:58:02 vpn kernel: Non-volatile memory driver v1.2
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042 kbd' has
> > > > > > been registered
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042 aux' has
> > > > > > been registered
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042
> > kbd' has been
> > > > > > unregistered
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: the driver 'i8042
> > aux' has been
> > > > > > unregistered
> > > > > > Jun 5 13:58:02 vpn kernel: PNP: No PS/2 controller found.
> > > > > > Probing ports
> > > > > > directly.
> > > > > > Jun 5 13:58:02 vpn kernel: i8042.c: No controller found.
> > > > > > Jun 5 13:58:02 vpn kernel: RAMDISK driver initialized: 16
> > > > > > RAM disks of
> > > > > > 16384K size 1024 blocksize
> > > > > > Jun 5 13:58:02 vpn kernel: loop: loaded (max 8 devices)
> > > > > > Jun 5 13:58:02 vpn kernel: Xen virtual console
> successfully
> > > > > > installed as
> > > > > > tty1
> > > > > > Jun 5 13:58:02 vpn kernel: Event-channel device installed.
> > > > > > Jun 5 13:58:02 vpn kernel: netfront: Initialising virtual
> > > > > > ethernet driver.
> > > > > > Jun 5 13:58:02 vpn kernel: Uniform Multi-Platform E-IDE
> > > > > > driver Revision:
> > > > > > 7.00alpha2
> > > > > > Jun 5 13:58:02 vpn kernel: ide: Assuming 50MHz system bus
> > > > > > speed for PIO
> > > > > > modes; override with idebus=xx
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: the driver 'ide' has been
> > > > > registered
> > > > > > Jun 5 13:58:02 vpn kernel: mice: PS/2 mouse device common
> > > > > > for all mice
> > > > > > Jun 5 13:58:02 vpn kernel: md: md driver 0.90.3
> > > MAX_MD_DEVS=256,
> > > > > > MD_SB_DISKS=27
> > > > > > Jun 5 13:58:02 vpn kernel: md: bitmap version 4.39
> > > > > > Jun 5 13:58:02 vpn kernel: NET: Registered
> protocol family 2
> > > > > > Jun 5 13:58:02 vpn kernel: netfront: device eth0 has
> > > > > > flipping receive path.
> > > > > > Jun 5 13:58:02 vpn kernel: IP route cache hash table
> > > > > > entries: 4096 (order:
> > > > > > 3, 32768 bytes)
> > > > > > Jun 5 13:58:02 vpn kernel: TCP established hash table
> > > > > entries: 16384
> > > > > > (order: 6, 262144 bytes)
> > > > > > Jun 5 13:58:02 vpn kernel: TCP bind hash table entries:
> > > > > > 16384 (order: 6,
> > > > > > 262144 bytes)
> > > > > > Jun 5 13:58:02 vpn kernel: TCP: Hash tables configured
> > > > > > (established 16384
> > > > > > bind 16384)
> > > > > > Jun 5 13:58:02 vpn kernel: TCP reno registered
> > > > > > Jun 5 13:58:02 vpn kernel: NET: Registered
> protocol family 1
> > > > > > Jun 5 13:58:02 vpn kernel: NET: Registered
> protocol family 17
> > > > > > Jun 5 13:58:02 vpn kernel: Registering block device major 8
> > > > > > Jun 5 13:58:02 vpn kernel: kjournald starting. Commit
> > > > > > interval 5 seconds
> > > > > > Jun 5 13:58:02 vpn kernel: EXT3-fs: mounted
> filesystem with
> > > > > > ordered data
> > > > > > mode.
> > > > > > Jun 5 13:58:02 vpn kernel: NET: Registered
> protocol family 10
> > > > > > Jun 5 13:58:02 vpn kernel: lo: Disabled Privacy Extensions
> > > > > > Jun 5 13:58:02 vpn kernel: IPv6 over IPv4 tunneling driver
> > > > > > Jun 5 13:58:02 vpn kernel: pnp: the driver
> 'parport_pc' has
> > > > > > been registered
> > > > > > Jun 5 13:58:02 vpn kernel: lp: driver loaded but no
> > > devices found
> > > > > > Jun 5 13:58:02 vpn kernel: Adding 999416k swap on
> /dev/sda2.
> > > > > > Priority:-1
> > > > > > extents:1 across:999416k
> > > > > > Jun 5 13:58:02 vpn kernel: EXT3 FS on sda1,
> internal journal
> > > > > > Jun 5 13:58:02 vpn kernel: device-mapper: 4.5.0-ioctl
> > > > (2005-10-04)
> > > > > > initialised: dm-devel at redhat.com
> > > > > > Jun 5 13:58:02 vpn kernel: NET: Registered
> protocol family 15
> > > > > > Jun 5 13:58:02 vpn kernel: Initializing IPsec
> netlink socket
> > > > > > Jun 5 13:58:02 vpn ipsec__plutorun: 029
> > > > > > "centralbw_50_to_branch_40": cannot
> > > > > > initiate connection without knowing peer IP address
> > > > > (kind=CK_TEMPLATE)
> > > > > > Jun 5 13:58:02 vpn ipsec__plutorun: ...could not start conn
> > > > > > "centralbw_50_to_branch_40"
> > > > > > Jun 5 13:58:03 vpn kernel: eth0: no IPv6 routers present
> > > > > > Jun 5 13:58:03 vpn ipsec_setup: Openswan IPsec apparently
> > > > > > already running,
> > > > > > start aborted
> > > > > > Jun 5 13:58:03 vpn /usr/sbin/cron[1554]: (CRON) INFO
> > > > > (pidfile fd = 3)
> > > > > > Jun 5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON)
> > > STARTUP (fork ok)
> > > > > > Jun 5 13:58:03 vpn /usr/sbin/cron[1555]: (CRON) INFO
> > > > > > (Running @reboot jobs)
> > > > > >
> > > > > > Hector
> > > > > >
> > > > > >
> > > > > > -----Mensaje original-----
> > > > > > De: Peter McGill [mailto:petermcgill at goco.net]
> > > > > > Enviado el: Martes, 05 de Junio de 2007 12:55 p.m.
> > > > > > Para: 'IT Dept.'
> > > > > > CC: users at openswan.org
> > > > > > Asunto: RE: [Openswan Users] Subnets conmunication?
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: IT Dept. [mailto:it at technovation.com.sv]
> > > > > > > Sent: June 5, 2007 2:43 PM
> > > > > > > To: petermcgill at goco.net
> > > > > > > Cc: users at openswan.org
> > > > > > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > > > > >
> > > > > > > root at vpn:~# ipsec version
> > > > > > > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > > > > > > See `ipsec --copyright' for copyright information.
> > > > > > > root at vpn:~#
> > > > > > >
> > > > > > > root at vpn:~# ipsec verify
> > > > > > > Checking your system to see if IPsec got installed and
> > > > > > > started correctly:
> > > > > > > Version check and ipsec on-path
> > > > > [OK]
> > > > > > > Linux Openswan U2.4.4/K2.6.16.29-xen (netkey)
> > > > > > > Checking for IPsec support in kernel
> > > > > [OK]
> > > > > > > Checking for RSA private key (/etc/ipsec.secrets)
> > > > > [OK]
> > > > > > > Checking that pluto is running
> > > > > [OK]
> > > > > > > Two or more interfaces found, checking IP forwarding
> > > > > [OK]
> > > > > > > Checking NAT and MASQUERADEing
>
> > > > > > [N/A]
> > > > > > > Checking for 'ip' command
> > > > > [OK]
> > > > > > > Checking for 'iptables' command
> > > > > [OK]
> > > > > > > Checking for 'setkey' command for NETKEY IPsec stack
> > > > > support [OK]
> > > > > > > Opportunistic Encryption Support
> >
> > > > > > > [DISABLED]
> > > > > > > root at vpn:~#
> > > > > > >
> > > > > > > root at vpn:~# ipsec eroute
> > > > > > > /usr/lib/ipsec/eroute: NETKEY does not support
> eroute table.
> > > > > > > root at vpn:~#
> > > > > >
> > > > > > The above look ok, we don't need eroute it's just a easy
> > > > > way to check
> > > > > > Tunnel status. But I will need some log info to determine
> > > > > > where error is.
> > > > > >
> > > > > > egrep -e 'pluto' /var/log/*
> > > > > > Filter by date/time to only get the recent restart and
> > > > connections.
> > > > > >
> > > > > > > Ill be wait for your help....my boss wanna hang me...LOL
> > > > > > >
> > > > > > > Regards
> > > > > > >
> > > > > > > Hector
> > > > > > >
> > > > > > > -----Mensaje original-----
> > > > > > > De: Peter McGill [mailto:petermcgill at goco.net]
> > > > > > > Enviado el: Martes, 05 de Junio de 2007 12:37 p.m.
> > > > > > > Para: 'IT Dept.'
> > > > > > > CC: users at openswan.org
> > > > > > > Asunto: RE: [Openswan Users] Subnets conmunication?
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: IT Dept. [mailto:it at technovation.com.sv]
> > > > > > > > Sent: June 5, 2007 2:00 PM
> > > > > > > > To: petermcgill at goco.net
> > > > > > > > Cc: users at openswan.org
> > > > > > > > Subject: RE: [Openswan Users] Subnets conmunication?
> > > > > > > > Importance: High
> > > > > > > >
> > > > > > > > Hi again...
> > > > > > > >
> > > > > > > > Thanks for the your help....i cant get
> > > > > communication yet.
> > > > > > > >
> > > > > > > > Here is my last conf...im only using
> two branches to
> > > > > > > > make it more
> > > > > > > > simple...
> > > > > > > >
> > > > > > > > # /etc/ipsec.conf - Openswan IPsec
> configuration file
> > > > > > > > # RCSID $Id: ipsec.conf.in,v 1.15.2.2
> 2005/11/14 20:10:27
> > > > > > paul Exp $
> > > > > > > >
> > > > > > > > # This file: /usr/share/doc/openswan/ipsec.conf-sample
> > > > > > > > #
> > > > > > > > # Manual: ipsec.conf.5
> > > > > > > >
> > > > > > > >
> > > > > > > > version 2.0 # conforms to second version of
> > > > > > > > ipsec.conf specification
> > > > > > > >
> > > > > > > > # basic configuration
> > > > > > > > config setup
> > > > > > > > forwardcontrol=yes
> > > > > > > > nat_traversal=yes
> > > > > > > > # plutodebug / klipsdebug = "all", "none" or a
> > > > > > > > combation from below:
> > > > > > > > # "raw crypt parsing emitting control
> klips pfkey natt
> > > > > > > > x509 private"
> > > > > > > > # eg:
> > > > > > > > # plutodebug="control parsing"
> > > > > > > > #
> > > > > > > > # Only enable klipsdebug=all if you are
> a developer
> > > > > > > > #
> > > > > > > > # NAT-TRAVERSAL support, see
> README.NAT-Traversal
> > > > > > > > # nat_traversal=yes
> > > > > > > > #
> > > > > > > >
> > > > >
> > virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> > > > > > > >
> > > > > > > > #Disable Opportunistic Encryption
> > > > > > > > include /etc/ipsec.d/examples/no_oe.conf
> > > > > > > >
> > > > > > > > conn branch_40
> > > > > > > > also=branch_40_shared
> > > > > > > > rightsubnet=192.168.40.0/24
> > > > > > > > auto=start
> > > > > > > >
> > > > > > > > conn centralbw_50
> > > > > > > > also=centralbw_50_shared
> > > > > > > > rightsubnet=192.168.50.0/24
> > > > > > > > auto=add
> > > > > > > >
> > > > > > > > conn branch_40_to_centralbw_50
> > > > > > > > also=branch_40_shared
> > > > > > > > leftsubnet=192.168.50.0/24
> > > > > > > > rightsubnet=192.168.40.0/24
> > > > > > > > auto=start
> > > > > > > >
> > > > > > > > conn centralbw_50_to_branch_40
> > > > > > > > also=centralbw_50_shared
> > > > > > > > leftsubnet=192.168.40.0/24
> > > > > > > > rightsubnet=192.168.50.0/24
> > > > > > > > auto=add
> > > > > > > >
> > > > > > > > conn branch_40_shared
> > > > > > > > authby=secret
> > > > > > > > compress=no
> > > > > > > > ikelifetime=240m
> > > > > > > > keyexchange=ike
> > > > > > > > keylife=60m
> > > > > > > > left=208.70.149.161
> > > > > > > > leftnexthop=208.70.149.166
> > > > > > > > pfs=yes
> > > > > > > > right=190.53.0.113
> > > > > > > > rightnexthop=190.53.0.1
> > > > > > > >
> > > > > > > > conn centralbw_50_shared
> > > > > > > > authby=secret
> > > > > > > > compress=no
> > > > > > > > ikelifetime=240m
> > > > > > > > keyexchange=ike
> > > > > > > > keylife=60m
> > > > > > > > left=208.70.149.161
> > > > > > > > leftnexthop=208.70.149.166
> > > > > > > > pfs=yes
> > > > > > > > right=%any
> > > > > > > >
> > > > > > > >
> > > > > > > > in auth.log I get that conn branch_40_shared starts
> > > fine, but
> > > > > > > > I need to
> > > > > > > > manually start conn centralbw_50_shared from
> the linksys
> > > > > > > > router, and them
> > > > > > > > the conn?s between dosent start...
> > > > > > >
> > > > > > > First off the shared conn's should never be started,
> > > they're not
> > > > > > > Real conn's just shared information used by other conn's.
> > > > > > > Also it would be easier to test with the static ip sites,
> > > > > > rather than
> > > > > > > Centralbw. With centralbw linksys must initiate the
> > > > > > > connection for it to
> > > > > > > work.
> > > > > > >
> > > > > > > Show us these outputs.
> > > > > > > ipsec version
> > > > > > > ipsec verify
> > > > > > > ipsec eroute
> > > > > > >
> > > > > > > Lastly, restart openswan, and reconnect the
> linksys tunnels.
> > > > > > > Get the restart and connect logs by...
> > > > > > > egrep -e 'pluto' /var/log/*
> > > > > > > Filter by date/time to only get the recent restart and
> > > > > connections.
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > No virus found in this incoming message.
> > > > > > Checked by AVG Free Edition.
> > > > > > Version: 7.5.472 / Virus Database: 269.8.9/832 - Release
> > > > > > Date: 04/06/2007
> > > > > > 06:43 p.m.
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > Users at openswan.org
> > > > > > http://lists.openswan.org/mailman/listinfo/users
> > > > > > Building and Integrating Virtual Private Networks with
> > > Openswan:
> > > > > >
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> > > > > > 7?n=283155
> > > > > >
> > > > > >
> > > > > > --
> > > > > > No virus found in this incoming message.
> > > > > > Checked by AVG Free Edition.
> > > > > > Version: 7.5.472 / Virus Database: 269.8.9/832 - Release
> > > > > > Date: 04/06/2007
> > > > > > 06:43 p.m.
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > No virus found in this incoming message.
> > > > Checked by AVG Free Edition.
> > > > Version: 7.5.472 / Virus Database: 269.8.9/832 - Release
> > > > Date: 04/06/2007
> > > > 06:43 p.m.
> > > >
> > > >
> > >
> > >
> > >
> > > --
> > > No virus found in this incoming message.
> > > Checked by AVG Free Edition.
> > > Version: 7.5.472 / Virus Database: 269.8.9/832 - Release
> > > Date: 04/06/2007
> > > 06:43 p.m.
> > >
> > >
> > >
> > >
> > > ------------------------------
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users at openswan.org
> > > http://lists.openswan.org/mailman/listinfo/users
> > >
> > >
> > > End of Users Digest, Vol 43, Issue 15
> > > *************************************
> >
> >
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Free Edition.
> > Version: 7.5.472 / Virus Database: 269.8.9/832 - Release
> > Date: 04/06/2007
> > 06:43 p.m.
> >
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> >
> >
> > End of Users Digest, Vol 43, Issue 16
> > *************************************
>
>
>
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.472 / Virus Database: 269.8.9/832 - Release
> Date: 04/06/2007
> 06:43 p.m.
>
>
>
>
> ------------------------------
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
>
> End of Users Digest, Vol 43, Issue 17
> *************************************
More information about the Users
mailing list