[Openswan Users] Subnets conmunication?

IT Dept. it at technovation.com.sv
Wed Jun 6 13:13:16 EDT 2007 

Ok i tryed

iptables -t filter -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

But nothing change...

Hector


-----Mensaje original-----
De: Peter McGill [mailto:petermcgill at goco.net] 
Enviado el: Miércoles, 06 de Junio de 2007 10:47 a.m.
Para: it at technovation.com.sv
CC: users at openswan.org
Asunto: RE: [Openswan Users] Subnets conmunication?

> -----Original Message-----
> Date: Wed, 6 Jun 2007 09:04:58 -0600
> From: "IT Dept." <it at technovation.com.sv>
> Subject: Re: [Openswan Users] Subnets conmunication?
> To: <users at openswan.org>
> 
> Ok....here is my last conf
> 
> conn sucursal_40
> 	authby=secret
> 	auto=add
> 	esp=3des-md5
> 	ikelifetime=3600s
> 	keylife=3600s
> 	left=208.70.149.161
> 	leftrsasigkey=(the Key)
> 	leftsubnet=192.168.0.0/16
> 	pfs=yes
> 	right=190.53.0.113
> 	rightsubnet=192.168.40.0/24
> 
> conn sucursal_50
> 	authby=secret
> 	auto=add
> 	esp=3des-md5
> 	ikelifetime=3600s
> 	keylife=3600s
> 	left=208.70.149.161
> 	leftrsasigkey=(the Key)
> 	leftsubnet=192.168.0.0/16
> 	pfs=yes
> 	right=%any
> 	rightsubnet=192.168.50.0/24
> 
> and this is the log
> 
> Jun  6 09:59:29 vpn pluto[5269]: "sucursal_50"[1] 66.201.165.11 #1:
> responding to Main Mode from unknown peer 66.201.165.11
> Jun  6 09:59:29 vpn pluto[5269]: "sucursal_50"[1] 66.201.165.11 #1:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[1] 66.201.165.11 #1:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[1] 66.201.165.11 #1:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[1] 66.201.165.11 #1:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[1] 
> 66.201.165.11 #1: Main
> mode peer ID is ID_IPV4_ADDR: '10.8.213.31'
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[2] 
> 66.201.165.11 #1: deleting
> connection "sucursal_50" instance with peer 66.201.165.11
> {isakmp=#0/ipsec=#0}
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[2] 
> 66.201.165.11 #1: I did
> not send a certificate because I do not have one.
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #1:
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #1:
> STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #2:
> responding to Quick Mode {msgid:763f514c}
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #2:
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun  6 09:59:30 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #2:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jun  6 09:59:31 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #2:
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> 
> 
> Jun  6 09:59:31 vpn pluto[5269]: "sucursal_50"[2] 66.201.165.11 #2:
> STATE_QUICK_R2: IPsec SA established {ESP=>0x80f41efc <0x9623ac90 
> 
> 
> 
> xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
> Jun  6 09:59:37 vpn pluto[5269]: "sucursal_40" #3: responding 
> to Main Mode
> Jun  6 09:59:37 vpn pluto[5269]: "sucursal_40" #3: transition 
> from state
> STATE_MAIN_R0 to state STATE_MAIN_R1
> Jun  6 09:59:37 vpn pluto[5269]: "sucursal_40" #3: 
> STATE_MAIN_R1: sent MR1,
> expecting MI2
> Jun  6 09:59:38 vpn pluto[5269]: "sucursal_40" #3: transition 
> from state
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Jun  6 09:59:38 vpn pluto[5269]: "sucursal_40" #3: 
> STATE_MAIN_R2: sent MR2,
> expecting MI3
> Jun  6 09:59:40 vpn pluto[5269]: "sucursal_40" #3: Main mode 
> peer ID is
> ID_IPV4_ADDR: '190.53.0.113'
> Jun  6 09:59:40 vpn pluto[5269]: "sucursal_40" #3: I did not send a
> certificate because I do not have one.
> Jun  6 09:59:40 vpn pluto[5269]: "sucursal_40" #3: transition 
> from state
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Jun  6 09:59:40 vpn pluto[5269]: "sucursal_40" #3: 
> STATE_MAIN_R3: sent MR3,
> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
> cipher=oakley_3des_cbc_192
> prf=oakley_md5 group=modp1024}
> Jun  6 09:59:41 vpn pluto[5269]: "sucursal_40" #4: responding 
> to Quick Mode
> {msgid:720c424e}
> Jun  6 09:59:41 vpn pluto[5269]: "sucursal_40" #4: transition 
> from state
> STATE_QUICK_R0 to state STATE_QUICK_R1
> Jun  6 09:59:41 vpn pluto[5269]: "sucursal_40" #4: 
> STATE_QUICK_R1: sent QR1,
> inbound IPsec SA installed, expecting QI2
> Jun  6 09:59:43 vpn pluto[5269]: "sucursal_40" #4: transition 
> from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> 
> 
> Jun  6 09:59:43 vpn pluto[5269]: "sucursal_40" #4: 
> STATE_QUICK_R2: IPsec SA
> established {ESP=>0xdf2786d4 <0x4c0b74b3 xfrm=3DES_0-HMAC_MD5 
> NATD=none
> DPD=none}
> 
> But I cant ping between subnets.....

Alright your connections are working, they are connected.

See both IPSec SA established in logs.

If you still can't ping between the two that probably means
That your firewall rules are droping the packets.

You may need to add a rule to your firewall like this.

iptables -t filter -A FORWARD -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT

Peter



-- 
No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.472 / Virus Database: 269.8.11/836 - Release Date: 06/06/2007
01:10 p.m.

More information about the Users mailing list