[Openswan Users] Subnet-to-subnet configuration problem

Julien GROSJEAN - Proxiad j.grosjean at proxiad.com
Tue Jun 12 09:28:47 EDT 2007


Hello,

I want to connect two subnets over the Internet with VPN/ADSL routers
which accept VPN passthrough.


Here is my configuration:

10.1.11.0/24        left subnet
        |
10.1.11.39            OpenSwan on CentOS Server
 LEFT/Gateway/Router
 10.1.11.21           Router Private address
         |
193.x.x.x            PUBLIC ADDRESS LEFT
   [Internet]
217.x.x.x            PUBLIC ADDRESS RIGHT
         |
192.168.10.1            right
     RIGHT/Gateway/Router
192.168.10.55      OpenSwan on CentOS server
         |
192.168.10.0/24           right subnet


I tried a lot of solutions, detailed below:


Here is my /etc/ipsec.conf file on both boxes for the first solution:

(Just the interface changes to ipsec0=eth1 in the left ipsec file)

######## BEGIN IPSEC.CONF FILE #########
config setup
         interfaces="ipsec0=eth0"

conn net-to-net
    left=10.1.11.39
    leftsubnet=10.1.11.0/24
    leftrsasigkey=0sAQPAXKfwyOzivJcLrqytpNR/BlmKOkvTKpPWUAPdt
    leftnexthop=193.x.x.x
    right=192.168.10.55
    rightsubnet=192.168.10.0/24
    rightrsasigkey=0sAQPSJVkiFYTgqCRsQUafz15D0ObiT20QuoqJGWF1  
    rightnexthop=217.x.x.x
    auto=add 

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

##### END OF FILE #######

When I run ipsec auto --up net-to-net, here is the result:

104 "net-to-net" #1: STATE_MAIN_I1: initiate
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "net-to-net" #1: STATE_MAIN_I1: retransmission; will wait 40s for response

on both boxes...


Results of ipsec auto --status on the RIGHT box:

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.55
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net": 192.168.10.0/24===192.168.10.55---217.x.x.x...193.x.x.x---10.1.11.39===10.1.11.0/24; unrouted; eroute owner: #0
000 "net-to-net":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "net-to-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "net-to-net":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 15s; nodpd
000 #1: pending Phase 2 for "net-to-net" replacing #0
000


ipsec auto --status on the LEFT box:

000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.1.11.39
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net": 10.1.11.0/24===10.1.11.39---193.x.x.x...217.x.x.x---192.168.10.55===192.168.10.0/24; unrouted; eroute owner: #0
000 "net-to-net":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "net-to-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "net-to-net":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 36s; nodpd
000 #1: pending Phase 2 for "net-to-net" replacing #0
000

This way seems good to me because it's a little bit like my schema:
10.1.11.0/24===10.1.11.39---193.x.x.x...217.x.x.x---192.168.10.55===192.168.10.0/24

So I try another configuration and just modify the left and right parameters:

conn net-to-net
    left=10.1.11.21
    leftsubnet=10.1.11.0/24
    leftrsasigkey=0sAQPAXKfwyOzivJcLrqytpNR/BlmKOkvTKpPWUAPdt
    leftnexthop=193.x.x.x
    right=192.168.10.1
    rightsubnet=192.168.10.0/24
    rightrsasigkey=0sAQPSJVkiFYTgqCRsQUafz15D0ObiT20QuoqJGWF1  
    rightnexthop=217.x.x.x
    auto=add

but openswan is not happy:
022 "net-to-net": We cannot identify ourselves with either end of this connection.

So I should put my openswan IP in the conf file, but where? I tried every
parameter I could think of, but with no good result...



I tried this one too:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         interfaces="ipsec0=eth0"
        # plutoload=%search

conn net-to-net
    left=10.1.11.39
    leftsubnet=10.1.11.0/24
    leftrsasigkey=0sAQPAXKfwyOzivJcLrqytpNR/BlmKOkvTKpPWUAP
    leftnexthop=10.1.11.21
    right=192.168.10.55
    rightsubnet=192.168.10.0/24
    rightrsasigkey=0sAQPSJVkiFSp5E7VR6u+RGsYgPR+bOVRgMTnfvi
    rightnexthop=192.168.10.1
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

It tries to connect, but there are no PUBLIC ADDRESSES, so how can we talk??
I don't understand... but I read a lot of tutorials and docs about
openswan before coming here... :-)


Any advice is welcome... ;-)
Cheers
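Added example, not part of the original post and not Openswan code: a small Python helper that applies, to the conn blocks and status output quoted above, the checks a gateway operator would run before touching RSA keys or firewall rules. It assumes (as a description of pluto's behaviour) that a conn is "oriented" only when left= or right= equals one of the addresses in the "000 interface ..." status lines, which is the condition behind the 022 "We cannot identify ourselves" message, and it assumes the posted topology, where the gateway's only interface sits inside its own leftsubnet/rightsubnet. The public addresses are elided on the page (193.x.x.x / 217.x.x.x), so TEST-NET placeholders stand in for them in the constructed samples; only literal addresses are handled, not %defaultroute or %any.

```python
"""Sanity checks for an Openswan subnet-to-subnet conn (added example).

Assumption about pluto: a conn is usable on a box only if left= or right=
equals a local interface address; otherwise pluto reports
'022 ... We cannot identify ourselves with either end of this connection.'
After orientation, two things are flagged that explain Main Mode retransmits
without reply: a peer address that is private (IKE to it cannot cross the
Internet) and a nexthop that is not on the local subnet (no on-link route).
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed samples. 198.51.100.1 / 203.0.113.1 are placeholders for the
# elided 193.x.x.x / 217.x.x.x public addresses.
CONN_FIRST = """
conn net-to-net
    left=10.1.11.39
    leftsubnet=10.1.11.0/24
    leftnexthop=198.51.100.1
    right=192.168.10.55
    rightsubnet=192.168.10.0/24
    rightnexthop=203.0.113.1
    auto=add
"""
CONN_ROUTER_ENDS = """
conn net-to-net
    left=10.1.11.21
    leftsubnet=10.1.11.0/24
    right=192.168.10.1
    rightsubnet=192.168.10.0/24
"""
STATUS_RIGHT = """\
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.55
"""
TOPOLOGY_LINE = ("192.168.10.0/24===192.168.10.55---217.x.x.x...193.x.x.x"
                 "---10.1.11.39===10.1.11.0/24; unrouted; eroute owner: #0")

SIDES = ("left", "right")
TOPO_RE = re.compile(r"(\S+?)===(\S+?)---(\S+?)\.\.\.(\S+?)---(\S+?)===(\S+?);")


def parse_conn(text: str) -> Dict[str, str]:
    """Turn one 'conn NAME' section into a dict; the name is stored under 'name'."""
    conn: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            conn["name"] = m.group(1)
        elif "=" in line:
            key, _, val = line.partition("=")
            conn[key.strip()] = val.strip()
    return conn


def local_addresses(status_text: str) -> List[str]:
    """Addresses from the '000 interface IF/IF ADDR' lines of 'ipsec auto --status'."""
    return re.findall(r"^000 interface \S+ (\S+)[ \t]*$", status_text, re.M)


def parse_topology(line: str) -> Dict[str, str]:
    """Split pluto's 'SUBNET===HOST---NEXTHOP...NEXTHOP---HOST===SUBNET' summary.

    pluto prints the local ('this') end first on an oriented conn.
    """
    m = TOPO_RE.search(line)
    if not m:
        raise ValueError("not a pluto connection summary line")
    keys = ("this_subnet", "this", "this_nexthop",
            "that_nexthop", "that", "that_subnet")
    return dict(zip(keys, m.groups()))


def orient(conn: Dict[str, str], local: List[str]) -> Optional[str]:
    """Return the side ('left'/'right') whose address is local, or None."""
    for side in SIDES:
        if conn.get(side) in local:
            return side
    return None


def diagnose(conn: Dict[str, str], local: List[str]) -> List[str]:
    """Findings for one conn as seen from the box whose interfaces are 'local'."""
    findings: List[str] = []
    side = orient(conn, local)
    if side is None:
        findings.append('022 "%s": We cannot identify ourselves with either '
                        "end of this connection." % conn.get("name", "?"))
        return findings
    peer = "right" if side == "left" else "left"
    if ipaddress.ip_address(conn[peer]).is_private:
        findings.append(f"{peer}={conn[peer]} is a private address: IKE sent to it "
                        "cannot traverse the Internet, so expect MI1 retransmits.")
    nexthop = conn.get(side + "nexthop")
    subnet = conn.get(side + "subnet")
    if nexthop and subnet and \
            ipaddress.ip_address(nexthop) not in ipaddress.ip_network(subnet):
        findings.append(f"{side}nexthop={nexthop} is not on {subnet}: the gateway "
                        "has no on-link route to it; use the router's LAN address.")
    return findings


if __name__ == "__main__":
    local = local_addresses(STATUS_RIGHT)
    for sample in (CONN_FIRST, CONN_ROUTER_ENDS):
        for finding in diagnose(parse_conn(sample), local):
            print(finding)
    print(parse_topology(TOPOLOGY_LINE))
```

Run on the first posted conn from the RIGHT box, the helper orients to "right" (192.168.10.55 is local) and then reports that left=10.1.11.39 is a private address and that rightnexthop is not on 192.168.10.0/24; run on the second conn (router addresses as left/right) it reproduces the 022 message, because neither end is a local interface.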



