[Openswan Users] Subnet-to-subnet configuration problem

Julien GROSJEAN - Proxiad j.grosjean at proxiad.com
Wed Jun 13 08:20:44 EDT 2007


Ok, so, in fact, I had to use a pre-shared key to connect the subnets.

So, here is my ipsec.conf file:

#### BEGIN  IPSEC.CONF ###

config setup
        # NAT-TRAVERSAL support, see README.NAT-Traversal
         nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
         interfaces="ipsec0=eth0"
        # plutoload=%search
         pfs=NO
         type=tunnel

conn net-to-net
    authby=secret
    left=192.168.10.55
    leftsubnet=192.169.10.0/24
    leftid=@vpnannexe
    leftnexthop=192.168.10.1
    right=193.x.x.x
    rightsubnet=10.1.11.0/24
    esp=3des-md5
    keyexchange=ike
    auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

### END ###

My ipsec.secrets file:

#### BEGIN SECRETS FILE ####
: PSK "MySecretKEY"
#### END ###

Here are the logs:

#### BEGIN LOGS ###
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.4  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=109
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: enabling possible NAT-traversal with method 3
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: I did not send a certificate because I do not have one.
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: NAT-Traversal: Result using 3: both are NATed
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Jun 12 23:56:22 vpnannexe pluto[2676]: "net-to-net" #1: received and ignored informational message
Jun 12 23:56:23 vpnannexe pluto[2676]: "net-to-net" #2: Main mode peer ID is ID_FQDN: '@vpnagence'
Jun 12 23:56:23 vpnannexe pluto[2676]: "net-to-net" #2: no suitable connection for peer '@vpnagence'
Jun 12 23:56:23 vpnannexe pluto[2676]: "net-to-net" #2: sending encrypted notification INVALID_ID_INFORMATION to 193.x.x.x:500
### END ###

vpnannexe is the Openswan server the logs come from; vpnagence is the remote VPN server.
The logs are exactly the same on both servers...

Any help is appreciated.

Regards.
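Added here as a diagnostic aid, not code from the original post or from Openswan: it reads the conn section and the pluto "Main mode peer ID" lines to show why the peer is answered with INVALID_ID_INFORMATION, since Openswan matches the ID the peer presents against rightid, and rightid defaults to the right address when it is not set. The config fragment and its public address are constructed (the post masks it as 193.x.x.x); the two log lines are the ones from the post.

```python
import re

# Constructed ipsec.conf fragment mirroring the post; 198.51.100.7 stands in
# for the masked public address.
IPSEC_CONF = """\
conn net-to-net
    authby=secret
    left=192.168.10.55
    leftid=@vpnannexe
    right=198.51.100.7
    rightsubnet=10.1.11.0/24
"""

# pluto log lines quoted from the post
PLUTO_LOG = """\
Jun 12 23:56:23 vpnannexe pluto[2676]: "net-to-net" #2: Main mode peer ID is ID_FQDN: '@vpnagence'
Jun 12 23:56:23 vpnannexe pluto[2676]: "net-to-net" #2: no suitable connection for peer '@vpnagence'
"""

PEER_ID_RE = re.compile(r"Main mode peer ID is (\w+): '([^']*)'")


def parse_conn(conf_text, name):
    """Return the key=value pairs of one 'conn <name>' section of ipsec.conf."""
    params, in_conn = {}, False
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments
        if not stripped:
            continue
        if not line[0].isspace():                  # unindented: a new section
            in_conn = stripped == f"conn {name}"
            continue
        if in_conn and "=" in stripped:
            key, value = stripped.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def expected_peer_id(params):
    """Openswan matches the peer against rightid, or the right address if unset."""
    return params.get("rightid") or params.get("right")


def presented_peer_ids(log_text):
    """Collect (id_type, id_value) pairs the remote announced in Main mode."""
    return [m.groups() for m in PEER_ID_RE.finditer(log_text)]


def diagnose(conf_text, conn, log_text):
    """Report each presented peer ID that the local conn cannot match."""
    expected = expected_peer_id(parse_conn(conf_text, conn))
    return [f"{conn}: peer presented {id_type} {value!r} but local conn expects "
            f"{expected!r}; set rightid={value} to match"
            for id_type, value in presented_peer_ids(log_text) if value != expected]
```

Running `diagnose(IPSEC_CONF, "net-to-net", PLUTO_LOG)` reports the @vpnagence/198.51.100.7 mismatch; adding `rightid=@vpnagence` to the fragment makes it return an empty list.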


Julien GROSJEAN - Proxiad wrote:
> Hello,
>
> I modified my configuration after reading again and I found my mistakes...
>
> I enabled NAT-TRAVERSAL.
> It seems to be trying to connect, but... here are the logs, exactly the same 
> on both boxes:
>
>
> ### STARTING LOGS ###
>
> 104 "net-to-net" #1: STATE_MAIN_I1: initiate
> 003 "net-to-net" #1: received Vendor ID payload [Openswan (this version) 2.4.4  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "net-to-net" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "net-to-net" #1: received Vendor ID payload [RFC 3947] method set to=109
> 106 "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "net-to-net" #1: NAT-Traversal: Result using 3: both are NATed
> 108 "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "net-to-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION
> 003 "net-to-net" #1: received and ignored informational message
>
> 010 "net-to-net" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "net-to-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION
> 003 "net-to-net" #1: received and ignored informational message
> 003 "net-to-net" #1: discarding duplicate packet; already STATE_MAIN_I3
>
> ...
> ### ENDING LOGS ###
>
>
> And always the same message.
> Can you tell me where the problem is?
>
> Here are my conf files:
>
> ##### FIRST CONF FILE ######
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>          nat_traversal=yes
>         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>          interfaces="ipsec0=eth0"
>         # plutoload=%search
>
> conn net-to-net
>     left=192.168.10.55
>     leftsubnet=192.169.10.0/24
>     leftid=@192.168.10.55
>     leftrsasigkey=0sAQPSJVkiFSp5E7VR6u+RGs...
>     leftnexthop=192.168.10.1
>     right=193.x.x.x
>     rightsubnet=10.1.11.0/24
>     rightrsasigkey=0sAQPAXKfwyOzCtzo2DoGwhh...
>     auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> ##### END OF FIRST CONF FILE #####
>
> #### SECOND CONF FILE #####
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>          nat_traversal=yes
>         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>          interfaces="ipsec0=eth1"
>         # plutoload=%search
>
> conn net-to-net
>     left=10.1.11.39
>     leftsubnet=10.1.11.0/24
>     leftid=@10.1.11.39
>     leftrsasigkey=0sAQPAXKfw....
>     leftnexthop=10.1.11.21
>     right=217.x.x.x
>     rightsubnet=192.168.10.0/24
>     rightrsasigkey=0sAQPSJVkiFSp5E7VR6u+....
>     auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> ### END OF SECOND CONF FILE ###
>
>
> Perhaps a wrong leftid and rightid?
> What about these parameters?
> Can you help me? :-)
>
> Thx in advance.
>