[Openswan Users] site-to-site ipsec contivity 1750 with openswan

Peter McGill petermcgill at goco.net
Tue May 22 09:07:26 EDT 2007


Marcos,

Alright, the conf does not load the conn at all; otherwise the
conn looks good. Do you start it manually?
Set auto=start, and initiate from the openswan side; it works better
than letting the nortel initiate.
If that doesn't solve it for you, also try these.

Did you setup your ipsec.secrets file?

/etc/ipsec.secrets
200.186.xxx.xx 200.198.xxx.xxx : PSK "preshared secret here"

Also, set the debug options to none, klipsdebug=none and plutodebug=none;
the standard logging is usually enough. Then send us the full pluto log for
the connection.

Just to verify, what openswan version are you running? 2.x?
ipsec --version
 
Peter McGill
 


________________________________

	From: Marcos Abadi [mailto:marcosabadi at gmail.com] 
	Sent: May 20, 2007 7:07 PM
	To: petermcgill at goco.net
	Subject: Re: [Openswan Users] site-to-site ipsec contivity 1750 with openswan
	
	
	I am not able to establish a connection using PSK. My server is Debian 3.1, kernel 2.6.11.12, with a Nortel 1750.
	
	My configuration
	------------------------------------------
	
	version 2.0     # conforms to second version of ipsec.conf specification
	
	# basic configuration
	config setup
	        interfaces="ipsec0=eth3.300"
	        # Debug-logging controls:  "none" for (almost) none, "all" for lots. 
	        klipsdebug=all
	        plutodebug="control parsing"
	        nat_traversal=yes
	        uniqueids=yes
	
	
	#Disable Opportunistic Encryption
	include /etc/ipsec.d/examples/no_oe.conf
	
	
	conn umesp
	        left=200.186.xxx.xx
	        leftsubnet=10.11.193.0/24
	        right=200.198.xxx.xxx
	        rightsubnet=10.0.1.0/24 
	        keyexchange=ike
	        ike=3des-md5-modp1024
	        esp=3DES-md5
	        compress=yes
	        authby=secret
	        type=tunnel
	        pfs=yes
	
	
	conn block
	    auto=ignore
	
	conn private
	    auto=ignore
	
	conn private-or-clear
	    auto=ignore
	
	conn clear-or-private
	    auto=ignore
	
	conn clear
	    auto=ignore
	
	conn packetdefault
	    auto=ignore
	
	
	----------------------------------------------------------------------
	
	Log
	
	May 20 20:01:48 fw1-imec ipsec__plutorun: Starting Pluto subsystem...
	May 20 20:01:48 fw1-imec pluto[1331]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
	May 20 20:01:48 fw1-imec pluto[1331]:   including NAT-Traversal patch (Version 0.6c)
	May 20 20:01:48 fw1-imec pluto[1331]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds 
	May 20 20:01:48 fw1-imec pluto[1331]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
	May 20 20:01:48 fw1-imec pluto[1331]: Using Linux 2.6 IPsec interface code
	May 20 20:01:48 fw1-imec pluto[1331]: Changing to directory '/etc/ipsec.d/cacerts' 
	May 20 20:01:48 fw1-imec pluto[1331]: Could not change to directory '/etc/ipsec.d/aacerts'
	May 20 20:01:48 fw1-imec pluto[1331]: Changing to directory '/etc/ipsec.d/ocspcerts'
	May 20 20:01:48 fw1-imec pluto[1331]: Changing to directory '/etc/ipsec.d/crls' 
	May 20 20:01:48 fw1-imec pluto[1331]:   Warning: empty directory
	May 20 20:01:48 fw1-imec pluto[1331]: | inserting event 11??, timeout in 14292 seconds
	May 20 20:01:48 fw1-imec pluto[1331]: | next event EVENT_REINIT_SECRET in 3600 seconds 
	May 20 20:01:48 fw1-imec pluto[1331]: |
	May 20 20:01:48 fw1-imec pluto[1331]: | *received w
	 packet from 200.186.xxx.xx:500: ignoring Vendor ID payload [424e45530000000a]
	May 20 20:02:42 fw1-imec pluto[1331]: packet from 200.186.xxx.xx:500: received Vendor ID payload [Dead Peer Detection]
	May 20 20:02:42 fw1-imec pluto[1331]: packet from 200.186.xxx.xx:500: initial Main Mode message received on 200.198.105.235:500 but no connection has been authorized
	May 20 20:02:42 fw1-imec pluto[1331]: | next event EVENT_REINIT_SECRET in 3546 seconds
	
	On 5/18/07, Peter McGill <petermcgill at goco.net> wrote: 

		Well, I use Slackware Linux, but it shouldn't really matter; any Linux/BSD should do.
		More important is to get the latest Openswan, 2.4.7, for all the bug fixes, features, etc.
		 
		Have you used Openswan before? If not, be sure to read up on it.
		You'll need to setup your firewall rules to allow the IPSec encrypted and unencrypted
		traffic.
		 
		Peter McGill
		 


________________________________

			From: Marcos Abadi [mailto:marcosabadi at gmail.com] 
			Sent: May 18, 2007 3:08 PM
			To: petermcgill at goco.net
			Subject: Re: [Openswan Users] site-to-site ipsec contivity 1750 with openswan
			
			
			Thanks Peter,
			
			Which operating system do you use to connect to the Nortel?
			
			
			
			On 5/18/07, Peter McGill < petermcgill at goco.net <mailto:petermcgill at goco.net> > wrote: 

				> -----Original Message-----
				> Date: Fri, 18 May 2007 10:19:17 -0300 
				> From: "Marcos Abadi" <marcosabadi at gmail.com>
				> Subject: [Openswan Users] site-to-site ipsec contivity 1750 with
				>       openswan
				> To: users at openswan.org
				>
				> Does somebody know how to implement a site-to-site IPsec VPN
				> connection with a Nortel Contivity 1750 using openswan?
				
				I have years of experience with Nortel and openswan, with
				multiple versions of each. Things don't change much between the
				versions.
				
				For 3DES/Triple DES encryption...
				
				Openswan setup
				/etc/ipsec.conf
				conn nortel-172-26-net-to-openswan-net
				        left=<openswan public ip>
				        leftnexthop=%defaultroute
				        leftsubnet=172.21.0.0/16
				        alsoflip=nortel-switch   # pull in nortel-switch with left/right swapped
				        rightsubnet=172.26.0.0/16
				        auto=start
				
				conn nortel-192-168-net-to-openswan-net
				        left=<openswan public ip>
				        leftnexthop=%defaultroute
				        leftsubnet=172.21.0.0/16
				        alsoflip=nortel-switch
				        rightsubnet=192.168.0.0/16
				        auto=start
				
				conn nortel-switch
				        left=<nortel public ip>
				        leftnexthop=%defaultroute
				        also=nortel   # shared IKE/ESP policy below
				
				conn nortel
				        keyexchange=ike
				        aggrmode=no
				        auth=esp
				        ike=3des-md5-modp1024
				        esp=3des-md5
				        pfs=yes
				        compress=yes
				        ikelifetime=12.0h # 1.0h
				        keylife=12.0h # 8.0h
				        authby=secret
				
				To fix a glitch with connection renewals...
				This + the 12 hour lifetime keeps conn running
				during office hours 7am-6pm mon-fri.
				crontab -e/l
				# Reset nortel Connection at 7:00 every weekday:
				0 7 * * 1-5 /root/nortel-reset > /dev/null 2>&1
				
				/root/nortel-reset
				#!/bin/bash
				IPSEC=/usr/local/sbin/ipsec
				$IPSEC auto --down nortel-192-168-net-to-openswan-net 
				$IPSEC auto --down nortel-172-26-net-to-openswan-net
				$IPSEC auto --up nortel-192-168-net-to-openswan-net
				$IPSEC auto --up nortel-172-26-net-to-openswan-net
				
				Nortel setup
				Branch office
				        Connectivity 
				                Idle Timeout 00:00:00
				        IPSec
				                Encryption
				                        ESP - Triple DES with MD5 Integrity Checked/Enabled
				                        Others Unchecked/Disabled
				                IKE Encryption and Diffie-Hellman Group
				                        Triple DES with Group 2 (1024-bit prime)
				                Aggressive Mode ISAKMP Initial Contact Payload Disabled
				                Perfect Forward Secrecy Enabled 
				                Compression Enabled
				                Rekey Timeout 12:00:00 (hours)
				                Keepalive (On-demand connections) Disabled
				
				Peter
				
				




			-- 
			Marcos Abadi
			CCNA - Cisco Certified 
			CSCO10868158
			LPI - Linux Certified
			LPI ID: LPI000064006  
			User Linux #385452
			Porto Alegre - RS
			Fone:(51)9975-2060 





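As an added worked example (not code from this thread or from the Openswan project), here is a small Python checker that automates the points raised in the replies above. It parses an ipsec.conf, resolves also=/alsoflip= the way Peter's nortel-switch layout relies on (alsoflip pulls the named section in with every left*/right* key swapped, and keys set in the including conn win; that is my reading of the ipsec.conf semantics), flags conns with no auto= (Openswan's default is ignore, so Pluto never loads them, which is the "no connection has been authorized" symptom in Marcos's log), checks that an authby=secret conn has a PSK line in ipsec.secrets for its two endpoints, and ties a "no connection has been authorized" log line back to the conn that names both ends. The sample config, secrets line and log line are constructed for the example with documentation addresses; the PSK matching is a simplification of Pluto's lookup, and the parser does not follow include files.

```python
# Added example, not code from the thread or from Openswan itself.
import re

SAMPLE_CONF = """\
conn umesp                  # shaped like Marcos's conn: no auto=, no PSK line
        left=192.0.2.1
        leftsubnet=10.11.193.0/24
        right=198.51.100.2
        rightsubnet=10.0.1.0/24
        authby=secret

conn nortel-172-26-net      # shaped like Peter's conn: alsoflip -> also chain
        left=203.0.113.10
        alsoflip=nortel-switch
        auto=start

conn nortel-switch
        left=198.51.100.20
        leftnexthop=%defaultroute
        also=nortel

conn nortel
        authby=secret
"""
SAMPLE_SECRETS = '203.0.113.10 198.51.100.20 : PSK "example-secret"\n'
SAMPLE_LOG = ["May 20 20:02:42 fw1-imec pluto[1331]: packet from 198.51.100.2:500: initial Main Mode message received on 192.0.2.1:500 but no connection has been authorized"]

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)$")
PARAM_RE = re.compile(r"^\s+(\w+)\s*=\s*(.*)$")
NOT_AUTHORIZED_RE = re.compile(r"packet from ([\d.]+):\d+: initial Main Mode message received on ([\d.]+):\d+ but no connection has been authorized")

def parse_ipsec_conf(text):
    """{conn name: raw params}. '#' comments stripped; include files not followed; config setup discarded."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith(("version", "include")):
            current = None
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = {} if sec.group(1) == "config" else conns.setdefault(sec.group(2), {})
            continue
        par = PARAM_RE.match(line)
        if current is None or not par:
            raise ValueError("cannot parse ipsec.conf line: %r" % raw)
        current[par.group(1)] = par.group(2).strip().strip('"')
    return conns

def _flip(p):  # alsoflip= semantics: every left* key becomes right* and vice versa
    return {("right" + k[4:] if k.startswith("left") else
             "left" + k[5:] if k.startswith("right") else k): v for k, v in p.items()}

def resolve_conn(name, conns, seen=()):
    """Merge also=/alsoflip= sections in recursively; keys set in the including conn win."""
    if name in seen:
        raise ValueError("also= loop: " + " -> ".join(seen + (name,)))
    own = conns[name]
    merged = {k: v for k, v in own.items() if k not in ("also", "alsoflip")}
    for key, flip in (("also", False), ("alsoflip", True)):
        if key in own:
            inc = resolve_conn(own[key], conns, seen + (name,))
            for k, v in (_flip(inc) if flip else inc).items():
                merged.setdefault(k, v)
    return merged

def parse_secrets(text):
    """Id lists of the 'ids : PSK "..."' lines; an empty id list matches any peer."""
    return [m.group(1).split() for m in
            (re.match(r"^(.*?)\s*:\s*PSK\s", l.strip()) for l in text.splitlines()) if m]

def psk_covers(ids, left, right):
    # Simplified view of Pluto's secret lookup: both ends listed (or %any), or no ids at all.
    return not ids or all(h in ids or "%any" in ids for h in (left, right))

def check(conf_text, secrets_text, log_lines=()):
    """Findings for conns Pluto will not bring up, plus notes on 'no connection has been authorized' lines."""
    conns, secrets, out = parse_ipsec_conf(conf_text), parse_secrets(secrets_text), []
    templates = {c[k] for c in conns.values() for k in ("also", "alsoflip") if k in c}
    resolved = {n: resolve_conn(n, conns) for n in conns if n not in templates}
    for name, c in resolved.items():
        if "auto" not in c and "left" in c:
            out.append("conn %s: no auto= (default ignore), so Pluto never loads it; set auto=start" % name)
        if c.get("authby", "rsasig") == "secret":  # Openswan's default authby is rsasig
            ends = (c.get("left", "?"), c.get("right", "?"))
            if not any(psk_covers(ids, *ends) for ids in secrets):
                out.append("conn %s: authby=secret but ipsec.secrets has no PSK for %s %s" % ((name,) + ends))
    for m in filter(None, map(NOT_AUTHORIZED_RE.search, log_lines)):
        peer, local = m.groups()
        hits = [n for n, c in resolved.items() if {c.get("left"), c.get("right")} == {peer, local}]
        for n in hits:
            why = "auto=" + resolved[n]["auto"] if "auto" in resolved[n] else "no auto=, so it was never loaded"
            out.append("log: peer %s matches conn %s, which has %s" % (peer, n, why))
        if not hits:
            out.append("log: peer %s matches no conn naming both %s and %s" % (peer, local, peer))
    return out
```

Call check(SAMPLE_CONF, SAMPLE_SECRETS, SAMPLE_LOG) to run it on the sample: it reports the missing auto= and the missing PSK for umesp and points the log line at umesp, while staying silent about the alsoflip chain, which resolves to a complete conn with auto=start and a matching secret.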


