[Openswan Users] Help required: Trouble setting up openswan

Phil Wild philwild at gmail.com
Wed Nov 28 10:13:40 EST 2007


Hi

I have fixed the routing table and I think I have progressed a little
further. I have also turned off the plutodebug.

netstat -rn shows

root@zulu:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.161.90.1    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    203.161.90.1    255.255.255.0   UG        0 0          0 ppp0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0


Should I see an ipsec interface here?

I am still unsure if I am actually getting a valid connection. What I do
know is that I cannot ping through the VPN.

Running ipsec auto --status gives me:

root@bravo:/var/log# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.2
000 interface eth1/eth1 202.72.167.27
000 interface eth1:1/eth1:1 202.72.167.29
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; erouted; eroute owner: #3
000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bravo-zulu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "bravo-zulu":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #3: "bravo-zulu" esp.2549d809@203.161.71.190 esp.f6c5b82a@202.72.167.27 tun.0@203.161.71.190 tun.0@202.72.167.27
000 #2: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26858s
000 #2: "bravo-zulu" esp.b72ad41a@203.161.71.190 esp.e40902a@202.72.167.27 tun.0@203.161.71.190 tun.0@202.72.167.27
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000


ifconfig -a does not show an ipsec0 interface. Should I see an ipsec
interface on the hosts?

Cheers

Phil

On 27/11/2007, Paul Wouters <paul at xelerance.com> wrote:
>
> On Mon, 26 Nov 2007, Phil Wild wrote:
>
> > I posted the below to the list about a week ago and did not get any
> > responses. Does anyone have any ideas what is going wrong with my
> > configuration as I have not been able to get any further.
>
> > > Nov 20 14:25:15 bravo ipsec__plutorun: ...could not start conn "bravo-zulu"
> > > netstat -rn on host zulu shows:
> > >
> > > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > > 203.161.90.1    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> > > 10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
> > > 192.168.10.0    203.161.90.1    255.255.255.0   UG        0 0          0 ppp0
> > > 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
>
> Blame your ISP if that is really the default route you got. Try changing to
> something that might make sense. Run a traceroute and check what your real
> gateway is, then do a "route add -host ipofgw dev ppp0" and
> "route add default gw ipofgw"
>
> Paul
>



-- 
Tel: 0400 466 952
Fax: 0433 123 226
email: philwild at gmail.com
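
Whether the tunnel negotiated can be read from the `ipsec auto --status` output quoted in the message: each `#N` line carries a pluto state and a parenthesised result. The following is an added example, not part of the original message or of Openswan; it re-joins the mail-wrapped lines and reports, per connection, whether the newest phase 1 and phase 2 SAs are established. The function names and the report layout are assumptions of this example.

```python
import re

# Lines copied from the status output in the message above, wrapped as mailed.
SAMPLE = '''\
000 "bravo-zulu":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #2: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 26858s
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
'''

NEWEST_RE = re.compile(r'^000 "([^"]+)":\s+newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)')
STATE_RE = re.compile(r'^000 #(\d+): "[^"]+":\d+ (STATE_\w+) \(([^)]*)\);?\s*(.*)$')

def unwrap(text):
    """Re-join mail-wrapped output: every real status line here starts with '000'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("000") or not lines:
            lines.append(raw.rstrip())
        elif raw.strip():
            lines[-1] += " " + raw.strip()
    return lines

def summarize(text):
    """Per connection, report whether its newest phase 1 / phase 2 SA is established."""
    newest, states = {}, {}
    for line in unwrap(text):
        if m := NEWEST_RE.match(line):
            newest[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := STATE_RE.match(line):
            states[int(m.group(1))] = m.groups()[1:]   # (state, result, events)
    report = {}
    for conn, (p1_id, p2_id) in newest.items():
        # An SA id with no matching state line (such as #0) is treated as down.
        p1 = states.get(p1_id, ("", "", ""))
        p2 = states.get(p2_id, ("", "", ""))
        life = re.search(r"EVENT_SA_REPLACE in (\d+)s", p2[2])
        report[conn] = {
            "phase1_state": p1[0], "phase1_up": "ISAKMP SA established" in p1[1],
            "phase2_state": p2[0], "phase2_up": "IPsec SA established" in p2[1],
            "phase2_replace_in_s": int(life.group(1)) if life else None,
        }
    return report

if __name__ == "__main__":
    for conn, info in summarize(SAMPLE).items():
        print(conn, info)
```

A report with both flags true, as for the sample, only shows that negotiation succeeded; it says nothing about routing or firewall rules between the two subnets.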