[Openswan Users] Help required: Trouble setting up openswan
Peter McGill
petermcgill at goco.net
Wed Nov 28 10:39:36 EST 2007
This, in a line in your status or logs, indicates that you have a phase 1 connection:
STATE_MAIN_I4 (ISAKMP SA established)
This, in a line in your status or logs, indicates that you have a phase 2 connection:
STATE_QUICK_I2 (sent QI2, IPsec SA established)
Once you've received the IPsec SA established message you know the connection is connected.
If you cannot ping the remote side, it could be due to firewall rules or your conn settings, among other things.
You only get an ipsec0 interface if you're using KLIPS, which you only get if you specifically install it and turn off NETKEY, since NETKEY is enabled by default in most modern kernels. NETKEY is also sometimes known as NATIVE and does not have an ipsec0 interface; instead it reuses the public interface, whatever it is, in your case ppp0.
ipsec version or ipsec verify will tell you which one you're using, and are also good info to send to the list with your problem.
Are your ping tests being done to and from the servers themselves or from hosts on the subnets?
Either do your ping tests to and from hosts on the subnets or add leftsourceip=<left server LAN ip> and rightsourceip to your conn.
If you've done this and still can't ping, it may be your firewall. Are you running firewall software or iptables on either server or between them?
If so, you need to allow the IPsec traffic as follows:
protocol 17 (udp), port 500 (isakmp)
protocol 50 (esp)
protocol 17 (udp), port 4500 (nat-t) if you're using NAT traversal to get through network address translation routers between the hosts.
You also need to allow the ping and other traffic that utilizes the tunnels.
And you cannot NAT any of this traffic if you're SNATing or MASQUERADEing your LAN(s) to the internet.
Peter McGill
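As an added example (not code from the thread or from Openswan), a small Python parser that applies the two checks above to `ipsec auto --status` output: it reports per connection whether the ISAKMP and IPsec SAs are established, and whether srcip/dstip are unset (no leftsourceip/rightsourceip). It extends the initiator-side state names quoted above with Pluto's responder-side equivalents (STATE_MAIN_R3, STATE_QUICK_R2); the sample lines are taken from Phil's status output quoted below.

```python
import re

# Constructed sample: status lines copied from the thread's `ipsec auto --status` output.
SAMPLE_STATUS = """\
000 "bravo-zulu": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""

# Established states. The thread names the initiator side (I4 / I2); the
# responder-side equivalents (R3 / R2) are Pluto's names for the same points.
PHASE1_UP = {"STATE_MAIN_I4", "STATE_MAIN_R3"}
PHASE2_UP = {"STATE_QUICK_I2", "STATE_QUICK_R2"}

STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+)')
SRCIP_RE = re.compile(r'^000 "([^"]+)": srcip=(\S+); dstip=(\S+);')


def parse_status(text):
    """Return {conn: {"phase1", "phase2", "states", "srcip", "dstip"}} from status output."""
    conns = {}
    blank = {"phase1": False, "phase2": False, "states": {}, "srcip": None, "dstip": None}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:  # one "#N" line per SA; the state name tells us which phase it completed
            num, name, state = m.groups()
            c = conns.setdefault(name, dict(blank, states={}))
            c["states"][int(num)] = state
            c["phase1"] |= state in PHASE1_UP
            c["phase2"] |= state in PHASE2_UP
            continue
        m = SRCIP_RE.match(line)
        if m:  # per-conn line showing whether leftsourceip/rightsourceip were set
            c = conns.setdefault(m.group(1), dict(blank, states={}))
            c["srcip"], c["dstip"] = m.group(2), m.group(3)
    return conns


def diagnose(conns):
    """Apply the thread's checks and return one finding per line."""
    notes = []
    for name, c in sorted(conns.items()):
        if not c["phase1"]:
            notes.append(f"{name}: no ISAKMP SA (phase 1 not established)")
        elif not c["phase2"]:
            notes.append(f"{name}: phase 1 up, no IPsec SA (phase 2 not established)")
        else:
            notes.append(f"{name}: tunnel up (ISAKMP and IPsec SA established)")
        if c["srcip"] == "unset" and c["dstip"] == "unset":
            notes.append(f"{name}: srcip/dstip unset; test from LAN hosts or set leftsourceip/rightsourceip")
    return notes
```

Feed it the full `ipsec auto --status` output (for example via `sys.stdin.read()`); lines that are not state or srcip lines are ignored.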
_____
From: Phil Wild [mailto:philwild at gmail.com]
Sent: November 28, 2007 10:14 AM
To: Paul Wouters; petermcgill at goco.net; Users at openswan.org
Subject: Re: [Openswan Users] Help required: Trouble setting up openswan
Hi
I have fixed the routing table and I think I have progressed a little further. I have also turned off the plutodebug.
netstat -rn shows
root at zulu:~# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
203.161.90.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.3.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.10.0 203.161.90.1 255.255.255.0 UG 0 0 0 ppp0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
Should I see an ipsec interface here?
I am still unsure if I am actually getting a valid connection. What I do know is that I cannot ping through the VPN.
running ipsec auto --status gives me:
root at bravo:/var/log# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.2
000 interface eth1/eth1 202.72.167.27
000 interface eth1:1/eth1:1 202.72.167.29
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; erouted; eroute owner: #3
000 "bravo-zulu": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bravo-zulu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bravo-zulu": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "bravo-zulu": newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "bravo-zulu": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28026s; newest IPSEC; eroute owner
000 #3: "bravo-zulu" esp.2549d809 at 203.161.71.190 esp.f6c5b82a at 202.72.167.27 tun.0 at 203.161.71.190 tun.0 at 202.72.167.27
000 #2: "bravo-zulu":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26858s
000 #2: "bravo-zulu" esp.b72ad41a at 203.161.71.190 esp.e40902a at 202.72.167.27 tun.0 at 203.161.71.190 tun.0 at 202.72.167.27
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1543s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
ifconfig -a does not show an ipsec0 interface, should I see an ipsec interface on the hosts?
Cheers
Phil
On 27/11/2007, Paul Wouters <paul at xelerance.com> wrote:
On Mon, 26 Nov 2007, Phil Wild wrote:
> I posted the below to the list about a week ago and did not get any
> responses. Does anyone have any ideas what is going wrong with my
> configuration as I have not been able to get any further.
> > Nov 20 14:25:15 bravo ipsec__plutorun: ...could not start conn "bravo-zulu"
> > netstat -rn on host zulu shows:
> >
> > Destination Gateway Genmask Flags MSS Window irtt Iface
> > 203.161.90.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> > 10.3.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> > 192.168.10.0 203.161.90.1 255.255.255.0 UG 0 0 0 ppp0
> > 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
Blame your ISP if that is really the default route you got. Try changing to
something that might make sense. Run a traceroute and check what your real gateway
is, then do a "route add -host ipofgw dev ppp0" and "route add default gw ipofgw"
Paul
--
Tel: 0400 466 952
Fax: 0433 123 226
email: philwild at gmail.com