[Openswan Users] OpenSWAN node to node connection

Peter McGill petermcgill at goco.net
Thu Oct 11 14:09:07 EDT 2007


You must have the subnets set for your ping tests.
The only traffic that uses the tunnel is what matches your subnet lines.
If you want to ping from one openswan machine to the other openswan machine, then
either remove the subnet lines in the conf, or add left/rightsourceip parameters which match
your private IPs used for your ping tests.
Note: any time you change your confs you will need to reload your conn for the changes to take effect.
You can either:
ipsec auto --replace net-to-net
on both openswan's followed by a:
ipsec auto --up net-to-net
on one side, or reset both ipsec daemons:
ipsec restart
 
Try reading the man pages and doc files in the distribution; all this information is there.
 
Peter McGill
 
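To make the point above concrete, here is an added Python example (not from this thread and not Openswan's own code) that evaluates a conn's traffic selectors the way the IPsec policy does: a packet leaving the left gateway is carried by the tunnel only if its source is in leftsubnet and its destination in rightsubnet, each defaulting to the gateway's own /32 when the subnet line is absent. The 10.x subnets, the leftsourceip/rightsourceip values and the resolved %defaultroute address are hypothetical.

```python
import ipaddress

# Constructed samples (not from the thread). "%defaultroute" is resolved by
# the caller to the left box's own address, assumed here to be 192.168.1.100.
NET_TO_NET = """conn net-to-net
    left=%defaultroute
    leftsubnet=10.1.0.0/24      # hypothetical private LAN behind left
    right=192.168.1.101
    rightsubnet=10.2.0.0/24     # hypothetical private LAN behind right
"""
HOST_TO_HOST = """conn net-to-net
    left=%defaultroute
    right=192.168.1.101
"""

def parse_conn(text, defaultroute_ip="192.168.1.100"):
    """Parse one 'conn' section into a dict; strip comments, resolve %defaultroute."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip().replace("%defaultroute", defaultroute_ip)
    return conn

def selectors(conn):
    """Tunnel policy: leftsubnet/rightsubnet, each defaulting to the gateway's /32."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"), strict=False)
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"), strict=False)
    return left, right

def uses_tunnel(conn, src, dst):
    """True if a packet src->dst leaving the left gateway matches the policy and
    is therefore sent as ESP; anything else leaves in the clear, outside the tunnel."""
    left, right = selectors(conn)
    return ipaddress.ip_address(src) in left and ipaddress.ip_address(dst) in right

def gateway_ping_uses_tunnel(conn):
    """A ping typed on the left gateway is sourced from leftsourceip if set,
    otherwise from the gateway's own address (left); the target is likewise
    rightsourceip if set, otherwise right."""
    src = conn.get("leftsourceip", conn["left"])
    dst = conn.get("rightsourceip", conn["right"])
    return uses_tunnel(conn, src, dst)

def subnets_overlap(conn):
    """The other trap in this thread: the same subnet on both sides of the tunnel."""
    left, right = selectors(conn)
    return left.overlaps(right)
```

With the subnet lines present, a ping from the gateway itself is sourced from 192.168.1.100 and never matches 10.1.0.0/24, so it bypasses the tunnel; adding leftsourceip/rightsourceip inside the subnets, or dropping the subnet lines for a host-to-host conn, makes it match.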


  _____  

From: Vuppula, Srinivas [mailto:srinivas.vuppula at intel.com] 
Sent: October 11, 2007 1:58 PM
To: petermcgill at goco.net
Cc: users at openswan.org
Subject: RE: [Openswan Users] OpenSWAN node to node connection


It was a typo in the email only. The conf file had defaultroute.
I do get the SA established successfully... don't know why it worked today and not yesterday... maybe a reboot helped.
 
But the other thing I saw was that, once the SA tunnel is established... I cannot ping the 2 systems from each other... the ping hangs.
But while it hangs, tcpdump does show the packets with ESP. So the tunnel is fine and packets do cross...
 
Why does the ping fail from one system to the other...
 
Do I need to have 2 NICs on one linux box and get another system connected on the 2nd NIC and ping that from the other linux box...
 
Why doesn't the ping from laptop to gateway or vice versa work...
 
 

  _____  

From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: Thursday, October 11, 2007 10:44 AM
To: Vuppula, Srinivas; users at openswan.org
Subject: RE: [Openswan Users] OpenSWAN node to node connection


Well for one thing I don't think you can have the same subnet on both sides of the tunnel.
I suggest removing the subnet lines in the conf, for a host to host tunnel.
Also you spelt left=%defaultroute incorrectly as left=%defaultroot in your Left ipsec.conf.
 
i.e.
Left ipsec.conf:
conn net-to-net
    left=%defaultroute
    leftnexthop=%defaultroute
    leftid=@left.com
    leftrsasigkey=...
    # leftsubnet=192.168.1.100/32 # defaults to left
    right=192.168.1.101
    rightid=@right.com
    rightrsasigkey=...
    # rightsubnet=192.168.1.101/32 # defaults to right
    auto=add
Right ipsec.conf:
conn net-to-net
    left=%defaultroute
    leftnexthop=%defaultroute
    leftid=@right.com
    leftrsasigkey=...
    # leftsubnet=192.168.1.101/32 # defaults to left
    right=192.168.1.100
    rightid=@left.com
    rightrsasigkey=...
    # rightsubnet=192.168.1.100/32 # defaults to right
    auto=add
 
 
Peter McGill
 



  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Vuppula, Srinivas
Sent: October 11, 2007 12:40 PM
To: users at openswan.org
Subject: [Openswan Users] OpenSWAN node to node connection





I am trying to connect two linux systems through a router (both are directly connected to a LinkSys router). 
The IPs of the systems are 192.168.1.100 and 192.168.1.101. 
The gateway IP of the router is 192.168.1.1 
I also named the 2 linux boxes box1 at left.com and box2 at right.com 
Both of them have openSWAN installed. Ipsec is started on both. 
Attached are the 2 IPSec.conf files. 
When I run the command on the left system as described at http://wiki.openswan.org/index.php/Openswan/Configure 
I do not get a tunnel established. It retries retransmission and hangs. 

The command used is 
ipsec auto --up net-to-net 

My goal is to get the 2 systems connected as client-server over a VPN tunnel using IPSec. 
Can anyone comment on the config? Is it correct? What is to be changed? 

The left system has IP with DHCP configured. The right system has static IP configured, as suggested in the document. 
Thanks, 
Srinivas 

Left system IPSec.conf: 
conn net-to-net 
        left=%defaultroot   # also tried with 192.168.1.100 but same result 
        leftid=@left.com 
        leftsubnet=192.168.1.1/24 
 
leftrsasigkey=0sAQOE4rLjh9bL3szKqCwxSoHT84l+jGbfPcUfNs9BDL2UAwEITq1MVmHIQHwo2UX8aQ5ObSnDQYVODwf5gYIGzmShqpt0FEFN8ewYIdxkPvcSLiC5AgLs
GBO0Lu4o2A4VOx6btaiTygcFtpyrvNGdpWFJiLe5TeExV+TaaxS8Uq3x4b/3FUsFsH3AfS3CN7qnKeCpZN54y3qOBzxxmQNKR/scV5pLIQr60FFOG1O5GYqhFAZR9gTIC998
V5USMz0LpB6aNir7avE5dTdWcypunyZFWPDyZXyDt6gtNgaX/1G+b1yCKGOGZD+5pIdOBnzp1wArmo+Rmvuw9ifisM/DI6rT8tEI0ZgcxsV5RR6tLlaOg3dd

        right=192.168.1.101 
        rightid=@right.com 
        rightsubnet=192.168.1.1/24 
rightrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePq
rP1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFK
R0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N

        auto=add 


Right system IPSec.conf : I switched the setting as mentioned in RoadWarrior configuration 

conn net-to-net 
        left=192.168.1.101 
        leftid=@right.com 
        leftsubnet=192.168.1.1/24 
 
leftrsasigkey=0sAQN8O4IdR8iTX7C5r38mkS/Lgy3UbkuirD624dei/HbmfrhanH4fwIdNGZu++IbfC5lr1fJH5+XVhAI5yYljj6I1KW+p+X3y+qL78jiWCJAfQhSdePqr
P1uvTOFJ89RcFCn8gQexcGSr2cq2hFW7Bny8+L1Az/YxEskhNO47dDoRn739WtrYS3eE/B/NJyFrucrZf8wtKm7FF2cOIknWJ1s4YlRvXZ1kokvDa3gPAugL9I1KGJ8KuFKR
0p1gdwWXWfWVPDktpSVV6MxmyDt2IYJSWBrLzDEFEI9OgB9R4PWgC38w5bf7uxkJXxC+K47EX9yr1F5JMWbh4jvefStlQSKY2SgygQ6BO/Ua70MoIAxyy76N

        rightnexthop=%defaultroute 
        right=192.168.1.100 
        rightid=@left.com 
 
rightrsasigkey=0sAQOE4rLjh9bL3szKqCwxSoHT84l+jGbfPcUfNs9BDL2UAwEITq1MVmHIQHwo2UX8aQ5ObSnDQYVODwf5gYIGzmShqpt0FEFN8ewYIdxkPvcSLiC5AgL
sGBO0Lu4o2A4VOx6btaiTygcFtpyrvNGdpWFJiLe5TeExV+TaaxS8Uq3x4b/3FUsFsH3AfS3CN7qnKeCpZN54y3qOBzxxmQNKR/scV5pLIQr60FFOG1O5GYqhFAZR9gTIC99
8V5USMz0LpB6aNir7avE5dTdWcypunyZFWPDyZXyDt6gtNgaX/1G+b1yCKGOGZD+5pIdOBnzp1wArmo+Rmvuw9ifisM/DI6rT8tEI0ZgcxsV5RR6tLlaOg3dd

        auto=add 
