[Openswan Users] Netscreen to Openswan

zyx at shells.nl
Sat Oct 20 20:13:23 EDT 2007


Hi There,

I'm a rookie at openswan and am having some trouble getting openswan to work with my netscreen 5gt.
I have the following setup:

Site A:	(openswan)
public: 1.1.1.1/24
private: 172.21.21.1/24

Site B: (netscreen)
public: 2.2.2.2/24
private: 172.21.23.1/24

I'm using a preshared key for the connection.
Here's my ipsec.conf:

conn dubai
        type=tunnel
        auto=add
        authby=secret
        keyingtries=3
        pfs=yes
        keylife=3600
        # we cannot rekey for %any, let client rekey
        rekey=no
        # left = local (openswan)
        leftid=@openswan
        left=1.1.1.1
        leftsubnet=172.21.21.0/24
        leftnexthop=%defaultroute
        # right = remote (netscreen)
        rightid=@netscreen
        right=%any
        rightsubnet=172.21.23.0/24

When I start ipsec I see the connection being built properly:

Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: responding to Main Mode from unknown peer 2.2.2.2
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: Main mode peer ID is ID_FQDN: '@netscreen'
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: I did not send a certificate because I do not have one.
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Oct 21 01:45:11 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Oct 21 01:45:12 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #2: responding to Quick Mode {msgid:5d3b91da}
Oct 21 01:45:12 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Oct 21 01:45:12 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Oct 21 01:45:12 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Oct 21 01:45:12 s01 pluto[17221]: "dubai"[1] 2.2.2.2 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x8ab48939 <0x050ada65 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}


Now when I log in to site A and try to ping the private subnet of site B, the packets get dropped by the default gateway of site A.
Tcpdump confirms that there are no packets flowing in when I do a ping. This also happens vice versa.

Somehow the packets are not transported through the tunnel, but instead they are sent to the default gateway.
I played with freeswan ages ago and seem to remember that there should be a tunnel interface? ifconfig -a doesn't list any ...

What am I not seeing here? Suggestions anyone?

Thanks,
Zyx
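An added diagnostic, not part of the original post: the "xfrm=" in the log above means this openswan runs on the NETKEY stack, which installs no ipsec0 interface; the tunnel exists only as entries in the kernel IPsec policy database that `ip xfrm policy` prints. The script below checks a constructed sample of that output for the out, in and fwd policies conn "dubai" should install between 172.21.21.0/24 and 172.21.23.0/24 (the priority and reqid values in the sample are made up); the same function can be fed the live output.

```shell
#!/bin/sh
# Added example, not from the original post. Without matching xfrm
# policies the kernel has no reason to wrap a ping in ESP, so the packet
# just follows the default route, which is the symptom described above.

LEFTSUBNET="172.21.21.0/24"     # leftsubnet from the post
RIGHTSUBNET="172.21.23.0/24"    # rightsubnet from the post

# Constructed sample of `ip xfrm policy` output for conn "dubai"
# (subnets and gateways from the post; priority/reqid values are made up).
SAMPLE_POLICY='src 172.21.21.0/24 dst 172.21.23.0/24
    dir out priority 2344 ptype main
    tmpl src 1.1.1.1 dst 2.2.2.2
        proto esp reqid 16385 mode tunnel
src 172.21.23.0/24 dst 172.21.21.0/24
    dir fwd priority 2344 ptype main
    tmpl src 2.2.2.2 dst 1.1.1.1
        proto esp reqid 16385 mode tunnel
src 172.21.23.0/24 dst 172.21.21.0/24
    dir in priority 2344 ptype main
    tmpl src 2.2.2.2 dst 1.1.1.1
        proto esp reqid 16385 mode tunnel'

# has_policy SRC DST DIR TEXT -> 0 if TEXT holds a tunnel-mode ESP policy
# SRC->DST with direction DIR, else 1. Each policy is a multi-line record
# starting with "src"; awk joins the record onto one line before matching.
has_policy() {
    printf '%s\n' "$4" | awk -v s="$1" -v d="$2" -v want="$3" '
        { sub(/^[ \t]+/, "") }                 # drop indentation
        /^src / { rec = $0; next }             # a new record begins
        { rec = rec " " $0 }
        /mode tunnel/ {                        # last line of a record
            if (rec ~ ("^src " s " dst " d " ") && rec ~ (" dir " want " ") &&
                rec ~ / proto esp /) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_tunnel TEXT: report which of the three expected policies are missing;
# returns 0 only when out, in and fwd are all present.
check_tunnel() {
    rc=0
    has_policy "$LEFTSUBNET" "$RIGHTSUBNET" out "$1" || { echo "missing: out $LEFTSUBNET -> $RIGHTSUBNET"; rc=1; }
    has_policy "$RIGHTSUBNET" "$LEFTSUBNET" in  "$1" || { echo "missing: in  $RIGHTSUBNET -> $LEFTSUBNET"; rc=1; }
    has_policy "$RIGHTSUBNET" "$LEFTSUBNET" fwd "$1" || { echo "missing: fwd $RIGHTSUBNET -> $LEFTSUBNET"; rc=1; }
    return $rc
}

# Against the constructed sample; on the real host: check_tunnel "$(ip xfrm policy)"
check_tunnel "$SAMPLE_POLICY" && echo "all three policies for conn dubai are present"
```

If a direction is reported missing while the log still shows "IPsec SA established", the SA exists but the policy was never installed, and `ip xfrm state` plus the pluto log for that conn are the next place to look.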