[Openswan Users] VPN up, can't route (ping)

J Zakhar jzakhar at gmail.com
Sat Sep 1 13:59:37 EDT 2007


Right side (work Openswan box, behind a Cisco 2600):

# Right side: default settings inherited by every conn in this file.
# (A conn's own setting overrides the value given here.)
conn %default
        # keyingtries default to %forever (echoed as "keyingtries: 0" in
        # "ipsec auto status"); uncomment to give up after a few attempts
        #keyingtries=3
        # Sig keys (default: %dnsondemand). %cert would take the key from an
        # X.509 certificate, but admin_tun below supplies raw 0s... RSA keys,
        # which take precedence -- so neither certificates nor DNS key lookups
        # are involved in this setup.
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        # Lifetimes, defaults are 1h/8hrs; the status output below shows
        # ike_life 3600s / ipsec_life 28800s, i.e. the defaults are in effect.
        #ikelifetime=20m
        #keylife=1h
        #rekeymargin=8m

# Disable Opportunistic Encryption by pulling in the no_oe.conf shipped with
# Openswan, so only the explicitly configured conns carry IPsec policy.
include /etc/ipsec.d/examples/no_oe.conf

# Right side: work LAN 192.168.0.0/24 <-> home LAN 192.168.42.0/24.
# This box has a private address (192.168.0.199) but the home end sees it
# as 12.170.252.209 (see the left-side status), so the Cisco 2600 is
# presumably doing a static NAT and forwarding UDP/500 plus ESP (IP proto 50)
# to this host -- which evidently works, since both SAs come up. The
# right-side "config setup" section is not shown in this post.
#
# No ike=/esp= lines are set, so the defaults got negotiated: 3DES/MD5/MODP1536
# for IKE and 3DES/HMAC-MD5 for ESP ("IKE algorithm newest" / "ESP algorithm
# newest" in the status). Both ends also advertise AES and SHA variants, and
# this end still has DES and NULL ESP loaded; consider pinning something like
# ike=aes128-sha1-modp2048 and esp=aes128-sha1 on BOTH gateways (check the
# exact ike=/esp= syntax in ipsec.conf(5) for these versions).
conn admin_tun
        type=tunnel
        # Local endpoint and the LAN it fronts. The default route of this
        # box is 192.168.0.253 (the Cisco), not this host; if the LAN hosts
        # use that same gateway, their replies to 192.168.42.x leave via the
        # Cisco instead of the tunnel unless a route
        # 192.168.42.0/24 -> 192.168.0.199 exists on them (or on the Cisco).
        # This is a common cause of "SA established but no ping".
        left=192.168.0.199
        leftsubnet=192.168.0.0/24
        # Remote endpoint by DNS name; the peer's identity is actually pinned
        # by the raw RSA key below, not by the name.
        right=www.xxx.com
        rightsubnet=192.168.42.0/24
        # Perfect forward secrecy for the IPsec SA (+PFS in the status policy).
        pfs=yes
        # Raw RSA signature authentication (no X.509, no PSK). The @FQDN IDs
        # are opaque tags matched against the peer's config, not resolved.
        authby=rsasig
        leftid=@vtiger.yyy.com
        rightid=@www.xxx.com

# The two values below are RSA *public* keys in Openswan's 0s... (base64)
# encoding -- not secrets; the private halves live in ipsec.secrets on each
# gateway. They must be the mirror image of the left/right keys in the
# home-side config, which they are. NOTE(review): they appear unindented
# here; inside a conn section every parameter must be indented, so this is
# presumably mail formatting (the tunnel does authenticate).
leftrsasigkey=0sAQNwEhIz7tkD+7JiRrAyFb57wj3oA0ecfI+M+cq6zUSGQbRAC0yGgnchLqZcaHgSOqudnZXvFKse5D5We+GViTwQbUewk4gxXm2iWKr8HfFkxetTwsp2GwbfqrlgmidE5Jt6WIWQcvRsWEiO75vIw7L+gfafKFhPJMhWkNtcjOlQEFMQHseR6OTWen8wUs0+9TKUX5akdMihhk+uNpuZlMor5WoqNMESPu+WjKUXe1MvgcYh0fpCCy92UsN2ngI9fX5iMBt8hOovkwyZRLpU4bDBzyPfyxETE7H822qs1/wQlB2DHQQwwTUO5Os6WE71wTFmHQFGJgOV3E8XRQwmBnjz17wYAQzY8TioYN3rVEu0YFup

rightrsasigkey=0sAQOsj68C6X0gV0VyNRxk+m4xUOshUwwHhc4uHIk7ZPpdFQkfbLZz6eLqNhUXPY5uk7nmrHyeJr4yhlY4SsWOp8TF2WmD7AD41fsDiKpokxCOpMCkhKqXsbSJiBUMtE8su4Kyhhe8JHjJYSynjXse/iK1HOdWIxb6jvd5ZwY1p9zx/CqEXIh5OnC47S3pEdob3jE8IbYJFxEr66nSdHPHI7RcdyjhyCZ2SogdWIoQsJ8UJtiVlG2lo3wPOILz7PvizfCi8ld/bWryHPrRTxwamvC3asKVgtyUHyvrYqVIWW6adpxVawh6KtuzNbWoAl4p7NtecmoihqQUNh3+OHc/UyXCtmhVJvaVpcqF0bm+61K6gRpV
        # Load the conn at startup but do not initiate; the home end brings
        # it up (this side is the responder: STATE_MAIN_R3 / STATE_QUICK_R2).
        auto=add


Left side (my home VPN server, no NAT here):

# Left side (home gateway). This end runs the KLIPS stack -- note the ipsec0
# interface in the status and route tables below.
config setup
        # Bind ipsec0 to whichever interface carries the default route
        # (resolves to eth1 / 71.235.161.238 per "ipsec auto status").
        interfaces=%defaultroute
        # Keep debugging off outside troubleshooting; verbose pluto/klips
        # debugging is noisy and writes negotiation internals to syslog.
        klipsdebug=none
        plutodebug=none
        # Legacy load/start controls: honour each conn's own auto= setting.
        plutoload=%search
        plutostart=%search
        # Do not wait for each start-up negotiation to finish before
        # starting the next.
        plutowait=no
        # A new IKE SA presenting an already-known ID replaces the old one.
        uniqueids=yes
        # Only consulted for NAT-T road-warrior clients using virtual
        # subnets; nat_traversal is not enabled here and rightsubnet is
        # fixed, so this line is presumably inert in this setup.
        virtual_private=%v4:!192.168.42.0/24
        # NOTE(review): not a standard Openswan keyword (x_ prefix) --
        # presumably a distribution/Smoothwall addition. It also carries a
        # real hostname while the rest of the post is anonymised to
        # xxx/yyy; check that this is intended before posting publicly.
        x_localdynamic=www.eq2trinitas.com

# Left side defaults: retry negotiation without limit (0 = forever; the
# status echoes it as "keyingtries: 0", matching the work side's default).
conn %default
        keyingtries=0

# Left side of the same tunnel: home LAN 192.168.42.0/24 <-> work LAN
# 192.168.0.0/24. NOTE(review): the status output below lists this conn as
# "tantor", not "admin_tun" -- the running config may differ from this
# listing (Smoothwall presumably generates its own ipsec.conf).
#
# As on the work side there is no ike=/esp=, so 3DES/MD5 was negotiated for
# both IKE and ESP even though AES and SHA variants are available on both
# ends; consider pinning e.g. ike=aes128-sha1-modp2048 and esp=aes128-sha1
# on BOTH gateways (verify the syntax in ipsec.conf(5) for these versions).
conn admin_tun
        type=tunnel
        # Public endpoint taken from the default route: 71.235.161.238 with
        # next hop 71.235.160.1 per the status line.
        left=%defaultroute
        # The LAN behind this gateway. The gateway's own address
        # (71.235.161.238) is NOT in this subnet, so a ping run on the
        # gateway itself is sourced from the public IP and never matches
        # the tunnel policy -- use "ping -I 192.168.42.x" or test from a LAN
        # host. Likewise 172.28.42.0/24 (routed via 192.168.42.1 in the
        # route table) is outside leftsubnet and is not carried by the tunnel.
        leftsubnet=192.168.42.0/24
        # Work gateway by DNS name; it resolves to 12.170.252.209, the public
        # face of the host that calls itself 192.168.0.199 (static NAT on the
        # Cisco, presumably). The peer's identity is pinned by the raw key
        # below, not by the name.
        right=vtiger.yyy.com
        rightsubnet=192.168.0.0/24
        # Perfect forward secrecy for the IPsec SA.
        pfs=yes
        # Raw RSA keys, no certificates (status shows CAs '%any'...'%any').
        authby=rsasig
        leftid=@www.xxx.com
        rightid=@vtiger.yyy.com

# RSA *public* keys in Openswan's 0s... (base64) encoding -- not secrets;
# the private halves live in ipsec.secrets. They are the mirror image of the
# work side's left/right keys. NOTE(review): the missing indentation is
# presumably mail formatting; inside a conn every parameter must be indented.
leftrsasigkey=0sAQOsj68C6X0gV0VyNRxk+m4xUOshUwwHhc4uHIk7ZPpdFQkfbLZz6eLqNhUXPY5uk7nmrHyeJr4yhlY4SsWOp8TF2WmD7AD41fsDiKpokxCOpMCkhKqXsbSJiBUMtE8su4Kyhhe8JHjJYSynjXse/iK1HOdWIxb6jvd5ZwY1p9zx/CqEXIh5OnC47S3pEdob3jE8IbYJFxEr66nSdHPHI7RcdyjhyCZ2SogdWIoQsJ8UJtiVlG2lo3wPOILz7PvizfCi8ld/bWryHPrRTxwamvC3asKVgtyUHyvrYqVIWW6adpxVawh6KtuzNbWoAl4p7NtecmoihqQUNh3+OHc/UyXCtmhVJvaVpcqF0bm+61K6gRpV

rightrsasigkey=0sAQNwEhIz7tkD+7JiRrAyFb57wj3oA0ecfI+M+cq6zUSGQbRAC0yGgnchLqZcaHgSOqudnZXvFKse5D5We+GViTwQbUewk4gxXm2iWKr8HfFkxetTwsp2GwbfqrlgmidE5Jt6WIWQcvRsWEiO75vIw7L+gfafKFhPJMhWkNtcjOlQEFMQHseR6OTWen8wUs0+9TKUX5akdMihhk+uNpuZlMor5WoqNMESPu+WjKUXe1MvgcYh0fpCCy92UsN2ngI9fX5iMBt8hOovkwyZRLpU4bDBzyPfyxETE7H822qs1/wQlB2DHQQwwTUO5Os6WE71wTFmHQFGJgOV3E8XRQwmBnjz17wYAQzY8TioYN3rVEu0YFup
        # Loaded at start-up and brought up manually (or by Smoothwall); this
        # end is the initiator (STATE_MAIN_I4 / STATE_QUICK_I2). The route
        # table below shows 192.168.0.0/24 via ipsec0, so routing on this
        # box itself is in place.
        auto=add




Right side status:

Alexandria:~ # ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 192.168.0.199
000 interface eth1/eth1 192.168.0.199
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "admin_tun":
192.168.0.0/24===192.168.0.199[@vtiger.yyy.com]...71.235.161.238[@www.xxx.com]===192.168.42.0/24;
erouted; eroute owner: #6
000 "admin_tun":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "admin_tun":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "admin_tun":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24;
interface: eth1;
000 "admin_tun":   newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "admin_tun":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #6: "admin_tun":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28283s; newest IPSEC; eroute owner
000 #6: "admin_tun" esp.98245b5d at 71.235.161.238 esp.ae22e33b at 192.168.0.199
tun.0 at 71.235.161.238 tun.0 at 192.168.0.199
000 #5: "admin_tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 3083s; newest ISAKMP; nodpd


Left side status:

[root at smoothwall root]# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface ipsec0/eth1 71.235.161.238
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168,
keysizemax=168
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96,
keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8,
keydeflen=64
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,8,36}
trans={0,8,240} attrs={0,8,160}
000
000 "tantor":
192.168.42.0/24===71.235.161.238[@www.xxx.com]---71.235.160.1...12.170.252.209[@vtiger.yyy.com]===192.168.0.0/24
000 "tantor":   CAs: '%any'...'%any'
000 "tantor":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "tantor":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK;
interface: eth1; erouted
000 "tantor":   newest ISAKMP SA: #7; newest IPsec SA: #8; eroute owner: #8
000 "tantor":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2,
5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "tantor":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5,
5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "tantor":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "tantor":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "tantor":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "tantor":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #8: "tantor" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27431s; newest IPSEC; eroute owner
000 #8: "tantor" esp.ae22e33b at 12.170.252.209 esp.98245b5d at 71.235.161.238
tun.1008 at 12.170.252.209 tun.1007 at 71.235.161.238
000 #7: "tantor" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
2676s; newest ISAKMP


Route table, right side:

Alexandria:~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.42.0    *               255.255.255.0   U     0      0        0 eth1
link-local      *               255.255.0.0     U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.0.253   0.0.0.0         UG    0      0        0 eth1


Route table, left side:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
192.168.0.0     c-71-235-160-1. 255.255.255.0   UG    0      0        0
ipsec0
192.168.42.0    *               255.255.255.0   U     0      0        0 eth0
172.28.42.0     192.168.42.1    255.255.255.0   UG    0      0        0 eth0
71.235.160.0    *               255.255.248.0   U     0      0        0 eth1
71.235.160.0    *               255.255.248.0   U     0      0        0
ipsec0
default         c-71-235-160-1. 0.0.0.0         UG    0      0        0 eth1


Any help would be much appreciated.