[Openswan Users] VPN up, cant route (ping)
J Zakhar
jzakhar at gmail.com
Sat Sep 1 13:59:37 EDT 2007
right side (work openswan box, behind a cisco 2600).
# default settings for connections
conn %default
# keyingtries default to %forever
#keyingtries=3
# Sig keys (default: %dnsondemand)
leftrsasigkey=%cert
rightrsasigkey=%cert
# Lifetimes, defaults are 1h/8hrs
#ikelifetime=20m
#keylife=1h
#rekeymargin=8m
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
conn admin_tun
type=tunnel
left=192.168.0.199
leftsubnet=192.168.0.0/24
right=www.xxx.com
rightsubnet=192.168.42.0/24
pfs=yes
authby=rsasig
leftid=@vtiger.yyy.com
rightid=@www.xxx.com
leftrsasigkey=0sAQNwEhIz7tkD+7JiRrAyFb57wj3oA0ecfI+M+cq6zUSGQbRAC0yGgnchLqZcaHgSOqudnZXvFKse5D5We+GViTwQbUewk4gxXm2iWKr8HfFkxetTwsp2GwbfqrlgmidE5Jt6WIWQcvRsWEiO75vIw7L+gfafKFhPJMhWkNtcjOlQEFMQHseR6OTWen8wUs0+9TKUX5akdMihhk+uNpuZlMor5WoqNMESPu+WjKUXe1MvgcYh0fpCCy92UsN2ngI9fX5iMBt8hOovkwyZRLpU4bDBzyPfyxETE7H822qs1/wQlB2DHQQwwTUO5Os6WE71wTFmHQFGJgOV3E8XRQwmBnjz17wYAQzY8TioYN3rVEu0YFup
rightrsasigkey=0sAQOsj68C6X0gV0VyNRxk+m4xUOshUwwHhc4uHIk7ZPpdFQkfbLZz6eLqNhUXPY5uk7nmrHyeJr4yhlY4SsWOp8TF2WmD7AD41fsDiKpokxCOpMCkhKqXsbSJiBUMtE8su4Kyhhe8JHjJYSynjXse/iK1HOdWIxb6jvd5ZwY1p9zx/CqEXIh5OnC47S3pEdob3jE8IbYJFxEr66nSdHPHI7RcdyjhyCZ2SogdWIoQsJ8UJtiVlG2lo3wPOILz7PvizfCi8ld/bWryHPrRTxwamvC3asKVgtyUHyvrYqVIWW6adpxVawh6KtuzNbWoAl4p7NtecmoihqQUNh3+OHc/UyXCtmhVJvaVpcqF0bm+61K6gRpV
auto=add
left side (my home VPN server, no NAT here).
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
plutowait=no
uniqueids=yes
virtual_private=%v4:!192.168.42.0/24
x_localdynamic=www.eq2trinitas.com
conn %default
keyingtries=0
conn admin_tun
type=tunnel
left=%defaultroute
leftsubnet=192.168.42.0/24
right=vtiger.yyy.com
rightsubnet=192.168.0.0/24
pfs=yes
authby=rsasig
leftid=@www.xxx.com
rightid=@vtiger.yyy.com
leftrsasigkey=0sAQOsj68C6X0gV0VyNRxk+m4xUOshUwwHhc4uHIk7ZPpdFQkfbLZz6eLqNhUXPY5uk7nmrHyeJr4yhlY4SsWOp8TF2WmD7AD41fsDiKpokxCOpMCkhKqXsbSJiBUMtE8su4Kyhhe8JHjJYSynjXse/iK1HOdWIxb6jvd5ZwY1p9zx/CqEXIh5OnC47S3pEdob3jE8IbYJFxEr66nSdHPHI7RcdyjhyCZ2SogdWIoQsJ8UJtiVlG2lo3wPOILz7PvizfCi8ld/bWryHPrRTxwamvC3asKVgtyUHyvrYqVIWW6adpxVawh6KtuzNbWoAl4p7NtecmoihqQUNh3+OHc/UyXCtmhVJvaVpcqF0bm+61K6gRpV
rightrsasigkey=0sAQNwEhIz7tkD+7JiRrAyFb57wj3oA0ecfI+M+cq6zUSGQbRAC0yGgnchLqZcaHgSOqudnZXvFKse5D5We+GViTwQbUewk4gxXm2iWKr8HfFkxetTwsp2GwbfqrlgmidE5Jt6WIWQcvRsWEiO75vIw7L+gfafKFhPJMhWkNtcjOlQEFMQHseR6OTWen8wUs0+9TKUX5akdMihhk+uNpuZlMor5WoqNMESPu+WjKUXe1MvgcYh0fpCCy92UsN2ngI9fX5iMBt8hOovkwyZRLpU4bDBzyPfyxETE7H822qs1/wQlB2DHQQwwTUO5Os6WE71wTFmHQFGJgOV3E8XRQwmBnjz17wYAQzY8TioYN3rVEu0YFup
auto=add
right side status :
Alexandria:~ # ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 192.168.0.199
000 interface eth1/eth1 192.168.0.199
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "admin_tun":
192.168.0.0/24===192.168.0.199[@vtiger.yyy.com]...71.235.161.238[@www.xxx.com]===192.168.42.0/24;
erouted; eroute owner: #6
000 "admin_tun": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "admin_tun": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "admin_tun": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24;
interface: eth1;
000 "admin_tun": newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "admin_tun": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #6: "admin_tun":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28283s; newest IPSEC; eroute owner
000 #6: "admin_tun" esp.98245b5d at 71.235.161.238 esp.ae22e33b at 192.168.0.199
tun.0 at 71.235.161.238 tun.0 at 192.168.0.199
000 #5: "admin_tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 3083s; newest ISAKMP; nodpd
left side status:
[root at smoothwall root]# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface ipsec0/eth1 71.235.161.238
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168,
keysizemax=168
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96,
keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8,
keydeflen=64
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,8,36}
trans={0,8,240} attrs={0,8,160}
000
000 "tantor":
192.168.42.0/24===71.235.161.238[@www.xxx.com]---71.235.160.1...12.170.252.209[@vtiger.yyy.com]===192.168.0.0/24
000 "tantor": CAs: '%any'...'%any'
000 "tantor": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "tantor": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK;
interface: eth1; erouted
000 "tantor": newest ISAKMP SA: #7; newest IPsec SA: #8; eroute owner: #8
000 "tantor": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2,
5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
000 "tantor": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5,
5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
000 "tantor": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "tantor": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "tantor": ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
000 "tantor": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #8: "tantor" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27431s; newest IPSEC; eroute owner
000 #8: "tantor" esp.ae22e33b at 12.170.252.209 esp.98245b5d at 71.235.161.238
tun.1008 at 12.170.252.209 tun.1007 at 71.235.161.238
000 #7: "tantor" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
2676s; newest ISAKMP
route right:
Alexandria:~ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
192.168.42.0 * 255.255.255.0 U 0 0 0 eth1
link-local * 255.255.0.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.0.253 0.0.0.0 UG 0 0 0 eth1
route left.
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
192.168.0.0 c-71-235-160-1. 255.255.255.0 UG 0 0 0
ipsec0
192.168.42.0 * 255.255.255.0 U 0 0 0 eth0
172.28.42.0 192.168.42.1 255.255.255.0 UG 0 0 0 eth0
71.235.160.0 * 255.255.248.0 U 0 0 0 eth1
71.235.160.0 * 255.255.248.0 U 0 0 0
ipsec0
default c-71-235-160-1. 0.0.0.0 UG 0 0 0 eth1
any help would be much appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20070901/84f0c004/attachment-0001.html
More information about the Users
mailing list