[Openswan Users] VPN tunnel has been established but cannot either ping each other or transfer the data across the tunnel
peter chen
esamore0913 at gmail.com
Mon Apr 7 07:22:56 EDT 2008
Hi, users

I have the same problem as in your situation. Although I
established the tunnel, I still cannot ping from one side to the other.
I tried enabling and disabling NAT-T, but I got the same result. I have
not enabled the firewall on either side. Does anyone know where the
problem is? Thanks a lot.

1. AP-VPN01 <--> Internet <--> AP-VPN02

2. Below is my ipsec.conf:

version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    nat_traversal=yes

conn chief-link4
    forceencaps=yes
    leftupdown=
    leftnexthop=%defaultroute
    aggrmode=yes
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@test
    rightnexthop=%defaultroute
    right=202.153.x.x
    rightsubnet=192.168.3.0/24
    rightid=@test
    auth=esp
    esp=3des-sha1
    authby=secret
    ike=3des-sha-modp1024
    ikelifetime=3600s
    keylife=28800s
    pfs=yes

3. openswan version: 2.4.9

4. AP-VPN01: LAN: 192.168.1.11
   AP-VPN02: LAN: 192.168.3.33
When the VPN tunnel is established, I cannot ping from 192.168.1.11 to
192.168.3.33.

5. Below are the messages from establishing the tunnel:
==============
Jan 1 00:30:24 pluto[2854]: "chief-link4": terminating SAs using this connection
Jan 1 00:30:24 pluto[2854]: "chief-link4" #4: deleting state (STATE_QUICK_I2)
Jan 1 00:30:24 pluto[2854]: "chief-link4" #3: deleting state (STATE_AGGR_I2)
Jan 1 00:30:24 pluto[2854]: packet from 192.168.2.33:500: Informational Exchange is for an unknown (expired?) SA
Jan 1 00:30:24 pluto[2854]: packet from 192.168.2.33:500: Informational Exchange is for an unknown (expired?) SA
IPSEC EVENT: KLIPS device ipsec0 shut down.
Jan 1 00:30:29 pluto[2854]: "chief-link4": deleting connection
Jan 1 00:30:29 pluto[2854]: "chief-link4": unroute-client output: /usr/local/lib/ipsec/_updown: doroute `ip route delete 192.168.3.0/24 via 192.168.2.204 dev ipsec0 ' failed (RTNETLINK answers: No such process)
Jan 1 00:30:29 pluto[2854]: added connection description "chief-link4"
Jan 1 00:30:30 pluto[2854]: "chief-link4" #5: initiating Aggressive Mode #5, connection "chief-link4"
Jan 1 00:30:30 pluto[2854]: "chief-link4" #5: Aggressive mode peer ID is ID_FQDN: '@chief-link4'
Jan 1 00:30:30 pluto[2854]: "chief-link4" #5: Aggressive mode peer ID is ID_FQDN: '@chief-link4'
Jan 1 00:30:30 pluto[2854]: "chief-link4" #5: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Jan 1 00:30:30 pluto[2854]: "chief-link4" #5: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jan 1 00:30:30 pluto[2854]: "chief-link4" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE {using isakmp#5}
Jan 1 00:30:33 pluto[2854]: "chief-link4" #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 1 00:30:33 pluto[2854]: "chief-link4" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0x58000010 <0x867836c2 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
112 "chief-link4" #5: STATE_AGGR_I1: initiate
004 "chief-link4" #5: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "chief-link4" #6: STATE_QUICK_I1: initiate
004 "chief-link4" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0x58000010 <0x867836c2 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
===========

If you or anyone has a feasible solution to this problem, I would
really appreciate it.