[Openswan Users] IPSec SA established , but not able to ping or get IP
John Joseph
jjk_saji at yahoo.com
Fri Apr 25 08:21:35 EDT 2008
Hi Mohammed
Thanks for the reply
I had enabled nat-t in my ipsec and now I get the
following message
002 "road" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xad499dcc <0xc5c53f1d xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000d6a4 <0x0000a332 NATD=10.20.20.1:4500 DPD=none}
From the link
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#NAT
I read that
"The NAT-T patch for KLIPS currently does not support
connections that authenticate through Preshared Keys
(PSKs). If you use a Preshared Key with KLIPS and
NAT-T, Openswan will not authorise the connection
because the sender's port is not 500 and the NAT-T
patch fails to support this."
In my case I am using only a PSK to authenticate.
It is getting authenticated and the connection is
established, but I am not able to access the other
side of the gateway.
Advice requested
Thanks
Joseph John
--- John Joseph <jjk_saji at yahoo.com> wrote:
>
>
> Hi All
> I am trying to do IPsec with PSK for a road warrior. I do not want to use l2tpd.
> My gateway has the following IPs:
> eth0 192.168.21.215
> eth1 10.20.20.1
>
> My road warrior has:
> eth0 10.20.20.2
>
> After I run ipsec, I get the message "IPsec SA established", but from the road warrior I
> (1) did not get another interface or IP from 192.168.21.X
> (2) cannot ping any IP in the other subnet (192.168.21.X)
>
> I am adding the ipsec.conf of both the GW and the road warrior, and also
> part of ipsec barf from the road warrior.
> Advice requested on how to troubleshoot further so that my road warrior
> can ping the other host.
>
> ##########
> (1) ipsec.conf of Gateway
> ##
> conn %default
>     keyingtries=1
>     compress=yes
>     authby=secret
>
> conn road
>     left=10.20.20.1                  # Gateway's information
>     leftsubnet=192.168.21.0/24
>     #leftid=@road.example.com        # Local information
>     #leftrsasigkey=0sAQPIPN9uI...
>     right=10.20.20.2                 # Remote information
>     #rightid=@xy.example.com
>     #rightrsasigkey=0sAQOnwiBPt...
>     auto=add                         # authorizes but doesn't start this connection at startup
>     authby=secret
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> ###############
> ipsec.conf of road warrior
> ###
> conn %default
>     keyingtries=1
>     compress=yes
>     authby=secret
>
> conn road
>     left=%defaultroute               # Picks up our dynamic IP
>     #leftid=@road.example.com        # Local information
>     #leftrsasigkey=0sAQPIPN9uI...
>     right=10.20.20.1                 # Remote information
>     rightsubnet=192.168.21.0/24
>     #rightid=@xy.example.com
>     #rightrsasigkey=0sAQOnwiBPt...
>     auto=add                         # authorizes but doesn't start this connection at startup
>     authby=secret
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> ########################
> part of ipsec barf
>
> ##########
>
> _________________________ ipsec/status
> + ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 10.20.20.2
> 000 interface eth0/eth0 10.20.20.2
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "road": 10.20.20.2...10.20.20.1===192.168.21.0/24; erouted; eroute owner: #2
> 000 "road": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "road": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
>
=== message truncated ===
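As an added example (not part of this thread and not Openswan code): a small Python script that parses the two pluto lines quoted above, the "IPsec SA established" message and the `ipsec auto --status` connection lines, and turns them into the checks one runs when phase 2 is up but no traffic flows. The sample lines are the ones from this thread, re-joined onto single lines (constructed input); the selector logic is plain IPsec policy semantics, and the wording of the findings is mine, not a diagnosis of this particular report.

```python
"""Turn pluto's "IPsec SA established" line and `ipsec auto --status`
connection lines into a checklist for the "SA up, no traffic" case.

Added example for this thread; not Openswan code. The samples below are
the lines quoted in the thread, re-joined onto one line each (constructed).
"""
import re
from ipaddress import ip_address, ip_network

SA_LINE = ('004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
           '{ESP/NAT=>0xad499dcc <0xc5c53f1d xfrm=AES_0-HMAC_SHA1 '
           'IPCOMP=>0x0000d6a4 <0x0000a332 NATD=10.20.20.1:4500 DPD=none}')
STATUS_LINES = [
    '000 "road": 10.20.20.2...10.20.20.1===192.168.21.0/24; erouted; eroute owner: #2',
    '000 "road": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;',
]

SA_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+): .*\{(?P<attrs>[^}]*)\}')
POLICY_RE = re.compile(r'"(?P<conn>[^"]+)": (?P<left>\S+)\.\.\.(?P<right>[^;]+); (?P<route>[^;]+);'
                       r'(?: eroute owner: #(?P<owner>\d+))?')
ADDR_RE = re.compile(r'"(?P<conn>[^"]+)": srcip=(?P<srcip>[^;]+); dstip=(?P<dstip>[^;]+);')


def parse_sa_line(line):
    """Extract conn, SA number, state, SPIs, transform and NAT-T endpoint."""
    m = SA_RE.search(line)
    if not m:
        raise ValueError("not a pluto IPsec-SA line: %r" % line)
    attrs = m.group("attrs")
    spi = re.search(r'\bESP(?P<nat>/NAT)?=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)', attrs)
    natd = re.search(r'NATD=(?P<ip>[\d.]+):(?P<port>\d+)', attrs)
    xfrm = re.search(r'xfrm=(\S+)', attrs)
    return {
        "conn": m.group("conn"),
        "sa": int(m.group("sa")),
        "state": m.group("state"),
        "nat_t": bool(spi and spi.group("nat")),   # "ESP/NAT" means UDP-encapsulated ESP
        "spi_out": int(spi.group("out"), 16) if spi else None,
        "spi_in": int(spi.group("in"), 16) if spi else None,
        "xfrm": xfrm.group(1) if xfrm else None,
        "ipcomp": "IPCOMP=>" in attrs,              # compress=yes was negotiated
        "natd": (natd.group("ip"), int(natd.group("port"))) if natd else None,
    }


def _side(spec, left):
    """Split 'subnet===host' (left side) or 'host===subnet' (right side).
    A bare host means the selector is that host's /32. Assumption: any
    '<id>' decoration after the host address is stripped before parsing."""
    if "===" in spec:
        a, b = spec.split("===", 1)
        host, net = (b, a) if left else (a, b)
    else:
        host, net = spec, spec + "/32"
    host = re.sub(r"<[^>]*>", "", host)
    return ip_address(host), ip_network(net, strict=False)


def parse_status(lines):
    """Pick the selector, routing state and srcip/dstip out of status output."""
    st = {}
    for line in lines:
        m = POLICY_RE.search(line)
        if m:
            st["conn"] = m.group("conn")
            st["left_host"], st["left_net"] = _side(m.group("left"), left=True)
            st["right_host"], st["right_net"] = _side(m.group("right"), left=False)
            st["route"] = m.group("route")
            st["owner"] = int(m.group("owner")) if m.group("owner") else None
            continue
        m = ADDR_RE.search(line)
        if m:
            st["srcip"], st["dstip"] = m.group("srcip"), m.group("dstip")
    return st


def traffic_matches(st, src, dst):
    """True iff a packet src->dst leaving this host falls under the conn's eroute."""
    return ip_address(src) in st["left_net"] and ip_address(dst) in st["right_net"]


def findings(sa, st):
    """Generic checks for 'phase 2 established but nothing passes'."""
    out = []
    if sa["state"] not in ("STATE_QUICK_I2", "STATE_QUICK_R2"):
        out.append("no phase-2 SA yet, state is %s" % sa["state"])
    if st.get("route") != "erouted":
        out.append("conn is '%s': the kernel holds no policy for it" % st.get("route"))
    if st.get("srcip") == "unset" and st["left_net"].prefixlen == 32:
        out.append("srcip=unset: no virtual IP is handed out; only packets sourced from %s "
                   "to %s match the eroute (Openswan's leftsourceip/rightsourceip sets srcip)"
                   % (st["left_host"], st["right_net"]))
    out.append("return path: hosts in %s must route %s back through the gateway %s"
               % (st["right_net"], st["left_host"], st["right_host"]))
    if sa["nat_t"]:
        out.append("NAT-T in use: ESP travels inside UDP to %s:%d, so capture 'udp port %d', not 'esp'"
                   % (sa["natd"][0], sa["natd"][1], sa["natd"][1]))
    if sa["ipcomp"]:
        out.append("IPCOMP negotiated (compress=yes): try compress=no to take that layer out of the picture")
    return out


if __name__ == "__main__":
    for f in findings(parse_sa_line(SA_LINE), parse_status(STATUS_LINES)):
        print("-", f)
```

The selector check is the one that matters most here: with `10.20.20.2...10.20.20.1===192.168.21.0/24` and `srcip=unset`, a ping matches the tunnel only if it is sourced from 10.20.20.2 and aimed at 192.168.21.0/24, and the reply only comes back if the 192.168.21.x host routes 10.20.20.2 via the gateway.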