[Openswan Users] how to connect openswan to broadband---full detail!!!

Peter McGill petermcgill at goco.net
Wed Jul 2 12:13:11 EDT 2008


Nirmala,

Correct me if I'm wrong, but your scenario is this:
At each location you have a broadband internet router connected to the internet.
This router is physically connected to your Openswan (Linux) gateway using the 192.168.1.0/24
network which the router manages.
Then you connect the Openswan gateway to your internal LAN 192.169.x.x via another net card.
(Note: 192.169.80/100.x are public internet addresses; unless they are assigned to you, you
shouldn't use them, else you risk not being able to communicate with the real assigned computers.
Perhaps you meant to use 192.168.80/100.x.)

This means that both your Openswan gateways are NATed before they reach the internet; this
is a double NAT scenario and I do not think it is possible for it to work.
If possible (modem connects only to the Openswan gateway), then change the modem to pass the external
public address through to the Openswan gateway rather than using the 192.168.1.0/24 network.
Then the Openswan gateway will have a public address of 59.90.235.x without NAT, and this will work.

Note you should use something like this; don't set any other options unless you know what you're doing.
Openswan has good secure defaults; unless you're connecting to non-Openswan you should not need to
change any encryption settings. Note the debug entries are removed also; they are for developer
debugging, not user troubleshooting, and get in the way, flooding your logs. Only use them if asked by a devel.

Don't use shared secrets unless necessary; use the default RSA public keys instead.
As explained in doc/install.html and doc/config.html...
On each machine do...
ipsec newhostkey --output /etc/ipsec.secrets --hostname `hostname -f`
chmod 0600 /etc/ipsec.secrets
ipsec showhostkey --left
Copy this output of the above command showhostkey to your ipsec.conf.

ipsec.conf (all indented lines are indented with single tab only not spaces):
version 2.0

config setup
	interfaces="ipsec0=eth1" # assuming you're using klips and eth1 is the interface to the internet

include /etc/ipsec.d/examples/no_oe.conf

conn testorig
	left=59.90.235.34
	leftsubnet=192.168.100.0/24
	leftsourceip=192.168.100.1 # lan address of openswan gateway?
	# RSA nnnn bits   hostname.example.net   ddd mmm dd hh:mm:ss yyyy
	leftrsasigkey=0sAQNs...
	right=59.90.235.36
	rightsubnet=192.168.80.0/24
	rightsourceip=192.168.80.1 # lan address of openswan gateway?
	# RSA nnnn bits   hostname.example.net   ddd mmm dd hh:mm:ss yyyy
	rightrsasigkey=0sAQNs...
	auto=start # add if you want to start/stop manually, start for always on connections.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Nirmala Balu
> Sent: July 2, 2008 5:30 AM
> To: users-request at openswan.org
> Cc: users at openswan.org
> Subject: [Openswan Users] how to connect openswan to 
> broadband---full detail!!!
> 
>   My network diagram is shown below.
>       openswan gateway1<----->modem1<----> internet <-------> modem2<-------->openswan gateway2
>       IP addresses:
> 
>       (1)openswan gateway1--192.168.1.102
>       (2)modem 1 internal ip address----192.168.1.1
>       (3)modem 1 external(static)ip address----59.90.235.34
>       (4)modem 2 external(static)ip address----59.90.235.36
>       (5)modem 2 internal ip address----192.168.1.1
>       (6)openswan gateway 2--192.168.1.2
> 
>    My ipsec.conf and ipsec.conf is given below:
>    IPSEC.CONF
>    -------------------
>    version 2.0
>    config setup
>            interfaces="ipsec0=eth1"
>            plutodebug=all
>            klipsdebug=all
>            uniqueids=yes
>    conn testorig
>            left=192.168.1.102
>            ike=aes128-sha-modp8192
>            esp=aes256-sha1
> 
> - Ignored:
>            #leftsubnet=192.169.100.0/24
>            leftnexthop=192.168.1.1
>            right=192.168.1.2
>            #rightsubnet=192.169.80.0/24
>            rightnexthop=192.168.1.1
>            authby=secret
>            pfs=no
>            ikelifetime=1h
>            keylife=1d
>            auto=ignore
>            compress=no
>            rekey=no
>            failureshunt=passthrough
>            auth=esp
> 
>    include /etc/ipsec.d/examples/no_oe.conf
> 
>    IPSEC.SECRETS
>    --------------------------
>    192.168.1.102 192.168.1.2 : PSK "secret"
> 
>    When i gave "up " command ,tunnel is not coming up.
> 
>    [root at vpn1 ~]# ipsec auto --up testorig
>    104 "testorig" #1: STATE_MAIN_I1: initiate
>    010 "testorig" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> 
>    In barf message, it is giving following error:
>    "*ERROR: asynchronous network error report on eth1 (sport=500) for message to 192.168.1.2 port 500, complainant 192.168.1.102: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]"*
>    ......
>    .....
>    Jul  2 19:45:25 vpn1 pluto[4038]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
>    Jul  2 19:45:25 vpn1 pluto[4038]: | next event EVENT_RETRANSMIT in 10 seconds for #1
>    Jul  2 19:45:28 vpn1 pluto[4038]: | rejected packet:
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   f1 15 14 43  0d 09 72 48  00 00 00 00  00 00 00 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   01 10 02 00  00 00 00 00  00 00 00 78  0d 00 00 38
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   00 00 00 01  00 00 00 01  00 00 00 2c  00 01 00 01
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   00 00 00 24  00 01 00 00  80 0b 00 01  80 0c 0e 10
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   80 01 00 07  80 02 00 02  80 03 00 01  80 04 00 12
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   80 0e 00 80  0d 00 00 10  4f 45 4e 55  7a 5e 71 5f
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   6a 7b 61 4a  00 00 00 14  af ca d7 13  68 a1 f1 c9
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   6b 86 96 fc  77 57 01 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: | control:
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   18 00 00 00  00 00 00 00  08 00 00 00  01 00 00 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   c0 a8 01 66  c0 a8 01 66  2c 00 00 00  00 00 00 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   0b 00 00 00  71 00 00 00  02 03 01 00  00 00 00 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   00 00 00 00  02 00 00 00  c0 a8 01 66  00 00 00 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   00 00 00 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: | name:
>    Jul  2 19:45:28 vpn1 pluto[4038]: |   02 00 01 f4  c0 a8 01 02  00 00 00 00  00 00 00 00
>    Jul  2 19:45:28 vpn1 pluto[4038]: "testorig" #1: *ERROR: asynchronous network error report on eth1 (sport=500) for message to 192.168.1.2 port 500, complainant 192.168.1.102: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]*
>    Jul  2 19:45:28 vpn1 pluto[4038]: | next event EVENT_RETRANSMIT in 7 seconds for #1
>    Jul  2 19:45:35 vpn1 pluto[4038]: |
>    Jul  2 19:45:35 vpn1 pluto[4038]: | *time t
> 
> 
>    can you tell me what is the mistake in this configuration?????
>    what to do to solve this problem???
> 
>    thanks in advance,
>    Regards,
>    Nirmala
> 
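The reply above boils down to a few checks on the conn block: the tunnel endpoints must be public addresses (a private `left`/`right` on both sides is the double NAT case), the `leftsubnet`/`rightsubnet` values should be RFC1918 space (192.169.x.x is public), developer debug knobs should be off, and RSA host keys are preferred over `authby=secret`. The script below is an added example, not code from the thread or from the Openswan project: it parses the small subset of ipsec.conf syntax used in the thread (column-0 `config setup` / `conn NAME` headers, indented `key=value` lines, `#` comments) and reports those findings. Both sample configs inside it are constructed to mirror the original post and the suggested replacement; the function and variable names are the example's own.

```python
import ipaddress

# Constructed sample in the shape of the original poster's ipsec.conf
# (subnets uncommented so the checks below have something to flag).
BEHIND_NAT_CONF = """\
version 2.0
config setup
\tinterfaces="ipsec0=eth1"
\tplutodebug=all
\tklipsdebug=all
conn testorig
\tleft=192.168.1.102
\tleftsubnet=192.169.100.0/24
\tleftnexthop=192.168.1.1
\tright=192.168.1.2
\trightsubnet=192.169.80.0/24
\tauthby=secret
\tauto=ignore
"""

# Constructed sample in the shape of the suggested replacement config.
PUBLIC_ENDPOINT_CONF = """\
version 2.0
config setup
\tinterfaces="ipsec0=eth1" # klips, eth1 faces the internet
include /etc/ipsec.d/examples/no_oe.conf
conn testorig
\tleft=59.90.235.34
\tleftsubnet=192.168.100.0/24
\tleftrsasigkey=0sAQNs...
\tright=59.90.235.36
\trightsubnet=192.168.80.0/24
\trightrsasigkey=0sAQNs...
\tauto=start
"""


def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' sections to their key=value pairs.
    Lines at column 0 open a section; indented lines belong to the current
    one; anything after '#' is a comment; 'version' and 'include' are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] in ("config", "conn") and len(parts) > 1:
                current = f"{parts[0]} {parts[1]}"
                sections.setdefault(current, {})
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def _as_ip(value):
    """Return an address object, or None for %defaultroute, %any or hostnames."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def lint(sections):
    """Return (location, message) findings mirroring the advice in the reply."""
    findings = []
    setup = sections.get("config setup", {})
    for key in ("plutodebug", "klipsdebug"):
        if setup.get(key, "none") != "none":
            findings.append((key, "developer debug output enabled; floods the logs"))
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        natted = []
        for side in ("left", "right"):
            addr = _as_ip(conn.get(side, ""))
            if addr is not None and addr.is_private:
                natted.append(side)
                findings.append((f"{name}:{side}", f"{addr} is RFC1918 space: gateway sits behind NAT"))
            subnet = conn.get(side + "subnet")
            if subnet:
                try:
                    net = ipaddress.ip_network(subnet, strict=False)
                except ValueError:
                    findings.append((f"{name}:{side}subnet", f"{subnet!r} is not a valid network"))
                    continue
                if not net.is_private:
                    findings.append((f"{name}:{side}subnet", f"{net} is public space; use RFC1918 unless assigned to you"))
        if len(natted) == 2:
            findings.append((name, "both endpoints private: double NAT, not expected to work"))
        if conn.get("authby") == "secret":
            findings.append((f"{name}:authby", "pre-shared secret; prefer the default RSA host keys"))
    return findings


if __name__ == "__main__":
    for label, conf in (("behind NAT", BEHIND_NAT_CONF), ("public endpoints", PUBLIC_ENDPOINT_CONF)):
        print(f"== {label} ==")
        for where, msg in lint(parse_ipsec_conf(conf)):
            print(f"{where}: {msg}")
```

Run against the first sample it reports eight findings (both debug knobs, both private endpoints, both public subnets, the double NAT verdict and the PSK); against the second it reports none. `is_private` from the standard library is what decides the NAT question, so a `%defaultroute` or `%any` endpoint is simply skipped rather than misclassified.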