[Openswan Users] how to connect openswan to broadband---full detail!!!
Nirmala Balu
nirmala2005 at gmail.com
Thu Jul 3 00:17:54 EDT 2008
Hello sir,
Thank you for the reply. Now the ADSL modem has four ethernet ports and
one wireless. I have connected the openswan gateway to one ethernet port. You
told me to change the modem to pass the external public address to the
openswan gateway. Will you tell me how to pass the external address from the
modem to the openswan gateway?
Normally, with which type of internet connection (ADSL, leased line or any
other) can openswan be deployed? How are you using openswan in an internet
scenario?
Thanks in advance,
Regards,
Nirmala.
On 7/2/08, Peter McGill <petermcgill at goco.net> wrote:
>
> Nirmala,
>
> Correct me if I'm wrong, but your scenario is this:
> At each location you have a broadband internet router connected to the
> internet. This router is physically connected to your Openswan (Linux)
> gateway using the 192.168.1.0/24 network which the router manages.
> Then you connect the Openswan gateway to your internal LAN 192.169.x.x via
> another net card.
> (Note: 192.169.80/100.x are public internet addresses; unless they are
> assigned to you, you shouldn't use them, or else you risk not being able to
> communicate with the real assigned computers. Perhaps you meant to use
> 192.168.80/100.x.)
>
> This means that both your Openswan gateways are natted before they reach
> the internet; this is a double NAT scenario and I do not think it is
> possible for it to work.
> If possible (modem connects only to the Openswan gateway), then change the
> modem to pass the external public address through to the Openswan gateway
> rather than using the 192.168.1.0/24 network.
> Then the Openswan gateway will have a public address of 59.90.235.x without
> NAT, and this will work.
>
> Note you should use something like this; don't set any other options unless
> you know what you're doing.
> Openswan has good secure defaults; unless you're connecting to non-Openswan
> you should not need to change any encryption settings. Note the debug
> entries are removed also: they are for developer debugging, not user
> troubleshooting, and get in the way by flooding your logs. Only use them if
> asked by a devel.
>
> Don't use shared secrets unless necessary; use the default RSA public keys
> instead.
> As explained in doc/install.html and doc/config.html...
> On each machine do...
> ipsec newhostkey --output /etc/ipsec.secrets --hostname `hostname -f`
> chmod 0600 /etc/ipsec.secrets
> ipsec showhostkey --left
> Copy the output of the above showhostkey command into your ipsec.conf.
>
> ipsec.conf (all indented lines are indented with a single tab only, not
> spaces):
> version 2.0
>
> config setup
> 	interfaces="ipsec0=eth1" # assuming you're using klips and eth1 is the interface to the internet
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn testorig
> 	left=59.90.235.34
> 	leftsubnet=192.168.100.0/24
> 	leftsourceip=192.168.100.1 # lan address of openswan gateway
> 	# RSA nnnn bits hostname.example.net ddd mmm dd hh:mm:ss yyyy
> 	leftrsasigkey=0sAQNs...
> 	right=59.90.235.36
> 	rightsubnet=192.168.80.0/24
> 	rightsourceip=192.168.80.1 # lan address of openswan gateway
> 	# RSA nnnn bits hostname.example.net ddd mmm dd hh:mm:ss yyyy
> 	rightrsasigkey=0sAQNs...
> 	auto=start # add if you want to start/stop manually, start for always-on connections.
>
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited
>
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of Nirmala Balu
> > Sent: July 2, 2008 5:30 AM
> > To: users-request at openswan.org
> > Cc: users at openswan.org
> > Subject: [Openswan Users] how to connect openswan to
> > broadband---full detail!!!
> >
> > My network diagram is shown below.
> > openswan gateway1 <-----> modem1 <-----> internet <-----> modem2 <-----> openswan gateway2
> > IP addresses:
> >
> > (1) openswan gateway1 -- 192.168.1.102
> > (2) modem 1 internal IP address -- 192.168.1.1
> > (3) modem 1 external (static) IP address -- 59.90.235.34
> > (4) modem 2 external (static) IP address -- 59.90.235.36
> > (5) modem 2 internal IP address -- 192.168.1.1
> > (6) openswan gateway 2 -- 192.168.1.2
> >
> > My ipsec.conf and ipsec.secrets are given below:
> > IPSEC.CONF
> > -------------------
> > version 2.0
> > config setup
> > 	interfaces="ipsec0=eth1"
> > 	plutodebug=all
> > 	klipsdebug=all
> > 	uniqueids=yes
> > conn testorig
> > 	left=192.168.1.102
> > 	ike=aes128-sha-modp8192
> > 	esp=aes256-sha1
> > 	#leftsubnet=192.169.100.0/24
> > 	leftnexthop=192.168.1.1
> > 	right=192.168.1.2
> > 	#rightsubnet=192.169.80.0/24
> > 	rightnexthop=192.168.1.1
> > 	authby=secret
> > 	pfs=no
> > 	ikelifetime=1h
> > 	keylife=1d
> > 	auto=ignore
> > 	compress=no
> > 	rekey=no
> > 	failureshunt=passthrough
> > 	auth=esp
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > IPSEC.SECRETS
> > --------------------------
> > 192.168.1.102 192.168.1.2 : PSK "secret"
> >
> > When I gave the "up" command, the tunnel is not coming up.
> >
> > [root at vpn1 ~]# ipsec auto --up testorig
> > 104 "testorig" #1: STATE_MAIN_I1: initiate
> > 010 "testorig" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
> >
> > In the barf message, it is giving the following error:
> > "ERROR: asynchronous network error report on eth1 (sport=500) for message
> > to 192.168.1.2 port 500, complainant 192.168.1.102 : No route to host [errno
> > 113, origin ICMP type 3 code 1 (not authenticated)]"
> > ......
> > .....
> > Jul 2 19:45:25 vpn1 pluto[4038]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> > Jul 2 19:45:25 vpn1 pluto[4038]: | next event EVENT_RETRANSMIT in 10 seconds for #1
> > Jul 2 19:45:28 vpn1 pluto[4038]: | rejected packet:
> > Jul 2 19:45:28 vpn1 pluto[4038]: "testorig" #1: ERROR: asynchronous network error report on eth1 (sport=500) for message to 192.168.1.2 port 500, complainant 192.168.1.102 : No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
> > Jul 2 19:45:28 vpn1 pluto[4038]: | next event EVENT_RETRANSMIT in 7 seconds for #1
> > Jul 2 19:45:35 vpn1 pluto[4038]: |
> > Jul 2 19:45:35 vpn1 pluto[4038]: | *time t
> >
> >
> > Can you tell me what is the mistake in this configuration?
> > What should I do to solve this problem?
> >
> > thanks in advance,
> > Regards,
> > Nirmala
> >
>
>
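Peter's reply boils down to a few checks on ipsec.conf: debug options left on, both endpoints in RFC1918 space (double NAT), subnets in the public 192.169.x.x range, and a shared secret instead of the default RSA keys. As an added example that is not part of this thread and not Openswan's own code, the script below parses a constructed ipsec.conf modelled on the poster's (with rightsubnet uncommented so that check fires) and reports those points; parse_ipsec_conf and check_conn are hypothetical helper names.

```python
import ipaddress

# Constructed sample modelled on the poster's ipsec.conf (rightsubnet uncommented on purpose).
BROKEN_CONF = """\
config setup
\tinterfaces="ipsec0=eth1"
\tplutodebug=all
\tklipsdebug=all
conn testorig
\tleft=192.168.1.102
\t#leftsubnet=192.169.100.0/24
\tright=192.168.1.2
\trightsubnet=192.169.80.0/24
\tauthby=secret
"""

def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' sections to {key: value}; '#' comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line: a section header (or version/include)
            parts = line.split()
            current = None
            if parts[0] in ("config", "conn") and len(parts) > 1:
                current = parts[0] + " " + parts[1]
                sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections

def check_conn(conf, conn):
    """Return the problems the reply above points out, for one conn section."""
    setup, c, out = conf.get("config setup", {}), conf["conn " + conn], []
    for dbg in ("plutodebug", "klipsdebug"):
        if setup.get(dbg) not in (None, "none"):
            out.append(f"{dbg}={setup[dbg]}: developer debugging, floods the logs")
    for side in ("left", "right"):
        ep, sub = c.get(side), c.get(side + "subnet")
        if ep and ipaddress.ip_address(ep).is_private:  # RFC1918 endpoint => behind NAT
            out.append(f"{side}={ep} is RFC1918: this gateway sits behind NAT")
        if sub and not ipaddress.ip_network(sub, strict=False).is_private:
            out.append(f"{side}subnet={sub} is public address space, not yours")
    if c.get("authby", "rsasig") == "secret":  # Openswan's default is RSA host keys
        out.append("authby=secret: use the default RSA host keys instead")
    return out
```

Running check_conn(parse_ipsec_conf(BROKEN_CONF), "testorig") yields six findings; the corrected config from the reply (public left/right, 192.168.x.x subnets, no authby=secret, no debug lines) yields none.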