[Openswan Users] how to connect openswan to broadband---full detail!!!

Peter McGill petermcgill at goco.net
Thu Jul 3 09:45:06 EDT 2008


Nirmala,

Are you using the wireless part? If so you won't be able to
disable the 192.168.1.0/24 net, as it will be needed for that.

Or is the Openswan computer the only computer connected
directly to the internet modem, wired or otherwise? If so,
then you can proceed. You'll need to get your ISP to
reconfigure the device to give your computer the internet
IP. I always set up my internet connections this way, so
IPSec naturally works without issue.

PS. Don't use the users-request at openswan.org address, just
use the users at openswan.org one.


Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: Nirmala Balu [mailto:nirmala2005 at gmail.com] 
> Sent: July 3, 2008 12:18 AM
> To: petermcgill at goco.net
> Cc: users-request at openswan.org; users at openswan.org
> Subject: Re: [Openswan Users] how to connect openswan to 
> broadband---full detail!!!
> 
> Hello sir,
> Thank you for your reply. Now the ADSL modem has four 
> ethernet ports and one wireless. I have connected the openswan 
> gateway to one ethernet port. You have told me to change the 
> modem to pass the external public address to the openswan gateway. 
> Will you tell me how to pass the external address from the modem 
> to the openswan gateway?
>  
> Normally, with which type of internet connection (ADSL, leased line 
> or any other) can openswan be deployed? How are you 
> using openswan in an internet scenario?
>  
> Thanks in advance,
> Regards,
> Nirmala.
> 
>  
> On 7/2/08, Peter McGill <petermcgill at goco.net> wrote: 
> 
> 	Nirmala,
> 	
> 	Correct me if I'm wrong, but your scenario is this:
> 	At each location you have a broadband internet router 
> connected to the internet.
> 	This router is physically connected to your Openswan 
> (Linux) gateway using the 192.168.1.0/24
> 	network which the router manages.
> 	Then you connect the Openswan gateway to your internal 
> LAN 192.169.x.x via another net card.
> 	(Note: 192.169.80/100.x are public internet addresses; 
> unless they are assigned to you, you
> 	shouldn't use them, otherwise you risk not being able to 
> communicate with the real assigned computers.
> 	Perhaps you meant to use 192.168.80/100.x.)
> 	
> 	This means that both your Openswan gateways are NATed 
> before they reach the internet; this
> 	is a double NAT scenario and I do not think it can work.
> 	If possible (modem connects only to Openswan gateway), 
> then change the modem to pass the external
> 	public address through to the Openswan gateway rather 
> than using the 192.168.1.0/24 network.
> 	Then Openswan gateway will have a public address of 
> 59.90.235.x without nat, and this will work.
> 	
> 	Note you should use something like this; don't set any 
> other options unless you know what you're doing.
> 	Openswan has good secure defaults; unless you're 
> connecting to non-openswan you should not need to
> 	change any encryption settings. Note the debug entries 
> are removed also; they are for developer
> 	debugging, not user troubleshooting, and get in the way by 
> flooding your logs; only use them if asked by a developer.
> 	
> 	Don't use shared secrets unless necessary, use default 
> rsa public keys instead.
> 	As explained in doc/install.html and doc/config.html...
> 	On each machine do...
> 	ipsec newhostkey --output /etc/ipsec.secrets --hostname 
> `hostname -f`
> 	chmod 0600 /etc/ipsec.secrets
> 	ipsec showhostkey --left
> 	Copy this output of the above command showhostkey to 
> your ipsec.conf.
> 	
> 	ipsec.conf (all indented lines are indented with single 
> tab only not spaces):
> 	version 2.0
> 	
> 	config setup
> 	       interfaces="ipsec0=eth1" # assuming you're using 
> klips and eth1 is the interface to the internet
> 	
> 	include /etc/ipsec.d/examples/no_oe.conf
> 	
> 	conn testorig
> 	       left=59.90.235.34
> 	       leftsubnet=192.168.100.0/24
> 	       leftsourceip=192.168.100.1? # lan address of 
> openswan gateway
> 	       # RSA nnnn bits   hostname.example.net   ddd mmm 
> dd hh:mm:ss yyyy
> 	       leftrsasigkey=0sAQNs...
> 	       right=59.90.235.36
> 	       rightsubnet=192.168.80.0/24
> 	       rightsourceip=192.168.80.1? # lan address of 
> openswan gateway
> 	       # RSA nnnn bits   hostname.example.net   ddd mmm 
> dd hh:mm:ss yyyy
> 	       rightrsasigkey=0sAQNs...
> 	       auto=start # add if you want to start/stop 
> manually, start for always-on connections.
> 	
> 	Peter McGill
> 	IT Systems Analyst
> 	Gra Ham Energy Limited
> 	
> 	> -----Original Message-----
> 	> From: users-bounces at openswan.org
> 	> [mailto:users-bounces at openswan.org] On Behalf Of Nirmala Balu
> 	> Sent: July 2, 2008 5:30 AM
> 	> To: users-request at openswan.org
> 	> Cc: users at openswan.org
> 	> Subject: [Openswan Users] how to connect openswan to
> 	> broadband---full detail!!!
> 	>
> 	>   My network diagram is shown below.
> 	>       openswan gateway1<----->modem1<----> internet <------->
> 	>    modem2<-------->openswan gateway2
> 	>       IP addresses:
> 	>
> 	>       (1)openswan gateway1--192.168.1.102
> 	>       (2)modem 1 internal ip address----192.168.1.1
> 	>       (3)modem 1 external(static)ip address----59.90.235.34
> 	>       (4)modem 2 external(static)ip address----59.90.235.36
> 	>       (5)modem 2 internal ip address----192.168.1.1
> 	>       (6)openswan gateway 2--192.168.1.2
> 	>
> 	>    My ipsec.conf and ipsec.secrets are given below:
> 	>    IPSEC.CONF
> 	>    -------------------
> 	>    version 2.0
> 	>    config setup
> 	>            interfaces="ipsec0=eth1"
> 	>            plutodebug=all
> 	>            klipsdebug=all
> 	>            uniqueids=yes
> 	>    conn testorig
> 	>            left=192.168.1.102
> 	>            ike=aes128-sha-modp8192
> 	>            esp=aes256-sha1
> 	>
> 	>            #leftsubnet=192.169.100.0/24
> 	>            leftnexthop=192.168.1.1
> 	>            right=192.168.1.2
> 	>            #rightsubnet=192.169.80.0/24
> 	>            rightnexthop=192.168.1.1
> 	>            authby=secret
> 	>            pfs=no
> 	>            ikelifetime=1h
> 	>            keylife=1d
> 	>            auto=ignore
> 	>            compress=no
> 	>            rekey=no
> 	>            failureshunt=passthrough
> 	>            auth=esp
> 	>
> 	>    include /etc/ipsec.d/examples/no_oe.conf
> 	>
> 	>    IPSEC.SECRETS
> 	>    --------------------------
> 	>    192.168.1.102  192.168.1.2 : PSK "secret"
> 	>
> 	>    When I gave the "up" command, the tunnel did not come up.
> 	>
> 	>    [root at vpn1 ~]# ipsec auto --up testorig
> 	>    104 "testorig" #1: STATE_MAIN_I1: initiate
> 	>    010 "testorig" #1: STATE_MAIN_I1: retransmission; will
> 	> wait 20s for response
> 	>
> 	>    In barf message, it is giving following error:
> 	>    "*ERROR: asynchronous network error report on eth1
> 	> (sport=500) for message to 192.168.1.2 port 500,
> 	> complainant 192.168.1.102 : No route to host [errno
> 	>    113, origin ICMP type 3 code 1 (not authenticated)]"*
> 	>    ......
> 	>    .....
> 	>    Jul  2 19:45:25 vpn1 pluto[4038]: | inserting event
> 	> EVENT_RETRANSMIT,
> 	>    timeout in 10 seconds for #1
> 	>    Jul  2 19:45:25 vpn1 pluto[4038]: | next event
> 	> EVENT_RETRANSMIT in 10
> 	>    seconds for #1
> 	>    Jul  2 19:45:28 vpn1 pluto[4038]: | rejected packet:
> 	>    Jul  2 19:45:28 vpn1 pluto[4038]: "testorig" #1: *ERROR:
> 	> asynchronous
> 	>    network error report on eth1 (sport=500) for message to
> 	> 192.168.1.2 port
> 	>    500, complainant 192.168.1.102 :
> 	> No route to host [errno 113, origin ICMP
> 	>    type 3 code 1 (not authenticated)]*
> 	>    Jul  2 19:45:28 vpn1 pluto[4038]: | next event
> 	> EVENT_RETRANSMIT in 7 seconds
> 	>    for #1
> 	>    Jul  2 19:45:35 vpn1 pluto[4038]: |
> 	>    Jul  2 19:45:35 vpn1 pluto[4038]: | *time t
> 	>
> 	>
> 	>    Can you tell me what the mistake in this 
> configuration is?
> 	>    What should I do to solve this problem?
> 	>
> 	>    thanks in advance,
> 	>    Regards,
> 	>    Nirmala
> 	>
> 	
> 	
> 
> 
> 
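One way to check an ipsec.conf for the problems Peter points out in this thread (a left/right gateway address in private space, so the gateway sits behind NAT; a "LAN" subnet that is really public space such as 192.169.x.x; and authby=secret instead of RSA sig keys), as an added example that is not code from the list or from Openswan. It assumes a simple conf with literal addresses; the sample conf is constructed to resemble Nirmala's, not copied from it.

```python
import ipaddress
# Constructed sample modelled on the conn posted in the thread (not a verbatim copy).
SAMPLE_CONF = """version 2.0
conn testorig
\tleft=192.168.1.102
\tleftsubnet=192.169.100.0/24
\tright=192.168.1.2
\trightsubnet=192.169.80.0/24
\tauthby=secret
"""
def parse_ipsec_conf(text):
    # Returns {'config setup': {...}, 'conn NAME': {...}}: headers sit in column 0, settings are indented.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments and whitespace
        if not line: continue
        if not line[0].isspace():  # section header or top-level keyword (version, include)
            words = line.split()
            if words[0] in ("config", "conn") and len(words) == 2:
                current = f"{words[0]} {words[1]}"
                sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def _is_private(value, network=False):
    # RFC1918 check; False for public space and for non-addresses such as %defaultroute or %any.
    try:
        obj = ipaddress.ip_network(value, strict=False) if network else ipaddress.ip_address(value)
        return obj.is_private
    except ValueError:
        return False

def lint(conf):
    # Flags a NATed gateway address, a non-RFC1918 "LAN" subnet and PSK auth, as discussed in the thread.
    findings = []
    for name, opts in conf.items():
        if not name.startswith("conn "):
            continue
        for side in ("left", "right"):
            addr, subnet = opts.get(side), opts.get(side + "subnet")
            if addr and _is_private(addr):
                findings.append(f"{name}: {side}={addr} is RFC1918, so this gateway sits behind NAT")
            if subnet and not _is_private(subnet, network=True):
                findings.append(f"{name}: {side}subnet={subnet} is public address space, not a LAN range")
        if opts.get("authby") == "secret":
            findings.append(f"{name}: authby=secret, prefer the default RSA sig keys")
    return findings
```

Run `lint(parse_ipsec_conf(open("/etc/ipsec.conf").read()))` on each gateway; an empty list means none of the three problems from the thread is present.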


