[Openswan Users] Fedora 8 and Netscreen

Peter McGill petermcgill at goco.net
Thu May 8 09:47:12 EDT 2008


Michael,

Your routes look fine if you're running NETKEY and ppp0 is your internet interface.
However, the subnet definitions you're using only route traffic
between two computers (192.168.3.1 and 192.127.220.100) through the tunnel.
All other traffic will use the internet without encryption.
You need to run the traceroute and telnet from your 192.168.3.1 machine.
And you can only communicate with 192.127.220.100 on the remote end, nothing else.
If 192.168.3.1 is also the computer which runs openswan then add this:
	leftsourceip=192.168.3.1
Otherwise Linux will default to the internet address as the source and it won't go
through the tunnel.

If this doesn't help you'll need to send more information, preferably an ipsec barf,
with debugging turned off and a clear explanation of how you're testing the connection.
ipsec.conf:
config setup
	klipsdebug=none
	plutodebug=none
ipsec setup --restart
ipsec auto --up myvpn
traceroute or whatever test
ipsec barf > ipsec_barf.txt

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
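To make the selector point above concrete, here is an added example (written for this page, not code from the thread or from Openswan) that models the policy lookup NETKEY performs on every outbound packet: a packet is protected only if its source falls inside leftsubnet and its destination inside rightsubnet, otherwise it is routed normally and leaves in the clear. The selectors are copied from the quoted conn myvpn block; the extra hosts (192.127.220.101, 192.168.3.50), the flow list and the effective_source() helper are constructed assumptions used only to illustrate why a traceroute run on the gateway itself bypasses the tunnel and how leftsourceip changes that.

```python
"""Model of how NETKEY decides which packets enter the myvpn tunnel.

Constructed example: the selectors are copied from the conn in the thread;
the flows and the source-address helper are assumptions made to illustrate
the point, not Openswan's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class TunnelPolicy:
    """One conn's traffic selectors: leftsubnet <-> rightsubnet."""
    name: str
    left_subnet: ipaddress.IPv4Network
    right_subnet: ipaddress.IPv4Network


# Selectors from the quoted conn myvpn block.  Both are /32s, so exactly one
# local host may talk to exactly one remote host through the tunnel.
MYVPN = TunnelPolicy(
    "myvpn",
    ipaddress.ip_network("192.168.3.1/32"),
    ipaddress.ip_network("192.127.220.100/32"),
)

PPP0_ADDR = "209.105.205.212"  # left= in the conn: the public address on ppp0
LAN_ADDR = "192.168.3.1"       # the only local address the selector covers


def policy_for(policies: Iterable[TunnelPolicy], src: str, dst: str) -> Optional[TunnelPolicy]:
    """Return the first policy whose selectors cover src -> dst, else None.

    The kernel's security policy database does the same lookup for every
    outbound packet; a packet that matches no policy is routed normally and
    leaves unencrypted, which is what the traceroute in the thread showed.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if s in p.left_subnet and d in p.right_subnet:
            return p
    return None


def would_be_encrypted(policies: Iterable[TunnelPolicy], src: str, dst: str) -> bool:
    """True when some policy covers the flow, i.e. the packet enters a tunnel."""
    return policy_for(policies, src, dst) is not None


def effective_source(leftsourceip: Optional[str]) -> str:
    """Simplified model (assumption) of the source address Linux picks for
    traffic the gateway itself sends to the peer: without leftsourceip it is
    the outgoing interface's address (ppp0); with it, the configured one."""
    return leftsourceip if leftsourceip else PPP0_ADDR


def classify_flows(policies: Iterable[TunnelPolicy], flows):
    """Map each (src, dst) pair to 'tunnel:<name>' or 'cleartext'."""
    result = {}
    for src, dst in flows:
        p = policy_for(policies, src, dst)
        result[(src, dst)] = f"tunnel:{p.name}" if p else "cleartext"
    return result


if __name__ == "__main__":
    # Constructed flows: the thread's traceroute/telnet tests run from
    # different source addresses.
    flows = [
        (PPP0_ADDR, "192.127.220.100"),       # test run on the gateway, no leftsourceip
        (LAN_ADDR, "192.127.220.100"),        # test run from 192.168.3.1
        (LAN_ADDR, "192.127.220.101"),        # another remote host (constructed)
        ("192.168.3.50", "192.127.220.100"),  # another LAN host (constructed)
    ]
    for (src, dst), verdict in classify_flows([MYVPN], flows).items():
        print(f"{src:>16} -> {dst:<16} {verdict}")
    # With leftsourceip=192.168.3.1 the gateway's own traffic matches the selector.
    src = effective_source("192.168.3.1")
    print(f"leftsourceip set: {src} -> 192.127.220.100 encrypted? "
          f"{would_be_encrypted([MYVPN], src, '192.127.220.100')}")
```

Run as-is, it prints cleartext for the first, third and fourth flows and tunnel:myvpn only for 192.168.3.1 -> 192.127.220.100; the last line shows that setting leftsourceip makes the gateway's own test traffic match. To see the real policy table on the gateway, compare against the output of ip xfrm policy after ipsec auto --up myvpn.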

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Michael Lavallee
> Sent: May 8, 2008 12:55 AM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Fedora 8 and Netscreen
> 
> Michael Lavallee wrote:
> > I need a bit of help with a VPN I am setting up.  I need to connect to
> > the company that I do work for, and they are using a Juniper Netscreen
> > device on their end. I am able to bring the tunnel up but I can't seem
> > to connect to the other end.
> >
> 
> I'm still fighting with this, but haven't gotten any further ahead.
> I've read quite a few how-to's and made use of the search engines but I
> am still back at square one.  The person at the other end thinks it is a
> routing issue, but as I look at other examples of configurations I have
> seen on the Internet I am wondering if the subnets she recommended I use
> are an issue, as I haven't seen other examples quite like them before.
> 
> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Michael Lavallee
> Sent: May 6, 2008 12:39 AM
> To: users at openswan.org
> Subject: [Openswan Users] Fedora 8 and Netscreen
> 
> Hi everyone,
> 
> I need a bit of help with a VPN I am setting up.  I need to connect to
> the company that I do work for, and they are using a Juniper Netscreen
> device on their end. I am able to bring the tunnel up but I can't seem
> to connect to the other end.
> 
> I'll post my configuration, maybe someone can point out what I have done
> wrong!
> 
> When I type "ipsec --auto up myvpn" I get a success from what I can see:
> ...
> 004 "myvpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
> 
> And this is my configuration:
> conn myvpn
>   auto=add
>   authby=secret
>   compress=no
>   ike=aes256-sha1-modp1024
>   esp=aes256-sha1
>   pfs=yes
>   left=209.105.205.212
>   leftsubnet=192.168.3.1/32
>   right=192.127.94.73
>   rightsubnet=192.127.220.100/32
> 
> But when I run a traceroute on 192.127.220.100 I can see it going
> through a bunch of hops, basically through the Internet just as if there
> was no VPN.  I check my route and I see:
> 
> 192.127.220.100 *               255.255.255.255 UH    0      0        0 ppp0
> nrba-dsl.onlink *               255.255.255.255 UH    0      0        0 ppp0
> 72.38.58.0      *               255.255.255.128 U     0      0        0 eth1
> 192.168.3.0     *               255.255.255.0   U     0      0        0 eth2
> link-local      *               255.255.0.0     U     0      0        0 eth1
> default         *               0.0.0.0         U     0      0        0 ppp0
> 
> Now I can see that the first line is the VPN, but I'm thinking things 
> aren't routing properly?  I'm not sure where to look from here.  My 
> ultimate goal is to be able to telnet to one of the two IP addresses 
> behind their firewall so I can do my work. 
