[Openswan Users] Tunnel not starting
Arjun Datta
arjun at greatgulfhomes.com
Wed May 28 17:23:21 EDT 2008
This is a FreeSWAN version 2.0 question concerning a pre-existing setup
I have been asked to maintain. Before anyone asks, I cannot upgrade the
ipsec version as yet to openswan and so am stuck using freeswan for
now =) (I know, I know, it's super old)
I have the following setup:
10.105.0.0/16===75.77.55.162---75.77.55.161...216.162.44.113---216.162.44.114===10.225.0.0/16
Left:
Linux 2.4.20-30.9
Linux FreeS/WAN 2.06
# basic configuration
config setup
        # virtual and physical interfaces for IPSEC, normally a single
        # `virtual=physical' pair, or a (quoted!) list of pairs. In the
        # simple case, where you only want to run IPSEC on one interface,
        # the virtual (ipsec0) shouldn't need changing but the physical
        # (eth999) will (to the interface connecting to the public network,
        # e.g. eth0 or ppp0 or something like that).
        # *This must be right* or almost nothing will work.
        interfaces="ipsec0=eth1"
        # should setup turn IP forwarding on after IPSEC is started, and off
        # before it is stopped?
        forwardcontrol=no
        # KLIPS debugging output. "none" for none, "all" for lots
        klipsdebug=none
        # Pluto debugging output. "none" for none, "all" for lots
        plutodebug=none
        # manually-keyed connections to set up at startup
        manualstart=
        # should Pluto wait for each negotiation to finish before proceeding?
        plutowait=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn clear
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn packetdefault
        auto=ignore

conn corp-atlantat1
        type=tunnel
        left=75.77.55.162
        leftnexthop=75.77.55.161
        leftsubnet=10.105.0.0/16
        leftfirewall=yes
        right=216.162.44.114
        rightnexthop=216.162.44.113
        rightsubnet=10.225.0.0/16
        rightfirewall=yes
        # (manual) base for SPI numbering; must end in 0
        spibase=0x520
        # (auto) key-exchange type
        keyexchange=ike
        # (auto) key lifetime (before automatic rekeying)
        keylife=8h
        # (auto) how persistent to be in (re)keying negotiations (0 means very)
        keyingtries=0
        auto=start

Right:
Linux 2.0.36
Linux FreeS/WAN 1.00
# basic configuration
config setup
        # virtual and physical interfaces for IPSEC, normally a single
        # `virtual=physical' pair, or a (quoted!) list of pairs. In the
        # simple case, where you only want to run IPSEC on one interface,
        # the virtual (ipsec0) shouldn't need changing but the physical
        # (eth999) will (to the interface connecting to the public network,
        # e.g. eth0 or ppp0 or something like that).
        # *This must be right* or almost nothing will work.
        interfaces="ipsec0=eth2"
        # should setup turn IP forwarding on after IPSEC is started, and off
        # before it is stopped?
        forwardcontrol=no
        # KLIPS debugging output. "none" for none, "all" for lots
        klipsdebug=none
        # Pluto debugging output. "none" for none, "all" for lots
        plutodebug=none
        # manually-keyed connections to set up at startup
        manualstart=
        # connections to load into Pluto's internal database at startup
        plutoload="corp-atlantat1"
        # connections for Pluto to try to negotiate at startup
        plutostart="corp-atlantat1"

conn corp-atlantat1
        type=tunnel
        #this is the new dsl config when it gets rolled out
        left=75.77.55.162
        leftnexthop=75.77.55.161
        leftsubnet=10.105.0.0/16
        leftfirewall=yes
        right=216.162.44.114
        rightnexthop=216.162.44.113
        rightsubnet=10.225.0.0/16
        rightfirewall=yes
        # (manual) base for SPI numbering; must end in 0
        spibase=0x520
        # (auto) key-exchange type
        keyexchange=ike
        # (auto) key lifetime (before automatic rekeying)
        keylife=8h
        # (auto) how persistent to be in (re)keying negotiations (0 means very)
        keyingtries=0

When I try to (re)start the connection,
left side says:
ipsec auto --status | grep corp-atlantat1
000 "corp-atlantat1": 10.225.0.0/16===216.162.44.114---216.162.44.113...
000 "corp-atlantat1": ...75.77.55.161---75.77.55.162===10.105.0.0/16
000 "corp-atlantat1": ike_life: 3600s; ipsec_life: 28800s; rekey_window: 540s; keyingtries: 0
000 "corp-atlantat1": policy: POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS; interface: eth2; routed
000 "corp-atlantat1": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 #25: "corp-atlantat1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s

right side says:
ipsec auto --status | grep corp-atlantat1
000 "corp-atlantat1": 10.105.0.0/16===75.77.55.162---75.77.55.161...216.162.44.113---216.162.44.114===10.225.0.0/16; unrouted; eroute owner: #0
000 "corp-atlantat1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "corp-atlantat1": policy: RSASIG+ENCRYPT+PFS+lKOD+rKOD; prio: 16,16; interface: eth1;
000 "corp-atlantat1": newest ISAKMP SA: #0; newest IPsec SA: #0;

Obviously the tunnel is not up.
Is this because right is freeswan 2.0 and left is freeswan 1.0?
--
Regards,
Arjun Datta
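
Added example, not part of the original post: a small Python parser for the `ipsec auto --status` lines quoted above, reporting per connection whether any SA exists and whether the initiator is still waiting for the first Main Mode reply. The sample text is the first status listing from the post with its wrapped lines rejoined; reading SA serial #0 as "no SA" is an assumption of this sketch, and `summarize` is a hypothetical helper name.

```python
import re

# Status lines from the post (first listing), wrapped lines rejoined.
SAMPLE = '''\
000 "corp-atlantat1": 10.225.0.0/16===216.162.44.114---216.162.44.113...
000 "corp-atlantat1": ...75.77.55.161---75.77.55.162===10.105.0.0/16
000 "corp-atlantat1": ike_life: 3600s; ipsec_life: 28800s; rekey_window: 540s; keyingtries: 0
000 "corp-atlantat1": policy: POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS; interface: eth2; routed
000 "corp-atlantat1": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 #25: "corp-atlantat1" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s
'''

CONN_LINE = re.compile(r'^000 "(?P<conn>[^"]+)":\s*(?P<rest>.*)$')
STATE_LINE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) \((?P<detail>[^)]*)\)')

def summarize(status_text, conn):
    """Collect SA serials, bound interface and negotiation states for one conn."""
    info = {"isakmp_sa": None, "ipsec_sa": None, "interface": None, "states": []}
    for line in status_text.splitlines():
        m = STATE_LINE.match(line)
        if m and m.group("conn") == conn:
            info["states"].append((int(m.group("num")), m.group("state"), m.group("detail")))
            continue
        m = CONN_LINE.match(line)
        if not m or m.group("conn") != conn:
            continue
        rest = m.group("rest")
        for key, pat in (("isakmp_sa", r"newest ISAKMP SA: #(\d+)"),
                         ("ipsec_sa", r"newest IPsec SA: #(\d+)")):
            hit = re.search(pat, rest)
            if hit:
                info[key] = int(hit.group(1))
        hit = re.search(r"interface: (\w+)", rest)
        if hit:
            info["interface"] = hit.group(1)
    # Assumption: serial #0 means no SA of that kind has been established.
    info["up"] = bool(info["isakmp_sa"]) and bool(info["ipsec_sa"])
    # STATE_MAIN_I1: first Main Mode message sent, no MR1 reply seen yet.
    info["waiting_for_reply"] = any(s == "STATE_MAIN_I1" for _, s, _ in info["states"])
    return info

if __name__ == "__main__":
    print(summarize(SAMPLE, "corp-atlantat1"))
```

Running the same function over the listing from the other gateway makes it easy to compare which interface each side's pluto is bound to and whether either side has progressed past its first message.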