[Openswan Users] openswan on dedibox

Reza Issany issanyr at gmail.com
Wed Nov 12 15:29:45 EST 2008


Hi,

Please forgive my bad English; I am French.

I'm trying to configure IPsec/L2TP using X.509 certs on a dedibox 
server (remote server).
No firewall for the moment (iptables deactivated).

I've successfully installed openswan and generated certificates, but the 
connection doesn't work.
This server has just one interface:
eth0 --> Public IP Address

I've created an alias:
eth0:1 --> 192.168.2.1/24

ipsec.conf:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12,%4:192.168.2.0/24
        interfaces=%defaultroute
        OE=off
        plutodebug=none
        nhelpers=1

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-xp
        type=transport
        left=publicIPoftheserver
        leftsubnet=192.168.2.0/24
        leftcert=vpn.toto.com.pem
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/1701
        pfs=no
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


l2tpd.conf:
[global]
auth file = /etc/l2tpd/l2tp-secrets

[lns default]
ip range = 192.168.2.10-192.168.2.20
local ip = 192.168.2.1
require chap = yes
refuse pap = yes
require authentication = yes
name = OCTI VPN
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd
length bit = yes


options.l2tpd:
ipcp-accept-local
ipcp-accept-remote
auth
crtscts
idle 1800
mtu 1200
mru 1200
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
nologfd

chap-secrets:
reza            *       "reza"                  192.168.2.10

When I run tcpdump while trying to connect, I only see this log:
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:14:55.810698 IP LSt-Amand-1xxxxx.w2xx7-128.abo.wanadoo.fr.isakmp > xxxxx.dedibox.fr.isakmp: isakmp: phase 1 I ident
16:14:55.952977 IP LSt-Amand-1xxxx.w2xxx7-128.abo.wanadoo.fr.isakmp > xxxx.dedibox.fr.isakmp: isakmp: phase 1 I ident
16:14:56.062266 IP LSt-Amand-1xxxx.w217-xxx8.abo.wanadoo.fr.24101 > xxx.dedibox.fr.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:14:56.923956 IP LSt-Amand-1xxxxx6-224.w217-128.abo.wanadoo.fr.24101 > xxxxxdedibox.fr.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:14:58.903170 IP LSt-Amand-1xxxxxxxx4.w217-128.abo.wanadoo.fr.24101 > xxxxx43.dedibox.fr.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:15:02.923689 IP LSt-Amand-1xxxxxxxxx.w2xx-128.abo.wanadoo.fr.24101 > xxxxx.dedibox.fr.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:15:10.914068 IP LSt-Amand-xxxxxxxxx.abo.wanadoo.fr.24101 > xxxx.dedibox.fr.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:15:26.889735 IP LSt-Amand-1xxxxx17-128.abo.wanadoo.fr.24101 > xxxx.dedibox.fr.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:15:58.874303 IP LSt-Amand-1xxxx.abo.wanadoo.fr.24101 > xxxxx.dedibox.fr.4500: NONESP-encap: isakmp: phase 2/others I inf[E]

Any idea, please?

Thanks for your help.

azer.
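As an added example (not part of the original post or of Openswan itself): a small Python script that parses tcpdump ISAKMP lines shaped like the capture above and reports whether the server ever answered, since a phase 1 that is all "I" with no "R" points at the IKE daemon not replying rather than at the certificates. The hostnames in the embedded sample are placeholders.

```python
import re
from collections import Counter

# Constructed sample shaped like the tcpdump output in the post; the hostnames
# are placeholders, not the poster's hosts.
SAMPLE_CAPTURE = """\
16:14:55.810698 IP client.example.isakmp > server.example.isakmp: isakmp: phase 1 I ident
16:14:55.952977 IP client.example.isakmp > server.example.isakmp: isakmp: phase 1 I ident
16:14:56.062266 IP client.example.24101 > server.example.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:14:58.903170 IP client.example.24101 > server.example.4500: NONESP-encap: isakmp: phase 1 I ident[E]
16:15:58.874303 IP client.example.24101 > server.example.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
"""

# One ISAKMP line: time, src, dst, optional NAT-T marker, phase, I (initiator)
# or R (responder), exchange. tcpdump prints the port after the endpoint's last
# dot, and UDP 500 appears as the service name "isakmp".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<natt>NONESP-encap: )?isakmp: phase (?P<phase>\S+) (?P<dir>[IR]) (?P<xchg>\S+)$"
)

def parse(capture):
    """One dict per ISAKMP line; banners and non-ISAKMP lines are skipped."""
    recs = []
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["natt"] = rec["natt"] is not None or rec["dport"] == "4500"
            recs.append(rec)
    return recs

def analyze(capture):
    """All 'I' and no 'R' in phase 1: the responder never answered at all."""
    recs = parse(capture)
    dirs = Counter(r["dir"] for r in recs)
    phase1_init = sum(1 for r in recs if r["phase"] == "1" and r["dir"] == "I")
    result = {
        "initiator_msgs": dirs["I"],
        "responder_msgs": dirs["R"],
        "phase1_retransmits": max(phase1_init - 1, 0),
        "natt_float": any(r["natt"] for r in recs),
        "informational": any(r["xchg"].startswith("inf") for r in recs),
    }
    if dirs["I"] and not dirs["R"]:
        result["verdict"] = "no responder traffic: IKE daemon not answering on UDP 500/4500"
    else:
        result["verdict"] = ("responder answered: check the IKE daemon log for the failing phase"
                             if dirs["R"] else "no ISAKMP traffic in capture")
    return result
```

Feed it `tcpdump -n -i eth0 udp port 500 or udp port 4500` output with the wrapped lines joined; if the verdict is "no responder traffic", check that pluto is running and bound to the public interface before touching the certificate setup.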

