[Openswan Users] Openswan -> openswan two host behind NAT problem - Solved

Steve Kieu msh.computing at gmail.com
Fri Sep 19 18:44:27 EDT 2008


Hi, I solved the problem myself by looking at the wiki. It is not actually
clearly documented on the man page that the right should be the publicly
accessible IP of the left rather than the VPN endpoints. Also the man page
does not give an example of such a setup, otherwise I would not have lost nearly 5
hours figuring it out. :-)

But openswan is really much better than racoon in my experience.

On Fri, Sep 19, 2008 at 1:05 PM, Steve Kieu <msh.computing at gmail.com> wrote:

>
> Hello everyone,
>
> I am trying to set up the below config without success.
>
> From a64  <=>  peace-dk
>
>  [169.173.0.0/24] a64 [169.173.0.64] => [169.173.0.1] adsl modem [118.92.238.50] ========== [202.78.240.7] linux-fw [192.168.2.1] => [192.168.2.252] peace-dk
>
> I have configured the adsl modem to forward IKE traffic (udp 4500 and 500)
> to a64 (169.173.0.64). But I did not do (do not want to) set it on
> linux-fw the same way. I want the connection initiated from peace-dk and
> join 169.173.0.0/24 with 192.168.2.252/32. The exact setup works with
> racoon (in a64 set passive on). Now I am trying to do it with openswan with
> the following config:
>
> on a64
>
> conn for-peace
>         left=169.173.0.64
>         #leftid=a64
>         leftnexthop=%defaultroute
>         authby=secret
>         type=tunnel
>         forceencaps=yes
>         leftsubnet=169.173.0.0/24
>         rightnexthop=202.78.240.7
>         right=192.168.2.252
>         rightsubnet=192.168.2.252/32
>         esp=blowfish-sha1
>         keyexchange=ike
>         auto=add
>
> on peace-dk
>
> conn home1
>         type=tunnel
>         forceencaps=yes
>         authby=secret
>         left=192.168.2.252
>         leftnexthop=%defaultroute
>         leftsubnet=192.168.2.252/32
>         rightnexthop=118.92.238.50
>         right=169.173.0.64
>         rightsubnet=169.173.0.0/24
>         esp=blowfish-sha1
>         auto=start
>
> It does not work; it seems phase 1 gets through but phase 2 is pending.
>
> root@peace:~# ipsec auto --status | grep home
> 000 "home1": 192.168.2.252/32===192.168.2.252---192.168.2.1...118.92.238.50---169.173.0.64===169.173.0.0/24; erouted HOLD; eroute owner: #0
> 000 "home1":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "home1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "home1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1; encap: udp;
> 000 "home1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "home1":   IKE algorithms wanted: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict
> 000 "home1":   IKE algorithms found: BLOWFISH_CBC(3)_000-SHA1(2)-MODP1536(5), BLOWFISH_CBC(3)_000-SHA1(2)-MODP1024(2); flags=strict
> 000 "home1":   ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict
> 000 "home1":   ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict
> 000 #1: "home1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 13s; nodpd
> 000 #1: pending Phase 2 for "home1" replacing #0
>
>
> root@a64:~# ipsec auto --status|grep peace
> 000 "for-peace": 169.173.0.0/24===169.173.0.64---169.173.0.1...202.78.240.7---192.168.2.252===192.168.2.252/32; unrouted; eroute owner: #0
> 000 "for-peace":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "for-peace":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "for-peace":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,32; interface: eth0; encap: udp;
> 000 "for-peace":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "for-peace":   ESP algorithms wanted: BLOWFISH(7)_000-SHA1(2); flags=strict
> 000 "for-peace":   ESP algorithms loaded: BLOWFISH(7)_000-SHA1(2); flags=strict
> 000 #1: "for-peace":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 29s; nodpd
> 000 #1: pending Phase 2 for "for-peace" replacing #0
>
>
> Any idea what I did wrong? That is the only case where I have trouble setting up
> openswan while racoon works; in all other cases I can easily get openswan to work
> without any problem at all (tested with WinXP, Cisco PIX, and other Linux).
>
> Thanks in advance,
>
> Regards,
>
>
> --
> Steve Kieu
>
>


-- 
Steve Kieu
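As an added illustration (my own code, not from this thread or from Openswan), a small Python parser for the `ipsec auto --status` records quoted above that reduces them to the symptom the poster eventually tracked down: the conn sits in STATE_MAIN_I1 with MI1 retransmitting and no ISAKMP SA, which is what you get when right= names the peer's private endpoint instead of the publicly reachable address in front of it. The regexes assume the Openswan 2.x record layout shown in the post, and the sample is the post's own output rejoined onto single lines.

```python
import re

# Constructed sample: the "ipsec auto --status" records quoted in the post,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_STATUS = """\
000 "home1": 192.168.2.252/32===192.168.2.252---192.168.2.1...118.92.238.50---169.173.0.64===169.173.0.0/24; erouted HOLD; eroute owner: #0
000 "home1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #1: "home1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 13s; nodpd
000 #1: pending Phase 2 for "home1" replacing #0
"""

CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s*(?P<body>.*)$')
STATE_RE = re.compile(r'^000 #\d+: "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+)')
TOPO_RE = re.compile(r'===(?P<left>[\d.]+)---(?P<leftnh>[\d.]+)\.\.\.(?P<rightnh>[\d.]+)---(?P<right>[\d.]+)===')
SA_RE = re.compile(r'newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)')

def parse_status(text):
    """Group status records by conn name: topology addresses, SA numbers, IKE states."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conn = conns.setdefault(m['name'], {'states': []})
            topo = TOPO_RE.search(m['body'])
            if topo:
                conn.update(topo.groupdict())
            sa = SA_RE.search(m['body'])
            if sa:
                conn['isakmp_sa'], conn['ipsec_sa'] = int(sa[1]), int(sa[2])
            continue
        m = STATE_RE.match(line)
        if m:
            conns.setdefault(m['name'], {'states': []})['states'].append(m['state'])
    return conns

def diagnose(conn):
    """One-line finding for a parsed conn, or None when an IPsec SA exists."""
    if conn.get('ipsec_sa', 0) > 0:
        return None
    if conn.get('isakmp_sa', 0) == 0 and 'STATE_MAIN_I1' in conn['states']:
        # MI1 sent, MR1 never arrived: nothing answers IKE at the address in right=.
        return (f"phase 1 stalled: MI1 sent to right={conn.get('right')} but no MR1 "
                "received; for a peer behind NAT, right= must be the publicly "
                "reachable address and UDP 500/4500 must be forwarded to the peer")
    if conn.get('isakmp_sa', 0) > 0:
        return "phase 1 up but no IPsec SA: check phase 2 subnets and proposals"
    return "no SAs established"
```

Run it over the a64 output from the post as well and it reports the same stalled phase 1 for "for-peace".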