[Openswan Users] Openswan network to network example

Enrique Bonet ebonet at glup.uv.es
Fri Feb 13 13:05:55 EST 2009


Hi all,

As an example for students in a course I am teaching, I use as an
example the configuration of a network to network openswan connection 
with the following topology:

192.168.100.0/24===147.156.223.83---147.156.222.1...147.156.100.1---147.156.101.228===192.168.200.0/24

Using Fedora 10 (kernel 2.6.27.12-170.2.4) and Openswan 2.4.9-2, the
following configuration file (/etc/ipsec.conf) works correctly:

version	2.0	# conforms to second version of ipsec.conf specification
config setup
	nat_traversal=no
	interfaces=%defaultroute
conn host1-host2
	left=147.156.223.83
	leftid=@peon7.irobot.uv.es
	leftnexthop=147.156.222.1
	leftsubnet=192.168.100.0/24
	right=147.156.101.228
	rightid=@lolabl.irobot.uv.es
	rightnexthop=147.156.100.1
	rightsubnet=192.168.200.0/24
	authby=secret
	auto=add

After running ipsec auto --up host1-host2, the command "service ipsec status"
returns:

Ipsec running - pluto pid: XXXX
pluto pid XXXX
1 tunnels up

However, using Openswan 2.6.19-1, the following example does not work
(I have made many attempts to change parameters and this is my last
trial):

version	2.0	# conforms to second version of ipsec.conf specification
config setup
	protostack=netkey
	nat_traversal=no
	# on the other node: %v4:!192.168.100.0/24 instead of %v4:!192.168.200.0/24
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.200.0/24
	oe=off
	nhelpers=0
	# on the other node: myid=@peon7.irobot.uv.es
	myid=@lolabl.irobot.uv.es
conn host1-host2
	left=147.156.223.83
	leftid=@peon7.irobot.uv.es
	leftnexthop=147.156.222.1
	leftsubnet=192.168.100.0/24
	right=147.156.101.228
	rightid=@lolabl.irobot.uv.es
	rightnexthop=147.156.100.1
	rightsubnet=192.168.200.0/24
	authby=secret
	auto=add

After running ipsec auto --up host1-host2, the command "service ipsec status"
returns:

Ipsec running - pluto pid: XXXX
pluto pid XXXX
No tunnels up

I have analyzed the network packets with Wireshark and the packet
interchange seems to be correct (nine packets, six Identity Protection
(Main Mode) and three Quick Mode).

I would appreciate any help on why the second example fails with
this version of Openswan, or on where I can find an example of a network to
network connection that operates correctly in Openswan 2.6.19 (or in
Openswan 2.6.X).

Thank you very much in advance for your time.

Enrique Bonet
Lecturer / University of Valencia (Spain)
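The two ipsec.conf files above have to agree with each other on every left*/right* value, and the per-node settings (myid, the %v4:! exclusion in virtual_private) have to match the role each node plays. The following Python script is an added example, not part of the post or of Openswan: it parses a pair of ipsec.conf texts modelled on the post's 2.6 configuration (constructed inline, with tab indentation and the per-node differences the post describes in parentheses), and reports mirror mismatches, overlapping subnets, a myid that does not match the node's own leftid/rightid, and a virtual_private that covers the node's local subnet without excluding it. The parser only handles the "config setup"/"conn NAME" section layout used on this page and IPv4 (%v4:) entries; anything else is an assumption of this example.

```python
"""Consistency check for the two ends of an Openswan network-to-network conn.

Added example; it is not code from the mailing-list post or from Openswan.
"""
import ipaddress

# Constructed sample: the conn section from the post, shared by both nodes.
CONN_TEXT = """\
conn host1-host2
\tleft=147.156.223.83
\tleftid=@peon7.irobot.uv.es
\tleftnexthop=147.156.222.1
\tleftsubnet=192.168.100.0/24
\tright=147.156.101.228
\trightid=@lolabl.irobot.uv.es
\trightnexthop=147.156.100.1
\trightsubnet=192.168.200.0/24
\tauthby=secret
\tauto=add
"""


def node_conf(myid, excluded_subnet):
    """Constructed per-node ipsec.conf text following the post's 2.6 layout."""
    return (
        "version 2.0\t# conforms to second version of ipsec.conf specification\n"
        "config setup\n"
        "\tprotostack=netkey\n"
        "\tnat_traversal=no\n"
        "\tvirtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
        f"%v4:!{excluded_subnet}\n"
        "\toe=off\n"
        f"\tmyid={myid}\n"
    ) + CONN_TEXT


PEON7 = node_conf("@peon7.irobot.uv.es", "192.168.100.0/24")    # left end
LOLABL = node_conf("@lolabl.irobot.uv.es", "192.168.200.0/24")  # right end


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {"config setup": {...}, "conn NAME": {...}}.

    Unindented lines start a section ("config setup", "conn NAME"); indented
    key=value lines belong to the current section. '#' comments and blank
    lines are ignored; "version 2.0" is a top-level statement, not a section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            words = line.split()
            if words[0] in ("config", "conn") and len(words) == 2:
                current = f"{words[0]} {words[1]}"
                sections[current] = {}
            else:
                current = None
            continue
        if current is None:
            raise ValueError(f"key=value outside a section: {line.strip()}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line.strip()}")
        sections[current][key.strip()] = value.strip()
    return sections


def parse_virtual_private(value):
    """Split a virtual_private value into (included, excluded) IPv4 networks."""
    included, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # only IPv4 entries are checked in this example
        net = item[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:]))
        else:
            included.append(ipaddress.ip_network(net))
    return included, excluded


MIRRORED_KEYS = ("left", "leftid", "leftnexthop", "leftsubnet",
                 "right", "rightid", "rightnexthop", "rightsubnet", "authby")


def check_pair(conf_a, conf_b, conn, side_a, side_b):
    """Return a list of problems (empty list means the pair is consistent).

    side_a / side_b name the end ("left" or "right") that each node is.
    """
    problems = []
    parsed = [(parse_ipsec_conf(conf_a), "A", side_a),
              (parse_ipsec_conf(conf_b), "B", side_b)]
    name = f"conn {conn}"
    for conf, label, _ in parsed:
        if name not in conf:
            problems.append(f"{label}: missing section '{name}'")
    if problems:
        return problems
    ca, cb = parsed[0][0][name], parsed[1][0][name]
    # 1. Both nodes must describe the same conn: every left*/right* value mirrors.
    for key in MIRRORED_KEYS:
        if ca.get(key) != cb.get(key):
            problems.append(f"{key} differs: A={ca.get(key)!r} B={cb.get(key)!r}")
    if "leftsubnet" not in ca or "rightsubnet" not in ca:
        problems.append("A: leftsubnet/rightsubnet missing")
        return problems
    # 2. The two protected subnets must not overlap.
    ls, rs = ipaddress.ip_network(ca["leftsubnet"]), ipaddress.ip_network(ca["rightsubnet"])
    if ls.overlaps(rs):
        problems.append(f"leftsubnet {ls} overlaps rightsubnet {rs}")
    # 3. Per-node setup: myid matches this node's own id, and virtual_private
    #    excludes this node's local subnet when an included range covers it.
    for conf, label, side in parsed:
        setup, cn = conf.get("config setup", {}), conf[name]
        myid = setup.get("myid")
        if myid is not None and myid != cn.get(f"{side}id"):
            problems.append(f"{label}: myid {myid} != {side}id {cn.get(side + 'id')}")
        local = ipaddress.ip_network(cn[f"{side}subnet"])
        if "virtual_private" in setup:
            included, excluded = parse_virtual_private(setup["virtual_private"])
            if any(local.subnet_of(n) for n in included) and \
                    not any(local.subnet_of(n) for n in excluded):
                problems.append(f"{label}: virtual_private covers local subnet "
                                f"{local} without a %v4:! exclusion")
    return problems


if __name__ == "__main__":
    for p in check_pair(PEON7, LOLABL, "host1-host2", "left", "right") or ["consistent"]:
        print(p)
```

Run it against the real files by reading each node's /etc/ipsec.conf into the two text arguments; an empty result only says the two files agree with each other and with their roles, it does not prove the tunnel negotiates, so pair it with "ipsec auto --status" on each end.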



