[Openswan Users] Wrong conf ipsec

Peter McGill petermcgill at goco.net
Mon Feb 23 10:07:07 EST 2009


ALAEDDINE abbech wrote:
> Hi all;
> I'm new in openswan mailing list.
> I have established an ipsec tunnel between two host machines.
> 
> 172.30.0.3 - host A <------ipsec------> host B - 172.30.2.10
> 
> My /etc/ipsec.conf in host A is:
> 
> version 2.0 # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> # klipsdebug=none
> # plutodebug="control parsing"

You're missing the following in the config setup section:
	oe=off

> conn %default
>         keyingtries=0
>         #       disablearrivalcheck=no
>         authby=rsasig
>         #       leftrsasigkey=%dns
>         #       rightrsasigkey=%dns
> 
> conn test
>     auto=start
>     left=172.30.0.3
>     right=172.30.0.10
>     keyexchange=ike
>     esp=3des-sha1-96
>     keyingtries=0
>     rekeymargin=4m
>     type=transport

Why are you using transport mode?
If all you're doing is trying to connect one openswan machine to another, 
then do not mess with all the options; they will work with defaults.
Stick to using left, right, auto & authby. Leave the other options 
alone. You also don't need the conn %default section. You're just making 
things harder for yourself, more places to mess up.
doc/install.html and doc/config.html (in the openswan tarball) have all 
the info you need for configuring an openswan to openswan connection.

>     disablearrivalcheck=no
>     authby=secret
>     pfs=yes
> and /etc/ipsec.secrets in A is:
> 
> 172.30.0.10 172.30.0.3: PSK 0x123456
> 
> My /etc/ipsec.conf in host B is:
> 
> version 2.0 # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
>  #klipsdebug=none
>  #plutodebug="control parsing"

Ditto above...

> conn %default
>         keyingtries=0
>         #       disablearrivalcheck=no
>         authby=rsasig
>         #       leftrsasigkey=%dns
>         #       rightrsasigkey=%dns
> conn test
>     auto=start
>     left=172.30.0.3
>     right=172.30.0.10
>     keyexchange=ike
>     esp=3des-sha1-96
>     keyingtries=0
>     rekeymargin=4m
>     type=transport
>     disablearrivalcheck=no
>     authby=secret
>     pfs=yes
> 
> and /etc/ipsec.secrets in B is:
> 
> 172.30.0.3 172.30.0.10: PSK 0x123456
> 
> I restart the ipsec service and I run (#ipsec auto --up test) on both hosts;
> I have this message:
> 117 "test" #14: STATE_QUICK_I1: initiate
> 004 "test" #14: STATE_QUICK_I2: sent QI2, IPsec SA established transport 
> mode {ESP=>0x11aed5dd <0xeabdc300 xfrm=3DES_0-HMAC_SHA1 NATOA=none 
> NATD=none DPD=none}
> and for #ipsec setup status I have this message on both hosts:
> IPsec running  - pluto pid: 3963
> pluto pid 3963
> No tunnels up
> 
> I do #ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                [OK]
> Linux Openswan U2.6.14/K2.6.18-92.1.10.el5 (netkey)
> Checking for IPsec support in kernel                           [OK]
> NETKEY detected, testing for disabled ICMP send_redirects      [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
> 
> NETKEY detected, testing for disabled ICMP accept_redirects    [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
> 
> Checking for RSA private key (/etc/ipsec.secrets)              [OK]
> Checking that pluto is running                                 [OK]
> Two or more interfaces found, checking IP forwarding           [FAILED]
> Checking for 'ip' command                                      [OK]
> Checking for 'iptables' command                                [OK]
> 
> Opportunistic Encryption DNS checks:
>    Looking for TXT in forward dns zone: RTPPROXY               [MISSING]
>   Cannot execute command "host -t txt RTPPROXY": No such file or directory
>    Does the machine have at least one non-private address?     [FAILED]

	oe=off # will fix this as shown above.

> I don't know where the fault is in my config.
> Please, who can help me?
> Thanks.

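As an added example that is not part of the thread or of Openswan itself: a small POSIX sh helper that covers the two points raised above. It renders the minimal config Peter recommends (config setup with oe=off, one conn using only left, right, auto and authby, with the thread's own addresses as sample input) and audits the ICMP send_redirects/accept_redirects sysctls that `ipsec verify` reported as FAILED. The proc root is a parameter (default /proc/sys) so the audit can be pointed at a constructed directory tree; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan.
# PROC root is parameterised so the audit can run against a constructed tree.

# Render a minimal ipsec.conf to stdout, using only the options Peter
# lists as needed for an openswan-to-openswan connection.
# $1 = left address, $2 = right address
render_minimal_conf() {
    cat <<EOF
version 2.0

config setup
	oe=off

conn test
	left=$1
	right=$2
	auto=start
	authby=secret
EOF
}

# Check that send_redirects and accept_redirects are 0 for every interface
# under $1/net/ipv4/conf (default /proc/sys), matching what `ipsec verify`
# asks for on NETKEY. Prints one FAILED line per offender; returns 1 if any.
audit_icmp_redirects() {
    root="${1:-/proc/sys}"
    bad=0
    for f in "$root"/net/ipv4/conf/*/send_redirects \
             "$root"/net/ipv4/conf/*/accept_redirects; do
        [ -f "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            echo "FAILED: $f = $val (expected 0)"
            bad=1
        fi
    done
    return $bad
}

# Number of redirect sysctls that are not 0 under the given root.
count_bad_redirects() {
    audit_icmp_redirects "$1" | grep -c '^FAILED'
}

# Stand-alone use: `sh this.sh audit` checks the live /proc/sys tree;
# `sh this.sh conf LEFT RIGHT` prints the minimal config.
case "${1:-}" in
    audit) audit_icmp_redirects ;;
    conf)  render_minimal_conf "$2" "$3" ;;
esac
```

Setting the sysctls to 0 (for example via /etc/sysctl.conf) and re-running `ipsec verify` is the check that the audit is meant to confirm; the rendered config is the starting point Peter describes, to which options are added only when a specific need shows up.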