[Openswan Users] Wrong conf ipsec
simon charles
charlessimon at hotmail.com
Mon Feb 23 11:03:13 EST 2009
Hi !
Looking at the configuration files I see that the encryption domains (rightsubnet / leftsubnet) are not defined in the ipsec.conf files. The type of VPN is specified as transport (type=transport) and should be type=tunnel for a full encrypted tunnel. From "ipsec verify" I see that IP forwarding is turned off, which is fine if this is just a host-to-host setup and you don't want the networks behind these peers to communicate with each other across the tunnel; otherwise turn forwarding on. Hope that helps.
- Simon Charles -
Date: Mon, 23 Feb 2009 11:52:46 +0000
From: alasupcom at yahoo.fr
To: users at openswan.org
Subject: [Openswan Users] Wrong conf ipsec
Hi all,
I'm new to the openswan mailing list.
I have established an ipsec tunnel between two host machines.
172.30.0.3 - host A <------ipsec------> host B - 172.30.2.10
My /etc/ipsec.conf in host A is:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"

conn %default
        keyingtries=0
        # disablearrivalcheck=no
        authby=rsasig
        # leftrsasigkey=%dns
        # rightrsasigkey=%dns

conn test
        auto=start
        left=172.30.0.3
        right=172.30.0.10
        keyexchange=ike
        esp=3des-sha1-96
        keyingtries=0
        rekeymargin=4m
        type=transport
        disablearrivalcheck=no
        authby=secret
        pfs=yes
and /etc/ipsec.secrets in A is:
172.30.0.10 172.30.0.3: PSK 0x123456
My /etc/ipsec.conf in host B is:
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=none
        #plutodebug="control parsing"

conn %default
        keyingtries=0
        # disablearrivalcheck=no
        authby=rsasig
        # leftrsasigkey=%dns
        # rightrsasigkey=%dns

conn test
        auto=start
        left=172.30.0.3
        right=172.30.0.10
        keyexchange=ike
        esp=3des-sha1-96
        keyingtries=0
        rekeymargin=4m
        type=transport
        disablearrivalcheck=no
        authby=secret
        pfs=yes
and /etc/ipsec.secrets in B is:
172.30.0.3 172.30.0.10: PSK 0x123456
I restart the ipsec service and run "ipsec auto --up test" on both hosts;
I get this message:
117 "test" #14: STATE_QUICK_I1: initiate
004 "test" #14: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x11aed5dd <0xeabdc300 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
and with "ipsec setup status" I get this message on both hosts:
IPsec running  - pluto pid: 3963
pluto pid 3963
No tunnels up
I run "ipsec verify":
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                               [OK]
Linux Openswan U2.6.14/K2.6.18-92.1.10.el5 (netkey)
Checking for IPsec support in kernel                          [OK]
NETKEY detected, testing for disabled ICMP send_redirects     [FAILED]
  Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects   [FAILED]
  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets)             [OK]
Checking that pluto is running                                [OK]
Two or more interfaces found, checking IP forwarding          [FAILED]
Checking for 'ip' command                                     [OK]
Checking for 'iptables' command                               [OK]
Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: RTPPROXY              [MISSING]
   Cannot execute command "host -t txt RTPPROXY": No such file or directory
   Does the machine have at least one non-private address?    [FAILED]
I don't know where the fault is in my config.
Please, who can help me?
Thanks.
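As an added illustration (not code from either poster or from Openswan), the following Python script parses an ipsec.conf and ipsec.secrets in the shape posted above and flags the two points the reply turns on: a conn that is host-to-host only (type=transport, or no leftsubnet/rightsubnet), and a PSK conn whose left/right addresses do not both appear in a secrets line. The embedded sample files are constructed to mirror host A's config.

```python
import re

# Constructed sample in the shape of the host A config posted in the thread (not the poster's file).
IPSEC_CONF = """\
version 2.0
conn %default
    keyingtries=0
    authby=rsasig   # overridden in conn test
conn test
    left=172.30.0.3
    right=172.30.0.10
    type=transport
    authby=secret
"""
IPSEC_SECRETS = "172.30.0.10 172.30.0.3: PSK 0x123456\n"   # constructed, same shape as the post

def parse_conf(text):
    """Return {conn_name: {key: value}} with conn %default merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # unindented: section header, e.g. "conn test"
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
        elif "=" in line:                              # indented: key=value in the current section
            key, value = line.strip().split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {n: {**default, **kv} for n, kv in sections.items() if n is not None}

def parse_secrets(text):
    """Return [(set_of_index_ids, kind)] for each 'id id: PSK ...' line (IPv4/FQDN ids only)."""
    matches = (re.match(r"^\s*([^:#]+):\s*(\S+)", l) for l in text.splitlines())
    return [(set(m.group(1).split()), m.group(2)) for m in matches if m]

def check(conf_text, secrets_text):
    """Return a list of findings; an empty list means nothing to flag."""
    findings, secrets = [], parse_secrets(secrets_text)
    for name, c in parse_conf(conf_text).items():
        mode, subnets = c.get("type", "tunnel"), ("leftsubnet" in c or "rightsubnet" in c)
        if mode == "transport" or not subnets:
            findings.append(f"{name}: host-to-host only (type={mode}, subnets {'set' if subnets else 'unset'}); "
                            "to carry networks behind the peers use type=tunnel with leftsubnet/rightsubnet")
        if c.get("authby") == "secret":
            ends = {c.get("left"), c.get("right")} - {None}
            if not any(kind == "PSK" and ends <= ids for ids, kind in secrets):
                findings.append(f"{name}: no PSK line in ipsec.secrets indexed by both {sorted(ends)}")
    return findings
```

Run check() against real files read from disk to reproduce the review above; the secrets parser deliberately skips IPv6 index ids, which contain colons.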