[Openswan Users] net-to-net - openswan 2.6.18 on k.2.6.24.7
Peter McGill
petermcgill at goco.net
Wed Jan 7 14:13:27 EST 2009
This is not uncommon; -I doesn't always work. Try adding the following to your conf:
leftsourceip=192.168.10.254
rightsourceip=192.168.23.1
Also check that your firewall isn't blocking tunnel traffic.
You need to allow communication between 192.168.10.0/24 and 192.168.23.0/24 on ipsec0.
Not sure what that Delete SA message is about. What ipsec device is on the other end of the tunnel?
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of TC
> Sent: January 7, 2009 12:20 PM
> To: users at openswan.org
> Subject: [Openswan Users] net-to-net - openswan 2.6.18 on k.2.6.24.7
>
> Hi all,
>
> I have installed kernel 2.6.24.7 + klips patch + openswan 2.6.18
> I have made a net-to-net config. The connection starts but I cannot
> ping the end of the tunnel.
>
> ping 192.168.23.1 -I eth1 not working
> ping 192.168.10.254 -I eth1 not working
>
> ping 192.168.10.254 -I eth1
> PING 192.168.10.254 (192.168.10.254) from 192.168.23.1 eth1:
> 56(84) bytes of data.
> From 192.168.23.1 icmp_seq=2 Destination Host Unreachable
> From 192.168.23.1 icmp_seq=3 Destination Host Unreachable
> From 192.168.23.1 icmp_seq=4 Destination Host Unreachable
>
>
> A config (and the same config on B, but with a different ipsec.secrets):
>
> version 2.0
>
> config setup
>     interfaces="ipsec0=eth0"
>     protostack=klips
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> conn A-B
>     left=WAN_IP_FROM_A
>     leftnexthop=GATEWAY_FROM_A
>     leftsubnet=192.168.10.0/24
>     right=WAN_IP_FROM_B
>     rightnexthop=GATEWAY_FROM_B
>     rightsubnet=192.168.23.0/24
>     type=tunnel
>     auth=esp
>     leftrsasigkey=0sAQOY...
>     rightrsasigkey=0sAQNqB...
>     auto=start
>
> in /var/log/syslog I have:
> Jan 7 19:13:12 vpn ipsec_setup: Starting Openswan IPsec 2.6.18...
> Jan 7 19:13:12 vpn ipsec__plutorun: 002 added connection
> description "A-B"
> Jan 7 19:13:12 vpn ipsec__plutorun: 104 "A-B" #1:
> STATE_MAIN_I1: initiate
>
> in /var/log.secure I have:
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #1: STATE_MAIN_I2:
> sent MI2, expecting MR2
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #1: transition from
> state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #1: STATE_MAIN_I3:
> sent MI3, expecting MR3
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #1: received Vendor
> ID payload [CAN-IKEv2]
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #1: Main mode peer ID
> is ID_IPV4_ADDR: '82.79.83.23'
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #1: transition from
> state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #1: STATE_MAIN_I4:
> ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
> prf=oakley_sha group=modp2048}
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #2: initiating Quick
> Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1
> msgid:beed36ed proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #2: transition from
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jan 7 19:15:57 vpn pluto[10094]: "A-B" #2: STATE_QUICK_I2:
> sent QI2, IPsec SA established tunnel mode {ESP=>0x45d84918
> <0x892b2f5a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> Jan 7 19:16:16 vpn pluto[10094]: "A-B" #1: ignoring Delete
> SA payload: PROTO_IPSEC_ESP SA(0x45d84917) not found (maybe expired)
> Jan 7 19:16:16 vpn pluto[10094]: "A-B" #1: received and
> ignored informational message
>
>
> Thx for Help.
>
> --
> TC
>
>
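A check for the situation in this thread, as an added example (not code from either poster or from Openswan): it parses an ipsec.conf and flags subnet conns that lack leftsourceip/rightsourceip, or that set one outside the matching subnet. The function names and the trimmed sample config are constructed for illustration; the inside-the-subnet rule is an assumption that matches the values suggested in the reply.

```python
import ipaddress

def parse_conns(text):
    """Parse ipsec.conf text into {conn_name: {key: value}}; non-conn sections are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if not raw[0].isspace():                  # section headers start in column 0
            parts = raw.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in raw:  # indented key=value inside a conn
            key, value = raw.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check_sourceip(conns):
    """Return (conn, side, problem) for each side that has a subnet but no usable sourceip."""
    findings = []
    for name, opts in conns.items():
        for side in ("left", "right"):
            subnet = opts.get(side + "subnet")
            if subnet is None:
                continue                          # host-to-host side, nothing to check
            src = opts.get(side + "sourceip")
            if src is None:
                findings.append((name, side, "missing"))
            elif ipaddress.ip_address(src) not in ipaddress.ip_network(subnet, strict=False):
                findings.append((name, side, "outside-subnet"))
    return findings

# Constructed sample: the A-B conn from the post, trimmed to the relevant keys.
POSTED = """\
version 2.0

config setup
    interfaces="ipsec0=eth0"
    protostack=klips

conn A-B
    left=WAN_IP_FROM_A
    leftsubnet=192.168.10.0/24
    right=WAN_IP_FROM_B
    rightsubnet=192.168.23.0/24
    auto=start
"""
# The same conn with the two lines suggested in the reply appended.
SUGGESTED = POSTED + "    leftsourceip=192.168.10.254\n    rightsourceip=192.168.23.1\n"

if __name__ == "__main__":
    print("posted:   ", check_sourceip(parse_conns(POSTED)))
    print("suggested:", check_sourceip(parse_conns(SUGGESTED)))
```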