[Openswan Users] CentOS host-to-host Ipsec VPN
Marko Mernik
marci at mernik.net
Mon Jul 13 14:16:53 EDT 2009
I add "ipsec auto --status" to the post if helps to debug my problem.
[root at router quickstarts]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.5.1
000 interface eth0/eth0 192.168.5.1
000 interface eth1/eth1 89.212.110.115
000 interface eth1/eth1 89.212.110.115
000 interface eth1/eth1 182.168.5.1
000 interface eth1/eth1 182.168.5.1
000 %myid = (none)
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "CentOSGWh-CentOSSIP":
89.212.110.115<89.212.110.115>[@GW,+S=C]...93.103.133.46<93.103.133.46>[@SIP,+S=C];
erouted; eroute owner: #2
000 "CentOSGWh-CentOSSIP": myip=unset; hisip=unset;
000 "CentOSGWh-CentOSSIP": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "CentOSGWh-CentOSSIP": policy:
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 32,32; interface: eth1;
000 "CentOSGWh-CentOSSIP": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "CentOSGWh-CentOSSIP": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "CentOSGWh-CentOSSIP":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27972s; newest IPSEC; eroute owner;
isakmp#1; idle; import:admin initiate
000 #2: "CentOSGWh-CentOSSIP" esp.d9809939 at 93.103.133.46
esp.9a313065 at 89.212.110.115 tun.0 at 93.103.133.46 tun.0 at 89.212.110.115
ref=0 refhim=4294901761
000 #1: "CentOSGWh-CentOSSIP":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2689s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000
[root at router quickstarts]#
Marko Mernik pravi:
> Hi!
>
> I have a problem with setup of VPN on CentOS 5.3 from CentOS to CentOS
> host bouth are 5.3 release.
>
> My ipsec verify:
>
> Host A:
> [root at hard ~]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.14/K2.6.18-128.1.16.el5 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [OK]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
> [root at hard ~]#
>
> Host B:
> [root at router quickstarts]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.14/K2.6.18-128.1.10.el5 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
> [root at router quickstarts]#
>
> My ipsec.conf
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> klipsdebug=all
> plutodebug=all
> # For Red Hat Enterprise Linux and Fedora, leave
> protostack=netkey
> protostack=netkey
> nat_traversal=yes
>
>
> conn CentOSGWh-CentOSSIP
> type=tunnel
> left=89.212.110.115 <MY WAN IP>
> leftsourceip=182.168.5.1 <MY LAN GW IP>
> leftnexthop=89.212.0.1 <MY WAN GATEWAY>
> leftid=@GW
> leftrsasigkey=0sAQNfBmtp9IYym...< RSA KEY >
>
> right=93.103.133.46 <MY WAN IP HOST B>
> rightid=@SIP
> rightsourceip=192.168.3.1 <MY LAN GW HOST B >
> rightnexthop=93.103.0.1 <MY WAN GATEWAY HOST B>
> rightrsasigkey=0sAQN1E< RSA KEY >
> auto=add
>
> When i run "ipsec auto --up CentOSGWh-CentOSSIP" output:
>
> Host A
> [root at router quickstarts]# ipsec auto --up CentOSGWh-CentOSSIP
> 117 "CentOSGWh-CentOSSIP" #4: STATE_QUICK_I1: initiate
> 004 "CentOSGWh-CentOSSIP" #4: STATE_QUICK_I2: sent QI2, IPsec SA
> established tunnel mode {ESP=>0x7c711da1 <0x705e3569
> xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> [root at router quickstarts]#
>
> Host B
> [root at hard ~]# ipsec auto --up CentOSGWh-CentOSSIP
> 117 "CentOSGWh-CentOSSIP" #5: STATE_QUICK_I1: initiate
> 004 "CentOSGWh-CentOSSIP" #5: STATE_QUICK_I2: sent QI2, IPsec SA
> established tunnel mode {ESP=>0xf2b33c6a <0xb71f4981
> xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> [root at hard ~]#
>
> What am i doing wrong ?
>
> lp, Marci
>
More information about the Users
mailing list