[Openswan Users] beginner help

The Archer archerfish at gmail.com
Fri Jul 24 01:22:20 EDT 2009


Hello, I'm trying to set up a pretty straightforward VPN tunnel from my house
to my friend's house. We both have Debian machines of the same release and
both have the same version of Openswan. I've dug through every tutorial and
such that I can find and everything LOOKS right to me, but it's just not
picking up and going.

Both machines have two NICs: one connected to the cable modem, which gets a
real-world IP (eth1 in both cases), and one that gets the private IP (eth0,
192.168.0.3, for left; eth2, 192.168.1.3, for right).

IP masquerading is running on both machines so that the private networks can
spoof out behind the public IPs on eth1, and iptables is set up on both to
drop all packets that do not have an explicit 'accept' statement in the
rules (the very last rule drops anything not specifically allowed higher up),
with an 'established' clause at the very beginning of the set.

I'm stumped... I'm hoping a few more sets of eyes looking at this will get
me back on track.

So, with that as a preliminary, here's the meat of the matter:

------------config file (identical on both machines)-----------
config setup
        nat_traversal=no
        nhelpers=0

conn net-to-net
  left=69.x.x.x
  leftsubnet=192.168.0.0/24
  leftid=@user-12l.x.x.x
  leftrsasigkey=0sAQN0kZV......
  leftnexthop=%defaultroute
  right=70.x.x.x
  rightsubnet=192.168.1.0/24
  rightid=@cpe-70-x.x.x
  rightrsasigkey=0sAQOOk......
  rightnexthop=%defaultroute
  auto=start

include /etc/ipsec.d/examples/no_oe.conf
-------------------------------

Iptables rules that I've put in place on both machines to try to accept all
traffic for IPsec:
-------
iptables -A INPUT -i eth1 -p 50 -j ACCEPT
iptables -A INPUT -i eth1 -p 51 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 500 -j ACCEPT

/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -d \! 192.168.1.0/24 -j MASQUERADE   (left host masquerade rule)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -d \! 192.168.1.0/24 -j MASQUERADE   (right host masquerade rule)

Output rules that may or may not be related:
iptables -A OUTPUT -d 192.168.0.0/255.255.255.0 -o eth0 -j ACCEPT
(192.168.1 and eth2 on right host)
iptables -A OUTPUT -s 255.255.255.255 -o eth1 -j ACCEPT
-------

When I go to start ipsec, this is what I see:
-----------------
/etc/init.d/ipsec start
ipsec_setup: NETKEY on eth1 70.112.22.94/255.255.240.0 broadcast 255.255.255.255
ipsec_setup: ...Openswan IPsec started
ipsec_setup: Starting Openswan IPsec 2.4.12...
ipsec_setup: Starting Openswan IPsec 2.4.12...
ipsec__plutorun: 104 "net-to-net" #1: STATE_MAIN_I1: initiate
ipsec__plutorun: ...could not start conn "net-to-net"
------------------

Here's my route table (right host) after starting up ipsec:
---------
netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
192.168.0.0     70.x.x.1        255.255.255.0   UG        0 0          0 eth1
70.x.x.0        0.0.0.0         255.255.240.0   U         0 0          0 eth1
0.0.0.0         70.x.x.1        0.0.0.0         UG        0 0          0 eth1
----------

And finally, this is what I get from a --status check on the right host (the
left host is similar in all respects to this for routing and status):

ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 70.x.x.x
000 interface eth2/eth2 192.168.1.3
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "net-to-net": 192.168.1.0/24===70.x.x.x[@cpe-70-x.x.x]---70.x.x.1...70.x.x.1---69.x.x.48[@user-12l.x.x.x]===192.168.0.0/24; erouted; eroute owner: #4
000 "net-to-net":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "net-to-net":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "net-to-net":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1; encap: esp;
000 "net-to-net":   newest ISAKMP SA: #1; newest IPsec SA: #4;
000 "net-to-net":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #3: "net-to-net":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28496s
000 #3: "net-to-net" esp.33b504ac@69.x.x.x esp.ffa99974@70.x.x.x tun.0@69.x.x.x tun.0@70.x.x.x
000 #2: "net-to-net":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3295s; lastdpd=-1s(seq in:0 out:0)
000 #4: "net-to-net":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27952s; newest IPSEC; eroute owner
000 #4: "net-to-net" esp.27529dc9@69.x.x.x esp.c086da7@70.x.x.x tun.0@69.x.x.x tun.0@70.x.x.x
000 #1: "net-to-net":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2979s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
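Added example, not from the original post or from Openswan: a small POSIX shell generator for the firewall rules a default-drop NETKEY gateway needs for this kind of net-to-net tunnel (IKE/ESP/AH on the public side, FORWARD rules restricted to IPsec-protected traffic via the iptables `policy` match, and a MASQUERADE rule that exempts the remote subnet), instantiated for both hosts with the interface and subnets from the post. The function and variable names are assumptions, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): emit the iptables rules one
# NETKEY gateway needs for a net-to-net tunnel. Names are assumptions.
#   $1 public interface   $2 local private subnet   $3 remote private subnet
# Rules are echoed, not executed; pipe the output to sh to apply them.
tunnel_rules() {
    pub="$1"; local_net="$2"; remote_net="$3"
    # Control and data plane on the public interface: IKE, ESP, AH.
    echo "iptables -A INPUT -i $pub -p udp --dport 500 -j ACCEPT"
    echo "iptables -A INPUT -i $pub -p 50 -j ACCEPT"
    echo "iptables -A INPUT -i $pub -p 51 -j ACCEPT"
    # With NETKEY, decrypted packets are routed like any other traffic and
    # must pass a default-drop FORWARD chain. The policy match accepts only
    # packets that actually came out of (or are headed into) the tunnel, so
    # a cleartext packet arriving on $pub with a spoofed remote-subnet
    # source address is still dropped by the final rule.
    echo "iptables -A FORWARD -i $pub -m policy --dir in --pol ipsec -s $remote_net -d $local_net -j ACCEPT"
    echo "iptables -A FORWARD -o $pub -m policy --dir out --pol ipsec -s $local_net -d $remote_net -j ACCEPT"
    # POSTROUTING NAT rewrites the cleartext packet before it is encapsulated;
    # masquerading tunnel traffic would change its source address and it would
    # no longer match the tunnel's selectors, so the remote subnet is exempted.
    echo "iptables -t nat -A POSTROUTING -o $pub -s $local_net ! -d $remote_net -j MASQUERADE"
}

# The two gateways from the post: eth1 is the public interface on both.
left_rules()  { tunnel_rules eth1 192.168.0.0/24 192.168.1.0/24; }
right_rules() { tunnel_rules eth1 192.168.1.0/24 192.168.0.0/24; }
```

Run `right_rules | sh` on the right host (and `left_rules | sh` on the left) after checking that the printed MASQUERADE line exempts the other side's subnet; the `policy` match needs the xt_policy module, present in the kernels and iptables of that era.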