[Openswan Users] OpenSwan difficulties
João Kuchnier
joao.kuchnier at gmail.com
Fri Jun 5 16:31:29 EDT 2009
Hi everyone,
First of all, sorry about the amount of information here and my bad English
(I'm Brazilian). Despite that, I'm here to ask for help.
I'm new to using Openswan IPsec and I'm having some difficulties configuring
two VPN connections to the same remote server.
The network map works like this: Client Server -> My Firewall -> OpenSwan
Server in DMZ -> Processing server in DMZ
On the firewall (shorewall), I created two tunnels, zones and hosts.
My shorewall files:
tunnels:
    ipsec    net    200.x.x.x    conn1,conn2
hosts:
    conn1    eth0:192.168.102.0/24,200.x.x.x    ipsec
    conn2    eth0:10.201.136.0/21,200.x.x.x     ipsec
zones:
    conn1    ipsec
    conn2    ipsec
My policy file accepts everything incoming from or outgoing to these zones.
When incoming, a NAT rule forwards the packets to the OpenSwan server.
On the OpenSwan server, I created the two connections to the same remote IP.
Each one works with a different remote subnet (192.168.102.0/29 and
10.201.136.0/21). This server works with shorewall too. I need to forward 3
types of packets to another two servers on the same subnet (192.168.1.x).
I'm successfully connected to the first subnet (192.x.x.x) but, with the
second one, the most important (always like this), I don't receive any
packets.
My ipsec.conf is something like this (using PSK):
conn 1
    right=192.168.1.224
    #rightnexthop=
    rightsubnet=192.168.1.224/32
    #rightid=
    left=200.x.x.x
    #leftnexthop=
    leftsubnet=192.168.102.0/24
    keyexchange=ike
    ike=3des-md5-modp1024
    esp=3des-md5
    #ah=3des-md5
    ikelifetime=28800s
    #keylife=28800s
    pfs=no
    compress=no
    authby=secret
    auto=start
    aggrmode=no

conn 2
    right=192.168.1.224
    #rightnexthop=
    rightsubnet=192.168.1.224/32
    #rightid=
    left=200.x.x.x
    #leftnexthop=
    leftsubnet=10.201.136.0/21
    keyexchange=ike
    ike=3des-md5-modp1024
    esp=3des-md5
    #ah=3des-md5
    ikelifetime=28800s
    keylife=28800s
    pfs=no
    compress=no
    authby=secret
    auto=start
    aggrmode=no
Inside my openswan.log:
"conn1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0d243b91 <0x964680c9 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500 DPD=none}
"conn2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"conn2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x09bf8953 <0xea5fc696 xfrm=3DES_0-HMAC_MD5 NATD=200.x.x.x:4500 DPD=none}
Inside my syslog, there is something like this:
Jun 5 16:03:43 conn2 ipsec_setup: Starting Openswan IPsec 2.4.9...
Jun 5 16:03:44 conn2 ipsec__plutorun: 104 "conn2" #1: STATE_MAIN_I1: initiate
Jun 5 16:03:44 conn2 ipsec__plutorun: ...could not start conn "conn2"
In the first log it shows an established connection, but, the other way
around, "conn2" didn't start.
Can someone help me with that? I need some tips to finish this task.
Best regards,
João K.
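The ipsec.conf in the post is a good case for a quick configuration audit: two conn sections point at the same right/rightsubnet pair and differ only in leftsubnet, and both negotiate 3DES, MD5 and MODP-1024 with pfs=no over a pre-shared key. The following Python script is an added example, not code from the post or from the Openswan project. It parses conn sections from ipsec.conf text, reports proposal settings that a reviewer would flag as weak, and lists conns that share a peer so that the distinguishing leftsubnet is visible at a glance. The sample config embedded below is constructed to mirror the shape of the post's config (the 200.x.x.x placeholder is replaced by a constructed 200.0.0.1); the conn names conn1/conn2 are taken from the post's log lines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the post's ipsec.conf (not real hosts).
SAMPLE_IPSEC_CONF = """\
conn conn1
    right=192.168.1.224
    rightsubnet=192.168.1.224/32
    left=200.0.0.1
    leftsubnet=192.168.102.0/24
    keyexchange=ike
    ike=3des-md5-modp1024
    esp=3des-md5
    ikelifetime=28800s
    pfs=no
    authby=secret
    auto=start
    aggrmode=no

conn conn2
    right=192.168.1.224
    rightsubnet=192.168.1.224/32
    left=200.0.0.1
    leftsubnet=10.201.136.0/21
    keyexchange=ike
    ike=3des-md5-modp1024
    esp=3des-md5
    ikelifetime=28800s
    keylife=28800s
    pfs=no
    authby=secret
    auto=start
    aggrmode=no
"""

# Algorithm tokens a reviewer would flag in an IKE or ESP proposal.
WEAK_ALGS = {"3des", "md5", "modp1024"}


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Collect key=value lines under each 'conn NAME' header.

    '#' starts a comment; 'config setup' sections are skipped.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if line.startswith("config "):
            current = None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def audit_conn(name: str, s: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one conn section."""
    findings: List[str] = []
    for key in ("ike", "esp"):
        # Proposals are comma-separated; '!' marks a strict list.
        for proposal in s.get(key, "").rstrip("!").split(","):
            for alg in proposal.lower().split("-"):
                if alg in WEAK_ALGS:
                    findings.append(f"{name}: {key} uses weak algorithm {alg}")
    if s.get("pfs", "yes").lower() == "no":
        findings.append(f"{name}: pfs=no (child SAs have no forward secrecy)")
    if s.get("authby", "").lower() == "secret":
        findings.append(f"{name}: authby=secret (pre-shared key authentication)")
    return findings


def find_shared_peers(conns: Dict[str, Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group conn names by (right, rightsubnet) and keep groups of two or more."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for name, s in conns.items():
        groups.setdefault((s.get("right", ""), s.get("rightsubnet", "")), []).append(name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def audit(text: str) -> List[str]:
    """Parse ipsec.conf text and return every finding across all conns."""
    conns = parse_conns(text)
    findings: List[str] = []
    for name, s in conns.items():
        findings.extend(audit_conn(name, s))
    for (right, rsub), names in find_shared_peers(conns).items():
        lefts = sorted({conns[n].get("leftsubnet", "") for n in names})
        if len(lefts) < len(names):
            findings.append(f"{names}: same peer {right}/{rsub} and duplicate leftsubnet")
        else:
            findings.append(f"{names}: same peer {right}/{rsub}, differ only by leftsubnet {lefts}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_IPSEC_CONF):
        print(line)
```

Run it against a real ipsec.conf by reading the file into `audit()`. The parser only understands the conn/config sections shown here; `include` directives and `%default` inheritance are deliberately not handled, so a conn that inherits its proposal from `conn %default` would need those values merged in first.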