[Openswan Users] Openswan to Openswan (behind a NAT)

JT Edwards tstrike34 at gmail.com
Mon Sep 21 11:28:59 EDT 2009


Hi everyone,

I have since abandoned V-IPSecure... Quite frankly it sucks and I have worked almost a month on trying to get it to sync up with Openswan. I want to connect networks 192.168.122.0/24 (left) and 192.168.133.0/24 (right) bidirectionally via VPN.

I have moved since to using Openswan behind a NAT Firewall as seen in this illustration:

Here is the ipsec.conf:

conn ait-2-torden-xen
        type=tunnel
        aggrmode=no
        compress=no
        authby=secret
        right=22.123.34.56 #Public IP of local Openswan server
        rightid=22.123.34.56 #Public IP of local Openswan server
        rightnexthop=22.123.34.1 #Public IP of Gateway front of local Openswan server
        rightsubnet=192.168.122.0/24 # Subnet on local Openswan server  virbr0
        rightsourceip=192.168.122.1 # IP address within 192.168.122.0/24 network
        left=192.168.1.250    #LAN IP of remote Openswan server
        leftid=12.234.22.224  #Public IP of router in front of Openswan server
        leftnexthop=12.234.22.1 #Public IP of Gateway of router in front of remote Openswan server
        leftsubnet=192.168.133.0/24 # Subnet on remote Openswan server  virbr0
        leftsourceip=192.168.133.1 # IP address within 192.168.133.0/24 network
        auto=start

And here is the secure log from the Openswan server behind the NAT router:

Sep 21 09:50:25 aitdemo5 sshd[31697]: Accepted password for root from 192.168.1.19 port 59919 ssh2
Sep 21 09:50:25 aitdemo5 sshd[31697]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 21 09:51:18 aitdemo5 userhelper[31737]: pam_timestamp(system-config-samba:session): updated timestamp file `/var/run/sudo/root/unknown'
Sep 21 09:51:18 aitdemo5 userhelper[31740]: running '/usr/share/system-config-samba/system-config-samba.py' with root privileges on behalf of 'root'
Sep 21 09:54:36 aitdemo5 ipsec__plutorun: Starting Pluto subsystem...
Sep 21 09:54:36 aitdemo5 pluto[31907]: Starting Pluto (Openswan Version 2.6.14; Vendor ID OEoSJUweaqAX) pid:31907
Sep 21 09:54:36 aitdemo5 pluto[31907]: Setting NAT-Traversal port-4500 floating to on
Sep 21 09:54:36 aitdemo5 pluto[31907]:    port floating activation criteria nat_t=1/port_float=1
Sep 21 09:54:36 aitdemo5 pluto[31907]:    including NAT-Traversal patch (Version 0.6c)
Sep 21 09:54:36 aitdemo5 pluto[31907]: using /dev/urandom as source of random entropy
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 21 09:54:36 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 21 09:54:39 aitdemo5 pluto[31907]: starting up 3 cryptographic helpers
Sep 21 09:54:44 aitdemo5 pluto[31921]: using /dev/urandom as source of random entropy
Sep 21 09:54:44 aitdemo5 pluto[31907]: started helper pid=31921 (fd:7)
Sep 21 09:54:54 aitdemo5 pluto[31922]: using /dev/urandom as source of random entropy
Sep 21 09:54:54 aitdemo5 pluto[31907]: started helper pid=31922 (fd:8)
Sep 21 09:54:59 aitdemo5 pluto[31923]: using /dev/urandom as source of random entropy
Sep 21 09:54:59 aitdemo5 pluto[31907]: started helper pid=31923 (fd:9)
Sep 21 09:55:04 aitdemo5 pluto[31907]: Using Linux 2.6 IPsec interface code on 2.6.18-128.el5xen (experimental code)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Sep 21 09:55:05 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 09:55:10 aitdemo5 pluto[31907]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Sep 21 09:55:10 aitdemo5 pluto[31907]: Changed path to directory '/etc/ipsec.d/cacerts'
Sep 21 09:55:10 aitdemo5 pluto[31907]: Changed path to directory '/etc/ipsec.d/aacerts'
Sep 21 09:55:15 aitdemo5 pluto[31907]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Sep 21 09:55:15 aitdemo5 pluto[31907]: Changing to directory '/etc/ipsec.d/crls'
Sep 21 09:55:20 aitdemo5 pluto[31907]:   Warning: empty directory
Sep 21 09:55:25 aitdemo5 pluto[31907]: Changing back to directory '/' failed - (2 No such file or directory)
Sep 21 09:55:25 aitdemo5 pluto[31907]: Changing back to directory '/' failed - (2 No such file or directory)
Sep 21 09:55:30 aitdemo5 pluto[31907]: added connection description "ait-2-torden-xen"
Sep 21 09:55:35 aitdemo5 pluto[31907]: listening for IKE messages
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface vnet0/vnet0 192.168.133.1:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface vnet0/vnet0 192.168.133.1:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.133.2:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.133.2:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.1.250:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface eth0/eth0 192.168.1.250:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface lo/lo 127.0.0.1:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface lo/lo 127.0.0.1:4500
Sep 21 09:55:35 aitdemo5 pluto[31907]: adding interface lo/lo ::1:500
Sep 21 09:55:35 aitdemo5 pluto[31907]: loading secrets from "/etc/ipsec.secrets"
Sep 21 09:55:35 aitdemo5 pluto[31907]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Sep 21 09:55:35 aitdemo5 pluto[31907]: "ait-2-torden-xen": request to add a prospective erouted policy with netkey kernel --- experimental
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen": route-client output: /usr/libexec/ipsec/_updown.netkey: doroute `ip route replace 192.168.122.0/24 via 12.234.22.1 dev eth0  src 192.168.133.1' failed (RTNETLINK answers: Network is unreachable)
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: initiating Main Mode
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: ignoring unknown Vendor ID payload [4f456d406b6753464548407f]
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: received Vendor ID payload [Dead Peer Detection]
Sep 21 09:55:41 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: received Vendor ID payload [RFC 3947] method set to=109 
Sep 21 09:55:46 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: enabling possible NAT-traversal with method 4
Sep 21 09:55:46 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 21 09:55:51 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 21 09:55:56 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: discarding duplicate packet; already STATE_MAIN_I2
Sep 21 09:55:56 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Sep 21 09:56:01 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: discarding duplicate packet; already STATE_MAIN_I3
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: received Vendor ID payload [CAN-IKEv2]
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: Main mode peer ID is ID_IPV4_ADDR: '22.123.34.56'
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar in duplicate_state, please report to dev at openswan.org
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er in duplicate_state, please report to dev at openswan.org
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi in duplicate_state, please report to dev at openswan.org
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #1: alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr in duplicate_state, please report to dev at openswan.org
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:5c78e672 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 21 09:56:06 aitdemo5 pluto[31907]: "ait-2-torden-xen" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa74ab6c6 <0x961f7c94 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}


Do I have this ipsec.conf correct? It seems I am having routing problems.

Thanks in advance all.


JT
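An added check, written for this post and not part of Openswan or the poster's setup: it parses the conn block above (a constructed copy of its routing-relevant values), flags a `<side>nexthop` that is not on-link for the `<side>` address (assuming a /24 interface mask, which the post does not state), and extracts the failed route from the `_updown.netkey` line in the log, which is why `ip route replace ... via 12.234.22.1` returns "Network is unreachable" from a 192.168.1.250 host.

```python
import ipaddress
import re

# Constructed copy of the routing-relevant values from the conn block in the post.
IPSEC_CONF = """
conn ait-2-torden-xen
        right=22.123.34.56
        rightnexthop=22.123.34.1   # gateway in front of the right server
        rightsubnet=192.168.122.0/24
        left=192.168.1.250         # LAN address behind the NAT router
        leftnexthop=12.234.22.1    # public gateway, not on that LAN
        leftsubnet=192.168.133.0/24
"""
# Constructed copy of the _updown.netkey failure line from the post's secure log.
LOG_LINE = ("route-client output: /usr/libexec/ipsec/_updown.netkey: doroute "
            "`ip route replace 192.168.122.0/24 via 12.234.22.1 dev eth0  src "
            "192.168.133.1' failed (RTNETLINK answers: Network is unreachable)")
ROUTE_FAIL = re.compile(r"ip route replace (\S+) via (\S+) dev (\S+)[^']*' failed \((.*)\)")

def parse_conn(text):
    """Parse key=value lines of one conn block, dropping trailing '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_nexthop(conf, side, onlink_prefix=24):
    """Findings for <side>nexthop versus the <side> address."""
    # _updown installs 'via <nexthop>', so the nexthop must be on-link or the kernel
    # answers 'Network is unreachable'. The /24 prefix is an assumption (not in the post).
    findings = []
    nexthop = conf.get(side + "nexthop")
    if nexthop in (None, "%defaultroute"):
        return findings
    addr, hop = ipaddress.ip_address(conf[side]), ipaddress.ip_address(nexthop)
    link = ipaddress.ip_network(f"{addr}/{onlink_prefix}", strict=False)
    if hop not in link:
        findings.append(f"{side}nexthop {hop} is not on-link for {side}={addr}/{onlink_prefix}")
    if addr.is_private and not hop.is_private:
        findings.append(f"{side}={addr} is NATed but {side}nexthop {hop} is public; use the LAN gateway or %defaultroute")
    return findings

def parse_route_failure(logline):
    """Extract destination, gateway, device and kernel error from a doroute failure."""
    m = ROUTE_FAIL.search(logline)
    return None if m is None else dict(zip(("dst", "via", "dev", "err"), m.groups()))
```

Running `check_nexthop(parse_conn(IPSEC_CONF), "left")` reports both problems for the left side and nothing for the right side, where the nexthop is on the same /24 as the public address.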

