[Openswan Users] ipsec tunneling + openswam + mac os x + ping
Paul Wouters
paul at xelerance.com
Tue Apr 20 08:15:39 EDT 2010
On Mon, 19 Apr 2010, Stefan Miklosovic wrote:
> eth2 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
> inet addr:12.34.56.78 Bcast:255.255.255.255 Mask:
> 255.255.255.0
That broadcast/mask seems wrong. Not sure if you errored it when
anonymizing it.
> # cat /etc/ipsec.secrets
> 10.0.0.1 %any: PSK "thiskeyisshit"
and public now :)
> nat_traversal=yes
> interfaces="ipsec0=eth2"
> # virtual_private=
> %v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
Looks like you did not enable virtual_private, which you need for NAT-T.
> conn roadwarrior-net
> conn roadwarrior-l2tp
> conn roadwarrior-l2tp-updatewin
> conn roadwarrior-all
> conn roadwarrior
Merge all of these into one, see the updated examples in /etc/ipsec.d/examples/l2tp*
> left=12.34.56.78
> leftnexthop=12.34.56.1
> right=%any
> rightsubnet=192.168.0.0/24
> forceencaps=yes
> ike=3des-md5;modp1024
> phase2=esp
> phase2alg=3des-md5;modp1024
> auto=add
For l2tp use transport mode, and no subnets except a rightsubnet=vhost:%no,%priv.
Use leftprotoport=17/1701 and rightprotoport=17/%any.
> Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
>
> Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #1: ignoring informational payload, type
> IPSEC_INITIAL_CONTACT msgid=00000000
> Apr 19 10:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #1: received and ignored informational message
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #1: the peer proposed: 10.0.0.2/32:0/0 ->
> 192.168.0.168/32:0/0
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #2: responding to Quick Mode proposal {msgid:4c56b781}
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #2: us:
> 10.0.0.0/16===12.34.56.78<12.34.56.78>[+S=C]---12.34.56.1
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #2: them: 192.168.0.168[+S=C]===192.168.0.0/24
> Apr 19 10:41:53 charon1 pluto[22429]: | NAT-OA: 32 tunnel: 0
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #2: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
> installed, expecting QI2
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #2: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
> Apr 19 10:41:53 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
> {ESP/NAT=>0x0b6204fa <0xd6474be5 xfrm=3DES_0-HMAC_MD5 NATOA=none
> NATD=192.168.0.168:4500 DPD=none}
> Apr 19 11:37:22 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #3: initiating Main Mode to replace #1
> Apr 19 11:38:32 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #3: max number of retransmissions (2) reached
> STATE_MAIN_I1. No response (or no acceptable response) to our first
> IKE message
> Apr 19 11:41:52 charon1 pluto[22429]: "roadwarrior-net"[1]
> 192.168.0.168 #1: ISAKMP SA expired (LATEST!)
Make sure to set rekey=no.
With those changes, try again and let us know if you see more issues.
Paul
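Putting Paul's points together, here is what the server-side ipsec.conf fragment would look like for a single L2TP/IPsec road-warrior conn. This is an added example, not a file from the thread or from the Openswan examples directory; it reuses the addresses and the 3des-md5 proposal from the original post, assumes the server's own LAN is the 10.0.0.0/16 shown in the "us:" log line, and uses a placeholder PSK because the one posted is now public.

```ini
# Assumed: Openswan 2.6-era ipsec.conf, NETKEY stack, server public IP 12.34.56.78

config setup
    nat_traversal=yes
    # Enable virtual_private (it was commented out in the original post).
    # The %v4:! entry excludes the server's own LAN so a client claiming an
    # address inside it cannot shadow real hosts; 10.0.0.0/16 is assumed
    # from the "us: 10.0.0.0/16" line in the log.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/16
    protostack=netkey

# One conn instead of roadwarrior-net / -l2tp / -l2tp-updatewin / -all / roadwarrior
conn roadwarrior-l2tp
    authby=secret
    # L2TP/IPsec runs in transport mode: IPsec protects UDP/1701 between the
    # two hosts, and the L2TP/PPP layer carries the client's inner address.
    type=transport
    pfs=no
    # Prevent the "initiating Main Mode to replace #1" rekey that timed out in
    # the log; the client is expected to re-establish the SA itself.
    rekey=no
    keyingtries=3
    ikelifetime=8h
    keylife=1h
    left=12.34.56.78
    leftnexthop=12.34.56.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    # No rightsubnet=192.168.0.0/24: %no accepts clients that are not behind
    # NAT, %priv accepts a private (virtual_private) address from NATed ones.
    rightsubnet=vhost:%no,%priv
    forceencaps=yes
    # Same proposal the Mac OS X client negotiated in the posted log.
    ike=3des-md5;modp1024
    phase2=esp
    phase2alg=3des-md5
    auto=add
```

The matching /etc/ipsec.secrets line keeps its original shape, `12.34.56.78 %any: PSK "REPLACE-WITH-NEW-SECRET"`, with a freshly generated secret since the posted one should be treated as compromised.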