[Openswan Users] problem with net-to-net configuration
Gary Long
long at magillem.com
Tue Dec 7 05:02:02 EST 2010
I read more documentation about openswan and vpn and I think I now have
a clear view of the network infrastructure... So here are the details.
machine 1 (ubuntu 9.10 (kernel 2.6.31) with openswan 2.6.22 (using netkey))
192.168.1.200 #DMZ# (static ip provided by the adsl box)
|
|
|
192.168.1.1
adsl box with NAT
217.128.31.99
|
|
INTERNET
|
|
82.239.74.246
adsl box with NAT
192.168.1.1
|
|
|
192.168.1.100 #DMZ# (static ip provided by the adsl box)
machine 2 (ubuntu 8.04 (kernel 2.6.24) with openswan 2.4.9 (using netkey))
I want to establish a vpn between machine 1 and machine 2 and I want
only these two machines to be accessible through the vpn.
Here are the configuration files:
*machine 1:*
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
nat_traversal=yes
oe=off
protostack=netkey
virtual_private=%v4:10.0.0.0/8,%4:172.16.40.0/24,%4:192.168.0.0/16
nhelpers=0
#vpn connection
conn net-to-net
keyingtries=2
authby=secret
type=tunnel
keyexchange=ike
left=192.168.1.200
leftid=192.168.1.200
leftsubnet=192.168.1.210/30
leftnexthop=%defaultroute
right=82.239.74.246
rightid=82.239.74.246
rightsubnet=192.168.1.110/30
rightnexthop=%defaultroute
auto=add
*machine 2:*
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
protostack=netkey
nhelpers=0
# vpn connection
conn net-to-net
keyingtries=2
authby=secret
type=tunnel
keyexchange=ike
left=192.168.1.100
leftid=192.168.1.100
leftsubnet=192.168.1.110/30
leftnexthop=%defaultroute
right=217.128.31.99
rightid=217.128.31.99
rightsubnet=192.168.1.210/30
rightnexthop=%defaultroute
auto=add
include /etc/ipsec.d/examples/no_oe.conf
There must be something wrong with the configuration but I don't know
what...
Also, I'm not sure about what to write inside the ipsec.secrets file. I
want to use a *PSK* and I know I must write something like left ip right
ip: PSK "mysecretkey" but I don't know if I should use the local ip
address of machine 1 and machine 2 or the public ip of adsl box 1 and 2. Does
the content of the ipsec.secrets file have to be exactly the same on
both sides, or should I invert the ips according to the left and right side?
On machine 1, *ipsec verify* returns everything as OK except the
Opportunistic Encryption Support, which is disabled.
On machine 2, *ipsec verify* returns everything as OK except the
*Checking for RSA private key : ipsec showhostkey: no default key in
"/etc/ipsec.secrets"*
The actual content of the machine 1 ipsec.secrets file is:
192.168.1.200 %any: PSK "testkey"
For machine 2, it is: 192.168.1.100 %any: PSK "testkey"
When I start ipsec and the tunnel, it doesn't succeed. The result of the
ipsec barf command contains:
can't authenticate: no preshared key found for '192.168.1.100' and
'217.128.31.99'. Attribute OAKLEY_AUTHENTICATION_METHOD
There is obviously a problem with the ipsec.secrets config on machine 2
side but I don't know how to fix it...
If you need more information, please feel free to ask :)
Thank you for your help :)
On 06/12/2010 19:17, Neal Murphy wrote:
> On Monday 06 December 2010 04:48:50 Gary Long wrote:
>> Hi again :)
>>
>> Sorry for the late answer. I wasn't able to work on this until today =(
>>
>> I tried the ip addr command on both computers and they both have only
>> their local ip addresses on eth0.
>>
>> machine 1:
>> inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
>>
>> machine 2:
>> inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
> Will having the same subnet at both ends cause problems?
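As an added example (not from this thread or from Openswan itself), a small Python checker that parses the PSK lines of an ipsec.secrets file and reports which key, if any, covers the leftid/rightid pair a conn uses, so the secrets file can be validated against the conn before the tunnel is brought up. It assumes a simplified model of Openswan's selector matching (a line applies when its selectors cover both the local and the peer ID, in either order, with %any as a wildcard and an empty selector list matching everything); the function names and the sample conn and secrets, built from the addresses in the post, are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

def parse_secrets(text: str) -> List[Tuple[List[str], str]]:
    """Parse `[id ...]: PSK "key"` lines; comments, RSA blocks and include
    lines are skipped. An empty selector list means the line is unrestricted."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(?P<ids>[^:]*):\s*PSK\s+"(?P<key>[^"]*)"\s*$', line)
        if m:
            entries.append((m.group("ids").split(), m.group("key")))
    return entries

def selectors_cover(selectors: List[str], local_id: str, peer_id: str) -> bool:
    """Simplified model (assumption) of PSK selection: a line applies when
    its selectors cover both the local and the peer ID, in either order;
    %any matches any ID and an empty selector list matches everything."""
    if not selectors:
        return True
    def covered(wanted: str) -> bool:
        return any(s in ("%any", wanted) for s in selectors)
    return covered(local_id) and covered(peer_id)

def find_psk(secrets_text: str, local_id: str, peer_id: str) -> Optional[str]:
    """First PSK whose selectors cover (local_id, peer_id), or None."""
    for selectors, key in parse_secrets(secrets_text):
        if selectors_cover(selectors, local_id, peer_id):
            return key
    return None

def check_conn(conn: Dict[str, str], secrets_text: str):
    """IDs a host uses for a conn, viewed from its 'left' side, plus the PSK
    found. leftid/rightid default to left/right, as in ipsec.conf."""
    local_id = conn.get("leftid", conn["left"])
    peer_id = conn.get("rightid", conn["right"])
    return local_id, peer_id, find_psk(secrets_text, local_id, peer_id)

# Constructed inputs modelled on machine 2 in the post.
MACHINE2_CONN = {"left": "192.168.1.100", "leftid": "192.168.1.100",
                 "right": "217.128.31.99", "rightid": "217.128.31.99"}
MACHINE2_SECRETS = '192.168.1.100 %any: PSK "testkey"\n'
# Both IDs named explicitly; under this model the order is irrelevant,
# so the same line can be used on both hosts.
EXPLICIT_SECRETS = '217.128.31.99 192.168.1.100: PSK "testkey"\n'
# Names the other host's LAN address instead of its public ID: no PSK found.
WRONG_PEER_SECRETS = '192.168.1.100 192.168.1.200: PSK "testkey"\n'
```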