[Openswan Users] problem with net-to-net configuration

Willie Gillespie wgillespie+openswan at es2eng.com
Wed Dec 8 20:38:33 EST 2010


Hi Gary,

Sounds like you are closer.  I'm not exactly sure what is wrong with 
your setup.  As far as I know, the secrets file uses the ids (someone 
correct me if I'm wrong)... but then it doesn't look like it should 
matter in your case since you are using %any as your second.

It may be a silly question, but did you run
   ipsec auto --rereadsecrets
on machine 2 or otherwise restart ipsec?

On second thought:  If you don't want to share the subnets through the 
tunnel, and you only want a host-to-host IPsec tunnel, you'll want to 
remove the left/rightsubnet lines from your config.

Sorry I'm not much help.

Willie

Gary Long wrote:
>   I read more documentation about openswan and vpn and I think I now 
> have a clear view of the network infrastructure... So here are the details.
> 
> 
> machine 1 (ubuntu 9.10 (kernel 2.6.31) with openswan 2.6.22 (using netkey))
> 192.168.1.200  #DMZ# (static ip provided by the adsl box)
>        |
>        |
>        |
> 192.168.1.1
> adsl box with NAT
> 217.128.31.99
>        |
>        |
> INTERNET
>        |
>        |
> 82.239.74.246
> adsl box with NAT
> 192.168.1.1
>        |
>        |
>        |
> 192.168.1.100  #DMZ# (static ip provided by the adsl box)
> machine 2 (ubuntu 8.04 (kernel 2.6.24) with openswan 2.4.9 (using netkey))
> 
> I want to establish a vpn between machine 1 and machine 2 and I want 
> only these two machines to be accessible through the vpn.
> 
> Here are the configuration files :
> 
> *machine 1:*
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> 	nat_traversal=yes
> 	oe=off
> 	protostack=netkey
> 	virtual_private=%v4:10.0.0.0/8,%v4:172.16.40.0/24,%v4:192.168.0.0/16
> 	nhelpers=0
> 
> #vpn connection
> conn net-to-net
> 	keyingtries=2
> 	authby=secret
> 	type=tunnel
> 	keyexchange=ike
> 	left=192.168.1.200
> 	leftid=192.168.1.200
> 	leftsubnet=192.168.1.210/30
> 	leftnexthop=%defaultroute
> 	right=82.239.74.246
> 	rightid=82.239.74.246
> 	rightsubnet=192.168.1.110/30
> 	rightnexthop=%defaultroute
> 	auto=add
> 
> 
> *machine 2:*
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> 	nat_traversal=yes
> 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
> 	protostack=netkey
> 	nhelpers=0
> 
> 
> # vpn connection
> conn net-to-net
>      keyingtries=2
>      authby=secret
>      type=tunnel
>      keyexchange=ike
>      left=192.168.1.100
>      leftid=192.168.1.100
>      leftsubnet=192.168.1.110/30
>      leftnexthop=%defaultroute
>      right=217.128.31.99
>      rightid=217.128.31.99
>      rightsubnet=192.168.1.210/30
>      rightnexthop=%defaultroute
>      auto=add
> include /etc/ipsec.d/examples/no_oe.conf
> 
> 
> There must be something wrong with the configuration but I don't know 
> what...
> Also, I'm not sure about what to write inside the ipsec.secrets file. I 
> want to use a *PSK* and I know I must write something like left ip right 
> ip: PSK "mysecretkey" but I don't know if I should use the local ip 
> address of machine 1 and machine 2 or the public ip of adsl box 1 and 2. Does 
> the content of the ipsec.secrets file have to be exactly the same on 
> both sides or should I invert the ips according to the left and right side?
> 
> On machine 1, *ipsec verify* returns everything as OK except the 
> Opportunistic Encryption Support which is disabled.
> On machine 2, *ipsec verify* returns everything as OK except 
> "Checking for RSA private key : ipsec showhostkey: no default key in 
> /etc/ipsec.secrets"
> 
> The actual content of the machine 1 ipsec.secrets file is : 
> 192.168.1.200 %any: PSK "testkey"
> For machine 2, it is : 192.168.1.100 %any: PSK "testkey"
> 
> When I start ipsec and the tunnel, it doesn't succeed. The result of the 
> ipsec barf command contains :
> 
> can't authenticate: no preshared key found for '192.168.1.100' and 
> '217.128.31.99'. Attribute OAKLEY_AUTHENTICATION_METHOD
> 
> There is obviously a problem with the ipsec.secrets config on machine 2 
> side but I don't know how to fix it...
> 
> If you need more information, please feel free to ask :)
> 
> Thank you for your help :)
> 
> 
> 
> On 06/12/2010 19:17, Neal Murphy wrote:
>> On Monday 06 December 2010 04:48:50 Gary Long wrote:
>>> Hi again :)
>>>
>>> Sorry for the late answer. I wasn't able to work on this until today =(
>>>
>>> I tried the ip addr command on both computers and they both have only
>>> their local ip addresses on eth0.
>>>
>>> machine 1 :
>>>      inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
>>>
>>> machine 2:
>>>      inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
>> Will having the same subnet at both ends cause problems?
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan: 
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> 
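As an added illustration (not code from the thread or from Openswan), a small shell model of the secrets lookup behind the "no preshared key found" message above: a PSK record is usable only when its index list covers both IDs of the connection (the leftid/rightid, which the barf output names as '192.168.1.100' and '217.128.31.99'), the order of the indices is irrelevant, and %any is the documented wildcard index. The sample secrets lines are constructed from the IDs in the thread; the model is a simplification and does not reproduce pluto's precedence between several matching records.

```shell
#!/bin/sh
# Added example: a simplified model of how pluto picks a PSK record from
# ipsec.secrets. A record is usable for a connection only when its index
# list covers BOTH the local ID and the peer ID (leftid/rightid); the order
# of indices does not matter, and %any is the documented wildcard index.
# Assumption: the model ignores pluto's precedence between several matches.

# Constructed samples built from the IDs quoted in the thread.
SECRETS_POSTED='# machine 2 as posted
192.168.1.100 %any: PSK "testkey"'
SECRETS_EXPLICIT='# both IDs spelled out; the identical line works on both ends
192.168.1.100 217.128.31.99: PSK "testkey"'
# Wrong variant: indexes the peer by its LAN address, but the peer is
# identified by rightid=217.128.31.99 (the public address of its ADSL box).
SECRETS_LAN_PEER='192.168.1.100 192.168.1.200: PSK "testkey"'

# find_psk LOCAL_ID PEER_ID SECRETS_TEXT
# Prints the key of the first record covering both IDs; returns 1 if none
# (the situation pluto reports as "no preshared key found").
find_psk() {
    printf '%s\n' "$3" | (
        while IFS= read -r line; do
            case $line in ''|'#'*|'include '*) continue ;; esac  # comments, includes
            case $line in *': PSK '*) ;; *) continue ;; esac     # PSK records only
            indices=${line%%: PSK *}
            key=${line#*: PSK }
            key=${key#\"}; key=${key%\"}                           # strip the quotes
            me=0; him=0
            for idx in $indices; do
                [ "$idx" = '%any' ] && me=1 && him=1
                [ "$idx" = "$1" ] && me=1
                [ "$idx" = "$2" ] && him=1
            done
            if [ "$me" = 1 ] && [ "$him" = 1 ]; then
                printf '%s\n' "$key"
                exit 0
            fi
        done
        exit 1
    )
}

# IDs as machine 2 sees them in the thread's barf output.
LOCAL=192.168.1.100; PEER=217.128.31.99
find_psk "$LOCAL" "$PEER" "$SECRETS_POSTED"    # testkey
find_psk "$LOCAL" "$PEER" "$SECRETS_EXPLICIT"  # testkey
find_psk "$LOCAL" "$PEER" "$SECRETS_LAN_PEER" \
    || echo "no preshared key found for '$LOCAL' and '$PEER'"
```

After editing the real file, pluto must re-read it (ipsec auto --rereadsecrets, as suggested above) before the change has any effect.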