[Openswan Users] problem with net-to-net configuration

long at magillem.com
Thu Dec 9 08:26:24 EST 2010


Hi Willie =)

Yes, I tried the ipsec auto --rereadsecrets option.

I finally succeeded in creating the vpn tunnel between the two hosts !

As someone said earlier, I changed the subnet of my machine 2 (from
192.168.1.100 to 192.168.2.100). I also used the @ids in the ipsec.secrets
file. I added the parameters leftsourceip and rightsourceip set to the
local ip addresses of both machines.

I'm not sure which modification solved the problem (maybe all of
them...) but it works :) I can ping from both sides and also connect
through ssh.

I don't have the exact content of the config file now but I'll post it on
Monday. It could help someone else :)

Thank you for your help :)

> Hi Gary,
>
> Sounds like you are closer.  I'm not exactly sure what is wrong with
> your setup.  As far as I know, the secrets file uses the ids (someone
> correct me if I'm wrong)... but then it doesn't look like it should
> matter in your case since you are using %any as your second.
>
> It may be a silly question, but did you run
>    ipsec auto --rereadsecrets
> on machine 2 or otherwise restart ipsec?
>
> One second thought:  If you don't want to share the subnets through the
> tunnel, and you only want a host-to-host IPsec tunnel, you'll want to
> remove the left/rightsubnet lines from your config.
>
> Sorry I'm not much help.
>
> Willie
>
> Gary Long wrote:
>>   I read more documentation about openswan and vpn and I think I now
>> have a clear view of the network infrastructure... So here are the
>> details.
>>
>>
>> machine 1 (ubuntu 9.10 (kernel 2.6.31) with openswan 2.6.22 (using
>> netkey))
>> 192.168.1.200  #DMZ# (static ip provided by the adsl box)
>>        |
>>        |
>>        |
>> 192.168.1.1
>> adsl box with NAT
>> 217.128.31.99
>>        |
>>        |
>> INTERNET
>>        |
>>        |
>> 82.239.74.246
>> adsl box with NAT
>> 192.168.1.1
>>        |
>>        |
>>        |
>> 192.168.1.100  #DMZ# (static ip provided by the adsl box)
>> machine 2 (ubuntu 8.04 (kernel 2.6.24) with openswan 2.4.9 (using
>> netkey))
>>
>> I want to establish a vpn between machine 1 and machine 2 and I want
>> only these two machines to be accessible through the vpn.
>>
>> Here are the configuration files :
>>
>> *machine 1:*
>>
>> version 2.0     # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>> 	nat_traversal=yes
>> 	oe=off
>> 	protostack=netkey
>> 	virtual_private=%v4:10.0.0.0/8,%4:172.16.40.0/24,%4:192.168.0.0/16
>> 	nhelpers=0
>>
>> #vpn connection
>> conn net-to-net
>> 	keyingtries=2
>> 	authby=secret
>> 	type=tunnel
>> 	keyexchange=ike
>> 	left=192.168.1.200
>> 	leftid=192.168.1.200
>> 	leftsubnet=192.168.1.210/30
>> 	leftnexthop=%defaultroute
>> 	right=82.239.74.246
>> 	rightid=82.239.74.246
>> 	rightsubnet=192.168.1.110/30
>> 	rightnexthop=%defaultroute
>> 	auto=add
>>
>>
>> *machine 2:*
>>
>> version 2.0     # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>> 	nat_traversal=yes
>> 	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
>> 	protostack=netkey
>>         nhelpers=0
>>
>>
>> # vpn connection
>> conn net-to-net
>>      keyingtries=2
>>      authby=secret
>>      type=tunnel
>>      keyexchange=ike
>>      left=192.168.1.100
>>      leftid=192.168.1.100
>>      leftsubnet=192.168.1.110/30
>>      leftnexthop=%defaultroute
>>      right=217.128.31.99
>>      rightid=217.128.31.99
>>      rightsubnet=192.168.1.210/30
>>      rightnexthop=%defaultroute
>>      auto=add
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>>
>> There must be something wrong with the configuration but I don't know
>> what...
>> Also, I'm not sure about what to write inside the ipsec.secrets file. I
>> want to use a *PSK* and I know I must write something like left ip right
>> ip: PSK "mysecretkey" but I don't know if I should use the local ip
>> address of machine 1 and machine 2 or the public ip of adsl box 1 and 2. Does
>> the content of the ipsec.secrets file have to be exactly the same on
>> both sides or should I invert the ips according to left and right side?
>>
>> On machine 1, *ipsec verify* returns everything as OK except the
>> Opportunistic Encryption Support which is disabled.
>> On machine 2, *ipsec verify* returns everything as OK except the
>> "Checking for RSA private key : ipsec showhostkey: no default key in
>> "/etc/ipsec.secrets""
>>
>> The actual content of the machine 1 ipsec.secrets file is :
>> 192.168.1.200 %any: PSK "testkey"
>> For machine 2, it is : 192.168.1.100 %any: PSK "testkey"
>>
>> When I start ipsec and the tunnel, it doesn't succeed. The result of the
>> ipsec barf command contains :
>>
>> can't authenticate: no preshared key found for '192.168.1.100' and
>> '217.128.31.99'. Attribute OAKLEY_AUTHENTICATION_METHOD
>>
>> There is obviously a problem with the ipsec.secrets config on machine 2
>> side but I don't know how to fix it...
>>
>> If you need more information, please feel free to ask :)
>>
>> Thank you for your help :)
>>
>>
>>
>> On 06/12/2010 19:17, Neal Murphy wrote:
>>> On Monday 06 December 2010 04:48:50 Gary Long wrote:
>>>> Hi again :)
>>>>
>>>> Sorry for the late answer. I wasn't able to work on this until today
>>>> =(
>>>>
>>>> I tried the ip addr command on both computers and they both have only
>>>> their local ip addresses on eth0.
>>>>
>>>> machine 1 :
>>>>      inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
>>>>
>>>> machine 2:
>>>>      inet 192.168.1.200/24 brd 192.168.1.255 scope global eth0
>>> Will having the same subnet at both ends cause problems?
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>
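An added lint (my own code, not part of the thread or of Openswan) that runs over the machine 2 config and secrets line quoted above and flags the points the thread turned on: the `%4:` entries in virtual_private (machine 1's config has them; machine 2's correctly uses `%v4:`), IP-literal IDs on a host behind NAT (the poster switched to @ids), IDs that no ipsec.secrets index lists explicitly (stricter than Pluto's own matching, which also honours `%any`), and a rightsubnet that falls inside the local LAN (the poster renumbered machine 2 to 192.168.2.x). It assumes left/right are literal addresses and a /24 LAN prefix as in the quoted `ip addr` output; the constructed sample below mixes machine 1's virtual_private line into machine 2's conn so that every check has something to report.

```python
import ipaddress
import re
# Constructed input: machine 2's conn and secrets line, with machine 1's virtual_private.
CONF = """config setup
\tvirtual_private=%v4:10.0.0.0/8,%4:172.16.40.0/24,%4:192.168.0.0/16
conn net-to-net
\tleft=192.168.1.100
\tleftid=192.168.1.100
\tleftsubnet=192.168.1.110/30
\tright=217.128.31.99
\trightid=217.128.31.99
\trightsubnet=192.168.1.210/30
"""
SECRETS = '192.168.1.100 %any: PSK "testkey"\n'
LAN_PREFIX = 24  # assumed from the 'ip addr' output quoted in the thread

def parse_conf(text):  # {section header: {key: value}}; indented lines belong to the last header
    sections, cur = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":  # 'config setup' / 'conn name' header
            cur = sections.setdefault(line.strip(), {})
        elif "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip()
    return sections

def secret_indexes(text):  # IDs listed before ':' on each PSK line of ipsec.secrets
    return [m.group(1).split() for m in
            re.finditer(r'^\s*(.*?)\s*:\s*PSK\s+"[^"]*"', text, re.M)]

def lint(conf_text, secrets_text, conn_name="net-to-net"):  # [] means clean
    conf, indexes, problems = parse_conf(conf_text), secret_indexes(secrets_text), []
    conn = conf["conn " + conn_name]
    lan = ipaddress.ip_network(f"{conn['left']}/{LAN_PREFIX}", strict=False)
    for tok in conf.get("config setup", {}).get("virtual_private", "").split(","):
        if tok and not re.match(r"%v[46]:!?[0-9a-fA-F.:]+/\d+$", tok):
            problems.append(f"virtual_private: malformed entry {tok!r}")
    for side in ("left", "right"):
        sid = conn[side + "id"]
        if not sid.startswith("@") and ipaddress.ip_address(conn[side]).is_private:
            problems.append(f"{side}id={sid} is a private IP; behind NAT prefer an @name id")
        if not any(sid in idx for idx in indexes):
            problems.append(f"{side}id={sid} is not listed explicitly in ipsec.secrets")
    rsub = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    if rsub.overlaps(lan):
        problems.append(f"rightsubnet {rsub} lies inside the local LAN {lan}")
    return problems
```

On the sample it reports five findings; with `%v4:` entries, machine 2 moved to 192.168.2.100, `@machine2`/`@machine1` IDs and a matching `@machine2 @machine1: PSK "testkey"` line, it reports none.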