[Openswan Users] IPsec-Setup

Thomas Schweikle tps at vr-web.de
Thu Apr 7 17:15:49 EDT 2011


Hi!

Having two systems, I want to tunnel between two subnets. I have:

on my server (A):
Internet eth0: 172.31.99.27 gw 192.168.99.1
Internal eth1: 192.168.128.2; net 192.168.128.0/24

on the client (B):
Internet eth0: unknown (DSL) gw 192.168.1.1 (DSL-Router is gateway)
Internal eth0: 192.168.1.2; net 192.168.1.0/24

on (B):
conn B-A
        type=            tunnel
        auth=            esp
        authby=          secret
        keyexchange=     ike
        pfs=             no
        aggrmode=        yes
        ike=             3des-sha1-modp1024
        esp=             3des-sha1
        auto=            start
        #
        # LOCAL
        leftid=          @B
        left=            192.168.1.2
        leftsubnet=      192.168.1.0/24
        leftnexthop=     %defaultroute     (I assume 192.168.1.1)
        #
        # REMOTE
        rightid=         @A
        right=           172.31.99.27
        rightsubnet=     192.168.128.0/24
        rightnexthop=    %defaultroute     (I assume 172.31.99.1)


on (A):
conn A-B
        type=            tunnel
        auth=            esp
        authby=          secret
        keyexchange=     ike
        pfs=             no
        aggrmode=        yes
        ike=             3des-sha1-modp1024
        esp=             3des-sha1
        auto=            add
        #
        # LOCAL
        leftid=          @A
        left=            172.31.99.27
        leftsubnet=      192.168.128.0/24
        leftnexthop=     %defaultroute     (I assume 172.31.99.1)
        #
        # REMOTE
        rightid=         @B
        right=           %any
        rightsubnet=     192.168.1.0/24
        rightnexthop=    %defaultroute     (I assume 192.168.1.1)


Starting IPsec doesn't give any error messages (A):
Apr  7 22:59:02 A kernel:
  [1143570.309552] NET: Registered protocol family 15
Apr  7 22:59:02 A kernel:
  [1143570.351431] Initializing XFRM netlink socket
Apr  7 22:59:02 A kernel:
  [1143570.359222] Intel AES-NI instructions are not detected.
Apr  7 22:59:02 A pluto:
  adjusting ipsec.d to /etc/ipsec.d

Starting IPsec on the client also (B):
Apr  7 23:02:03 ns3 kernel:
  [5964887.221337] NET: Registered protocol family 15
Apr  7 23:02:03 ns3 kernel:
  [5964887.251574] intel_rng: FWH not detected
Apr  7 23:02:03 ns3 kernel:
  [5964887.328468] Initializing XFRM netlink socket
Apr  7 23:02:03 ns3 kernel:
  [5964887.334486] padlock: VIA PadLock not detected.
Apr  7 23:02:03 ns3 kernel:
  [5964887.339793] padlock: VIA PadLock Hash Engine not detected.
Apr  7 23:02:03 ns3 kernel:
  [5964887.347344] padlock: VIA PadLock not detected.
Apr  7 23:02:03 ns3 pluto:
  adjusting ipsec.d to /etc/ipsec.d


For the routing tables I have
(on A):
192.168.128.0  0.0.0.0      255.255.254.0  U   0    0  0 eth1
172.31.99.0    0.0.0.0      255.255.254.0  U   0    0  0 eth0
0.0.0.0        213.95.82.1  0.0.0.0        UG  100  0  0 eth0

(on B):
192.168.1.0    0.0.0.0      255.255.255.0  U   0    0  0 eth0
0.0.0.0        192.168.1.1  0.0.0.0        UG  100  0  0 eth0


Now trying to ping the server (from B):
root at B:~# ping 172.31.99.27
PING 172.31.99.27 (172.31.99.27) 56(84) bytes of data.
64 bytes from 172.31.99.27: icmp_req=1 ttl=57 time=27.9 ms
64 bytes from 172.31.99.27: icmp_req=2 ttl=57 time=28.7 ms
64 bytes from 172.31.99.27: icmp_req=3 ttl=57 time=27.9 ms
64 bytes from 172.31.99.27: icmp_req=4 ttl=57 time=29.4 ms
64 bytes from 172.31.99.27: icmp_req=5 ttl=57 time=30.6 ms
64 bytes from 172.31.99.27: icmp_req=6 ttl=57 time=28.9 ms
64 bytes from 172.31.99.27: icmp_req=7 ttl=57 time=29.0 ms
^C
--- 172.31.99.27 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6009ms
rtt min/avg/max/mdev = 27.921/28.960/30.639/0.871 ms


Now the internal address of the server (from B):
root at B:~# ping 192.168.128.2
PING 192.168.128.2 (192.168.128.2) 56(84) bytes of data.
64 bytes from 192.168.128.2: icmp_req=1 ttl=64 time=29.2 ms
64 bytes from 192.168.128.2: icmp_req=2 ttl=64 time=29.1 ms
64 bytes from 192.168.128.2: icmp_req=3 ttl=64 time=32.4 ms
64 bytes from 192.168.128.2: icmp_req=4 ttl=64 time=30.9 ms
64 bytes from 192.168.128.2: icmp_req=5 ttl=64 time=28.9 ms
64 bytes from 192.168.128.2: icmp_req=6 ttl=64 time=28.9 ms
^C
--- 192.168.128.2 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5007ms
rtt min/avg/max/mdev = 28.920/29.936/32.474/1.322 ms


And last some system within the connected subnet (from B):
root at B:~# ping 192.168.128.4
PING 192.168.128.4 (192.168.128.4) 56(84) bytes of data.


Any idea why this does not work?


-- 
Thomas
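As an added example (not part of the original post), a small checker that reads both conn blocks as posted, verifies that A's left/right view mirrors B's right/left view (treating %any as a wildcard), and compares the declared leftsubnet with the interface route from A's routing table. The config text and route entries are copied from the post; the function names are my own.

```python
import ipaddress
# Constructed: both conn blocks from the post, "(I assume ...)" notes removed.
IPSEC_CONF = """conn B-A
        ike=3des-sha1-modp1024
        esp=3des-sha1
        leftid=@B
        left=192.168.1.2
        leftsubnet=192.168.1.0/24
        rightid=@A
        right=172.31.99.27
        rightsubnet=192.168.128.0/24
conn A-B
        ike=3des-sha1-modp1024
        esp=3des-sha1
        leftid=@A
        left=172.31.99.27
        leftsubnet=192.168.128.0/24
        rightid=@B
        right=%any
        rightsubnet=192.168.1.0/24
"""
ROUTES_A = [("192.168.128.0", "255.255.254.0"), ("172.31.99.0", "255.255.254.0")]  # A's route table, constructed

def parse_conns(text):
    """Minimal ipsec.conf reader: {conn name: {option: value}}."""
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            cur.update([line.strip().split("=", 1)])
    return conns

def mirror_problems(a, b):
    """Options where A's view disagrees with B's mirrored view (%any on either side is a wildcard)."""
    bad = [k for k in ("ike", "esp") if a.get(k) != b.get(k)]
    pairs = [("leftid", "rightid"), ("leftsubnet", "rightsubnet"), ("left", "right")]
    for mine, theirs in pairs + [(t, m) for m, t in pairs]:
        if "%any" not in (a.get(mine), b.get(theirs)) and a.get(mine) != b.get(theirs):
            bad.append(mine)
    return bad

def route_mismatch(conn, routes):
    """Declared leftsubnet vs. the kernel route for that network, or None if they agree."""
    declared = ipaddress.ip_network(conn["leftsubnet"])
    for dst, mask in routes:
        routed = ipaddress.ip_network(f"{dst}/{mask}")
        if declared.network_address == routed.network_address and declared != routed:
            return str(declared), str(routed)
    return None
```

A mismatch reported by route_mismatch is worth a second look: A's interface route is a /23 while the conn declares a /24 for the same network.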
