[Openswan Users] IPsec-Setup

Thomas Schweikle tps at vr-web.de
Tue Apr 12 10:42:32 EDT 2011


Am 12.04.2011 01:32, schrieb SilverTip257:
> Thomas,
> 
> I can attest that the docs are not terribly out-of-date if they are
> out-of-date at all.

Why did I find various hints and tips if tried just quitted with
error messages? After searching it went clear: these options are
where deprecated and are now gone.

> I used the documentation I found on the web, Openswan wiki, and any
> advice I got from this list to create a working setup.  I used CentOS
> and Debian Lenny with NETKEY (XFRM) and not KLIPS (this time around).

Looks as if we're using mainly the same docs. Then one questin
remains: why does it work for you, but not for me?

It wasn't at all complicated to set up an encrypted tunnel with the
docs. Worked right away out of the box. But now, in a real
environment, mainly the same config doesn't work at all as expected.
Trying various things I do not get it up and running as it should.
The tunnel is established, but I can't communicate over it. No way.
No solution --- until now.

> Something sounds wrong with your configuration if Openswan cannot find
> itself/its side.

Yes, there was a little error, I overlooked after changing some
other things. But: even after fixing this --- it is far from being
useful. I need a transparent tunnel working in both directions not
only in one way. All I've got as far was a tunnel working in one
way, but not the other. I want to connect two networks. None of the
two shall be aware about being connected by some fancy encrypted
connection right through the Internet.

> ** You may not be properly reloading/removing the
> configuration/connections.  Look up the man page on `ipsec auto` and
> you'll find everything you need to add, delete, replace, bring up, and
> bring down connections.  Ex: ipsec auto --replace "connection_name"

Does a system restart remove all old connections? If not, I'll file
a bug report for Ubuntu. I've tried with Ubuntu 10.04 LTS, 10.10 and
now 11.04b1. No success. In all cases I *was* able to build up the
tunnel right away, but in no case I was able to communicate over
this established tunnel.

> ** Pretty much everything you describe I went through and fixed on my
> setup.  I'm telling you it has to do with the 4conns and/or advanced
> routing - pick one and try it.

I thougt this, but now, at least, I do not think that way any more.

> ** Post your network layout (gateways + subnet for both ends) _AND_ a
> recent config (both hosts) on a site like pastebin.com and provide a
> link in your response.

For the client:
http://home.vrweb.de/~tps/config/ipsec-ns3/barf.txt.html
http://home.vrweb.de/~tps/config/ipsec-ns3/ipsec.conf.html
http://home.vrweb.de/~tps/config/ipsec-ns3/ipsec.secrets.html
http://home.vrweb.de/~tps/config/ipsec-ns3/pluto.err.html
http://home.vrweb.de/~tps/config/ipsec-ns3/status.txt.html

For the server:
http://home.vrweb.de/~tps/config/ipsec-vpn/barf.txt.html
http://home.vrweb.de/~tps/config/ipsec-vpn/ipsec.conf.html
http://home.vrweb.de/~tps/config/ipsec-vpn/ipsec.secrets.html
http://home.vrweb.de/~tps/config/ipsec-vpn/pluto.err.html
http://home.vrweb.de/~tps/config/ipsec-vpn/status.txt.html

> The documentation does not spoon feed, but given reading and
> experimentation it does provide the necessary knowledge.


-- 
Thomas


More information about the Users mailing list