[Openswan Users] Internet over IPSec Tunnel
Sebastian
Sebastian at maushammer.net
Fri Apr 29 14:56:22 EDT 2011
Hello,
I am new to OpenSwan - so I have to ask a few questions ;)
I have two locations with static public IPs:
Location A: Linux server with Ubuntu 10 Server, Openswan and iptables
Location B: Lancom 1711 VPN router
My plan is to have an IPsec tunnel between both locations and send all Internet traffic from Location B over the VPN to Location A and from there to the Internet.
Here is my configuration for Openswan:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    forwardcontrol=yes
    interfaces=%defaultroute
    nat_traversal=yes
    oe=off
    protostack=netkey
    syslog=user.debug
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn HOME
    auth=esp
    authby=secret
    auto=start
    esp=aes-128-md5
    ike=aes256
    ikelifetime=8000s
    keylife=2000s
    left=212.117.XXX.XXX
    leftid=212.117.XXX.XXX
    leftnexthop=%defaultroute
    leftsubnet=0.0.0.0/0
    pfs=no
    right=217.92.XXX.XXX
    rightid=217.92.XXX.XXX
    rightnexthop=%defaultroute
    rightsubnet=10.70.0.0/24
    type=tunnel
The configuration on Site B is supported by the vendor and should be no problem; I have done this several times with the Lancom boxes.
I can't export the configuration in a readable form, so here are a few things from Site B:
Nat-Traversal: Yes
DPD: 60 Seconds
Dynamic: No
IKE-Exchange: Main Mode
Certificate Authentication: No
Let Remote Site choose the Remote Network: No
SAs: Shared for KeepAlive
PFS: No
IKE Group: 2 MODP-1024
IKE-Proposals: AES CBC 128bit Hash MD5 Lifetime 8000 Seconds
IPSec-Proposals: Mode Tunnel, Encryption-ESP AES-CBC 128 bit, Auth-ESP HMAC-MD5, No AH, No IPCOMP, Lifetime 2000 Seconds
In the routing table there is an entry for 0.0.0.0/0 where the VPN is defined as default gateway/nexthop.
So here is the problem:
Actually my Lancom box says the VPN connection is established.
But no traffic is going over the VPN to the Internet.
Lancom trace log:
[VPN-Status] 2011/04/29 20:30:50,033 Devicetime: 2011/04/29 20:30:50,180
IKE info: Phase-1 negotiation started for peer LUX rule isakmp-peer-LUX using MAIN mode
[VPN-Status] 2011/04/29 20:30:50,258 Devicetime: 2011/04/29 20:30:50,210
IKE info: Phase-1 remote proposal 1 for peer LUX matched with local proposal 1
[VPN-Status] 2011/04/29 20:30:50,459 Devicetime: 2011/04/29 20:30:50,470
IKE info: Phase-1 [inititiator] for peer LUX between initiator id 217.92.35.33, responder id 212.117.175.46 done
IKE info: SA ISAKMP for peer LUX encryption aes-cbc authentication md5
IKE info: life time ( 8000 sec/ 0 kb)
[VPN-Status] 2011/04/29 20:30:50,459 Devicetime: 2011/04/29 20:30:50,470
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer LUX set to 6400 seconds (Initiator)
[VPN-Status] 2011/04/29 20:30:50,474 Devicetime: 2011/04/29 20:30:50,470
IKE info: Phase-1 SA Timeout (Hard-Event) for peer LUX set to 8000 seconds (Initiator)
[VPN-Status] 2011/04/29 20:30:50,474 Devicetime: 2011/04/29 20:30:50,520
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer LUX
[VPN-Status] 2011/04/29 20:30:56,381 Devicetime: 2011/04/29 20:30:56,530
IKE info: Phase-2 remote proposal 1 for peer LUX matched with local proposal 1
[VPN-Status] 2011/04/29 20:30:56,583 Devicetime: 2011/04/29 20:30:56,560
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer LUX set to 1800 seconds (Responder)
[VPN-Status] 2011/04/29 20:30:56,583 Devicetime: 2011/04/29 20:30:56,560
IKE info: Phase-2 SA Timeout (Hard-Event) for peer LUX set to 2000 seconds (Responder)
[VPN-Status] 2011/04/29 20:30:56,594 Devicetime: 2011/04/29 20:30:56,560
IKE info: Phase-2 [responder] done with 2 SAS for peer LUX rule ipsec-0-LUX-pr0-l0-r0
IKE info: rule:' ipsec 10.70.0.0/255.255.255.0 <-> 0.0.0.0/0.0.0.0 '
IKE info: SA ESP [0x37ca9ff0] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x7c42c092] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/0 kb) hard (2000 sec/0 kb)
IKE info: tunnel between src: 217.92.35.33 dst: 212.117.175.46
[VPN-Status] 2011/04/29 20:30:57,444 Devicetime: 2011/04/29 20:30:57,570
VPN: LUX (212.117.175.46) connected
[VPN-Status] 2011/04/29 20:30:57,636 Devicetime: 2011/04/29 20:30:57,620
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer LUX
[VPN-Packet] 2011/04/29 20:16:38,560 Devicetime: 2011/04/29 20:16:38,510
no sa available: give up, should be retransmitted: 10.70.20.100->217.237.151.142 82 UDP port 65370->53
As attachments I've added the output from ipsec barf and ipsec auto --status.
Hoping for some suggestions.
Best Regards
Sebastian
Attachments (scrubbed by the list archive):
ipsec-barf.txt: http://lists.openswan.org/pipermail/users/attachments/20110429/e6b58a49/attachment-0002.txt
ipsec-status.txt: http://lists.openswan.org/pipermail/users/attachments/20110429/e6b58a49/attachment-0003.txt