[Openswan Users] Internet over IPSec Tunnel

Sebastian Sebastian at maushammer.net
Fri Apr 29 14:56:22 EDT 2011


Hello,

I am new to OpenSwan - so I have to ask a few questions ;)

I have 2 Locations with static public IPs.
Location A: Linux server with Ubuntu 10 Server, Openswan and iptables
Location B: Lancom 1711 VPN router

My plan is to have an IPsec tunnel between both locations and send all Internet traffic from Location B over the VPN to Location A and from there on to the Internet.

Here is my Configuration for OpenSwan:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        forwardcontrol=yes
        interfaces=%defaultroute
        nat_traversal=yes
        oe=off
        protostack=netkey
        syslog=user.debug
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12


conn HOME
        auth=esp
        authby=secret
        auto=start
        esp=aes-128-md5
        ike=aes256
        ikelifetime=8000s
        keylife=2000s
        left=212.117.XXX.XXX
        leftid=212.117.XXX.XXX
        leftnexthop=%defaultroute
        leftsubnet=0.0.0.0/0
        pfs=no
        right=217.92.XXX.XXX
        rightid=217.92.XXX.XXX
        rightnexthop=%defaultroute
        rightsubnet=10.70.0.0/24
        type=tunnel


The configuration on site B is supported by the vendor and should be no problem; I have done this several times with the Lancom boxes.
I can't export the configuration in a readable form, so here are a few things from site B:
Nat-Traversal: Yes
DPD: 60 Seconds
Dynamic: No
IKE-Exchange: Main Mode
Certificate Authentication: No
Let Remote Site choose the Remote Network: No
SAs: Shared for KeepAlive
PFS:No
IKE Group: 2 MODP-1024
IKE-Proposals: AES CBC 128bit Hash MD5 Lifetime 8000 Seconds
IPSec-Proposals: Mode Tunnel, Encryption-ESP AES-CBC 128 bit, Auth-ESP HMAC-MD5, No AH, No IPCOMP, Lifetime 2000 Seconds

In the routing table there is an entry for 0.0.0.0/0 where the VPN is defined as the default gateway/nexthop.

So here is the Problem:

Actually, my Lancom box says the VPN connection is established,
but no traffic is going over the VPN to the Internet.

Lancom Tracelog:
[VPN-Status] 2011/04/29 20:30:50,033 Devicetime: 2011/04/29 20:30:50,180
IKE info: Phase-1 negotiation started for peer LUX rule isakmp-peer-LUX using MAIN mode
[VPN-Status] 2011/04/29 20:30:50,258 Devicetime: 2011/04/29 20:30:50,210
IKE info: Phase-1 remote proposal 1 for peer LUX matched with local proposal 1

[VPN-Status] 2011/04/29 20:30:50,459 Devicetime: 2011/04/29 20:30:50,470
IKE info: Phase-1 [inititiator] for peer LUX between initiator id 217.92.35.33, responder id 212.117.175.46 done
IKE info: SA ISAKMP for peer LUX encryption aes-cbc authentication md5
IKE info: life time ( 8000 sec/ 0 kb)
[VPN-Status] 2011/04/29 20:30:50,459 Devicetime: 2011/04/29 20:30:50,470
IKE info: Phase-1 SA Rekeying Timeout (Soft-Event) for peer LUX set to 6400 seconds (Initiator)

[VPN-Status] 2011/04/29 20:30:50,474 Devicetime: 2011/04/29 20:30:50,470
IKE info: Phase-1 SA Timeout (Hard-Event) for peer LUX set to 8000 seconds (Initiator)
[VPN-Status] 2011/04/29 20:30:50,474 Devicetime: 2011/04/29 20:30:50,520
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer LUX


[VPN-Status] 2011/04/29 20:30:56,381 Devicetime: 2011/04/29 20:30:56,530
IKE info: Phase-2 remote proposal 1 for peer LUX matched with local proposal 1

[VPN-Status] 2011/04/29 20:30:56,583 Devicetime: 2011/04/29 20:30:56,560
IKE info: Phase-2 SA Rekeying Timeout (Soft-Event) for peer LUX set to 1800 seconds (Responder)

[VPN-Status] 2011/04/29 20:30:56,583 Devicetime: 2011/04/29 20:30:56,560
IKE info: Phase-2 SA Timeout (Hard-Event) for peer LUX set to 2000 seconds (Responder)

[VPN-Status] 2011/04/29 20:30:56,594 Devicetime: 2011/04/29 20:30:56,560
IKE info: Phase-2 [responder] done with 2 SAS for peer LUX rule ipsec-0-LUX-pr0-l0-r0
IKE info: rule:' ipsec 10.70.0.0/255.255.255.0 <-> 0.0.0.0/0.0.0.0 '
IKE info: SA ESP [0x37ca9ff0] alg AES keylength 128 +hmac HMAC_MD5 outgoing
IKE info: SA ESP [0x7c42c092] alg AES keylength 128 +hmac HMAC_MD5 incoming
IKE info: life soft( 1800 sec/0 kb) hard (2000 sec/0 kb)
IKE info: tunnel between src: 217.92.35.33 dst: 212.117.175.46

[VPN-Status] 2011/04/29 20:30:57,444 Devicetime: 2011/04/29 20:30:57,570
VPN: LUX (212.117.175.46) connected

[VPN-Status] 2011/04/29 20:30:57,636 Devicetime: 2011/04/29 20:30:57,620
IKE info: NOTIFY received of type INVALID_ID_INFORMATION for peer LUX
[VPN-Packet] 2011/04/29 20:16:38,560 Devicetime: 2011/04/29 20:16:38,510
no sa available: give up, should be retransmitted: 10.70.20.100->217.237.151.142 82 UDP port 65370->53


As attachments I've added the output of ipsec barf and ipsec auto --status.

Hoping for some suggestions.

Best Regards

Sebastian



________________________________

---------------------------------
Non-Public E-Mail Hosting by www.it-freakz.net

This e-mail is intended only for the recipient to whom it is addressed and may contain confidential material or material subject to professional secrecy.
If you are not the intended recipient, you have received this e-mail in error, and any use, publication, forwarding, copying or printing is strictly prohibited.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110429/e6b58a49/attachment-0001.html 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec-barf.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20110429/e6b58a49/attachment-0002.txt 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec-status.txt
Url: http://lists.openswan.org/pipermail/users/attachments/20110429/e6b58a49/attachment-0003.txt 
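Added example (not from the original post, and not Openswan's own code): the pieces Location A needs beyond the posted ipsec.conf for the "Internet over the tunnel" design to work, plus a check that the kernel actually holds the policies the Lancom log reports (10.70.0.0/24 <-> 0.0.0.0/0). With protostack=netkey, packets from 10.70.0.0/24 leave the tunnel decapsulated on the public interface, so the server has to forward them and source-NAT them on its own public address; the return traffic is un-NATed and then matches the 0.0.0.0/0 -> 10.70.0.0/24 out-policy, so it goes back into the tunnel without any extra route. The `-m policy --pol ipsec` matches keep traffic that will be encapsulated out of MASQUERADE and make sure only packets that really arrived through the SA may use the 10.70.0.0/24 source, so nobody on the Internet can spoof that source and ride the NAT. Assumptions: the public interface is `eth0`, the remote LAN is the posted rightsubnet, and the sample `ip xfrm policy` text is constructed for the check.

```sh
#!/bin/sh
# Added example, not from the original post. Host settings and netfilter
# rules for Location A (the Openswan/netkey side).
# Assumptions: public interface eth0; remote LAN 10.70.0.0/24 (posted rightsubnet).

WAN_IF="${WAN_IF:-eth0}"      # assumption: Location A's Internet-facing interface
REMOTE_LAN="10.70.0.0/24"     # rightsubnet of conn HOME in the posted ipsec.conf

# Emit settings and rules as text so they can be reviewed (and checked below)
# before anything is applied. Order matters: the ipsec exclusion must precede
# MASQUERADE, and the spoofing DROP must follow the policy-matched ACCEPT.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.${WAN_IF}.rp_filter=0
iptables -t nat -A POSTROUTING -s ${REMOTE_LAN} -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s ${REMOTE_LAN} -o ${WAN_IF} -j MASQUERADE
iptables -A FORWARD -s ${REMOTE_LAN} -m policy --dir in --pol ipsec -j ACCEPT
iptables -A FORWARD -d ${REMOTE_LAN} -m policy --dir out --pol ipsec -j ACCEPT
iptables -A FORWARD -s ${REMOTE_LAN} -j DROP
EOF
}

# Returns 0 when the ipsec exclusion is listed before the MASQUERADE rule.
rule_order_ok() {
    nat_rules | awk '
        /POSTROUTING/ && /--pol ipsec -j ACCEPT/ { a = NR }
        /MASQUERADE/                             { m = NR }
        END { exit (a && m && a < m) ? 0 : 1 }'
}

# Runs the emitted commands on the live system (needs root).
apply_rules() {
    nat_rules | sh -e
}

# xfrm_has_policy TEXT SRC DST DIR: 0 if TEXT (output of `ip xfrm policy`)
# contains a selector "src SRC dst DST" whose next "dir" line is DIR.
xfrm_has_policy() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" -v dir="$4" '
        $1 == "src" { sel = ($2 == s && $4 == d) }
        $1 == "dir" && sel && $2 == dir { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample of `ip xfrm policy` on Location A for conn HOME
# (addresses are the ones visible in the posted Lancom trace).
SAMPLE_XFRM='src 0.0.0.0/0 dst 10.70.0.0/24
    dir out priority 2344 ptype main
    tmpl src 212.117.175.46 dst 217.92.35.33
        proto esp reqid 16385 mode tunnel
src 10.70.0.0/24 dst 0.0.0.0/0
    dir in priority 2344 ptype main
    tmpl src 217.92.35.33 dst 212.117.175.46
        proto esp reqid 16385 mode tunnel'

# Demo: print the rule set and check the sample policies. Use
#   sh this.sh apply
# to actually install them, and feed "$(ip xfrm policy)" to xfrm_has_policy
# on the real box.
nat_rules
if xfrm_has_policy "$SAMPLE_XFRM" 0.0.0.0/0 10.70.0.0/24 out \
   && xfrm_has_policy "$SAMPLE_XFRM" 10.70.0.0/24 0.0.0.0/0 in; then
    echo "kernel policies for conn HOME present"
fi
case "${1:-}" in apply) apply_rules ;; esac
```

The `send_redirects`/`accept_redirects` lines are the settings `ipsec verify` complains about on a netkey host; `rp_filter` is relaxed only on the public interface, where the decapsulated 10.70.0.0/24 packets appear. If `ip xfrm policy` on Location A does not show the two selectors the Lancom log reports, the problem is in the Phase-2 IDs (which is also what an INVALID_ID_INFORMATION notify from the peer complains about), not in NAT or routing.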

