[Openswan Users] [FAILED] messages
SVM
svm7 at mail15.com
Thu Apr 12 21:58:41 EDT 2012
13.04.2012 01:13, Jarek Joachimiak wrote:
> But when I try to bring up the connection:
> ipsec auto --up roadwarriod
>
> nothing happens. I can't use ping, I can't log on to FTP and don't see
> any info on the terminal.
You can't use ICMP (ping) or any other type of traffic in the direction from
the "left" host to the "right" one, or vice versa, because one side started to
capture your traffic and encapsulate it into the IPsec tunnel, but the other
host didn't receive it (your tunnel is not established!). That's the
reason why traffic can't proceed. The config is incorrect.
We'll fix it soon.
I attached files for both sides with working configs. Now they are
symmetrical, but if you are using NAT on the left or right side,
see "man ipsec.conf" for the keyword "left" (last paragraph): "If using IP
address in combination with NAT......".
You have to correct it depending on your needs.
Your config:
> config setup
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
> interfaces=%defaultroute
1. There is a syntax error in virtual_private=:
"%4:172.16.0.0/12" should be "%v4:172.16.0.0/12"; the 'v' in '%v4' is missing.
2. Line "interfaces=%defaultroute"
There is no need to use the KLIPS stack; it is better to set
protostack=netkey
interfaces=%none
because it's useless to set interfaces=%defaultroute for the netkey stack.
> conn sample
> # Left security gateway, subnet behind it, nexthop toward right.
> compress=yes
> keyingtries=1
> disablearrivalcheck=no
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> authby=rsasig
3. As far as I can see, this set of parameters (the whole "conn sample" block)
does not participate in your config, because of the name of the connection.
> conn roadwarrior-net
> leftsubnet=192.168.0.0/24
> also=roadwarrior
4. The line "leftsubnet=192.168.0.0/24" means that you have such a subnet
BEHIND your IPsec host. If you use the IPsec tunnel to connect two hosts
point-to-point (prefix=32), you can simply delete this line, and this
would mean that the left end of the connection goes to the left host only!
See "man ipsec.conf" for the keyword "leftsubnet".
> conn roadwarrior
> left=192.168.0.168
> right=192.168.0.149
> rightsubnet=192.168.0.0/24
5. Left and right are now in the same subnet, but in real life they aren't.
Look at the line "rightsubnet=192.168.0.0/24".
There is at least one mistake in the understanding of subnets and IP routing.
The two endpoints of a tunnel can't have ONE AND THE SAME private subnet
192.168.0.0/24 behind each of them!
The left endpoint should have its own subnet (for example 192.168.0.0/24),
and the right endpoint should be in another private subnet
(for example 192.168.1.0/24). See the "virtual_private=" parameter above.
For a point-to-point connection the line "rightsubnet=192.168.0.0/24"
could easily be removed.
There is more than one variant, and it depends on what you want to have
as a result.
-------------- next part --------------
config setup
	nat_traversal=yes
	protostack=netkey
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	interfaces=%none

#conn sample
#	compress=yes
#	keyingtries=1
#	disablearrivalcheck=no	# You don't need it. See man ipsec.conf
#	leftrsasigkey=%cert
#	rightrsasigkey=%cert
#	authby=rsasig		# =rsasig is the default option, so it could just be removed

conn roadwarrior-net
	leftsubnet=192.168.0.0/24
	also=roadwarrior

conn roadwarrior
	left=192.168.0.149	# twisted (left/right swapped relative to the other side)
	leftid=%fromcert	# where to get the ID for left
	leftcert=client.pem
	right=192.168.0.168	# twisted
#	rightsubnet=X.X.X.X/X
	rightid=%fromcert	# where to get the ID for right
	rightcert=server.pem	# here we ask to present the exact certificate (client checks the server, and server checks the client)
	rightca=%same		# means that client.pem and server.pem have to be issued by the same CA
	auto=add		# for autostart you might set "auto=start", or leave it and start it like you did
	pfs=yes

conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore
-------------- next part --------------
config setup
	nat_traversal=yes
	protostack=netkey
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	interfaces=%none

#conn sample
#	compress=yes
#	keyingtries=1
#	disablearrivalcheck=no
#	leftrsasigkey=%cert
#	rightrsasigkey=%cert
#	authby=rsasig

conn roadwarrior-net
	leftsubnet=192.168.0.0/24
	also=roadwarrior

conn roadwarrior
	left=192.168.0.168
	leftid=%fromcert
	leftcert=server.pem
	right=192.168.0.149
#	rightsubnet=X.X.X.X/X
	rightid=%fromcert
	rightcert=client.pem
	rightca=%same
	auto=add
	pfs=yes

conn block
	auto=ignore

conn private
	auto=ignore

conn private-or-clear
	auto=ignore

conn clear-or-private
	auto=ignore

conn clear
	auto=ignore

conn packetdefault
	auto=ignore
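The five mistakes enumerated in the reply (the missing 'v' in virtual_private, interfaces= on the netkey stack, a conn that is never loaded, and the same subnet declared behind both ends) can all be caught mechanically before running "ipsec auto --up". The following linter is an added example, not code from this thread or from Openswan: parse_ipsec_conf, effective and lint are names chosen here; BROKEN_CONF is constructed from the poster's config as quoted above and FIXED_CONF from the corrected server-side attachment (trimmed). It assumes that an unset protostack behaves like netkey and that, per ipsec.conf(5), a parameter set in the including conn overrides the one pulled in via also=.

```python
# Added example: lint an Openswan ipsec.conf for the mistakes discussed above.
# Not from the original message or the Openswan project.
import ipaddress
import re

HEADER = re.compile(r'^(config\s+setup|conn\s+(\S+))$')
VP_ENTRY = re.compile(r'^%v[46]:(!?)([0-9A-Fa-f.:]+/\d+)$')

# Constructed sample: the original poster's config as quoted in the reply.
BROKEN_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
    interfaces=%defaultroute

conn sample
    authby=rsasig

conn roadwarrior-net
    leftsubnet=192.168.0.0/24
    also=roadwarrior

conn roadwarrior
    left=192.168.0.168
    right=192.168.0.149
    rightsubnet=192.168.0.0/24
"""

# Constructed sample: the corrected server-side attachment, trimmed.
FIXED_CONF = """\
config setup
    nat_traversal=yes
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces=%none

conn roadwarrior-net
    leftsubnet=192.168.0.0/24
    also=roadwarrior

conn roadwarrior
    left=192.168.0.168
    leftcert=server.pem
    right=192.168.0.149
    rightcert=client.pem
    rightca=%same
    auto=add

conn block
    auto=ignore
"""


def parse_ipsec_conf(text):
    """Return (setup_params, {conn_name: params}).  'config setup' and
    'conn NAME' open sections; other non-blank lines are key=value.  Indentation
    is not required, so a file that lost its whitespace in a mail archive still
    parses.  'also=' may repeat, so it is collected as a list."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()        # drop comments
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = setup if m.group(2) is None else conns.setdefault(m.group(2), {})
            continue
        if current is None or '=' not in line:
            raise ValueError(f'unparsable line: {raw!r}')
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if key == 'also':
            current.setdefault('also', []).append(value)
        else:
            current[key] = value
    return setup, conns


def effective(conns, name, seen=()):
    """Resolve also= includes.  Assumption (per ipsec.conf(5)): a parameter set
    in the including conn overrides the same parameter of the included conn."""
    if name in seen:
        raise ValueError(f'also= loop involving conn {name}')
    if name not in conns:
        raise ValueError(f'also= refers to unknown conn {name}')
    own, params = conns[name], {}
    for inc in own.get('also', []):
        params.update(effective(conns, inc, seen + (name,)))
    params.update({k: v for k, v in own.items() if k != 'also'})
    return params


def _literal_net(value):
    """Parse a subnet literal; %-magic and vhost:/vnet: forms are skipped."""
    if value is None or value.startswith(('%', 'vhost:', 'vnet:')):
        return None
    return ipaddress.ip_network(value, strict=False)


def lint(setup, conns):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for entry in filter(None, setup.get('virtual_private', '').split(',')):
        m = VP_ENTRY.match(entry)
        if not m:                                   # catches "%4:" for "%v4:"
            findings.append(f'virtual_private: malformed entry {entry!r} '
                            '(expected %v4:net/prefix or %v6:net/prefix)')
            continue
        try:
            ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:
            findings.append(f'virtual_private: invalid network in {entry!r}')
    ifaces = setup.get('interfaces')
    # Assumption: an unset protostack behaves like netkey on this version.
    if ifaces and ifaces != '%none' and setup.get('protostack', 'netkey') not in ('klips', 'mast'):
        findings.append(f'setup: interfaces={ifaces} is ignored by the netkey stack; '
                        'set protostack=netkey and interfaces=%none')
    included = {inc for c in conns.values() for inc in c.get('also', [])}
    for name in conns:
        if name == '%default':
            continue
        p = effective(conns, name)
        if name not in included and 'auto' not in p:   # auto defaults to ignore
            findings.append(f'conn {name}: no auto= and not pulled in by any '
                            'also=, so it is never loaded')
        for side in ('left', 'right'):
            addr = p.get(side)
            if addr and not addr.startswith('%'):
                try:
                    ipaddress.ip_address(addr)
                except ValueError:             # e.g. a "1192.168..." typo
                    findings.append(f'conn {name}: {side}={addr} is not a valid IP address')
        try:
            ls, rs = _literal_net(p.get('leftsubnet')), _literal_net(p.get('rightsubnet'))
        except ValueError as exc:
            findings.append(f'conn {name}: bad subnet ({exc})')
            continue
        if ls and rs and ls.overlaps(rs):       # same network behind both ends
            findings.append(f'conn {name}: leftsubnet={ls} and rightsubnet={rs} overlap; '
                            'the two ends of one tunnel cannot protect the same network')
    return findings


if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(f'== {label} ==')
        for finding in lint(*parse_ipsec_conf(conf)):
            print(' ', finding)
```

Run it against the real /etc/ipsec.conf by reading the file into lint(*parse_ipsec_conf(open(path).read())); the overlap check is deliberately applied to the effective parameters after also= resolution, because in the poster's file the conflicting leftsubnet and rightsubnet live in two different conn blocks and only collide once "roadwarrior-net" pulls in "roadwarrior".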