[Openswan Users] Problem with a simple connection.
adstar at genis-x.com
Fri Dec 7 14:32:43 EST 2012
Hi Paul,
I tried the alias side of things but I get errors on startup
firewall# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
ipsec_setup: Error: either "local" is duplicate, or "eth0" is a garbage.
The IP is added via ifconfig as an alias
eth0:1 Link encap:Ethernet HWaddr 00:25:90:35:35:9E
inet addr:103.29.172.40 Bcast:103.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:16 Memory:fe9e0000-fea00000
My current config
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
#plutodebug = "all"
#klipsdebug = "all"
#plutoopts="--perpeerlog"
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=klips
#protostack=mast
plutostderrlog=/var/log/pluto.log
interfaces="ipsec0=eth0:1"
listen=103.29.172.40
conn multi-asic
rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}
leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
also=asic
conn asic
type = tunnel
authby = secret
left = 103.29.172.40
leftnexthop = 103.29.172.1
right = 119.225.115.131
rightnexthop = %defaultroute
ike = aes256-sha1-modp1536
esp = aes256-sha1
keyexchange = ike
pfs = no
auto = add
-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Saturday, 8 December 2012 2:25 AM
To: adstar at genis-x.com
Subject: Re: [Openswan Users] Problem with a simple connection.
On Fri, 7 Dec 2012, adstar at genis-x.com wrote:
> If I switch to protostack=mast the vpn comes up, but I don't know enough about mast, does it place a route like klips? If so I'm not seeing a route when the connection comes up.
If using mast, then you must configure mast using ifconfig to match your public ip with a /32 mask on it. But don't use mast unless you are using L2TP/IPsec.
> With this config that works if I switch back to klips I get the packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
Looks like your connection just did not load or is misconfigured. run "ipsec auto --add connname" to see an error in loading?
You also need to add interfaces for each "alias" device when using KLIPS, so interfaces="ipsec0=eth0, ipsec1=eth0:1" etc etc.
Paul
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08988...]
>
> error?
>
> Any advice guys?
>
> Plutorun started on Fri Dec 7 08:17:03 EDT 2012
> adjusting ipsec.d to /etc/ipsec.d
> bind() will be filtered for 103.29.172.40
> Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:24066
> LEAK_DETECTIVE support [disabled]
> OCF support for IKE [disabled]
> SAref support [disabled]: Protocol not available
> SAbind support [disabled]: Protocol not available
> NSS support [disabled]
> HAVE_STATSD notification support not compiled in
> Setting NAT-Traversal port-4500 floating to on
> port floating activation criteria nat_t=1/port_float=1
> NAT-Traversal support [enabled]
> using /dev/urandom as source of random entropy
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> starting up 1 cryptographic helpers
> started helper pid=24070 (fd:4)
> Using KLIPSng (mast) IPsec interface code on 2.6.35.14-i686
> using /dev/urandom as source of random entropy
> Changed path to directory '/etc/ipsec.d/cacerts'
> Changed path to directory '/etc/ipsec.d/aacerts'
> Changed path to directory '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
> Warning: empty directory
> listening for IKE messages
> | useful mast device -1
> skipping interface eth1 with 202.45.103.162
> ERROR: PF_KEY K_SADB_X_PLUMBIF response for configure_mast_device included errno 17: File exists
> adding interface mast0/eth0 103.29.172.40:500 (fd=10)
> adding interface mast0/eth0 103.29.172.40:4500 (fd=11)
> skipping interface eth0:4 with 172.16.0.100
> skipping interface eth0:2 with 103.29.175.1
> skipping interface eth0:1 with 103.29.174.1
> skipping interface eth0:0 with 103.29.173.1
> skipping interface eth0 with 103.29.172.1
> | useful mast device 0
> | useful mast device 0
> loading secrets from "/etc/ipsec.secrets"
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c10b74...]
> "multi-conn/1x1" #1: responding to Main Mode
> "multi-conn/1x1" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> "multi-conn/1x1" #1: STATE_MAIN_R1: sent MR1, expecting MI2
> "multi-conn/1x1" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> "multi-conn/1x1" #1: STATE_MAIN_R2: sent MR2, expecting MI3
> "multi-conn/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '119.225.115.131'
> "multi-conn/1x1" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> "multi-conn/1x1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
> "multi-conn/1x1" #1: the peer proposed: 103.29.173.70/32:0/0 -> 144.55.124.122/32:0/0
> "multi-conn/1x1" #2: responding to Quick Mode proposal {msgid:ed10f5ab}
> "multi-conn/1x1" #2: us: 103.29.173.70/32===103.29.172.40<103.29.172.40>[+S=C]---202.45.103.161
> "multi-conn/1x1" #2: them: 202.45.103.161---119.225.115.131<119.225.115.131>[+S=C]===144.55.124.122/32
> | mast_raw_eroute called op=4 said=tun.1002 at 103.29.172.40
> "multi-conn/1x1" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> "multi-conn/1x1" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> | mast_sag_eroute called op=1/add
> | mast_raw_eroute called op=1 said=tun.1001 at 119.225.115.131
> "multi-conn/1x1" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> "multi-conn/1x1" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2a7072ec <0x1f27e374 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> "multi-conn/1x1" #2: discarding duplicate packet; already STATE_QUICK_R2
> "multi-conn/1x1" #2: discarding duplicate packet; already STATE_QUICK_R2
>
>
> # bconn configuration
> config setup
> # plutodebug = "all"
> # klipsdebug = "all"
> #plutoopts="--perpeerlog"
> dumpdir=/var/run/pluto/
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
> oe=off
> protostack=mast
> plutostderrlog=/var/log/pluto.log
> # interfaces="ipsec0=eth0"
> listen=103.29.172.40
>
> conn multi-conn
> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
> also=conn
>
> conn conn
> type = tunnel
> authby = secret
> left = 103.29.172.40
> leftnexthop = %defaultroute
> right = 119.225.115.131
> rightnexthop = %defaultroute
> ike = aes256-sha1-modp1536
> esp = aes256-sha1
> keyexchange = ike
> pfs = no
> auto = add
>
> -----Original Message-----
> From: Elison Niven [mailto:elison.niven at elitecore.com]
> Sent: Thursday, 6 December 2012 10:41 PM
> To: adstar at genis-x.com
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Problem with a simple connection.
>
> There's a typo. It should be left=103.29.172.40.
> You have put left = 103.29.173.140
>
> On Thursday 06 December 2012 05:09:11 PM IST, adstar at genis-x.com wrote:
>> Hi Elison,
>>
>> Sorry I totally forgot to cc the list..
>> I made the changes to my config but still have the issues with PSK
>>
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>> version 2.0 # conforms to second version of ipsec.conf specification
>> # bconn configuration
>> config setup
>> dumpdir=/var/run/pluto/
>> nat_traversal=yes
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>> oe=off
>> protostack=auto
>> plutostderrlog=/var/log/pluto.log
>> interfaces="ipsec0=eth0"
>>
>> conn multi-conn
>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
>> also=conn
>>
>> conn conn
>> type = tunnel
>> authby = secret
>> left = 103.29.173.140
>> right = 119.225.115.131
>> rightnexthop = %defaultroute
>> ike = aes256-sha1-modp1536
>> esp = aes256-sha1
>> keyexchange = ike
>> pfs = no
>> auto = add
>>
>> My Pluto log
>> Plutorun started on Thu Dec 6 22:36:06 EDT 2012
>> adjusting ipsec.d to /etc/ipsec.d
>> Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:9770
>> LEAK_DETECTIVE support [disabled]
>> OCF support for IKE [disabled]
>> SAref support [disabled]: Protocol not available
>> SAbind support [disabled]: Protocol not available
>> NSS support [disabled]
>> HAVE_STATSD notification support not compiled in
>> Setting NAT-Traversal port-4500 floating to on
>> port floating activation criteria nat_t=1/port_float=1
>> NAT-Traversal support [enabled]
>> using /dev/urandom as source of random entropy
>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
>> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
>> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
>> starting up 1 cryptographic helpers
>> started helper pid=9773 (fd:4)
>> Kernel interface auto-pick
>> No Kernel NETKEY interface detected
>> Using KLIPS IPsec interface code on 2.6.35.14-i686
>> using /dev/urandom as source of random entropy
>> Changed path to directory '/etc/ipsec.d/cacerts'
>> Changed path to directory '/etc/ipsec.d/aacerts'
>> Changed path to directory '/etc/ipsec.d/ocspcerts'
>> Changing to directory '/etc/ipsec.d/crls'
>> Warning: empty directory
>> address family inconsistency in this connection=2 host=2/nexthop=0
>> attempt to load incomplete connection
>> address family inconsistency in this connection=2 host=2/nexthop=0
>> attempt to load incomplete connection
>> listening for IKE messages
>> adding interface ipsec0/eth0 103.29.172.40:500
>> adding interface ipsec0/eth0 103.29.172.40:4500
>> adding interface ipsec0/eth0:4 172.16.0.100:500
>> adding interface ipsec0/eth0:4 172.16.0.100:4500
>> adding interface ipsec0/eth0:2 103.29.175.1:500
>> adding interface ipsec0/eth0:2 103.29.175.1:4500
>> adding interface ipsec0/eth0:1 103.29.174.1:500
>> adding interface ipsec0/eth0:1 103.29.174.1:4500
>> adding interface ipsec0/eth0:0 103.29.173.1:500
>> adding interface ipsec0/eth0:0 103.29.173.1:4500
>> adding interface ipsec0/eth0 103.29.172.1:500
>> adding interface ipsec0/eth0 103.29.172.1:4500
>> loading secrets from "/etc/ipsec.secrets"
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>
>> Cheers
>> Adam
>>
>>
>>
>> -----Original Message-----
>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>> Sent: Thursday, 6 December 2012 10:08 PM
>> To: adstar at genis-x.com
>> Cc: users at lists.openswan.org
>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>
>>> Ok so my external interface is eth1 internal eth0
>> You are receiving the main mode request on eth0.
>>
>> You are receiving packets on this interface :
>>> packet from 119.225.115.131:500: initial Main Mode message received
>>> on
>>> 103.29.172.40:500 but no connection has been authorized with
>>> policy=PSK
>> Therefore you should have left=103.29.172.40 in your config. You can omit leftnexthop in the config.
>>
>> Restart your ipsec service or do ipsec auto --rereadall after doing the changes.
>> Kindly do not take the discussion off-list.
>>
>> On Thursday 06 December 2012 04:26:57 PM IST, adstar at genis-x.com wrote:
>>> Hi Elison,
>>>
>>> Ok so my external interface is eth1 internal eth0
>>>
>>> I'm not sure what to put as the left/leftnexthop.
>>> I have tried
>>> conn conn
>>> type = tunnel
>>> authby = secret
>>> left = 202.45.103.162
>>> leftnexthop = 202.45.103.161
>>> right = 119.225.115.131
>>> rightnexthop = %defaultroute
>>> ike = aes256-sha1-modp1536
>>> esp = aes256-sha1
>>> keyexchange = ike
>>> pfs = no
>>> auto = add
>>>
>>> but still get the error
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>>
>>> Also do you mean all IPV6 on all interfaces?
>>>
>>> Thanks for your help
>>> Cheers
>>> Adam
>>>
>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>> inet 103.29.172.40/24 scope global secondary eth0
>>> inet6 fe80::225:90ff:fe35:359e/64 scope link
>>> valid_lft forever preferred_lft forever
>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>> inet6 fe80::225:90ff:fe35:359f/64 scope link
>>> valid_lft forever preferred_lft forever
>>>
>>>
>>> I would like my external clients to connect to the IP 172.29.172.40
>>>
>>> firewall# ip route
>>> 202.45.103.160/30 dev eth1 proto kernel scope link src 202.45.103.162
>>> 172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.100
>>> 103.29.174.0/24 dev eth0 proto kernel scope link src 103.29.174.1
>>> 103.29.175.0/24 dev eth0 proto kernel scope link src 103.29.175.1
>>> 103.29.172.0/24 dev eth0 proto kernel scope link src 103.29.172.1
>>> 103.29.173.0/24 dev eth0 proto kernel scope link src 103.29.173.1
>>> default via 202.45.103.161 dev eth1
>>>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>>> Sent: Thursday, 6 December 2012 9:27 PM
>>> To: adstar at genis-x.com
>>> Cc: users at lists.openswan.org
>>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>>
>>> The address type of your host address (left) does not match with the address type of your nexthop (leftnexthop).
>>> You can try removing leftnexthop=%defaultroute and put in the actual
>>> IPv4 gateway, and do the same for rightnexthop.
>>> You can also try disabling IPv6.
>>>
>>> On Thursday 06 December 2012 08:48:45 AM IST, adstar at genis-x.com wrote:
>>>> Hi all,
>>>>
>>>> I’m having an issue setting up a tunnel that I need some help with.
>>>>
>>>> I have included the relevant files below
>>>>
>>>>
>>>> My first issue is when I start ipsec I get the following error:
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>> incomplete connection
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>> incomplete connection
>>>>
>>>> My second issue is the right side can’t connect.
>>>>
>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>>>
>>>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>>>
>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>>>
>>>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>>>
>>>> Can anyone help me on where to go from here?
>>>>
>>>> Cheers
>>>> Adam
>>>>
>>>> firewall# ipsec --version
>>>>
>>>> Linux Openswan 2.6.37 (klips)
>>>>
>>>>
>>>> firewall# cat ipsec.conf
>>>>
>>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>>>
>>>> version 2.0 # conforms to second version of ipsec.conf specification
>>>>
>>>> # bconn configuration
>>>>
>>>> config setup
>>>>
>>>> #plutodebug = "all"
>>>>
>>>> #klipsdebug = "all"
>>>>
>>>> plutoopts="--perpeerlog"
>>>>
>>>> dumpdir=/var/run/pluto/
>>>>
>>>> nat_traversal=yes
>>>>
>>>>
>>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>>>
>>>> oe=off
>>>>
>>>> protostack=klips
>>>>
>>>> plutostderrlog=/var/log/pluto.log
>>>>
>>>> interfaces="ipsec0=eth0"
>>>>
>>>> listen=103.29.172.40
>>>>
>>>> # Add connections here
>>>>
>>>> conn multi-conn1
>>>>
>>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}
>>>>
>>>> leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.61/32,103.29.173.64/32,103.29.173.65/32}
>>>>
>>>> also=conn1
>>>>
>>>> conn conn1
>>>>
>>>> type = tunnel
>>>>
>>>> authby = secret
>>>>
>>>> left = 103.29.172.40
>>>>
>>>> leftnexthop = %defaultroute
>>>>
>>>> right = 119.225.115.131
>>>>
>>>> rightnexthop = %defaultroute
>>>>
>>>> ike = aes256-sha1-modp1536
>>>>
>>>> esp = aes256-sha1
>>>>
>>>> keyexchange = ike
>>>>
>>>> pfs = no
>>>>
>>>> auto = add
>>>>
>>>> firewall# cat ipsec.secrets
>>>>
>>>> # This file holds shared secrets or RSA private keys for
>>>> inter-Pluto
>>>>
>>>> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>>>>
>>>> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
>>>>
>>>> firewall# ip addr
>>>>
>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>>>
>>>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>>
>>>> inet 127.0.0.1/8 scope host lo
>>>>
>>>> inet6 ::1/128 scope host
>>>>
>>>> valid_lft forever preferred_lft forever
>>>>
>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>> pfifo_fast state UP qlen 1000
>>>>
>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>>
>>>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>>>
>>>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>>>
>>>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>>>
>>>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>>>
>>>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>>>
>>>> inet 103.29.172.40/24 scope global secondary eth0
>>>>
>>>> inet6 fe80::225:90ff:fe35:359e/64 scope link
>>>>
>>>> valid_lft forever preferred_lft forever
>>>>
>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>> pfifo_fast state UP qlen 1000
>>>>
>>>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>>>
>>>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>>>
>>>> inet6 fe80::225:90ff:fe35:359f/64 scope link
>>>>
>>>> valid_lft forever preferred_lft forever
>>>>
>>>> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
>>>> UNKNOWN qlen 10
>>>>
>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>>
>>>> inet 103.29.172.1/32 scope global ipsec0
>>>>
>>>> inet 103.29.173.1/32 scope global ipsec0
>>>>
>>>> inet 103.29.174.1/32 scope global ipsec0
>>>>
>>>> inet 103.29.175.1/32 scope global ipsec0
>>>>
>>>> inet 172.16.0.100/32 scope global ipsec0
>>>>
>>>> inet 103.29.172.40/32 scope global ipsec0
>>>>
>>>> inet6 fe80::225:90ff:fe35:359e/128 scope link
>>>>
>>>> valid_lft forever preferred_lft forever
>>>>
>>>> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>>>>
>>>> link/void
>>>>
>>>> firewall# cat daemon.log
>>>>
>>>> Dec 6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
>>>>
>>>> Dec 6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
>>>>
>>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
>>>>
>>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0
>>>> 103.29.172.1/24 broadcast mtu 1500
>>>>
>>>> Dec 6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
>>>>
>>>> Dec 6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>> incomplete connection
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>
>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>> incomplete connection
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments:
>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>> --
>>> Best Regards,
>>> Elison Niven
>>>
>>>
>>>
>>
>> --
>> Best Regards,
>> Elison Niven
>>
>>
>>
>
> --
> Best Regards,
> Elison Niven
>
>
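The thread's three recurring faults (a `left=` address the host does not own, a nexthop pluto cannot reconcile with the host address, and a `listen=` address on an interface alias that `interfaces=` does not map under KLIPS) are all visible in the config before pluto is ever started. The following is an added example, not code from Openswan or from anyone in the thread: a small linter that parses an ipsec.conf fragment, flattens `also=`, and reports those faults against the host's address table. The sample config, the address-to-interface table, the default-route device and the secrets line are constructed from the values posted above; the `also=` precedence (the including section's own keys win) and the "%defaultroute must leave via the interface holding left=" rule are assumptions of this example, not a reproduction of pluto's parser.

```python
"""Lint an Openswan-style ipsec.conf for the faults seen in this thread.

Added example for this page; not Openswan code and not pluto's real parser.
All sample values below are constructed from what was posted in the thread."""
import ipaddress
import re

# Constructed from the first config posted (still carrying the left= typo).
SAMPLE_CONF = """\
version 2.0
config setup
    protostack=klips
    interfaces="ipsec0=eth0"
    listen=103.29.172.40
conn multi-conn
    leftsubnets={103.29.173.70/32,103.29.173.71/32}
    rightsubnets={144.55.124.122/32}
    also=conn
conn conn
    type = tunnel
    authby = secret
    left = 103.29.173.140
    leftnexthop = %defaultroute
    right = 119.225.115.131
    rightnexthop = %defaultroute
"""
# Same config with the fixes suggested in the thread applied.
FIXED_CONF = (SAMPLE_CONF.replace("left = 103.29.173.140", "left = 103.29.172.40")
              .replace("leftnexthop = %defaultroute", "leftnexthop = 202.45.103.161"))
# Constructed from the `ip addr` / `ip route` output in the thread.
SAMPLE_ADDRS = {"103.29.172.1": "eth0", "103.29.173.1": "eth0:0", "103.29.174.1": "eth0:1",
                "103.29.175.1": "eth0:2", "172.16.0.100": "eth0:4",
                "103.29.172.40": "eth0", "202.45.103.162": "eth1"}
SAMPLE_DEFAULT_DEV = "eth1"  # "default via 202.45.103.161 dev eth1"
SAMPLE_SECRETS = '103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"\n'


def parse_conf(text):
    """Return (setup_dict, {conn_name: dict}); also= is kept as a list."""
    setup, conns, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "config setup":
            cur = setup
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
            continue
        if cur is None or "=" not in line:
            continue  # e.g. the "version 2.0" line
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip().strip('"')
        if key == "also":
            cur.setdefault("also", []).append(val)
        else:
            cur[key] = val
    return setup, conns


def resolve(conns, name, seen=()):
    """Flatten also= includes; the including section's own keys win (assumed)."""
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    merged = {}
    for inc in conns.get(name, {}).get("also", []):
        merged.update(resolve(conns, inc, seen + (name,)))
    merged.update({k: v for k, v in conns.get(name, {}).items() if k != "also"})
    return merged


def family(addr):
    """4 or 6 for an IP literal; None for %defaultroute, names and garbage."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def lint(conf_text, addrs, default_dev, secrets):
    """Return a list of findings (empty list means clean)."""
    setup, conns = parse_conf(conf_text)
    out = []
    if setup.get("protostack", "").lower() == "klips" and setup.get("listen"):
        listen = setup["listen"]
        # interfaces="ipsec0=eth0, ipsec1=eth0:1" -> {"eth0", "eth0:1"}
        mapped = {m.partition("=")[2] for m in re.split(r"[\s,]+", setup.get("interfaces", "")) if "=" in m}
        dev = addrs.get(listen)
        if dev is None:
            out.append(f"listen={listen} is not configured on any local interface")
        elif dev not in mapped:
            out.append(f"klips: listen={listen} is on {dev}, which interfaces= does not map ({sorted(mapped) or 'none'})")
    psk_pairs = {tuple(l.split(":", 1)[0].split()) for l in secrets.splitlines()
                 if "PSK" in l and not l.lstrip().startswith("#")}
    for name in conns:
        c = resolve(conns, name)
        for side in ("left", "right"):
            host, nh = c.get(side), c.get(side + "nexthop")
            if host is None:
                continue
            if family(host) is None:
                out.append(f"{name}: {side}={host} is not an IP literal")
                continue
            if nh and nh != "%defaultroute" and family(nh) != family(host):
                out.append(f"{name}: {side}={host} and {side}nexthop={nh} differ in address family")
            if side == "left":  # only the local side can be checked against the host
                dev = addrs.get(host)
                if dev is None:
                    out.append(f"{name}: left={host} is not an address of this host")
                elif nh == "%defaultroute" and dev.split(":")[0] != default_dev:
                    out.append(f"{name}: left={host} is on {dev} but %defaultroute leaves via {default_dev}; give the gateway literally")
        if (c.get("authby") == "secret" and "left" in c and "right" in c
                and (c["left"], c["right"]) not in psk_pairs and (c["right"], c["left"]) not in psk_pairs):
            out.append(f"{name}: no PSK line for {c['left']} {c['right']} in ipsec.secrets")
    return out


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("after fixes", FIXED_CONF)):
        print(f"== {label}")
        for finding in lint(conf, SAMPLE_ADDRS, SAMPLE_DEFAULT_DEV, SAMPLE_SECRETS) or ["clean"]:
            print("  ", finding)
```

Run stand-alone it reports, for the posted config, the `left=103.29.173.140` typo and the matching missing PSK line twice (once for `multi-conn`, which inherits `conn` through `also=`, and once for `conn` itself, mirroring the two error pairs in the daemon log), and nothing for the fixed config. Swapping `interfaces="ipsec0=eth0"` for `ipsec0=eth0:1` reproduces the alias case Paul describes: the `listen=` address sits on `eth0`, which is then no longer mapped.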