[Openswan Users] Site-to-site between two OpenSwan machines

Daniel Cave dan.cave at me.com
Sun Jun 10 13:41:36 EDT 2012


>  
> I have two OpenSwan 2.6.27 VMs using NETKEY and I can't seem to get them to establish a connection. I have a few questions:
> 1. 
> 
> Instead of putting my "conn" definitions right in ipsec.conf, I have an entry in ipsec.conf that says to look for *.conf files in /etc/ipsec.d/
> Is that an acceptable way to do it, and will that work if I want to define two tunnels from one machine? So if I just have one file /etc/ipsec.d/tunnels.conf and
> inside it's got two "conn" definitions, should it load both connections or do I need to break them out into individual .conf files?
> 

Yes, that's what I have on both my devices. You need a 'leftHandSide.conf' in /etc/ipsec.d/ with your connection details. I usually name my config files after the names of the endpoints they're connecting to, and the same in the [conf] directive.

i.e. /etc/ipsec.d/walmart-east.conf will contain a directive which says [walmart-east] and states the left-hand side IP, subnets etc. and the matching opposite right-hand side endpoint IP/subnets.

*Walmart aren't my customers, I was just being generic ;) before anyone got excited lol :D


> 
> 2.
> When I start the machine on the "right" the logging shows that it is waiting for an IKE key, then it loads the secrets file and nothing happens. 
> I can then try to send traffic down the tunnel but nothing else happens or gets established. Does this mean that not all the proper ports are open or could that be something else? 
> 
> 

That's possible - have you run ipsec verify first to check your end is set up right at both ends?

(Don't forget to check your corresponding secrets file in /etc/ipsec.d matches your RHS.)

Also worth checking your iptables rules, viz. /etc/sysconfig/iptables. I set up a table specifically for openswan, so I can 'check' the table name rather than having to do iptables --list -nv with my stuff in there .. or just

 iptables --list -nv |grep 500
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:500 
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp dpt:4500 

If you do ipsec auto --up <connection> a successful conn should look like this.

[root at fcs01 ipsec.d]# ipsec auto --up c4l
104 "c4l" #5438: STATE_MAIN_I1: initiate
003 "c4l" #5438: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
003 "c4l" #5438: received Vendor ID payload [Dead Peer Detection]
003 "c4l" #5438: received Vendor ID payload [RFC 3947] method set to=115 
106 "c4l" #5438: STATE_MAIN_I2: sent MI2, expecting MR2
003 "c4l" #5438: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
108 "c4l" #5438: STATE_MAIN_I3: sent MI3, expecting MR3
003 "c4l" #5438: received Vendor ID payload [CAN-IKEv2]
004 "c4l" #5438: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "c4l" #5439: STATE_QUICK_I1: initiate
004 "c4l" #5439: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1e64a913 <0xf084cb6d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}


The endpoint I have in this example is another Netkey ipsec box


> 3.
> When doing a site-to-site tunnel between two OpenSwan machines, should I enable PFS or any other features, or just "auto=start"?
> 

I don't bother with PFS, but an auto=start is fine :)

> 4.
> Can I use PSK when doing a site-to-site between OpenSwan machines, or do I have to use certs in that configuration?
> 
Yes, preshared keys are good. Make sure you specify 'authby=secret' and have an associated <connection.secrets> with perms of rw for owner only / 600 in /etc/ipsec.d/

in the format <Local Public IP>  <Remote Public IP>  :  PSK "<presharedkey>"

That should sort you.


> 
> 
> Thank you!!

Regards

Dan.
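As an added example (not part of the original post or of Openswan itself), a small checker for the two things the reply relies on: the "<Local Public IP> <Remote Public IP> : PSK" secrets line format with mode 600, and the `ipsec auto --up` output, which it walks to report whether both the ISAKMP SA and the IPsec SA were established and which STATE_* it stopped at. The sample output is copied from the successful run quoted above; the IPs in the test are constructed.

```python
import re

# Line format given in the reply: <Local Public IP>  <Remote Public IP>  :  PSK "<presharedkey>"
SECRET_RE = re.compile(
    r'^\s*(?P<local>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<remote>\d{1,3}(?:\.\d{1,3}){3})'
    r'\s*:\s*PSK\s+"(?P<psk>[^"]+)"\s*$')
# pluto/whack output lines look like: <code> "<conn>" #<sa>: <message>
STATE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS_RE = re.compile(r'\{([^}]*)\}')

# Copied from the successful 'ipsec auto --up c4l' run quoted in the reply above.
SAMPLE_UP = """\
104 "c4l" #5438: STATE_MAIN_I1: initiate
106 "c4l" #5438: STATE_MAIN_I2: sent MI2, expecting MR2
108 "c4l" #5438: STATE_MAIN_I3: sent MI3, expecting MR3
004 "c4l" #5438: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "c4l" #5439: STATE_QUICK_I1: initiate
004 "c4l" #5439: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1e64a913 <0xf084cb6d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""

def parse_secret_line(line):
    """Return (local, remote, psk) for a well-formed PSK line, else None."""
    m = SECRET_RE.match(line)
    return (m.group("local"), m.group("remote"), m.group("psk")) if m else None

def perms_ok(mode):
    """True only for mode 600 (owner rw, nothing for group/other), as the reply advises."""
    return (mode & 0o777) == 0o600

def summarize_up(output):
    """Report whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed, the last STATE_*
    reached (stuck at STATE_MAIN_I1 = peer never answered: check UDP 500/4500, secrets), and params."""
    r = {"conn": None, "isakmp": False, "ipsec": False, "last_state": None, "params": {}}
    for line in output.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        r["conn"], msg = m.group("conn"), m.group("msg")
        st = re.search(r"STATE_\w+", msg)
        if st:
            r["last_state"] = st.group(0)
        r["isakmp"] |= "ISAKMP SA established" in msg
        r["ipsec"] |= "IPsec SA established" in msg
        p = PARAMS_RE.search(msg)
        for kv in (p.group(1).split() if p else []):
            if "=" in kv and "=>" not in kv:  # skip the ESP=>0x.. <0x.. SPI pair
                k, v = kv.split("=", 1)
                r["params"][k] = v
    r["up"] = r["isakmp"] and r["ipsec"]
    return r
```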


