[Openswan Users] Can't get subnets to connect

Michael Wisniewski wiz561 at gmail.com
Tue Jun 12 16:33:51 EDT 2012


Hi!

I'm going through the OpenSwan book by Paul Wouters and
was successfully able to get the host-to-host tunnel working.  The next
step is to get your subnet to subnet tunnel up and running, and this is
where I started running into problems.  If I don't add the
left/rightsubnets in and run tcpdump, I can see the ping packets in the AH
stuff.  However, once I add those, that is when things start breaking.  If
I ping 192.168.101.128 from .101.129, the pings aren't going through the
tunnel anymore.  If I also attempt to ping the other side of the remote
gateway, I get...

$ ping 192.168.140.20
connect: Network is unreachable

Since I did this with pfSense and IPsec and things worked out, I would
assume that doing it in Ubuntu would work as well.  If anybody can give
any suggestions or help, that would be great, because I really have to
learn this IPsec thing!

Below is my network information....

My topology looks like...

192.168.140.0/24 -> 192.168.140.20 -> 192.168.101.128 << switch to another
machine >> 192.168.101.129 -> 192.168.105.1 -> 192.168.105.0/24

My config is as follows....

############
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/1,%v4:!192.168.101.0/24

conn %default
    authby=rsasig
    auth=ah

conn test
    left=192.168.101.128
    leftsubnet=192.168.140.0/24
    leftrsasigkey=0sAQOwZ1F.....
    right=192.168.101.129
    rightsubnet=192.168.5.0/24
    rightrsasigkey=0sAQOXP.....
    auto=start
############

The log looks like this....

############
Jun 12 15:11:16 attic pluto[6315]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:6315
Jun 12 15:11:16 attic pluto[6315]: LEAK_DETECTIVE support [disabled]
Jun 12 15:11:16 attic pluto[6315]: OCF support for IKE [disabled]
Jun 12 15:11:16 attic pluto[6315]: SAref support [disabled]: Protocol not available
Jun 12 15:11:16 attic pluto[6315]: SAbind support [disabled]: Protocol not available
Jun 12 15:11:16 attic pluto[6315]: NSS support [disabled]
Jun 12 15:11:16 attic pluto[6315]: HAVE_STATSD notification support not compiled in
Jun 12 15:11:16 attic pluto[6315]: Setting NAT-Traversal port-4500 floating to on
Jun 12 15:11:16 attic pluto[6315]:    port floating activation criteria nat_t=1/port_float=1
Jun 12 15:11:16 attic pluto[6315]:    NAT-Traversal support  [enabled]
Jun 12 15:11:16 attic pluto[6315]: using /dev/urandom as source of random entropy
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 12 15:11:16 attic pluto[6315]: starting up 1 cryptographic helpers
Jun 12 15:11:16 attic pluto[6315]: started helper pid=6318 (fd:6)
Jun 12 15:11:16 attic pluto[6315]: Kernel interface auto-pick
Jun 12 15:11:16 attic pluto[6315]: Using Linux 2.6 IPsec interface code on 3.2.0-24-generic (experimental code)
Jun 12 15:11:16 attic pluto[6318]: using /dev/urandom as source of random entropy
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/cacerts'
Jun 12 15:11:16 attic pluto[6315]:   loaded CA cert file 'strongCert.pem' (1407 bytes)
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/aacerts'
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jun 12 15:11:16 attic pluto[6315]: Changing to directory '/etc/ipsec.d/crls'
Jun 12 15:11:16 attic pluto[6315]:   Warning: empty directory
Jun 12 15:11:16 attic pluto[6315]: added connection description "test"
Jun 12 15:11:16 attic pluto[6315]: listening for IKE messages
Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 192.168.101.129:500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 192.168.101.129:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 192.168.105.1:500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 192.168.105.1:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo ::1:500
Jun 12 15:11:16 attic pluto[6315]: loading secrets from "/etc/ipsec.secrets"
Jun 12 15:11:16 attic pluto[6315]: loaded private key for keyid: PPK_RSA:AQOXP/NQt
Jun 12 15:11:16 attic pluto[6315]: "test" #1: initiating Main Mode
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109
Jun 12 15:11:16 attic pluto[6315]: "test" #1: enabling possible NAT-traversal with method 4
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 12 15:11:16 attic pluto[6315]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [CAN-IKEv2]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.101.128'
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 12 15:11:16 attic pluto[6315]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:9b8ca5cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 15:11:16 attic pluto[6315]: "test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 15:11:16 attic pluto[6315]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x36bc78bc <0x95684c6d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 15:11:34 attic pluto[6315]: "test" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7901353b) not found (maybe expired)
Jun 12 15:11:34 attic pluto[6315]: "test" #1: received and ignored informational message
############
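A quick way to reason about a post like this one, as an added example that is neither from the poster nor from Openswan: the kernel only sends a packet through the tunnel if its source and destination fall inside the conn's leftsubnet/rightsubnet pair; anything else is routed normally. The script below parses a conn block modelled on the one above (key values are placeholders) and tests candidate flows against that policy, including a ping sourced from the gateway's own address and one from the 192.168.105.0/24 network named in the topology rather than the configured rightsubnet.

```python
"""Check which source/destination pairs an ipsec.conf conn would protect.

Added example, not from the original post or from Openswan. Parses one
'conn' section into its parameters and decides, for a candidate packet,
whether it lies inside the leftsubnet<->rightsubnet policy at all.
"""
import ipaddress

# Constructed sample modelled on the post's conn; the keys are placeholders.
IPSEC_CONF = """
conn test
    left=192.168.101.128
    leftsubnet=192.168.140.0/24
    leftrsasigkey=0sPLACEHOLDER
    right=192.168.101.129
    rightsubnet=192.168.5.0/24
    rightrsasigkey=0sPLACEHOLDER
    auto=start
"""


def parse_conn(text, name):
    """Return the key=value parameters of the named conn section as a dict."""
    params, in_conn = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():            # unindented: a new section header
            in_conn = stripped == f"conn {name}"
            continue
        if in_conn and "=" in stripped:
            key, _, value = stripped.partition("=")
            params[key.strip()] = value.strip()
    return params


def policy_covers(conn, src, dst):
    """True if src->dst matches the tunnel policy in either direction.

    Without left/rightsubnet the policy defaults to the gateway address
    itself (host-to-host); with them, a gateway's own address is covered
    only if it sits inside its side's subnet.
    """
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (src in right and dst in left) or (src in left and dst in right)
```

Feeding the flows from the post into `policy_covers` shows which of them the kernel would ever hand to the tunnel, before looking at IKE logs or tcpdump.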