[Openswan Users] Can't get subnets to connect

simon charles charlessimon at hotmail.com
Tue Jun 12 19:19:47 EDT 2012


Hi,
Please check your leftsubnet/rightsubnet. Per your topology

192.168.140.0/24 -> 192.168.140.20 -> 192.168.101.128 << switch to another machine >> 192.168.101.129 -> 192.168.105.1 -> 192.168.105.0/24

it should be 192.168.140.0/24 and 192.168.105.0/24, but you have them defined as

	leftsubnet=192.168.140.0/24
	leftrsasigkey=0sAQOwZ1F.....
	right=192.168.101.129
	rightsubnet=192.168.5.0/24  <== a typo? Should it be 192.168.105.0/24?



- Simon Charles - 
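
The check Simon applies by eye above, as an added example that is not part of the thread: a small Python script that parses ipsec.conf-style conn sections (merging %default into each conn) and verifies that the subnet declared behind each gateway actually contains that gateway's LAN interface address from the posted topology. The sample config and the LAN_SIDE addresses are constructed from the values in this thread; parse_conns and check_subnets are my own names, not Openswan tooling.

```python
import ipaddress
import re

# Constructed sample in ipsec.conf syntax, using the values posted in the
# thread (rightsubnet left as posted so the check has something to find).
SAMPLE_CONF = """
conn %default
    authby=rsasig
    auth=ah

conn test
    left=192.168.101.128
    leftsubnet=192.168.140.0/24
    right=192.168.101.129
    rightsubnet=192.168.5.0/24
    auto=start
"""
# LAN-side interface of each gateway, from the topology in the thread: the
# subnet declared behind a gateway must contain that gateway's LAN address.
LAN_SIDE = {"left": "192.168.140.20", "right": "192.168.105.1"}

def parse_conns(text):
    """Parse conn sections into {name: {key: value}}, merging %default into each."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line.startswith("config "):       # 'config setup' is not a conn
            current = None
        elif current is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip()
    defaults = conns.pop("%default", {})
    return {n: {**defaults, **kv} for n, kv in conns.items()}

def check_subnets(conn, lan_side):
    """Return one message per side whose subnet is missing or excludes its LAN address."""
    problems = []
    for side, lan_ip in lan_side.items():
        subnet = conn.get(side + "subnet")
        if subnet is None:   # no subnet: only gateway-to-gateway traffic is selected
            problems.append(f"{side}subnet missing; traffic from {lan_ip} not selected")
        elif ipaddress.ip_address(lan_ip) not in ipaddress.ip_network(subnet, strict=False):
            problems.append(f"{side}subnet={subnet} does not contain LAN address {lan_ip}")
    return problems
```

On the posted config this reports that rightsubnet=192.168.5.0/24 does not contain 192.168.105.1, which is exactly the mismatch Simon points out; with 192.168.105.0/24 it reports nothing.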


Date: Tue, 12 Jun 2012 15:33:51 -0500
From: wiz561 at gmail.com
To: users at lists.openswan.org
Subject: [Openswan Users] Can't get subnets to connect

Hi!
I'm going through the OpenSwan book by Paul Wouters and was successfully able to get the host-to-host tunnel working.  The next step is to get your subnet-to-subnet tunnel up and running, and this is where I started running into problems.  If I don't add the left/rightsubnets in and run tcpdump, I can see the ping packets in the AH stuff.  However, once I add those, that is when things start breaking.  If I ping 192.168.101.128 from .101.129, the pings aren't going through the tunnel anymore.  If I also attempt to ping the other side of the remote gateway, I get...


$ ping 192.168.140.20
connect: Network is unreachable

Since I did this with pfsense and ipsec and things worked out, I would assume that doing it in Ubuntu would work as well.  If anybody can give any suggestions or help, that would be great, because I really have to learn this ipsec thing!

Below is my network information....
My topology looks like...

192.168.140.0/24 -> 192.168.140.20 -> 192.168.101.128 << switch to another machine >> 192.168.101.129 -> 192.168.105.1 -> 192.168.105.0/24


My config is as follows....
############
version	2.0	# conforms to second version of ipsec.conf specification

config setup
	interfaces=%defaultroute
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/1,%v4:!192.168.101.0/24

conn %default
	authby=rsasig
	auth=ah

conn test
	left=192.168.101.128
	leftsubnet=192.168.140.0/24
	leftrsasigkey=0sAQOwZ1F.....
	right=192.168.101.129
	rightsubnet=192.168.5.0/24
	rightrsasigkey=0sAQOXP.....
	auto=start
############

The log looks like this....
############
Jun 12 15:11:16 attic pluto[6315]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:6315
Jun 12 15:11:16 attic pluto[6315]: LEAK_DETECTIVE support [disabled]
Jun 12 15:11:16 attic pluto[6315]: OCF support for IKE [disabled]
Jun 12 15:11:16 attic pluto[6315]: SAref support [disabled]: Protocol not available
Jun 12 15:11:16 attic pluto[6315]: SAbind support [disabled]: Protocol not available
Jun 12 15:11:16 attic pluto[6315]: NSS support [disabled]
Jun 12 15:11:16 attic pluto[6315]: HAVE_STATSD notification support not compiled in
Jun 12 15:11:16 attic pluto[6315]: Setting NAT-Traversal port-4500 floating to on
Jun 12 15:11:16 attic pluto[6315]:    port floating activation criteria nat_t=1/port_float=1
Jun 12 15:11:16 attic pluto[6315]:    NAT-Traversal support  [enabled]
Jun 12 15:11:16 attic pluto[6315]: using /dev/urandom as source of random entropy
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 12 15:11:16 attic pluto[6315]: starting up 1 cryptographic helpers
Jun 12 15:11:16 attic pluto[6315]: started helper pid=6318 (fd:6)
Jun 12 15:11:16 attic pluto[6315]: Kernel interface auto-pick
Jun 12 15:11:16 attic pluto[6315]: Using Linux 2.6 IPsec interface code on 3.2.0-24-generic (experimental code)
Jun 12 15:11:16 attic pluto[6318]: using /dev/urandom as source of random entropy
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/cacerts'
Jun 12 15:11:16 attic pluto[6315]:   loaded CA cert file 'strongCert.pem' (1407 bytes)
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/aacerts'
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jun 12 15:11:16 attic pluto[6315]: Changing to directory '/etc/ipsec.d/crls'
Jun 12 15:11:16 attic pluto[6315]:   Warning: empty directory
Jun 12 15:11:16 attic pluto[6315]: added connection description "test"
Jun 12 15:11:16 attic pluto[6315]: listening for IKE messages
Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 192.168.101.129:500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 192.168.101.129:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 192.168.105.1:500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 192.168.105.1:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo ::1:500
Jun 12 15:11:16 attic pluto[6315]: loading secrets from "/etc/ipsec.secrets"
Jun 12 15:11:16 attic pluto[6315]: loaded private key for keyid: PPK_RSA:AQOXP/NQt
Jun 12 15:11:16 attic pluto[6315]: "test" #1: initiating Main Mode
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109
Jun 12 15:11:16 attic pluto[6315]: "test" #1: enabling possible NAT-traversal with method 4
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 12 15:11:16 attic pluto[6315]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [CAN-IKEv2]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.101.128'
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 12 15:11:16 attic pluto[6315]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:9b8ca5cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 15:11:16 attic pluto[6315]: "test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 15:11:16 attic pluto[6315]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x36bc78bc <0x95684c6d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 15:11:34 attic pluto[6315]: "test" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7901353b) not found (maybe expired)
Jun 12 15:11:34 attic pluto[6315]: "test" #1: received and ignored informational message
############



_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users