[Openswan Users] Can't get subnets to connect
simon charles
charlessimon at hotmail.com
Tue Jun 12 19:19:47 EDT 2012
Hi,

Please check your leftsubnet/rightsubnet. Per your topology

192.168.140.0/24 -> 192.168.140.20 -> 192.168.101.128 << switch to another machine >> 192.168.101.129 -> 192.168.105.1 -> 192.168.105.0/24

it should be 192.168.140.0/24 and 192.168.105.0/24, but you have them defined as

leftsubnet=192.168.140.0/24
leftrsasigkey=0sAQOwZ1F.....
right=192.168.101.129
rightsubnet=192.168.5.0/24 <== a typo? Should it be 192.168.105.0/24?
- Simon Charles -
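The mismatch Simon points at (a rightsubnet that does not match the network behind the right gateway) is the kind of thing a small config linter catches before the tunnel is brought up. The script below is an added example written for this thread; it is not Openswan code and not something either poster ran. It parses the conn sections of an ipsec.conf and checks that each side's subnet contains that gateway's inside-facing address, that the prefix is well-formed, and that the two subnets do not overlap. The function names, the GATEWAY_INSIDE table (filled from the topology in the thread; on a real gateway you would take it from `ip addr`, or from the "adding interface eth1/eth1 192.168.105.1:500" lines pluto logs) and the embedded sample config are all assumptions of the example.

```python
"""Sanity checks for the leftsubnet/rightsubnet lines of an ipsec.conf (added example)."""
import ipaddress

# Constructed sample: the conn section posted in the thread, with the
# suspected typo (rightsubnet=192.168.5.0/24) left in so the check fires.
SAMPLE_CONF = """\
conn test
    left=192.168.101.128
    leftsubnet=192.168.140.0/24
    leftrsasigkey=0sAQOwZ1F.....
    right=192.168.101.129
    rightsubnet=192.168.5.0/24
    rightrsasigkey=0sAQOXP.....
    auto=start
"""

# Constructed from the topology in the thread: the address each gateway
# has on its protected (inside) network. Assumption: in practice you
# would fill this from `ip addr` on each gateway.
GATEWAY_INSIDE = {
    "192.168.101.128": "192.168.140.20",  # left gateway
    "192.168.101.129": "192.168.105.1",   # right gateway
}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    ipsec.conf puts 'conn NAME' in column 0 and key=value lines indented.
    '#' starts a comment; 'config setup' and 'version' lines are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # top-level keyword: start a new conn, or leave any other section
            current = line.split(None, 1)[1].strip() if line.startswith("conn ") else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_subnets(conn, inside=GATEWAY_INSIDE):
    """Return a list of (side, message) findings for one conn; [] means OK."""
    findings = []
    nets = {}
    for side in ("left", "right"):
        gw = conn.get(side)
        subnet = conn.get(side + "subnet")
        if gw is None or subnet is None:
            continue  # host-to-host conn, or side not declared: nothing to check
        try:
            net = ipaddress.ip_network(subnet)  # strict: host bits must be zero
        except ValueError as exc:
            findings.append((side, f"{side}subnet={subnet} is not a valid prefix: {exc}"))
            continue
        nets[side] = net
        addr = inside.get(gw)
        if addr is None:
            findings.append((side, f"no inside address known for gateway {gw}"))
        elif ipaddress.ip_address(addr) not in net:
            findings.append((side, f"{side}subnet={subnet} does not contain "
                                   f"gateway {gw}'s inside address {addr}"))
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        findings.append(("both", "leftsubnet and rightsubnet overlap"))
    return findings


if __name__ == "__main__":
    # Run against the posted config: reports the rightsubnet mismatch.
    for name, conn in parse_conns(SAMPLE_CONF).items():
        for side, msg in check_subnets(conn) or [("-", "OK")]:
            print(f"{name}: {side}: {msg}")
```

Run against the posted config it reports one finding, on the right side, because 192.168.105.1 is not inside 192.168.5.0/24; with rightsubnet corrected to 192.168.105.0/24 it reports nothing. The strict prefix check also catches a subnet written with host bits set (e.g. 192.168.105.1/24), which Openswan would otherwise silently treat differently than intended.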
Date: Tue, 12 Jun 2012 15:33:51 -0500
From: wiz561 at gmail.com
To: users at lists.openswan.org
Subject: [Openswan Users] Can't get subnets to connect
Hi!
I'm going through the OpenSwan book by Paul Wouters and was successfully able to get the host-to-host tunnel working. The next step is to get your subnet to subnet tunnel up and running, and this is where I started running into problems. If I don't add the left/rightsubnets in and run tcpdump, I can see the ping packets in the AH stuff. However, once I add those, that is when things start breaking. If I ping 192.168.101.128 from .101.129, the pings aren't going through the tunnel anymore. If I also attempt to ping the other side of the remote gateway, I get...
$ ping 192.168.140.20
connect: Network is unreachable

Since I did this with pfsense and ipsec and things worked out, I would assume that doing it in Ubuntu would work as well. If anybody can give any suggestions or help, that would be great, because I really have to learn this ipsec thing!
Below is my network information....
My topology looks like...
192.168.140.0/24 -> 192.168.140.20 -> 192.168.101.128 << switch to another machine >> 192.168.101.129 -> 192.168.105.1 -> 192.168.105.0/24
My config is as follows....
############
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/1,%v4:!192.168.101.0/24

conn %default
    authby=rsasig
    auth=ah

conn test
    left=192.168.101.128
    leftsubnet=192.168.140.0/24
    leftrsasigkey=0sAQOwZ1F.....
    right=192.168.101.129
    rightsubnet=192.168.5.0/24
    rightrsasigkey=0sAQOXP.....
    auto=start
############
The log looks like this....
############
Jun 12 15:11:16 attic pluto[6315]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:6315
Jun 12 15:11:16 attic pluto[6315]: LEAK_DETECTIVE support [disabled]
Jun 12 15:11:16 attic pluto[6315]: OCF support for IKE [disabled]
Jun 12 15:11:16 attic pluto[6315]: SAref support [disabled]: Protocol not available
Jun 12 15:11:16 attic pluto[6315]: SAbind support [disabled]: Protocol not available
Jun 12 15:11:16 attic pluto[6315]: NSS support [disabled]
Jun 12 15:11:16 attic pluto[6315]: HAVE_STATSD notification support not compiled in
Jun 12 15:11:16 attic pluto[6315]: Setting NAT-Traversal port-4500 floating to on
Jun 12 15:11:16 attic pluto[6315]: port floating activation criteria nat_t=1/port_float=1
Jun 12 15:11:16 attic pluto[6315]: NAT-Traversal support [enabled]
Jun 12 15:11:16 attic pluto[6315]: using /dev/urandom as source of random entropy
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 12 15:11:16 attic pluto[6315]: starting up 1 cryptographic helpers
Jun 12 15:11:16 attic pluto[6315]: started helper pid=6318 (fd:6)
Jun 12 15:11:16 attic pluto[6315]: Kernel interface auto-pick
Jun 12 15:11:16 attic pluto[6315]: Using Linux 2.6 IPsec interface code on 3.2.0-24-generic (experimental code)
Jun 12 15:11:16 attic pluto[6318]: using /dev/urandom as source of random entropy
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists
Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/cacerts'
Jun 12 15:11:16 attic pluto[6315]: loaded CA cert file 'strongCert.pem' (1407 bytes)
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/aacerts'
Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jun 12 15:11:16 attic pluto[6315]: Changing to directory '/etc/ipsec.d/crls'
Jun 12 15:11:16 attic pluto[6315]: Warning: empty directory
Jun 12 15:11:16 attic pluto[6315]: added connection description "test"
Jun 12 15:11:16 attic pluto[6315]: listening for IKE messages
Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 192.168.101.129:500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 192.168.101.129:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 192.168.105.1:500
Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 192.168.105.1:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:4500
Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo ::1:500
Jun 12 15:11:16 attic pluto[6315]: loading secrets from "/etc/ipsec.secrets"
Jun 12 15:11:16 attic pluto[6315]: loaded private key for keyid: PPK_RSA:AQOXP/NQt
Jun 12 15:11:16 attic pluto[6315]: "test" #1: initiating Main Mode
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109
Jun 12 15:11:16 attic pluto[6315]: "test" #1: enabling possible NAT-traversal with method 4
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 12 15:11:16 attic pluto[6315]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [CAN-IKEv2]
Jun 12 15:11:16 attic pluto[6315]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.101.128'
Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 12 15:11:16 attic pluto[6315]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:9b8ca5cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 15:11:16 attic pluto[6315]: "test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 15:11:16 attic pluto[6315]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x36bc78bc <0x95684c6d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 15:11:34 attic pluto[6315]: "test" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7901353b) not found (maybe expired)
Jun 12 15:11:34 attic pluto[6315]: "test" #1: received and ignored informational message
############
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155