[Openswan Users] Can't get subnets to connect

Michael Wisniewski wiz561 at gmail.com
Tue Jun 12 19:25:49 EDT 2012


Simon,

Thanks for the info.  You are correct, it should have been 192.168.105.0/24.
I suppose I was staring at IPs for too long today.

The problem turned out to actually be me not adding something called
"leftsourceip" and "rightsourceip" to the config.  Paul responded and said
to add it.  I also saw a posting on here about this from last year.

source: https://lists.openswan.org/pipermail/users/2011-February/020093.html

After adding these, things started working.

Thanks all!  Hopefully things will start working smoother!



On Tue, Jun 12, 2012 at 6:19 PM, simon charles <charlessimon at hotmail.com> wrote:

> Hi,
> Please check your leftsubnet/rightsubnet. Per your topology
>
> 192.168.140.0/24 -> 192.168.140.20 -> 192.168.101.128 << switch to
> another machine >> 192.168.101.129 -> 192.168.105.1 -> 192.168.105.0/24
>
> it should be 192.168.140.0/24  and 192.168.105.0/24  but you have them
> defined as
>
> leftsubnet=192.168.140.0/24
> leftrsasigkey=0sAQOwZ1F.....
> right=192.168.101.129
> rightsubnet=192.168.5.0/24  <==  a typo ? / should it be 192.168.105.0/24
>
>
>
> - Simon Charles -
>
>
> ------------------------------
> Date: Tue, 12 Jun 2012 15:33:51 -0500
> From: wiz561 at gmail.com
> To: users at lists.openswan.org
> Subject: [Openswan Users] Can't get subnets to connect
>
>
> Hi!
>
> I'm going through the OpenSwan book by Paul Wouters and
> was successfully able to get the host-to-host tunnel working.  The next
> step is to get your subnet to subnet tunnel up and running, and this is
> where I started running into problems.  If I don't add the
> left/rightsubnets in and run tcpdump, I can see the ping packets in the AH
> stuff.  However, once I add those, that is when things start breaking.  If
> I ping 192.168.101.128 from .101.129, the pings aren't going through the
> tunnel anymore.  If I also attempt to ping the other side of the remote
> gateway, I get...
>
> $ ping 192.168.140.20
> connect: Network is unreachable
>
> Since I did this with pfsense and ipsec and things worked out, I would
> assume that by doing it in Ubuntu would work as well.  If anybody can give
> any suggestions or help, that would be great, because I really have to
> learn this ipsec thing!
>
> Below is my network information....
>
> My topology looks like...
>
> 192.168.140.0/24 -> 192.168.140.20 -> 192.168.101.128 << switch to
> another machine >> 192.168.101.129 -> 192.168.105.1 -> 192.168.105.0/24
>
> My config is as follows....
>
> ############
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
> interfaces=%defaultroute
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/1,%v4:!192.168.101.0/24
>
> conn %default
> authby=rsasig
> auth=ah
>
> conn test
> left=192.168.101.128
> leftsubnet=192.168.140.0/24
> leftrsasigkey=0sAQOwZ1F.....
> right=192.168.101.129
> rightsubnet=192.168.5.0/24
> rightrsasigkey=0sAQOXP.....
> auto=start
> ############
>
> The log looks like this....
>
> ############
> Jun 12 15:11:16 attic pluto[6315]: Starting Pluto (Openswan Version
> 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:6315
> Jun 12 15:11:16 attic pluto[6315]: LEAK_DETECTIVE support [disabled]
> Jun 12 15:11:16 attic pluto[6315]: OCF support for IKE [disabled]
> Jun 12 15:11:16 attic pluto[6315]: SAref support [disabled]: Protocol not
> available
> Jun 12 15:11:16 attic pluto[6315]: SAbind support [disabled]: Protocol not
> available
> Jun 12 15:11:16 attic pluto[6315]: NSS support [disabled]
> Jun 12 15:11:16 attic pluto[6315]: HAVE_STATSD notification support not
> compiled in
> Jun 12 15:11:16 attic pluto[6315]: Setting NAT-Traversal port-4500
> floating to on
> Jun 12 15:11:16 attic pluto[6315]:    port floating activation criteria
> nat_t=1/port_float=1
> Jun 12 15:11:16 attic pluto[6315]:    NAT-Traversal support  [enabled]
> Jun 12 15:11:16 attic pluto[6315]: using /dev/urandom as source of random
> entropy
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Jun 12 15:11:16 attic pluto[6315]: starting up 1 cryptographic helpers
> Jun 12 15:11:16 attic pluto[6315]: started helper pid=6318 (fd:6)
> Jun 12 15:11:16 attic pluto[6315]: Kernel interface auto-pick
> Jun 12 15:11:16 attic pluto[6315]: Using Linux 2.6 IPsec interface code on
> 3.2.0-24-generic (experimental code)
> Jun 12 15:11:16 attic pluto[6318]: using /dev/urandom as source of random
> entropy
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating
> aes_ccm_8: Ok (ret=0)
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating
> aes_ccm_12: FAILED (ret=-17)
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating
> aes_ccm_16: FAILED (ret=-17)
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating
> aes_gcm_8: FAILED (ret=-17)
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating
> aes_gcm_12: FAILED (ret=-17)
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already
> exists
> Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating
> aes_gcm_16: FAILED (ret=-17)
> Jun 12 15:11:16 attic pluto[6315]: Changed path to directory
> '/etc/ipsec.d/cacerts'
> Jun 12 15:11:16 attic pluto[6315]:   loaded CA cert file 'strongCert.pem'
> (1407 bytes)
> Jun 12 15:11:16 attic pluto[6315]: Changed path to directory
> '/etc/ipsec.d/aacerts'
> Jun 12 15:11:16 attic pluto[6315]: Changed path to directory
> '/etc/ipsec.d/ocspcerts'
> Jun 12 15:11:16 attic pluto[6315]: Changing to directory
> '/etc/ipsec.d/crls'
> Jun 12 15:11:16 attic pluto[6315]:   Warning: empty directory
> Jun 12 15:11:16 attic pluto[6315]: added connection description "test"
> Jun 12 15:11:16 attic pluto[6315]: listening for IKE messages
> Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0
> 192.168.101.129:500
> Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0
> 192.168.101.129:4500
> Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1
> 192.168.105.1:500
> Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1
> 192.168.105.1:4500
> Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:500
> Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo 127.0.0.1:4500
> Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo ::1:500
> Jun 12 15:11:16 attic pluto[6315]: loading secrets from
> "/etc/ipsec.secrets"
> Jun 12 15:11:16 attic pluto[6315]: loaded private key for keyid:
> PPK_RSA:AQOXP/NQt
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: initiating Main Mode
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload
> [Openswan (this version) 2.6.37 ]
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload
> [Dead Peer Detection]
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload
> [RFC 3947] method set to=109
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: enabling possible
> NAT-traversal with method 4
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I2: sent MI2,
> expecting MR2
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: NAT-Traversal: Result using
> RFC 3947 (NAT-Traversal): no NAT detected
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I3: sent MI3,
> expecting MR3
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload
> [CAN-IKEv2]
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: Main mode peer ID is
> ID_IPV4_ADDR: '192.168.101.128'
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I4: ISAKMP SA
> established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha
> group=modp2048}
> Jun 12 15:11:16 attic pluto[6315]: "test" #2: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
> msgid:9b8ca5cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Jun 12 15:11:16 attic pluto[6315]: "test" #2: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2
> Jun 12 15:11:16 attic pluto[6315]: "test" #2: STATE_QUICK_I2: sent QI2,
> IPsec SA established tunnel mode {ESP=>0x36bc78bc <0x95684c6d
> xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> Jun 12 15:11:34 attic pluto[6315]: "test" #1: ignoring Delete SA payload:
> PROTO_IPSEC_ESP SA(0x7901353b) not found (maybe expired)
> Jun 12 15:11:34 attic pluto[6315]: "test" #1: received and ignored
> informational message
> ############
>
>
>
>
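The two mistakes discussed in this thread (a mistyped rightsubnet and missing leftsourceip/rightsourceip) are easy to catch before bringing the tunnel up. The following added example, not from the thread or from Openswan itself, parses a minimal conn block and checks it against the intended topology; the sample config and the TOPOLOGY table are constructed from the addresses posted above, and the 192.168.140.20 / 192.168.105.1 sourceip values are assumed from the topology line, not stated in the thread.

```python
# Added example: check an Openswan subnet-to-subnet conn against the intended topology.
import ipaddress
import re

# Constructed sample modelled on the posted config: rightsubnet typo kept,
# leftsourceip/rightsourceip absent. Not the poster's actual file.
SAMPLE_CONF = """\
conn test
    left=192.168.101.128
    leftsubnet=192.168.140.0/24
    right=192.168.101.129
    rightsubnet=192.168.5.0/24
    auto=start
"""

# Intended topology: (gateway address, inner interface, protected subnet) per side.
# Inner interface addresses are assumed from the topology line in the thread.
TOPOLOGY = {
    "left":  ("192.168.101.128", "192.168.140.20", "192.168.140.0/24"),
    "right": ("192.168.101.129", "192.168.105.1", "192.168.105.0/24"),
}

def parse_conn(text, name):
    """Return {key: value} for the named conn section (ipsec.conf key=value lines)."""
    settings, in_conn = {}, False
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            in_conn = m.group(1) == name
            continue
        m = re.match(r"^\s*([a-z_]+)=(\S+)", line)
        if in_conn and m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_conn(settings, topology):
    """Return a list of problems; an empty list means the conn matches the topology."""
    problems = []
    for side, (gw, inner_ip, subnet) in topology.items():
        want = ipaddress.ip_network(subnet)
        if settings.get(side) != gw:
            problems.append(f"{side}={settings.get(side)} but gateway is {gw}")
        got = settings.get(side + "subnet")
        if got is None or ipaddress.ip_network(got, strict=False) != want:
            problems.append(f"{side}subnet={got} does not match {want}")
        src = settings.get(side + "sourceip")
        if src is None:
            problems.append(f"{side}sourceip missing (expected an address in {want}, e.g. {inner_ip})")
        elif ipaddress.ip_address(src) not in want:
            problems.append(f"{side}sourceip={src} is outside {want}")
    return problems
```

Running `check_conn(parse_conn(SAMPLE_CONF, "test"), TOPOLOGY)` flags the subnet typo and both missing sourceip settings; with those corrected it returns an empty list.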