[Openswan Users] I need help on OpenSwan Setup Ubuntu to Cisco

Imran Shakir shaker.emran at gmail.com
Thu Mar 29 12:35:41 EDT 2012


>
> Hi
>>
>> I've installed Openswan on Ubuntu 10.04.
>>
>> I've one network interface: eth0 = 10.202.x.x.
>>
>> I've created another Virtual Network Interface: eth0:0 = 192.168.y.y.
>>
>> I've Elastic IP: 50.17.z.z.
>>
>> I've done NATting with the following commands:
>>
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> then used more commands like this:
>>
>> iptables --flush
>> iptables -t nat --flush
>> iptables --delete-chain
>> iptables -t nat --delete-chain
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>> iptables -A FORWARD -i eth0:0 -j ACCEPT
>>
>> I've configured my connection as under:
>>
>> conn TEST
>>
>> type=tunnel
>> authby=secret
>> ike=3des-md5-modp1024
>> ikelifetime=86400s
>>
>> phase2=esp
>> phase2alg=3des-md5;modp1024
>> lifetime=28800s
>> forceencaps=yes
>> pfs=no
>>
>> left=10.202.x.x
>> leftid=50.17.z.z
>> leftnexthop=%defaultroute
>> leftsubnet=192.168.y.y/32
>>
>> right=202.125.a.a
>> rightid=202.125.a.a
>> rightsubnet=172.16.b.b/32
>> rightnexthop=%defaultroute
>> dpdaction=restart
>> dpddelay=30
>> dpdtimeout=45
>>
>> auto=add
>>
>> Now when I try to start a tunnel with the command ipsec auto --up TEST,
>> the tunnel comes up successfully, but when I ping 172.16.b.b I don't get
>> any reply.
>>
>> All ports are open for all IP addresses, the firewall allows all. Still no
>> success.
>>
>> My routing table is as under:
>>
>> Destination Gateway Genmask Flags Metric Ref Use Iface
>> 192.168.222.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
>> 10.202.70.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
>> 0.0.0.0 10.202.70.1 0.0.0.0 UG 100 0 0 eth0
>> 0.0.0.0 10.202.70.1 0.0.0.0 UG 100 0 0 eth0
>>
>>
>> iptables -L show:
>>
>> Chain INPUT (policy ACCEPT)
>>
>> target     prot opt source               destination
>>
>>
>> Chain FORWARD (policy ACCEPT)
>>
>> target     prot opt source               destination
>>
>> ACCEPT     all  --  anywhere             anywhere
>>
>>
>> Chain OUTPUT (policy ACCEPT)
>>
>> target     prot opt source               destination
>>
>> Kindly guide me on what I am missing: the tunnel is being established
>> successfully but I cannot ping the other side, and they cannot ping me.
>>
>>
>> Am I missing any route? Kindly do let me know what route to add, if I
>> missed any.
>>
>> Thank you very much. Waiting for any answer. Thank you guys.
>>
>> Regards
>>
>> Imran
>>
> LOG is:
>
> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2236: Dead Peer Detection (RFC 3706): enabled
> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2237: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#2236 msgid:a2d8cddd proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2236: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=00000000
> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2236: received and ignored informational message
> Mar 29 09:51:50 mx2 pluto[10593]: "ufoneIN" #2236: received Delete SA payload: deleting ISAKMP State #2236
> Mar 29 09:51:50 mx2 pluto[10593]: packet from 202.125.152.237:4500: received and ignored informational message
> Mar 29 09:52:01 mx2 CRON[21635]: pam_unix(cron:session): session opened for user root by (uid=0)
> Mar 29 09:52:01 mx2 CRON[21635]: pam_unix(cron:session): session closed for user root
> Mar 29 09:52:32 mx2 pluto[10593]: "ufoneIN": deleting connection
> Mar 29 09:52:32 mx2 pluto[10593]: "ufoneIN" #2237: deleting state (STATE_QUICK_I1)
> Mar 29 09:52:32 mx2 pluto[10593]: added connection description "ufoneIN"
> Mar 29 09:52:36 mx2 pluto[10593]: "ufoneIN" #2238: initiating Main Mode
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I2: sent MI2, expecting MR2
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [Cisco-Unity]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [XAUTH]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring unknown Vendor ID payload [938d9ec7b1eb6956bf8485a99551f9b7]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I3: sent MI3, expecting MR3
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [Dead Peer Detection]
> Mar 29 09:52:37 mx2 pluto[10593]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: Main mode peer ID is ID_IPV4_ADDR: '202.125.152.237'
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: Dead Peer Detection (RFC 3706): enabled
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2239: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#2238 msgid:3544a45b proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=00000000
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received and ignored informational message
> Mar 29 09:52:38 mx2 pluto[10593]: "ufoneIN" #2238: received Delete SA payload: deleting ISAKMP State #2238
> Mar 29 09:52:38 mx2 pluto[10593]: packet from 202.125.152.237:4500: received and ignored informational message
>
> Any idea how to resolve it?
>
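A diagnostic a reader might run over the pluto log quoted above, as an added example that is not code from the thread or from Openswan: it reconstructs each IKE state's lifecycle from the syslog lines and reports whether Phase 1 came up, whether any Quick Mode ever reached an established IPsec SA, and which Quick Mode attempts were orphaned when the peer deleted their parent ISAKMP SA. The line layout and the message strings it keys on are assumed from the lines quoted in the thread, and the embedded sample is an excerpt of that log.

```python
import re

# Shape of an Openswan pluto syslog line, assumed from the thread: Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: <message>
PLUTO_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: '
                      r'(?:"(?P<conn>[^"]+)"(?: #(?P<st>\d+))?: )?(?P<msg>.*)$')

# Sample input: an excerpt of the log quoted above (second attempt, states #2238 and #2239).
SAMPLE_LOG = """\
Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2239: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#2238 msgid:3544a45b proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Mar 29 09:52:38 mx2 pluto[10593]: "ufoneIN" #2238: received Delete SA payload: deleting ISAKMP State #2238
Mar 29 09:52:38 mx2 pluto[10593]: packet from 202.125.152.237:4500: received and ignored informational message
""".splitlines()


def diagnose(lines):
    """Per connection: did Phase 1 / Phase 2 complete, the NAT-T result, and which
    Quick Mode states were orphaned by a peer Delete SA of their ISAKMP SA."""
    ev, parent, nat = {}, {}, {}   # state -> (conn, events); quick state -> isakmp state; conn -> NAT result
    for line in lines:
        m = PLUTO_RE.match(line)
        if not m or m['conn'] is None or m['st'] is None:
            continue  # CRON noise, "packet from ...", "deleting connection" and similar
        conn, st, msg = m['conn'], m['st'], m['msg']
        nat.setdefault(conn, None)
        e = ev.setdefault(st, (conn, set()))[1]
        if 'ISAKMP SA established' in msg:
            e.add('phase1')
        elif msg.startswith('received Delete SA payload'):
            e.add('deleted_by_peer')           # the peer tore this Phase 1 SA down
        elif msg.startswith('initiating Quick Mode'):
            e.add('quick')
            parent[st] = next(iter(re.findall(r'using isakmp#(\d+)', msg)), None)
        elif 'IPsec SA established' in msg:
            e.add('phase2')                    # the only line that proves Phase 2 completed
        elif 'NAT-Traversal: Result' in msg:
            nat[conn] = msg.rsplit(': ', 1)[-1]  # e.g. "both are NATed"
    report = {}
    for conn in nat:
        mine = {s: e for s, (c, e) in ev.items() if c == conn}
        report[conn] = {
            'phase1_up': any('phase1' in e for e in mine.values()),
            'phase2_up': any('phase2' in e for e in mine.values()),
            'nat': nat[conn],
            'orphaned_quick': sorted(int(s) for s, e in mine.items() if 'quick' in e
                                     and 'phase2' not in e
                                     and 'deleted_by_peer' in ev.get(parent.get(s), (None, ()))[1]),
        }
    return report
```

On the quoted log it reports Phase 1 up, Phase 2 never established and Quick Mode #2239 orphaned, which is the distinction between "the tunnel comes up" and an IPsec SA that can actually carry the ping.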