[Openswan Users] bridging to OpenVPN -- is it possible?

Viacheslav Dushin slava333 at gmail.com
Wed Apr 17 19:42:02 UTC 2013 

Hi guys


Bascialy there are  two networks 10.128.0.0/24 (my provider's network) and
10.128.142.0/24 (my network built on OpenVPN) that I want to bridge via
site-to-site VPN. Is it possible? If not, what other solutions may be used?

Finally I managed (with your help) to set up the site-to-site connection to
my VPN provider. Ipsec status shows that tunnel is up:


--- tunnels status start ---

 /etc/init.d/ipsec status
IPsec running  - pluto pid: 797
pluto pid 797
1 tunnels up
some eroutes exist

---tunnels status end---


But traceroute 10.128.0.2 command dies  after 30 hops:

traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60 byte packets
 1  * * *



Openswan version: Openswan U2.6.38/K3.1.0-1.2-xen (netkey)

Thanks, Slava

Other logs/configs see bellow

------ifconfig  start---------

eth0      Link encap:Ethernet  HWaddr 12:e8:12:8c:1a:c0
          inet addr:100.100.100.100  Bcast:100.100.100.255
 Mask:255.255.255.0
          inet6 addr: fe80::10e8:12ff:fe8c:1ac0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:779249 errors:0 dropped:6352 overruns:0 frame:0
          TX packets:72439 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:86789600 (82.7 MiB)  TX bytes:41816455 (39.8 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

tun0      Link encap:UNSPEC  HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.128.142.1  P-t-P:10.128.142.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:32031 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33785 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:8637866 (8.2 MiB)  TX bytes:28671489 (27.3 MiB)

------ifconfig  end------

----status start-----

ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 100.100.100.100
000 interface eth0/eth0 100.100.100.100
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
trans={0,4,1536} attrs={0,4,2048}
000
000 "telphin": 10.128.142.0/24===100.100.100.100
<100.100.100.100>…200.200.200.200<200.200.200.200>===10.128.0.0/24;
erouted; eroute owner: #8
000 "telphin":     myip=unset; hisip=unset;
000 "telphin":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "telphin":   policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
interface: eth0;
000 "telphin":   newest ISAKMP SA: #7; newest IPsec SA: #8;
000 "telphin":   IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "telphin":   IKE algorithms found:
 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "telphin":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "telphin":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=-strict
000 "telphin":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "telphin":   ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #8: "telphin":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 26578s; newest IPSEC; eroute owner; isakmp#7; idle;
import:admin initiate
000 #8: "telphin" esp.3b287452 at 200.200.200.200 esp.26159e22 at 100.100.100.100
tun.0 at 200.200.200.200 tun.0 at 100.100.100.100 ref=0 refhim=4294901761
000 #7: "telphin":4500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 1660s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
idle; import:admin initiate
000

------- status end -----

--- verify start -----

ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
Checking for IPsec support in kernel                         [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing XFRM related proc values                   [OK]
[OK]
[OK]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                       [OK]
Two or more interfaces found, checking IP forwarding         [FAILED]
Checking NAT and MASQUERADEing                               [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [WARNING]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                             [DISABLED]

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification


--- verify end -----

---- config start ---

# basic configuration
config setup
        interfaces="%defaultroute"
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like
openwrt)
#plutostderrlog=/dev/null


# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=add


conn telphin
               left=100.100.100.100 # left for local
               leftsubnet=10.128.142.0/24
               #leftnexthop=10.128.142.0
               right=200.200.200.200 # right for remote
               rightsubnet=10.128.0.0/24
               #rightnexthop=10.128.0.0
               type=tunnel
               authby=secret
               auto=start
               auth=esp
               keyexchange=ike
               ike=3des-sha1
               esp=3des-sha1
               pfs=yes
               forceencaps=yes

---- config end ---
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130417/51c40432/attachment-0001.html>

More information about the Users mailing list