[Openswan Users] bridging to OpenVPN -- is it possible?
Viacheslav Dushin
slava333 at gmail.com
Wed Apr 17 20:23:28 UTC 2013
Hi, Nick
>Why have you got forceencaps (although it appears to be working)?
Because I'm new to OpenSWAN :) It was asked in the settings I got from my
provider.
But it seems to be working with forceencaps=no (my gateway where openswan
is installed has public ip).
>Is the traceroute failing from the gateway?
Yes, from the gateway
> Try adding a leftsourceip=your_ipsec_server_LAN_IP.
Do you mean IP in my OpenVPN network?
leftsourceip=10.128.142.1
Now it dies with a timeout:
traceroute 10.128.0.2
traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60 byte packets
1 vm12202 (100.100.100.100) 3000.607 ms !H 3000.595 ms !H 3000.582 ms !H
100.100.100.100 -- is my gateway public ip address
200.200.200.200 -- is IPSec provider's public ip address
One dummy question: Is OpenSWAN able to bridge IPsec networks only? Can it
bridge to OpenVPN networks?
Thanks, Slava
2013/4/17 Nick Howitt <n1ck.h0w1tt at gmail.com>
> Why have you got forceencaps (although it appears to be working)?
>
> Is the traceroute failing from the gateway? Try adding a
> leftsourceip=your_ipsec_server_LAN_IP.
>
> Nick
>
>
> On 17/04/2013 20:42, Viacheslav Dushin wrote:
>
> Hi guys
>
>
> Basically there are two networks 10.128.0.0/24 (my provider's network)
> and 10.128.142.0/24 (my network built on OpenVPN) that I want to bridge
> via site-to-site VPN. Is it possible? If not, what other solutions may be
> used?
>
> Finally I managed (with your help) to set up the site-to-site connection
> to my VPN provider. Ipsec status shows that the tunnel is up:
>
>
> --- tunnels status start ---
>
> /etc/init.d/ipsec status
> IPsec running - pluto pid: 797
> pluto pid 797
> 1 tunnels up
> some eroutes exist
>
> ---tunnels status end---
>
>
> But traceroute 10.128.0.2 command dies after 30 hops:
>
> traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60 byte packets
> 1 * * *
>
>
>
> Openswan version: Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
>
> Thanks, Slava
>
> Other logs/configs: see below
>
> ------ifconfig start---------
>
> eth0 Link encap:Ethernet HWaddr 12:e8:12:8c:1a:c0
> inet addr:100.100.100.100 Bcast:100.100.100.255
> Mask:255.255.255.0
> inet6 addr: fe80::10e8:12ff:fe8c:1ac0/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:779249 errors:0 dropped:6352 overruns:0 frame:0
> TX packets:72439 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:86789600 (82.7 MiB) TX bytes:41816455 (39.8 MiB)
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>
> tun0 Link encap:UNSPEC HWaddr
> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
> inet addr:10.128.142.1 P-t-P:10.128.142.2 Mask:255.255.255.255
> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
> RX packets:32031 errors:0 dropped:0 overruns:0 frame:0
> TX packets:33785 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:8637866 (8.2 MiB) TX bytes:28671489 (27.3 MiB)
>
> ------ifconfig end------
>
> ----status start-----
>
> ipsec auto --status
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 100.100.100.100
> 000 interface eth0/eth0 100.100.100.100
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
> 25.0.0.0/8, fd00::/8, fe80::/10
> 000 - disallowed 0 subnets:
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000 private address space in internal use, it should be excluded!
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
> keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
> keysizemin=384, keysizemax=384
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
> keysizemin=512, keysizemax=512
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
> keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
> trans={0,4,1536} attrs={0,4,2048}
> 000
> 000 "telphin": 10.128.142.0/24===100.100.100.100
> <100.100.100.100>...200.200.200.200<200.200.200.200>===10.128.0.0/24;
> erouted; eroute owner: #8
> 000 "telphin": myip=unset; hisip=unset;
> 000 "telphin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "telphin": policy:
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
> interface: eth0;
> 000 "telphin": newest ISAKMP SA: #7; newest IPsec SA: #8;
> 000 "telphin": IKE algorithms wanted:
> 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
> 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
> 000 "telphin": IKE algorithms found:
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> 000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> 000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
> flags=-strict
> 000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
> 000 "telphin": ESP algorithm newest: 3DES_000-HMAC_SHA1;
> pfsgroup=<Phase1>
> 000
> 000 #8: "telphin":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 26578s; newest IPSEC; eroute owner; isakmp#7; idle;
> import:admin initiate
> 000 #8: "telphin" esp.3b287452@200.200.200.200 esp.26159e22@100.100.100.100 tun.0@200.200.200.200 tun.0@100.100.100.100 ref=0 refhim=4294901761
> 000 #7: "telphin":4500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 1660s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
> idle; import:admin initiate
> 000
>
> ------- status end -----
>
> --- verify start -----
>
> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
> Checking for IPsec support in kernel [OK]
> SAref kernel support [N/A]
> NETKEY: Testing XFRM related proc values [OK]
> [OK]
> [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [FAILED]
> Checking NAT and MASQUERADEing [OK]
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [WARNING]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
>
> --- verify end -----
>
> ---- config start ---
>
> # basic configuration
> config setup
> interfaces="%defaultroute"
> # Do not set debug options to debug configuration issues!
> # plutodebug / klipsdebug = "all", "none" or a combation from below:
> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
> # eg:
> # plutodebug="control parsing"
> # Again: only enable plutodebug or klipsdebug when asked by a developer
> #
> # enable to get logs per-peer
> # plutoopts="--perpeerlog"
> #
> # Enable core dumps (might require system changes, like ulimit -C)
> # This is required for abrtd to work properly
> # Note: incorrect SElinux policies might prevent pluto writing the core
> dumpdir=/var/run/pluto/
> #
> # NAT-TRAVERSAL support, see README.NAT-Traversal
> nat_traversal=yes
> # exclude networks used on server side by adding %v4:!a.b.c.0/24
> # It seems that T-Mobile in the US and Rogers/Fido in Canada are
> # using 25/8 as "private" address space on their 3G network.
> # This range has not been announced via BGP (at least upto 2010-12-21)
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
> # OE is now off by default. Uncomment and change to on, to enable.
> oe=off
> # which IPsec stack to use. auto will try netkey, then klips then mast
> protostack=netkey
> # Use this to log to a file, or disable logging on embedded systems (like openwrt)
> #plutostderrlog=/dev/null
>
>
> # Add connections here
>
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> #conn sample
> # # Left security gateway, subnet behind it, nexthop toward right.
> # left=10.0.0.1
> # leftsubnet=172.16.0.0/24
> # leftnexthop=10.22.33.44
> # # Right security gateway, subnet behind it, nexthop toward left.
> # right=10.12.12.1
> # rightsubnet=192.168.0.0/24
> # rightnexthop=10.101.102.103
> # # To authorize this connection, but not actually start it,
> # # at startup, uncomment this.
> # #auto=add
>
>
> conn telphin
> left=100.100.100.100 # left for local
> leftsubnet=10.128.142.0/24
> #leftnexthop=10.128.142.0
> right=200.200.200.200 # right for remote
> rightsubnet=10.128.0.0/24
> #rightnexthop=10.128.0.0
> type=tunnel
> authby=secret
> auto=start
> auth=esp
> keyexchange=ike
> ike=3des-sha1
> esp=3des-sha1
> pfs=yes
> forceencaps=yes
>
> ---- config end ---
>
>
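An added check (my own code, not from the thread or from Openswan) for the point behind Nick's leftsourceip suggestion: with the netkey stack, only packets whose source and destination both fall inside the negotiated leftsubnet/rightsubnet selectors are handed to IPsec, so a traceroute sourced from the gateway's public address is routed in the clear and never enters the tunnel. It parses the "ipsec auto --status" connection line and the "ipsec verify" results quoted above (sample lines taken from the page); the function names are mine.

```python
import ipaddress
import re

# Constructed sample input: the connection line from the "ipsec auto --status"
# output quoted in the thread, and three lines from its "ipsec verify" output.
STATUS_LINE = ('000 "telphin": 10.128.142.0/24===100.100.100.100<100.100.100.100>'
               '...200.200.200.200<200.200.200.200>===10.128.0.0/24; erouted')
VERIFY_OUTPUT = """Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking /bin/sh is not /bin/dash [WARNING]"""

# leftsubnet===left<id>...right<id>===rightsubnet (mail clients sometimes
# turn the "..." into a single ellipsis character, so accept both)
CONN_RE = re.compile(
    r'"(?P<name>[^"]+)":\s+(?P<lsub>\S+?)===(?P<left>[\d.]+)<[^>]*>'
    r'(?:\.\.\.|\u2026)(?P<right>[\d.]+)<[^>]*>===(?P<rsub>[^;\s]+)')

def parse_conn(line):
    """Pull the local/remote gateways and subnets out of a status line."""
    m = CONN_RE.search(line)
    if not m:
        raise ValueError("not a connection status line")
    return {"name": m.group("name"),
            "left": ipaddress.ip_address(m.group("left")),
            "leftsubnet": ipaddress.ip_network(m.group("lsub")),
            "right": ipaddress.ip_address(m.group("right")),
            "rightsubnet": ipaddress.ip_network(m.group("rsub"))}

def classify(conn, src, dst):
    """'tunnel' if (src, dst) matches the negotiated selectors, so netkey
    will encrypt it; otherwise 'plain', i.e. sent by ordinary routing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in conn["leftsubnet"] and dst in conn["rightsubnet"]:
        return "tunnel"
    return "plain"

def sourceip_ok(conn, candidate):
    """A usable leftsourceip must lie inside leftsubnet."""
    return ipaddress.ip_address(candidate) in conn["leftsubnet"]

def failed_checks(verify_output):
    """(check name, result) for every 'ipsec verify' line that did not pass;
    a FAILED IP-forwarding check means hosts behind the gateway (here the
    OpenVPN clients) cannot be forwarded into the tunnel at all."""
    bad = []
    for line in verify_output.splitlines():
        m = re.match(r'(.*?)\s*\[(FAILED|WARNING)\]\s*$', line)
        if m:
            bad.append((m.group(1), m.group(2)))
    return bad

if __name__ == "__main__":
    conn = parse_conn(STATUS_LINE)
    for src in ("100.100.100.100", "10.128.142.1"):
        print(src, "-> 10.128.0.2:", classify(conn, src, "10.128.0.2"))
    print("leftsourceip 10.128.142.1 usable:", sourceip_ok(conn, "10.128.142.1"))
    print("verify problems:", failed_checks(VERIFY_OUTPUT))
```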