[Openswan Users] bridging to OpenVPN -- is it possible?
Viacheslav Dushin
slava333 at gmail.com
Wed Apr 17 20:52:50 UTC 2013
> leftsourceip should be set to the LAN IP of the machine that is running
> Openswan - your gateway.
> Does 10.128.0.2 exist?
Yes.
Thanks for the answers.
2013/4/18 Nick Howitt <n1ck.h0w1tt at gmail.com>
> leftsourceip should be set to the LAN IP of the machine that is running
> Openswan - your gateway.
> Does 10.128.0.2 exist?
> I wonder if you have a firewalling problem but I'm not good with these.
>
> I don't understand the question of bridging IPsec or OpenVPN networks. It
> uses IPsec to bridge two networks. Similarly you can use OpenVPN to bridge
> two networks.
>
>
> Nick
>
> On 17/04/2013 21:23, Viacheslav Dushin wrote:
>
> Hi, Nick
>
> >Why have you got forceencaps (although it appears to be working)?
> Because I'm new to OpenSWAN :) It was asked in the settings I got from my
> provider.
> But it seems to be working with forceencaps=no (my gateway where openswan
> is installed has a public IP).
>
> >Is the traceroute failing from the gateway?
> Yes, from the gateway
>
> > Try adding a leftsourceip=your_ipsec_server_LAN_IP.
> Do you mean the IP in my OpenVPN network?
>
> leftsourceip=10.128.142.1
>
> now it dies with the timeout:
>
> traceroute 10.128.0.2
> traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60 byte packets
> 1 vm12202 (100.100.100.100) 3000.607 ms !H 3000.595 ms !H 3000.582 ms !H
>
> 100.100.100.100 -- is my gateway public ip address
> 200.200.200.200 -- is IPSec provider's public ip address
>
> One dummy question: Is OpenSWAN able to bridge IPsec networks only? Can
> it bridge to OpenVPN networks?
>
> Thanks, Slava
>
>
>
> 2013/4/17 Nick Howitt <n1ck.h0w1tt at gmail.com>
>
>> Why have you got forceencaps (although it appears to be working)?
>>
>> Is the traceroute failing from the gateway? Try adding a
>> leftsourceip=your_ipsec_server_LAN_IP.
>>
>> Nick
>>
>>
>> On 17/04/2013 20:42, Viacheslav Dushin wrote:
>>
>> Hi guys
>>
>>
>> Basically there are two networks 10.128.0.0/24 (my provider's network)
>> and 10.128.142.0/24 (my network built on OpenVPN) that I want to bridge
>> via site-to-site VPN. Is it possible? If not, what other solutions may be
>> used?
>>
>> Finally I managed (with your help) to set up the site-to-site
>> connection to my VPN provider. Ipsec status shows that tunnel is up:
>>
>>
>> --- tunnels status start ---
>>
>> /etc/init.d/ipsec status
>> IPsec running - pluto pid: 797
>> pluto pid 797
>> 1 tunnels up
>> some eroutes exist
>>
>> ---tunnels status end---
>>
>>
>> But the traceroute 10.128.0.2 command dies after 30 hops:
>>
>> traceroute to 10.128.0.2 (10.128.0.2), 30 hops max, 60 byte packets
>> 1 * * *
>>
>>
>>
>> Openswan version: Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
>>
>> Thanks, Slava
>>
>> Other logs/configs, see below
>>
>> ------ifconfig start---------
>>
>> eth0 Link encap:Ethernet HWaddr 12:e8:12:8c:1a:c0
>> inet addr:100.100.100.100 Bcast:100.100.100.255
>> Mask:255.255.255.0
>> inet6 addr: fe80::10e8:12ff:fe8c:1ac0/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:779249 errors:0 dropped:6352 overruns:0 frame:0
>> TX packets:72439 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:86789600 (82.7 MiB) TX bytes:41816455 (39.8 MiB)
>>
>> lo Link encap:Local Loopback
>> inet addr:127.0.0.1 Mask:255.0.0.0
>> inet6 addr: ::1/128 Scope:Host
>> UP LOOPBACK RUNNING MTU:16436 Metric:1
>> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:0
>> RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
>>
>> tun0 Link encap:UNSPEC HWaddr
>> 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
>> inet addr:10.128.142.1 P-t-P:10.128.142.2
>> Mask:255.255.255.255
>> UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
>> RX packets:32031 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:33785 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:100
>> RX bytes:8637866 (8.2 MiB) TX bytes:28671489 (27.3 MiB)
>>
>> ------ifconfig end------
>>
>> ----status start-----
>>
>> ipsec auto --status
>> 000 using kernel interface: netkey
>> 000 interface lo/lo ::1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface lo/lo 127.0.0.1
>> 000 interface eth0/eth0 100.100.100.100
>> 000 interface eth0/eth0 100.100.100.100
>> 000 %myid = (none)
>> 000 debug none
>> 000
>> 000 virtual_private (%priv):
>> 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
>> 25.0.0.0/8, fd00::/8, fe80::/10
>> 000 - disallowed 0 subnets:
>> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
>> 000 private address space in internal use, it should be excluded!
>> 000
>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
>> keysizemax=64
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
>> keysizemax=192
>> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
>> keysizemax=128
>> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
>> keysizemin=40, keysizemax=448
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
>> keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
>> keysizemax=256
>> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
>> keysizemin=160, keysizemax=288
>> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>> keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>> keysizemin=256, keysizemax=256
>> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
>> keysizemin=384, keysizemax=384
>> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
>> keysizemin=512, keysizemax=512
>> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
>> keysizemin=160, keysizemax=160
>> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
>> keysizemin=128, keysizemax=128
>> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
>> keysizemin=0, keysizemax=0
>> 000
>> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
>> keydeflen=192
>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
>> keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>> 000
>> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
>> trans={0,4,1536} attrs={0,4,2048}
>> 000
>> 000 "telphin": 10.128.142.0/24===100.100.100.100<100.100.100.100>...200.200.200.200<200.200.200.200>===10.128.0.0/24; erouted; eroute owner: #8
>> 000 "telphin": myip=unset; hisip=unset;
>> 000 "telphin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
>> rekey_fuzz: 100%; keyingtries: 0
>> 000 "telphin": policy:
>> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
>> interface: eth0;
>> 000 "telphin": newest ISAKMP SA: #7; newest IPsec SA: #8;
>> 000 "telphin": IKE algorithms wanted:
>> 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
>> 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
>> 000 "telphin": IKE algorithms found:
>> 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>> 000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
>> 000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
>> flags=-strict
>> 000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
>> 000 "telphin": ESP algorithm newest: 3DES_000-HMAC_SHA1;
>> pfsgroup=<Phase1>
>> 000
>> 000 #8: "telphin":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 26578s; newest IPSEC; eroute owner; isakmp#7; idle;
>> import:admin initiate
>> 000 #8: "telphin" esp.3b287452@200.200.200.200 esp.26159e22@100.100.100.100 tun.0@200.200.200.200 tun.0@100.100.100.100 ref=0 refhim=4294901761
>> 000 #7: "telphin":4500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 1660s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
>> idle; import:admin initiate
>> 000
>>
>> ------- status end -----
>>
>> --- verify start -----
>>
>> ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
>> Checking for IPsec support in kernel [OK]
>> SAref kernel support [N/A]
>> NETKEY: Testing XFRM related proc values [OK]
>> [OK]
>> [OK]
>> Checking that pluto is running [OK]
>> Pluto listening for IKE on udp 500 [OK]
>> Pluto listening for NAT-T on udp 4500 [OK]
>> Two or more interfaces found, checking IP forwarding [FAILED]
>> Checking NAT and MASQUERADEing [OK]
>> Checking for 'ip' command [OK]
>> Checking /bin/sh is not /bin/dash [WARNING]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>>
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>
>> # This file: /usr/share/doc/openswan/ipsec.conf-sample
>> #
>> # Manual: ipsec.conf.5
>>
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>>
>> --- verify end -----
>>
>> ---- config start ---
>>
>> # basic configuration
>> config setup
>>     interfaces="%defaultroute"
>>     # Do not set debug options to debug configuration issues!
>>     # plutodebug / klipsdebug = "all", "none" or a combation from below:
>>     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
>>     # eg:
>>     # plutodebug="control parsing"
>>     # Again: only enable plutodebug or klipsdebug when asked by a developer
>>     #
>>     # enable to get logs per-peer
>>     # plutoopts="--perpeerlog"
>>     #
>>     # Enable core dumps (might require system changes, like ulimit -C)
>>     # This is required for abrtd to work properly
>>     # Note: incorrect SElinux policies might prevent pluto writing the core
>>     dumpdir=/var/run/pluto/
>>     #
>>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>>     nat_traversal=yes
>>     # exclude networks used on server side by adding %v4:!a.b.c.0/24
>>     # It seems that T-Mobile in the US and Rogers/Fido in Canada are
>>     # using 25/8 as "private" address space on their 3G network.
>>     # This range has not been announced via BGP (at least upto 2010-12-21)
>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>     # OE is now off by default. Uncomment and change to on, to enable.
>>     oe=off
>>     # which IPsec stack to use. auto will try netkey, then klips then mast
>>     protostack=netkey
>>     # Use this to log to a file, or disable logging on embedded systems (like openwrt)
>>     #plutostderrlog=/dev/null
>>
>>
>> # Add connections here
>>
>> # sample VPN connection
>> # for more examples, see /etc/ipsec.d/examples/
>> #conn sample
>> # # Left security gateway, subnet behind it, nexthop toward right.
>> # left=10.0.0.1
>> # leftsubnet=172.16.0.0/24
>> # leftnexthop=10.22.33.44
>> # # Right security gateway, subnet behind it, nexthop toward left.
>> # right=10.12.12.1
>> # rightsubnet=192.168.0.0/24
>> # rightnexthop=10.101.102.103
>> # # To authorize this connection, but not actually start it,
>> # # at startup, uncomment this.
>> # #auto=add
>>
>>
>> conn telphin
>>     left=100.100.100.100 # left for local
>>     leftsubnet=10.128.142.0/24
>>     #leftnexthop=10.128.142.0
>>     right=200.200.200.200 # right for remote
>>     rightsubnet=10.128.0.0/24
>>     #rightnexthop=10.128.0.0
>>     type=tunnel
>>     authby=secret
>>     auto=start
>>     auth=esp
>>     keyexchange=ike
>>     ike=3des-sha1
>>     esp=3des-sha1
>>     pfs=yes
>>     forceencaps=yes
>>
>> ---- config end ---
>>
>>
>>
>>
>>
>
>
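The symptom in this thread, a traceroute run on the gateway itself that never enters the tunnel while `ipsec auto --status` reports the SA established and erouted, follows directly from how the conn's traffic selectors are applied, and the check below makes that concrete. This is an added worked example, not code from the original post or from Openswan: it parses the conn line exactly as `ipsec auto --status` printed it above (with the anonymised 100.100.100.100 and 200.200.200.200 addresses) and evaluates whether a given source/destination pair is covered by the tunnel policy. The function names and the list of local addresses (taken from the ifconfig output in the post) are constructed for the example.

```python
"""Why gateway-originated traffic misses an Openswan tunnel.

Added example for the thread above; not code from the post or from Openswan.
With the NETKEY stack, the outbound policy installed for a conn matches only
packets whose source lies in leftsubnet and whose destination lies in
rightsubnet. Anything else follows the ordinary routing table.
"""
import ipaddress
import re

# Constructed sample: the conn line from `ipsec auto --status` in the post.
STATUS_LINE = (
    '000 "telphin": 10.128.142.0/24===100.100.100.100<100.100.100.100>'
    '...200.200.200.200<200.200.200.200>===10.128.0.0/24; '
    'erouted; eroute owner: #8'
)

# Constructed sample: the addresses ifconfig showed on the gateway (eth0, tun0, lo).
LOCAL_ADDRESSES = ["100.100.100.100", "10.128.142.1", "127.0.0.1"]

_CONN_RE = re.compile(
    r'"(?P<name>[^"]+)":\s+'
    r'(?P<leftsubnet>[0-9./]+)===(?P<left>[0-9.]+)<[^>]*>'
    r'(?:\.\.\.|\u2026)'          # three dots, or the ellipsis mail clients turn them into
    r'(?P<right>[0-9.]+)<[^>]*>===(?P<rightsubnet>[0-9./]+);'
)


def parse_status_conn(line):
    """Pull the traffic selectors and peer addresses out of one conn status line."""
    m = _CONN_RE.search(line)
    if m is None:
        raise ValueError("not a conn status line: %r" % line)
    return {
        "name": m.group("name"),
        "left": ipaddress.ip_address(m.group("left")),
        "leftsubnet": ipaddress.ip_network(m.group("leftsubnet")),
        "right": ipaddress.ip_address(m.group("right")),
        "rightsubnet": ipaddress.ip_network(m.group("rightsubnet")),
    }


def selector_matches(conn, src, dst):
    """True if a packet src -> dst is caught by the conn's outbound policy."""
    return (ipaddress.ip_address(src) in conn["leftsubnet"]
            and ipaddress.ip_address(dst) in conn["rightsubnet"])


def leftsourceip_candidates(conn, local_addresses):
    """Local addresses that are usable as leftsourceip= (they must sit inside leftsubnet)."""
    return [a for a in local_addresses
            if ipaddress.ip_address(a) in conn["leftsubnet"]]


def explain_probe(conn, src, dst):
    """One-line verdict for a probe such as `traceroute 10.128.0.2` run on the gateway."""
    if selector_matches(conn, src, dst):
        return "%s -> %s: matches %s, goes through the tunnel" % (src, dst, conn["name"])
    if ipaddress.ip_address(dst) not in conn["rightsubnet"]:
        return "%s -> %s: destination outside rightsubnet %s, follows the normal route" % (
            src, dst, conn["rightsubnet"])
    return ("%s -> %s: destination is in rightsubnet but source is outside leftsubnet %s, "
            "packet bypasses the tunnel; set leftsourceip= to an address in leftsubnet"
            % (src, dst, conn["leftsubnet"]))


if __name__ == "__main__":
    conn = parse_status_conn(STATUS_LINE)
    # Without leftsourceip the gateway sources its own probes from eth0's public address.
    print(explain_probe(conn, "100.100.100.100", "10.128.0.2"))
    # With leftsourceip=10.128.142.1 the same probe is inside the selector.
    print(explain_probe(conn, "10.128.142.1", "10.128.0.2"))
    # An OpenVPN client behind tun0 already matches; the gateway just has to forward it.
    print(explain_probe(conn, "10.128.142.50", "10.128.0.2"))
    print("leftsourceip candidates:", leftsourceip_candidates(conn, LOCAL_ADDRESSES))
```

Two things the verdicts point at. Traffic the gateway generates itself is sourced from whatever address the routing table picks for the default route, here the public eth0 address, which is outside 10.128.142.0/24, so it never hits the policy and the tunnel stays idle however healthy the SA looks; `leftsourceip=` is the knob that makes locally generated traffic use a leftsubnet address, and the only candidate on this box is the tun0 address 10.128.142.1. Traffic arriving from OpenVPN clients on tun0 is already inside the selector, but the gateway must be willing to forward it between tun0 and the IPsec policy, and the `ipsec verify` output above reports the IP forwarding check as FAILED; `sysctl net.ipv4.ip_forward` shows the current value.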