[Openswan Users] How to Bind to nic?

Daniel Cave dan.cave at me.com
Wed Feb 13 12:36:39 EST 2013


I've probably joined this too late, but does ETH1 have the correct IPs for your external and internally routed IPs?

If you've changed the binding interface from _all_ to just one, I _presume_ that the tunnel will only successfully come up if it has valid IPs on the external/internal. Is it binding properly to 4500/500 and can it route to both LANs?

netstat -tnl | grep 500 will tell you, plus ifconfig / ip addr / ip route - of course :)

just my 0.02 pence's worth

On 13 Feb 2013, at 17:21, Luis Nagaki wrote:

> Log from Server
> "client1"[1] ClientExternal IP #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
> "client1"[1] ClientExternal IP #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> "client1"[1] ClientExternal IP #14: STATE_MAIN_R2: sent MR2, expecting MI3
> "client1"[1] ClientExternal IP #14: Main mode peer ID is ID_FQDN: '@client1'
> "client1"[1] ClientExternal IP #14: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> "client1"[1] ClientExternal IP #14: new NAT mapping for #14, was ClientExternal IP:500, now ClientExternal IP:12072
> "client1"[1] ClientExternal IP #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
> "client1"[1] ClientExternal IP #14: Dead Peer Detection (RFC 3706): enabled
> "client1"[1] ClientExternal IP #14: retransmitting in response to duplicate packet; already STATE_MAIN_R3
> "client1"[1] ClientExternal IP #13: DPD: No response from peer - declaring peer dead
> "client1"[1] ClientExternal IP #13: DPD: Restarting all connections that share this peer
> "client1"[1] ClientExternal IP #13: terminating SAs using this connection
> "client1" #14: deleting state (STATE_MAIN_R3)
> "client1" #13: deleting state (STATE_MAIN_R3)
> 
> 
> 
> On Wed, Feb 13, 2013 at 12:17 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> I thought it was the binding (which now works btw, thanks Andy)
> 
> but I get to this point and it doesn't connect
> 
> "central" #1: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
> "central" #1: received Vendor ID payload [Dead Peer Detection]
> "central" #1: received Vendor ID payload [RFC 3947] method set to=109 
> "central" #1: enabling possible NAT-traversal with method 4
> "central" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> "central" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> "central" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
> "central" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> "central" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 
> stops at expecting MR3
> 
> 
> On Wed, Feb 13, 2013 at 12:11 PM, Andy Gay <andy at andynet.net> wrote:
> On Wed, 2013-02-13 at 09:16 -0500, Luis Nagaki wrote:
> > Hey Guys, since I am getting DHCP on the server, how do I bind ipsec
> > only on that nic? I don't want IPSEC confusing itself with the other
> > nics / ips
> >
> You can specify the interface to use in /etc/ipsec.conf. Add an entry in
> the "config setup" section at the top like:
>   plutoopts="--interface eth1"
> 
> /Andy
> 
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 

Regards

Dan.
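As an added example (not code from the thread or from Openswan), a small Python parser for the pluto log lines quoted above: it groups lines by state number, records the last Main Mode state each side reached, and pairs the initiator's and responder's logs to say where the exchange stalls. The log excerpts are constructed from the quoted lines with a documentation address in place of the redacted "ClientExternal IP".

```python
import re

# Constructed excerpts modelled on the two logs quoted in the thread
# (assumed address 203.0.113.5 stands in for the redacted client IP).
RESPONDER_LOG = """\
"client1"[1] 203.0.113.5 #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
"client1"[1] 203.0.113.5 #14: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"client1"[1] 203.0.113.5 #14: new NAT mapping for #14, was 203.0.113.5:500, now 203.0.113.5:12072
"client1"[1] 203.0.113.5 #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
"client1"[1] 203.0.113.5 #14: retransmitting in response to duplicate packet; already STATE_MAIN_R3
"client1" #14: deleting state (STATE_MAIN_R3)
"""
INITIATOR_LOG = """\
"central" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
"central" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"central" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"""

# "conn"[instance] peer #state: message   (instance and peer are optional)
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[\d+\] .+?)? #(?P<st>\d+): (?P<msg>.*)$')
TRANS_RE = re.compile(r'transition from state \S+ to state (\S+)')
FLAGS = ('peer is NATed', 'i am NATed', 'new NAT mapping',
         'duplicate packet', 'sent MR3', 'expecting MR3')

def parse_pluto_log(text):
    """Map state number -> connection name, last Main Mode state, notable events."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = states.setdefault(int(m.group('st')),
                                {'conn': m.group('conn'), 'state': None, 'events': []})
        t = TRANS_RE.search(m.group('msg'))
        if t:
            rec['state'] = t.group(1)
        rec['events'].extend(f for f in FLAGS if f in m.group('msg'))
    return states

def diagnose(initiator_log, responder_log):
    """Compare the newest state on each side and report a stalled Main Mode exchange."""
    ini, res = parse_pluto_log(initiator_log), parse_pluto_log(responder_log)
    i, r = ini[max(ini)], res[max(res)]
    out = {'stalled': False, 'initiator_state': i['state'], 'responder_state': r['state'], 'reason': ''}
    if i['state'] == 'STATE_MAIN_I3' and 'expecting MR3' in i['events'] and 'sent MR3' in r['events']:
        why = 'responder sent MR3 but it never reached the initiator'
        if 'duplicate packet' in r['events']:
            why += '; responder keeps answering a retransmitted MI3'
        if 'new NAT mapping' in r['events']:
            why += '; NAT mapping changed after NAT-T detection, verify the udp/4500 path both ways'
        out.update(stalled=True, reason=why)
    return out
```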
