[Openswan Users] IPsec configuration

Ana kentdavies at gmail.com
Sat Nov 16 11:26:10 UTC 2013


Hi everybody.


I’m starting to learn *IPsec* and I'm having some problems.


I’m running two virtual machines with CentOS that simulate the network
depicted in the picture below.

[image: Inline image 1]


I want to create an IPsec tunnel between machine A and machine B. The keys
should be negotiated using IKE and the tunnel should enable total
connectivity between the two machines.



My *ipsec.conf* file on both machines is this:


config setup
            protostack=netkey
            dumpdir=/var/run/pluto/
            nat_traversal=yes
            virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24

conn gw-to-gw
            authby=secret
            left=192.168.1.1
            leftsubnet=10.1.1.0/24
            leftnexthop=192.168.1.2
            right=192.168.1.2
            rightsubnet=10.1.2.0/24
            rightnexthop=192.168.1.1
            auto=start
            type=tunnel


And *ipsec.secrets* on both machines is this:


192.168.1.1 192.168.1.2 : PSK "test"



I then do *service ipsec start* on machine A followed by the same command
on machine B. Then, again on machine A, I do *ipsec auto --up
gw-to-gw* followed by the exact same command on machine B.

Machine A output:

[root at mainmachine etc]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root at mainmachine etc]# ipsec auto --up gw-to-gw
117 "gw-to-gw" #5: STATE_QUICK_I1: initiate
004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root at mainmachine etc]#


Machine B output:

[root at mainmachine etc]# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root at mainmachine etc]# ipsec auto --up gw-to-gw
117 "gw-to-gw" #6: STATE_QUICK_I1: initiate
004 "gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root at mainmachine etc]#



I’m now using Wireshark to see how the traffic goes through the network
from machine A to machine B.


Listening on interface *eth5* of machine B and pinging *10.1.2.254* or
*10.1.2.2* from machine A, Wireshark does not capture any packet. If I do
the exact same procedure but now listening on interface *eth6*, Wireshark
captures the following image.

[image: Inline image 2]



I believe that the packet should somehow be encrypted but Wireshark is
telling me that it is not, so probably I have some kind of error on my
*ipsec.conf* configuration.
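A policy-based tunnel such as the gw-to-gw conn above only protects packets whose source and destination fall inside the leftsubnet/rightsubnet selector pair; anything else is routed normally and crosses the transit link unencrypted, which is exactly what a capture on the transit interface would show. The following script is an added example (not code from the original post or from Openswan) that parses the quoted conn block and reports, for constructed probe packets, whether the selectors would match. The gateway's own transit address 192.168.1.1 is assumed to be the source of a plain ping issued on machine A; that assumption and the probe addresses are constructed for illustration.

```python
"""Check which traffic the posted gw-to-gw policy selectors actually cover.

Added example, not part of the original mailing-list post. Parses the conn
block quoted in the post (embedded below as a constructed string) and tests
candidate (src, dst) pairs against the leftsubnet / rightsubnet selectors.
"""
import ipaddress
import re

# Constructed copy of the config from the post (dumpdir omitted, irrelevant here).
IPSEC_CONF = """
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24

conn gw-to-gw
    authby=secret
    left=192.168.1.1
    leftsubnet=10.1.1.0/24
    leftnexthop=192.168.1.2
    right=192.168.1.2
    rightsubnet=10.1.2.0/24
    rightnexthop=192.168.1.1
    auto=start
    type=tunnel
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section of ipsec.conf."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.match(r"^(config|conn)\s+(\S+)$", line)
        if section:
            # Only 'conn' sections carry selectors; 'config setup' is skipped.
            current = conns.setdefault(section.group(2), {}) if section.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def _side_net(conn, side):
    """Selector network for one side; without a *subnet the endpoint /32 is used."""
    if side + "subnet" in conn:
        return ipaddress.ip_network(conn[side + "subnet"], strict=False)
    return ipaddress.ip_network(conn[side] + "/32")


def selectors(conn):
    """Both directions of the (src_net, dst_net) selector pair for a conn."""
    left, right = _side_net(conn, "left"), _side_net(conn, "right")
    return [(left, right), (right, left)]


def protected_by(conn, src, dst):
    """True if an IP packet src->dst matches one of the conn's selectors."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in selectors(conn))


def classify(conns, src, dst):
    """Name of the conn whose policy covers src->dst, or None (sent in the clear)."""
    for name, conn in conns.items():
        if protected_by(conn, src, dst):
            return name
    return None


if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    # Constructed probes: a ping sourced from the gateway's transit address
    # (assumed for a plain 'ping 10.1.2.254' on machine A) versus pings sourced
    # from inside the protected subnets.
    probes = [("192.168.1.1", "10.1.2.254"), ("10.1.1.1", "10.1.2.254"), ("10.1.2.2", "10.1.1.5")]
    for src, dst in probes:
        print(f"{src} -> {dst}: {classify(conns, src, dst) or 'no policy match (cleartext)'}")
```

Run as-is to see that only the probes sourced from 10.1.1.0/24 or 10.1.2.0/24 are covered by gw-to-gw; a packet sourced from the transit address is not. On the live hosts the authoritative view is the kernel's installed policies and states (`ip xfrm policy` and `ip xfrm state` under the netkey stack) together with a capture filtered on ESP (IP protocol 50) on the transit interface.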



Can someone point me in some direction?



Thanks,



Kent Davies