[Openswan Users] IPsec configuration

Bart Smink bartsmink at gmail.com
Sat Nov 16 11:37:10 UTC 2013 

Hi Kent,

Nice images, way better than the usual textart. I think that you need to
change virtual private to virtual_private=%v4:
0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24 on left and
virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.2.0/24on
right. In ipsec.conf it is normal to have left as the local computer.
So
the ipsec.conf on computer B would be left = 192.168.2.1 leftsubnet =
10.1.2.0/24 right = 192.168.1.1 rightsubnet = 10.1.1.0/24 . And I dont use
leftnexthop and rightnexthop in my config, and I dont think you need it, it
is the next hop to the ISP, so in the direction of the WAN network.

Greetings,

Bart



2013/11/16 Ana <kentdavies at gmail.com>

> Hi everybody.
>
>
> I’m starting to learn *IPsec* and I'm having some problems.
>
>
> I’m running two virtual machines with CentOS that simulates the network
> depicted in the bellow picture.
>
> [image: Inline image 1]
>
>
> I want to create an IPsec tunnel between machine A and machine B. The keys
> should be negotiated using IKE and the tunnel should enable total
> connectivity between the two machines.
>
>
>
> My *ipsec.conf* file on both machines is this:
>
>
> config setup
>
>             protostack=netkey
>
>             dumpdir=/var/run/pluto/
>
>             nat_traversal=yes
>
>             virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24
>
> conn gw-to-gw
>
>             authby=secret
>
>             left=192.168.1.1
>
>             leftsubnet=10.1.1.0/24
>
>             leftnexthop=192.168.1.2
>
>             right=192.168.1.2
>
>             rightsubnet=10.1.2.0/24
>
>             rightnexthop=192.168.1.1
>
>             auto=start
>
>             type=tunnel
>
>
> And *ipsec.secrets* on both machines is this:
>
>
> 192.168.1.1 192.168.1.2 : PSK "test"
>
>
>
> I then do* service ipsec start* on machine A followed by the same command
> on machine B. Then, again on machine A, I do *ipsec auto –up gw-to-gw*followed by the exact same command on machine B.
>
> Machine A output:
>
> [root at mainmachine etc]# service ipsec start
>
> ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
>
> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
> /proc/sys/crypto/fips_enabled
>
> [root at mainmachine etc]# ipsec auto --up gw-to-gw
>
> 117 "gw-to-gw" #5: STATE_QUICK_I1: initiate
>
> 004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
> mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
>
> [root at mainmachine etc]#
>
>
> Machine B output:
>
> [root at mainmachine etc]# service ipsec start
>
> ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
>
> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
> /proc/sys/crypto/fips_enabled
>
> [root at mainmachine etc]# ipsec auto --up gw-to-gw
>
> 117 "gw-to-gw" #6: STATE_QUICK_I1: initiate
>
> 004 "gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
> mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
>
> [root at mainmachine etc]#
>
>
>
> I’m now using Wireshark to see how the traffic goes through the network
> from machine A to machine B.
>
>
> Listening on interface *eth5 *of machine B and pinging* 10.1.2.254* or
> *10.1.2.2* from machine A, Wireshark does not capture any packet. If I do
> the exact same procedure but not listening on interface *eth6* Wireshark
> captures the following image.
>
> [image: Inline image 2]
>
>
>
> I believe that the packet should somehow be encrypted but Wireshark is
> telling me that it is not, so probably I have some kind of error on my
> *ipsec.conf* configuration.
>
>
>
> Can someone point me in some direction?
>
>
>
> Thanks,
>
>
>
>  Kent Davies
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>


-- 
**** DISCLAIMER ****

"This e-mail and any attachment thereto may contain information which is
confidential and/or protected by intellectual property rights and are
intended for the sole use of the recipient(s) named above.
Any use of the information contained herein (including, but not limited to,
total or partial reproduction, communication or distribution in any form)
by other persons than the designated recipient(s) is prohibited.
If you have received this e-mail in error, please notify the sender either
by telephone or by e-mail and delete the material from any computer".

Thank you for your cooperation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20131116/0f6d087b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 33en.jpg
Type: image/jpeg
Size: 231931 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20131116/0f6d087b/attachment-0001.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 19854 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20131116/0f6d087b/attachment-0001.png>

More information about the Users mailing list