[Openswan Users] IPsec configuration

Ana kentdavies at gmail.com
Sat Nov 16 12:00:15 UTC 2013


Hi Bart.

Thanks for your reply.

I've followed your suggestions and changed *ipsec.conf* on machine A to:

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24

conn gw-to-gw
        authby=secret
        left=192.168.1.1
        leftsubnet=10.1.1.0/24
        right=192.168.1.2
        rightsubnet=10.1.2.0/24
        auto=start
        type=tunnel

And on machine B to:

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.2.0/24

conn gw-to-gw
        authby=secret
        left=192.168.1.2
        leftsubnet=10.1.2.0/24
        right=192.168.1.1
        rightsubnet=10.1.1.0/24
        auto=start
        type=tunnel


As before, pinging from machine A to machine B with Wireshark listening on
interface *eth6* gives this:

[image: Inline image 1]

Again, it is not encrypted.

Thanks for your help.

Kent Davies


On Sat, Nov 16, 2013 at 11:37 AM, Bart Smink <bartsmink at gmail.com> wrote:

> Hi Kent,
>
> Nice images, way better than the usual textart. I think that you need to
> change virtual_private to
> virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24 on left and
> virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.2.0/24 on right.
> In ipsec.conf it is normal to have left as the local computer. So the
> ipsec.conf on computer B would be left=192.168.2.1 leftsubnet=10.1.2.0/24
> right=192.168.1.1 rightsubnet=10.1.1.0/24. And I don't use leftnexthop and
> rightnexthop in my config, and I don't think you need it; it is the next hop
> to the ISP, so in the direction of the WAN network.
>
> Greetings,
>
> Bart
>
>
>
> 2013/11/16 Ana <kentdavies at gmail.com>
>
>> Hi everybody.
>>
>>
>> I’m starting to learn *IPsec* and I'm having some problems.
>>
>>
>> I’m running two virtual machines with CentOS that simulate the network
>> depicted in the picture below.
>>
>> [image: Inline image 1]
>>
>>
>> I want to create an IPsec tunnel between machine A and machine B. The
>> keys should be negotiated using IKE and the tunnel should enable total
>> connectivity between the two machines.
>>
>>
>>
>> My *ipsec.conf* file on both machines is this:
>>
>>
>> config setup
>>         protostack=netkey
>>         dumpdir=/var/run/pluto/
>>         nat_traversal=yes
>>         virtual_private=%v4:10.1.1.0/24,%v4:10.1.2.0/24
>>
>> conn gw-to-gw
>>         authby=secret
>>         left=192.168.1.1
>>         leftsubnet=10.1.1.0/24
>>         leftnexthop=192.168.1.2
>>         right=192.168.1.2
>>         rightsubnet=10.1.2.0/24
>>         rightnexthop=192.168.1.1
>>         auto=start
>>         type=tunnel
>>
>>
>> And *ipsec.secrets* on both machines is this:
>>
>>
>> 192.168.1.1 192.168.1.2 : PSK "test"
>>
>>
>>
>> I then do *service ipsec start* on machine A followed by the same
>> command on machine B. Then, again on machine A, I do *ipsec auto --up
>> gw-to-gw* followed by the exact same command on machine B.
>>
>> Machine A output:
>>
>> [root@mainmachine etc]# service ipsec start
>> ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> [root@mainmachine etc]# ipsec auto --up gw-to-gw
>> 117 "gw-to-gw" #5: STATE_QUICK_I1: initiate
>> 004 "gw-to-gw" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc17e5cb7 <0xefd31319 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>> [root@mainmachine etc]#
>>
>>
>> Machine B output:
>>
>> [root@mainmachine etc]# service ipsec start
>> ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.23.2.el6.i686...
>> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
>> [root@mainmachine etc]# ipsec auto --up gw-to-gw
>> 117 "gw-to-gw" #6: STATE_QUICK_I1: initiate
>> 004 "gw-to-gw" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xf5fe7b43 <0x94c97925 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>> [root@mainmachine etc]#
>>
>>
>>
>> I’m now using Wireshark to see how the traffic goes through the network
>> from machine A to machine B.
>>
>>
>> Listening on interface *eth5* of machine B and pinging *10.1.2.254* or
>> *10.1.2.2* from machine A, Wireshark does not capture any packet. If I
>> do the exact same procedure but now listening on interface *eth6*, Wireshark
>> captures the following image.
>>
>> [image: Inline image 2]
>>
>>
>>
>> I believe that the packet should somehow be encrypted but Wireshark is
>> telling me that it is not, so probably I have some kind of error on my
>> *ipsec.conf* configuration.
>>
>>
>>
>> Can someone point me in some direction?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Kent Davies
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>
>
> --
> **** DISCLAIMER ****
>
> "This e-mail and any attachment thereto may contain information which is
> confidential and/or protected by intellectual property rights and are
> intended for the sole use of the recipient(s) named above.
> Any use of the information contained herein (including, but not limited
> to, total or partial reproduction, communication or distribution in any
> form) by other persons than the designated recipient(s) is prohibited.
> If you have received this e-mail in error, please notify the sender either
> by telephone or by e-mail and delete the material from any computer".
>
> Thank you for your cooperation.
>
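Whether a packet leaves the gateway encrypted is decided by the IPsec policy selectors, not by whether the SA is up: a subnet-to-subnet conn such as gw-to-gw above only covers packets whose source lies in leftsubnet and whose destination lies in rightsubnet (or the reverse), so a ping originated on the gateway itself from its 192.168.1.x address does not match a 10.1.1.0/24 to 10.1.2.0/24 policy and goes out in the clear. On the box the authoritative check is `ip xfrm policy show`. The script below is an added example, not part of this thread or of Openswan's own tooling: it reads the conn sections of an ipsec.conf-style text and reports which conn, if any, covers a given source/destination pair. The sample config is constructed to mirror machine A's file, and the function names are my own.

```python
"""Report which Openswan conn (if any) would protect a given src->dst flow.

Added example for the thread above, not code from Openswan or from the
thread's authors. It applies the selector rule: a policy covers a packet
only when the source is inside leftsubnet AND the destination is inside
rightsubnet, or the same in the reverse direction.
"""
import ipaddress
import re

# Constructed sample mirroring machine A's ipsec.conf from the thread.
SAMPLE_CONF = """\
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:0.0.0.0/0,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.1.1.0/24

conn gw-to-gw
        authby=secret
        left=192.168.1.1
        leftsubnet=10.1.1.0/24
        right=192.168.1.2
        rightsubnet=10.1.2.0/24
        auto=start
        type=tunnel
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:
            # Only 'conn' sections carry selectors; 'config setup' is skipped.
            current = conns.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def _selector(conn, side):
    """leftsubnet/rightsubnet if set, else the host address itself (/32)."""
    subnet = conn.get(side + "subnet")
    if subnet is None:
        subnet = conn[side]  # host-to-host policy when no subnet is given
    return ipaddress.ip_network(subnet, strict=False)


def covering_conn(conns, src, dst):
    """Name of the first conn whose selectors cover src->dst, else None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        if "left" not in conn or "right" not in conn:
            continue
        try:
            left, right = _selector(conn, "left"), _selector(conn, "right")
        except ValueError:
            continue  # %defaultroute and similar magic values are not networks
        if (src_ip in left and dst_ip in right) or (src_ip in right and dst_ip in left):
            return name
    return None


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    # A host behind A talking to a host behind B: covered.
    # The gateway's own outer address talking to a host behind B: not covered.
    for src, dst in [("10.1.1.10", "10.1.2.2"), ("192.168.1.1", "10.1.2.2")]:
        print(src, "->", dst, "covered by:", covering_conn(conns, src, dst))
```

Run it as-is to see the two cases; to check a real file, replace SAMPLE_CONF with the contents of /etc/ipsec.conf. The script only models selectors, so an unencrypted capture with a matching conn still needs `ip xfrm policy show` and `ip xfrm state` to confirm the kernel actually holds the policy and SA.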