[Openswan Users] Help needed
users-bounces at lists.openswan.org
users-bounces at lists.openswan.org
Thu Nov 28 01:56:57 UTC 2013
Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: Gopi Boga <gopib.4180 at gmail.com>
Subject: Fwd: Help needed
Date: November 28, 2013 at 1:56:47 AM EST
To: users at lists.openswan.org
Hi all,
i am new to this ipsec configuration. i am trying to establish ipsec tunnel in between solarish machine and RHEL machine.
i am able to ping from RHEL to tunnel but not from solarish machine.
could you please help me in resolving this issue??
below are the my configurations on ompside (solaris)
----------------------------------------------------------------------------
s210omp root> cat ipsecinit.conf
{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}
{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}
s210omp root>
s210omp root> cat /etc/inet/secret/ike.preshared
#
#ident "@(#)ike.preshared 1.1 01/09/28 SMI"
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# ike.preshared - Pre-shared secrets for IKE authentication.
#
# Entries are of the form:
#
# {
# <attribute> <value>
# ...
# }
#
# Consult the man page for ike.preshared(4) for details.
# ike.preshared for 172.33.8.250 and 172.33.8.128
{
localidtype IP
localid 172.33.8.250
remoteidtype IP
remoteid 172.33.8.128
key 775908663bfb52dfb6e6c625ec7318cc
}
# ike.preshared for 172.33.8.250 and 172.33.8.131
{
localidtype IP
localid 172.33.8.250
remoteidtype IP
remoteid 172.33.8.131
key 12192a9542ea382fa18e04ee7843a971
}
s210omp root>
s210omp root> cat /etc/inet/ike/config
###############################################################################
# Copyright (c) 2003 Lucent Technologies
# All Rights Reserved
#
# This is unpublished proprietary source code of Lucent Technologies.
# The copyright notice above does not evidence any actual
# or intended publication of such source code.
#
# ike.config - IKE uses the rules defined in this file to match incoming
# IKE requests and for constructing outgoing IKE requests.
# These rules are used to manage the keys exchanged for security
# association
###############################################################################
###### global parameters...
## Phase 1 transform defaults...
p1_lifetime_secs 14400
p1_nonce_len 20
# global default phase 1 transform
p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }
# global phase 2 OD-H group
p2_pfs 5
# IKE rule between 172.33.8.250 and 172.33.8.128
{
label "172.33.8.250 - 172.33.8.128"
local_id_type IP
local_addr 172.33.8.250
remote_addr 172.33.8.128
}
# IKE rule between 172.33.8.250 and 172.33.8.131
{
label "172.33.8.250 - 172.33.8.131"
local_id_type IP
local_addr 172.33.8.250
remote_addr 172.33.8.131
}
s210omp root>
s210omp root> ipseckey -f /etc/inet/secret/ipseckeys
s210omp root> ipsecconf
#INDEX 4
{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}
#INDEX 12
{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}
s210omp root>
s210omp root> ipsecconf -a ./ipsecinit.conf
IPsec policy should be managed using smf(5). Modifying
the IPsec policy from the command line while the 'policy'
service is enabled could result in an inconsistent
security policy.
ipsecconf: Kernel returned: Entry already exists
ipsecconf: Duplicate policy entry (ignored):
{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}
ipsecconf: Kernel returned: Entry already exists
ipsecconf: Duplicate policy entry (ignored):
{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}
WARNING : New policy entries that are being added may
affect the existing connections. Existing connections
that are not subjected to policy constraints, may be
subjected to policy constraints because of the new
policy. This can disrupt the communication of the
existing connections.
s210omp root>
s210omp root> ifconfig ip.tun234316288
ip.tun234316288: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 19
inet tunnel src 172.33.8.250 tunnel dst 172.33.8.128
tunnel security settings --> use 'ipsecconf -ln -i ip.tun234316288'
tunnel hop limit 60
inet 1.1.1.7 --> 2.2.2.7 netmask ffffff00
s210omp root>
s210omp root> ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 135.254.174.160 netmask ffffff80 broadcast 135.254.174.255
ether 0:14:4f:d6:4c:6e
ce3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 172.33.8.250 netmask ffff0000 broadcast 172.33.255.255
ether 0:14:4f:d6:4c:6f
ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
inet 172.16.47.254 netmask fffff000 broadcast 172.16.47.255
ether 0:14:4f:44:7a:9c
ce5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
inet 172.16.31.254 netmask fffff000 broadcast 172.16.31.255
ether 0:14:4f:67:45:fe
ip.tun234316288: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 19
inet tunnel src 172.33.8.250 tunnel dst 172.33.8.128
tunnel security settings --> use 'ipsecconf -ln -i ip.tun234316288'
tunnel hop limit 60
inet 1.1.1.7 --> 2.2.2.7 netmask ffffff00
ip.tun234316291: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 13
inet tunnel src 172.33.8.250 tunnel dst 172.33.8.131
tunnel security settings --> use 'ipsecconf -ln -i ip.tun234316291'
tunnel hop limit 60
inet 1.1.1.8 --> 2.2.2.8 netmask ffffff00
s210omp root>
below are the configuration from ap(RHEL)
-------------------------------------------------------------
[flx4007]-> ifconfig ip.tun0
ip.tun0 Link encap:IPIP Tunnel HWaddr
inet addr:2.2.2.7 P-t-P:1.1.1.7 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:14 dropped:0 overruns:0 carrier:14
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[flx4007]->
[flx4007]-> cat iptun0.conf
conn iptun0
type=tunnel
authby=secret
left=172.33.8.128
leftsubnet=1.1.1.7/32
leftsourceip=1.1.1.7
right=172.33.8.250
rightsubnet=2.2.2.7/32
rightsourceip=2.2.2.7
auto=start
pfs=yes
ike=3des-md5;modp1536
phase2alg=3des-md5;modp1536
aggrmode=no
ikelifetime=14400s
salifetime=3600s
compress=no
[flx4007]-> cat iptun0.secrets
172.33.8.250 172.33.8.128 : PSK "0x775908663bfb52dfb6e6c625ec7318cc"
[flx4007]->
[flx4007]-> ping 1.1.1.7
PING 1.1.1.7 (1.1.1.7) 56(84) bytes of data.
64 bytes from 1.1.1.7: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 1.1.1.7: icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from 1.1.1.7: icmp_seq=3 ttl=64 time=0.014 ms
64 bytes from 1.1.1.7: icmp_seq=4 ttl=64 time=0.017 ms
64 bytes from 1.1.1.7: icmp_seq=5 ttl=64 time=0.013 ms
^C
--- 1.1.1.7 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4503ms
rtt min/avg/max/mdev = 0.013/0.016/0.023/0.006 ms
[flx4007]-> ping 2.2.2.7
PING 2.2.2.7 (2.2.2.7) 56(84) bytes of data.
64 bytes from 2.2.2.7: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 2.2.2.7: icmp_seq=2 ttl=64 time=0.013 ms
64 bytes from 2.2.2.7: icmp_seq=3 ttl=64 time=0.015 ms
64 bytes from 2.2.2.7: icmp_seq=4 ttl=64 time=0.014 ms
^C
--- 2.2.2.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3242ms
rtt min/avg/max/mdev = 0.013/0.016/0.022/0.003 ms
[flx4007]->
s210omp root> s210omp root>
s210omp root> ping 1.1.1.7
1.1.1.7 is alive
s210omp root> ping 2.2.2.7
^Cs210omp root>
ping from omp is not working could you please help me wat i am doing wrong??
please let me know if you need any information...
thanks,
gopi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20131128/4c435d62/attachment.html>
More information about the Users
mailing list