[Openswan Users] Help needed

users-bounces at lists.openswan.org
Thu Nov 28 01:56:57 UTC 2013


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: Gopi Boga <gopib.4180 at gmail.com>
Subject: Fwd: Help needed
Date: November 28, 2013 at 1:56:47 AM EST
To: users at lists.openswan.org


Hi all,

I am new to this IPsec configuration. I am trying to establish an IPsec tunnel between a Solaris machine and a RHEL machine.

I am able to ping from RHEL to the tunnel but not from the Solaris machine.

Could you please help me in resolving this issue?

Below are my configurations on the OMP side (Solaris).
----------------------------------------------------------------------------


s210omp root> cat ipsecinit.conf                                          
{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}
{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}
s210omp root> 


s210omp root> cat /etc/inet/secret/ike.preshared
#
#ident  "@(#)ike.preshared      1.1     01/09/28 SMI"
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#

# ike.preshared - Pre-shared secrets for IKE authentication.
#
# Entries are of the form:
#
# {
#       <attribute> <value>
#       ...
# }
#
# Consult the man page for ike.preshared(4) for details.
# ike.preshared for 172.33.8.250 and 172.33.8.128
{
        localidtype IP
        localid 172.33.8.250
        remoteidtype IP
        remoteid 172.33.8.128
        key 775908663bfb52dfb6e6c625ec7318cc
}
# ike.preshared for 172.33.8.250 and 172.33.8.131
{
        localidtype IP
        localid 172.33.8.250
        remoteidtype IP
        remoteid 172.33.8.131
        key 12192a9542ea382fa18e04ee7843a971
}
s210omp root> 



s210omp root> cat /etc/inet/ike/config
###############################################################################
#              Copyright (c) 2003 Lucent Technologies                   
#                       All Rights Reserved                             
#                                                                       
#  This is unpublished proprietary source code of Lucent Technologies.  
#       The copyright notice above does not evidence any actual         
#            or intended publication of such source code.               
#                                                                       
# ike.config - IKE uses the rules defined in this file to match incoming
#       IKE requests and for constructing outgoing IKE requests.
#       These rules are used to manage the keys exchanged for security
#       association
###############################################################################

###### global parameters...

## Phase 1 transform defaults...

p1_lifetime_secs 14400
p1_nonce_len 20

# global default phase 1 transform
p1_xform { auth_method preshared oakley_group 5 auth_alg md5 encr_alg 3des }

# global phase 2 OD-H group
p2_pfs 5
# IKE rule between 172.33.8.250 and 172.33.8.128
{
        label "172.33.8.250 - 172.33.8.128"
        local_id_type IP
        local_addr 172.33.8.250
        remote_addr 172.33.8.128
}
# IKE rule between 172.33.8.250 and 172.33.8.131
{
        label "172.33.8.250 - 172.33.8.131"
        local_id_type IP
        local_addr 172.33.8.250
        remote_addr 172.33.8.131
}
s210omp root> 


s210omp root> ipseckey  -f /etc/inet/secret/ipseckeys
s210omp root> ipsecconf
#INDEX 4 
{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}

#INDEX 12 
{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}

s210omp root> 

s210omp root> ipsecconf -a ./ipsecinit.conf

        IPsec policy should be managed using smf(5). Modifying
        the IPsec policy from the command line while the 'policy'
        service is enabled could result in an inconsistent
        security policy.

ipsecconf: Kernel returned: Entry already exists
ipsecconf: Duplicate policy entry (ignored):
{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} ipsec {encr_algs aes encr_auth_algs hmac-md5}

ipsecconf: Kernel returned: Entry already exists
ipsecconf: Duplicate policy entry (ignored):
{tunnel ip.tun234316291 negotiate tunnel raddr 2.2.2.8 laddr 1.1.1.8} ipsec {encr_algs aes encr_auth_algs hmac-md5}

        WARNING : New policy entries that are being added may
        affect the existing connections. Existing connections
        that are not subjected to policy constraints, may be
        subjected to policy constraints because of the new
        policy. This can disrupt the communication of the
        existing connections.

s210omp root> 

s210omp root> ifconfig ip.tun234316288
ip.tun234316288: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 19
        inet tunnel src 172.33.8.250 tunnel dst 172.33.8.128
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun234316288'
        tunnel hop limit 60 
        inet 1.1.1.7 --> 2.2.2.7 netmask ffffff00 
s210omp root> 




s210omp root> ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000 
ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 135.254.174.160 netmask ffffff80 broadcast 135.254.174.255
        ether 0:14:4f:d6:4c:6e 
ce3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 172.33.8.250 netmask ffff0000 broadcast 172.33.255.255
        ether 0:14:4f:d6:4c:6f 
ce4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 172.16.47.254 netmask fffff000 broadcast 172.16.47.255
        ether 0:14:4f:44:7a:9c 
ce5: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 5
        inet 172.16.31.254 netmask fffff000 broadcast 172.16.31.255
        ether 0:14:4f:67:45:fe 
ip.tun234316288: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 19
        inet tunnel src 172.33.8.250 tunnel dst 172.33.8.128
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun234316288'
        tunnel hop limit 60 
        inet 1.1.1.7 --> 2.2.2.7 netmask ffffff00 
ip.tun234316291: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 13
        inet tunnel src 172.33.8.250 tunnel dst 172.33.8.131
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun234316291'
        tunnel hop limit 60 
        inet 1.1.1.8 --> 2.2.2.8 netmask ffffff00 
s210omp root> 




Below are the configurations from the AP (RHEL).
-------------------------------------------------------------

[flx4007]-> ifconfig ip.tun0       
ip.tun0   Link encap:IPIP Tunnel  HWaddr   
          inet addr:2.2.2.7  P-t-P:1.1.1.7  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:14 dropped:0 overruns:0 carrier:14
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[flx4007]-> 
[flx4007]-> cat iptun0.conf
conn iptun0
        type=tunnel
        authby=secret
        left=172.33.8.128
        leftsubnet=1.1.1.7/32
        leftsourceip=1.1.1.7
        right=172.33.8.250
        rightsubnet=2.2.2.7/32
        rightsourceip=2.2.2.7
        auto=start
        pfs=yes
        ike=3des-md5;modp1536
        phase2alg=3des-md5;modp1536
        aggrmode=no
        ikelifetime=14400s
        salifetime=3600s
        compress=no
[flx4007]-> cat iptun0.secrets
172.33.8.250 172.33.8.128 : PSK "0x775908663bfb52dfb6e6c625ec7318cc"
[flx4007]-> 

[flx4007]-> ping 1.1.1.7
PING 1.1.1.7 (1.1.1.7) 56(84) bytes of data.
64 bytes from 1.1.1.7: icmp_seq=1 ttl=64 time=0.023 ms
64 bytes from 1.1.1.7: icmp_seq=2 ttl=64 time=0.017 ms
64 bytes from 1.1.1.7: icmp_seq=3 ttl=64 time=0.014 ms
64 bytes from 1.1.1.7: icmp_seq=4 ttl=64 time=0.017 ms
64 bytes from 1.1.1.7: icmp_seq=5 ttl=64 time=0.013 ms
^C
--- 1.1.1.7 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4503ms
rtt min/avg/max/mdev = 0.013/0.016/0.023/0.006 ms
[flx4007]-> ping 2.2.2.7
PING 2.2.2.7 (2.2.2.7) 56(84) bytes of data.
64 bytes from 2.2.2.7: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from 2.2.2.7: icmp_seq=2 ttl=64 time=0.013 ms
64 bytes from 2.2.2.7: icmp_seq=3 ttl=64 time=0.015 ms
64 bytes from 2.2.2.7: icmp_seq=4 ttl=64 time=0.014 ms
^C
--- 2.2.2.7 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3242ms
rtt min/avg/max/mdev = 0.013/0.016/0.022/0.003 ms
[flx4007]-> 





s210omp root> s210omp root> 
s210omp root> ping 1.1.1.7
1.1.1.7 is alive
s210omp root> ping 2.2.2.7


^Cs210omp root> 


Ping from OMP is not working. Could you please help me with what I am doing wrong?

Please let me know if you need any information.

Thanks,
Gopi
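As an added example (not part of the original mail), the script below cross-checks the two configurations quoted above for the settings that must agree between peers: each host's inner tunnel address must be the subnet on that host's side of the Openswan conn, and the phase 2 algorithms must match. The Solaris policy line and the conn block are copied from the mail; the mapping of Solaris "hmac-md5" to Openswan "md5" and the use of the ce3 address to identify the Solaris peer are the example's own assumptions. Run on this input, it flags that 1.1.1.7 and 2.2.2.7 are swapped between leftsubnet and rightsubnet and that phase2alg uses 3des while the Solaris policy uses aes.

```python
import re

# Constructed from the two configurations quoted in the mail above.
SOLARIS_POLICY = ("{tunnel ip.tun234316288 negotiate tunnel raddr 2.2.2.7 laddr 1.1.1.7} "
                  "ipsec {encr_algs aes encr_auth_algs hmac-md5}")
OPENSWAN_CONN = """conn iptun0
        left=172.33.8.128
        leftsubnet=1.1.1.7/32
        right=172.33.8.250
        rightsubnet=2.2.2.7/32
        phase2alg=3des-md5;modp1536
"""
SOLARIS_OUTER = "172.33.8.250"   # ce3 address, the IKE endpoint of the Solaris host (assumption)


def parse_solaris(policy):
    """Pull inner addresses and ESP algorithms out of one ipsecinit.conf tunnel line."""
    m = re.search(r"raddr ([\w.]+) laddr ([\w.]+).*encr_algs ([\w-]+) encr_auth_algs ([\w-]+)", policy)
    raddr, laddr, encr, auth = m.groups()
    # Solaris names the integrity algorithm hmac-md5; Openswan writes just md5.
    return {"local": laddr, "remote": raddr, "encr": encr, "auth": auth.replace("hmac-", "")}


def parse_openswan(conn):
    """Return the key=value settings of a conn block as a dict."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", conn, re.M))


def find_mismatches(policy, conn, solaris_outer):
    """List every setting on which the Solaris policy and the Openswan conn disagree."""
    sol, osw = parse_solaris(policy), parse_openswan(conn)
    # Which side of the conn is the Solaris peer? Match on its outer (IKE) address.
    sol_side = "right" if osw.get("right") == solaris_outer else "left"
    rhel_side = "left" if sol_side == "right" else "right"
    problems = []
    sol_subnet = osw[sol_side + "subnet"].split("/")[0]
    rhel_subnet = osw[rhel_side + "subnet"].split("/")[0]
    if sol_subnet != sol["local"]:
        problems.append(f"{sol_side}subnet is {sol_subnet}, Solaris laddr is {sol['local']}")
    if rhel_subnet != sol["remote"]:
        problems.append(f"{rhel_side}subnet is {rhel_subnet}, Solaris raddr is {sol['remote']}")
    encr, auth = osw["phase2alg"].split(";")[0].split("-", 1)
    if encr != sol["encr"]:
        problems.append(f"phase2alg encryption {encr} vs Solaris encr_algs {sol['encr']}")
    if auth != sol["auth"]:
        problems.append(f"phase2alg integrity {auth} vs Solaris encr_auth_algs hmac-{sol['auth']}")
    return problems


if __name__ == "__main__":
    for p in find_mismatches(SOLARIS_POLICY, OPENSWAN_CONN, SOLARIS_OUTER):
        print("MISMATCH:", p)
```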



