[Openswan Users] no phase 2, openswan 1:2.6.23+dfsg-1ubuntu1 + mikrotik 6.11
Vladimir Obukhov
stncldbsh at gmail.com
Sun Apr 13 22:42:23 EDT 2014
OK, I've moved on a bit.
If I do:
# ipsec auto --verbose --down md-ene-mikrotik
# ipsec auto --verbose --up md-ene-mikrotik
I get my tunnel up and running!
/etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-50-generic-pae...
ipsec_setup: Command line is not complete. Try option "help"
So the problem is with the startup scripts or something.
Perhaps there is a fix for this, please help.
2014-04-10 15:58 GMT+07:00 Vladimir Obukhov <stncldbsh at gmail.com>:
> Hello,
>
> I am trying to make a tunnel between
> Linux Openswan U2.6.23/K2.6.32-50-generic-pae (netkey)
> and RouterOS 6.11
> they are connected as follows:
> LAN 192.168.20.0/24===[ 88.888.8.88 OPENSWAN ] ...INTERNET... [ 77.777.77.7 ROUTEROS ]===192.168.17.0/24 LAN;
>
> here's what I see on linux box
> # ipsec auto --status
> "md-ene-mikrotik":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_REPLACE in 1340s; newest ISAKMP; lastdpd=70s(seq in:0 out:0);
> idle; import:not set
>
> on mikrotik I also see
> > ip ipsec remote-peers print
> 0 local-address=77.777.77.7 remote-address=88.888.8.88 state=established
> side=initiator established=38m5s
>
> so the first phase goes right
>
> but I see no sa-installed on MikroTik
> [admin@MikroTik] > ip ipsec installed-sa print
>
> # ip xfrm state
> gives nothing
>
>
> below are the settings on both sides, let me know if more info is needed
> by the way, there is one more tunnel between this mikrotik and another
> one, works fine.
> Thanks!
>
> here's my /etc/ipsec.conf
>
> config setup
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     oe=off
>     protostack=netkey
>
> conn md-ene-mikrotik
>     esp=3des-sha1
>     ike=3des-md5-modp1024
>     authby=secret
>     keylife=28800s
>     left=88.888.8.88
>     leftsubnet=192.168.20.0/24
>     leftsourceip=192.168.20.1
>     right=77.777.77.7
>     rightsubnet=192.168.17.0/24
>     rightsourceip=192.168.17.1
>     auto=add
>     type=tunnel
>     pfs=no
>
> here's mikrotik conf
> > ip ipsec peer print
> 1 address=88.888.8.88/32 local-address=0.0.0.0 passive=no port=500
> auth-method=pre-shared-key secret="cthdbc" generate-policy=no
> exchange-mode=main send-initial-contact=yes proposal-check=obey
> hash-algorithm=md5 enc-algorithm=3des
> dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m
> dpd-maximum-failures=5
>
> > ip ipsec policy print
> 1 src-address=192.168.17.0/24 src-port=any dst-address=192.168.20.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp
> tunnel=yes sa-src-address=77.777.77.7 sa-dst-address=88.888.8.88
> proposal=proposal1 priority=0
>
> > ip ipsec proposal print
> 1 name="proposal1" auth-algorithms=sha1 enc-algorithms=3des
> lifetime=8h pfs-group=modp1024
>
>
>
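
Added example (not part of the original post and not Openswan code): a small Python check that reads `ipsec auto --status` output and flags connections in the situation reported above, where the ISAKMP SA is established but no IPsec SA exists. The connections other-tunnel and half-open and their status lines are constructed samples, and the matching assumes pluto's state descriptions as in the line quoted in the post.

```python
import re

# One pluto state line, with or without the leading "000 #N:" prefix.
STATE_LINE = re.compile(
    r'"(?P<conn>[^"]+)"(?:\[\d+\])?(?::\d+)?\s+'
    r'(?P<state>STATE_\w+)\s+\((?P<desc>[^)]*)\)'
)


def classify(status_text):
    """Map each connection name to 'phase2-up', 'phase1-only' or 'negotiating'."""
    seen = {}
    for line in status_text.splitlines():
        m = STATE_LINE.search(line)
        if not m:
            continue  # not a state line (headers, interface list, ...)
        flags = seen.setdefault(m.group("conn"), {"ike": False, "ipsec": False})
        desc = m.group("desc")
        if "ISAKMP SA established" in desc:   # Main Mode finished (phase 1)
            flags["ike"] = True
        if "IPsec SA established" in desc:    # Quick Mode finished (phase 2)
            flags["ipsec"] = True
    result = {}
    for conn, f in seen.items():
        if f["ipsec"]:
            result[conn] = "phase2-up"
        elif f["ike"]:
            result[conn] = "phase1-only"      # the symptom in this thread
        else:
            result[conn] = "negotiating"
    return result


# First line is the status line from the post; the rest are constructed samples.
SAMPLE = '''
"md-ene-mikrotik":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1340s; newest ISAKMP; lastdpd=70s(seq in:0 out:0); idle; import:not set
000 #3: "other-tunnel":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2600s; newest ISAKMP; idle; import:not set
000 #4: "other-tunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27000s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #5: "half-open":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 8s; nodpd; idle; import:not set
'''

if __name__ == "__main__":
    for conn, verdict in sorted(classify(SAMPLE).items()):
        print(f"{conn}: {verdict}")
```

A connection reported as phase1-only should also show nothing for it in `ip xfrm state`, as in the post.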