[Openswan Users] no phase 2, openswan 1:2.6.23+dfsg-1ubuntu1 + mikrotik 6.11

Vladimir Obukhov stncldbsh at gmail.com
Sat Apr 19 11:10:44 EDT 2014


anyone?
please help ))


2014-04-14 9:42 GMT+07:00 Vladimir Obukhov <stncldbsh at gmail.com>:

> OK, I've moved on a bit.
> If I do:
> # ipsec auto --verbose --down md-ene-mikrotik
> # ipsec auto --verbose --up md-ene-mikrotik
> I get my tunnel up and running!
>
> /etc/init.d/ipsec restart
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-50-generic-pae...
> ipsec_setup: Command line is not complete. Try option "help"
>
> so the problem is with the startup scripts or something
> perhaps there is a fix for this, please help
>
> 2014-04-10 15:58 GMT+07:00 Vladimir Obukhov <stncldbsh at gmail.com>:
>
> Hello,
>>
>> I am trying to make a tunnel between
>> Linux Openswan U2.6.23/K2.6.32-50-generic-pae (netkey)
>> and RouterOS 6.11
>> they are connected as follows:
>> LAN 192.168.20.0/24===[ 88.888.8.88 OPENSWAN ] ...INTERNET... [ 77.777.77.7 ROUTEROS ]===192.168.17.0/24 LAN;
>>
>> here's what I see on the Linux box
>> # ipsec auto --status
>> "md-ene-mikrotik":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1340s; newest ISAKMP; lastdpd=70s(seq in:0 out:0); idle; import:not set
>>
>> on the MikroTik I also see
>> > ip ipsec remote-peers print
>>  0 local-address=77.777.77.7 remote-address=88.888.8.88 state=established side=initiator established=38m5s
>>
>> so the first phase goes right
>>
>> but I see no installed SA on the MikroTik
>> [admin at MikroTik] > ip ipsec installed-sa print
>>
>> # ip xfrm state
>> gives nothing
>>
>>
>> below are the settings on both sides, let me know if more info is needed
>> by the way, there is one more tunnel between this MikroTik and another
>> one, and it works fine.
>> Thanks!
>>
>> here's my /etc/ipsec.conf
>>
>> config setup
>>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>         oe=off
>>         protostack=netkey
>>
>> conn md-ene-mikrotik
>>     esp=3des-sha1
>>     ike=3des-md5-modp1024
>>     authby=secret
>>     keylife=28800s
>>     left=88.888.8.88
>>     leftsubnet=192.168.20.0/24
>>     leftsourceip=192.168.20.1
>>     right=77.777.77.7
>>     rightsubnet=192.168.17.0/24
>>     rightsourceip=192.168.17.1
>>     auto=add
>>     type=tunnel
>>     pfs=no
>>
>> here's the MikroTik config
>> > ip ipsec peer print
>>  1   address=88.888.8.88/32 local-address=0.0.0.0 passive=no port=500 auth-method=pre-shared-key secret="cthdbc" generate-policy=no exchange-mode=main send-initial-contact=yes proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5
>>
>> > ip ipsec policy print
>>  1    src-address=192.168.17.0/24 src-port=any dst-address=192.168.20.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=77.777.77.7 sa-dst-address=88.888.8.88 proposal=proposal1 priority=0
>>
>> > ip ipsec proposal print
>>  1    name="proposal1" auth-algorithms=sha1 enc-algorithms=3des lifetime=8h pfs-group=modp1024
>>
>>
>>
>
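Added example, not code from the thread, from Openswan or from RouterOS: two checks a practitioner would run on the situation reported above. The first classifies the tunnel from the same two outputs the poster pasted ("ipsec auto --status" and "ip xfrm state"), telling "ISAKMP SA up, no IPsec SA" apart from a fully established tunnel. The second lines up the Openswan conn's quick-mode parameters (esp=, pfs=, keylife=) against the RouterOS proposal (enc-algorithms, auth-algorithms, pfs-group, lifetime) and prints every disagreement. On the configs as posted, the only phase 2 parameter the two ends disagree on is PFS (Openswan pfs=no, RouterOS pfs-group=modp1024); the thread does not settle whether that is what blocks quick mode here, the script only makes such differences visible. The sample status line and config values are literals copied from the post; the unit conversion in to_seconds and the "none" spelling for a RouterOS proposal without PFS are assumptions made for this example. Two caveats beyond the script: 3DES, MD5 and modp1024 are all deprecated choices for a new tunnel, and a pre-shared key that has been pasted to a public list should be treated as disclosed and replaced.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan/RouterOS.
#  1. tunnel_state: tell "phase 1 only" apart from "phase 2 up" using the
#     two outputs the poster pasted (ipsec auto --status, ip xfrm state).
#  2. phase2_mismatches: line up the Openswan conn's quick-mode parameters
#     against the RouterOS proposal and print every disagreement.
# All inputs are literals constructed from the thread.

# Constructed sample: the status line from the post and the (empty) xfrm output.
STATUS_SAMPLE='"md-ene-mikrotik":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1340s; newest ISAKMP; lastdpd=70s(seq in:0 out:0); idle; import:not set'
XFRM_SAMPLE=''

# tunnel_state STATUS_TEXT XFRM_TEXT -> prints down | phase1-only | phase2-up
# Phase 1 (ISAKMP SA) is read from the Openswan status text. Phase 2 is taken
# from either side: Openswan prints "IPsec SA established" once quick mode
# finishes, and with protostack=netkey the negotiated SA also shows up as an
# ESP entry in "ip xfrm state". An established ISAKMP SA with neither of those
# is exactly the "no phase 2" picture from the thread.
tunnel_state() {
    status=$1
    xfrm=$2
    if printf '%s\n' "$xfrm" | grep -q 'proto esp' \
       || printf '%s\n' "$status" | grep -q 'IPsec SA established'; then
        echo phase2-up
    elif printf '%s\n' "$status" | grep -q 'ISAKMP SA established'; then
        echo phase1-only
    else
        echo down
    fi
}

# to_seconds VALUE -> VALUE normalised to seconds so "8h" and "28800s" compare
# equal (accepts the s, m, h, d suffixes; a bare number is returned unchanged).
to_seconds() {
    v=$1
    n=${v%?}
    u=${v#"$n"}
    case $u in
        s) echo "$n" ;;
        m) echo $((n * 60)) ;;
        h) echo $((n * 3600)) ;;
        d) echo $((n * 86400)) ;;
        *) echo "$v" ;;
    esac
}

# phase2_mismatches ESP PFS KEYLIFE ENC AUTH PFSGROUP LIFETIME
#   ESP PFS KEYLIFE            : Openswan conn values (esp=, pfs= given as "no"
#                                or as the modp group it uses, keylife=)
#   ENC AUTH PFSGROUP LIFETIME : RouterOS "ip ipsec proposal" values
# Prints one line per disagreement; returns 0 when both sides agree on the
# parameters that decide whether quick mode can complete, 1 otherwise.
phase2_mismatches() {
    esp=$1 pfs=$2 keylife=$3 enc=$4 auth=$5 pfsgroup=$6 lifetime=$7
    rc=0
    if [ "$esp" != "$enc-$auth" ]; then
        echo "esp: openswan=$esp routeros=$enc-$auth"
        rc=1
    fi
    # Assumption: RouterOS shows "none" for a proposal without a PFS group.
    if [ "$pfs" = no ] && [ "$pfsgroup" != none ]; then
        echo "pfs: openswan=no routeros=$pfsgroup"
        rc=1
    elif [ "$pfs" != no ] && [ "$pfs" != "$pfsgroup" ]; then
        echo "pfs: openswan=$pfs routeros=$pfsgroup"
        rc=1
    fi
    # A lifetime difference is reported but does not fail the check: the
    # responder normally takes the initiator's value (RouterOS: proposal-check=obey).
    if [ "$(to_seconds "$keylife")" != "$(to_seconds "$lifetime")" ]; then
        echo "lifetime (informational): openswan=$keylife routeros=$lifetime"
    fi
    return $rc
}

# Run both checks on the values posted in the thread.
echo "state: $(tunnel_state "$STATUS_SAMPLE" "$XFRM_SAMPLE")"
phase2_mismatches 3des-sha1 no 28800s 3des sha1 modp1024 8h \
    || echo "phase 2 parameters differ between the two ends (see lines above)"
```

Run it as "sh check-phase2.sh" on the Openswan box; to check a live system, replace the two sample variables with "$(ipsec auto --status)" and "$(ip xfrm state)" and the seven literal arguments with the values from your own ipsec.conf and "ip ipsec proposal print".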