[Openswan Users] [Centos6.5][site-to-site]Can't work

[Cody Chan]

Hi, all
I did step by step to let openswan work in site-to-site mode, but tried
several times, still, it couldn't work properly.
The following is my environment:

10.1.120.2(subnet:
10.1.120.0/24)--192.168.1.120----swith----192.168.1.121--10.1.121.2(subnet:10.1.121.0/24
)
PC-A                                         VPN-Server-A
 VPN-Server-B    PC-B
=======================
(VPN-Server-B && VPN-Server-A)
#ipsec verify

​Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-431.29.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel                         [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects           [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Testing against enforced SElinux mode                       [OK]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                       [OK]
Two or more interfaces found, checking IP forwarding         [OK]
Checking NAT and MASQUERADEing                               [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                             [DISABLED]

​(VPN-Server-B)
​#​cat /etc/ipsec.conf
version 2.0
config setup
klipsdebug=all
plutodebug=all
protostack=netkey
nat_traversal=yes
oe=off
​conn secgw-vpn
        authby=secret
        auto=start
        ike=3des-sha1
        keyexchange=ike
        auth=esp
        pfs=no
        type=tunnel
        left=192.168.1.121
        leftnexthop=%defaultroute
        leftsubnet=10.1.121.0/24
        right=192.168.1.120
rightnexthop=%defaultroute
        rightsubnet=10.1.120.0/24​

(VPN-Server-A)
​#​cat /etc/ipsec.conf
​version 2.0
config setup
klipsdebug=all
plutodebug=all
protostack=netkey
nat_traversal=yes
oe=off​
​conn secgw-vpn
authby=secret
auto=start
ike=3des-sha1
        keyexchange=ike
        auth=esp
        pfs=no
        type=tunnel
        left=192.168.1.120
        leftnexthop=%defaultroute
        leftsubnet=10.1.120.0/24
        right=192.168.1.121
rightnexthop=%defaultroute
        rightsubnet=10.1.121.0/24​

(VPN-Server-A, B is similar)
#ipsec auto --status
​000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.120
000 interface eth0/eth0 192.168.1.120
000 interface eth1/eth1 10.1.120.1
000 interface eth1/eth1 10.1.120.1
000 %myid = (none)
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not
work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160,
keysizemax=160
000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128,
keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "secgw-vpn": 10.1.120.0/24===192.168.1.120
<192.168.1.120>[+S=C]---192.168.1.1...192.168.1.1---192.168.1.121<192.168.1.121>[+S=C]===
10.1.121.0/24; erouted; eroute owner: #9
000 "secgw-vpn":     myip=unset; hisip=unset;
000 "secgw-vpn":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "secgw-vpn":   policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
interface: eth0;
000 "secgw-vpn":   dpd: action:clear; delay:0; timeout:0;
000 "secgw-vpn":   newest ISAKMP SA: #7; newest IPsec SA: #9;
000 "secgw-vpn":   IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
000 "secgw-vpn":   IKE algorithms found:
 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5),
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "secgw-vpn":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000
000 #9: "secgw-vpn":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 27482s; newest IPSEC; eroute owner; isakmp#7; idle;
import:admin initiate
000 #9: "secgw-vpn" esp.9439d0e0 at 192.168.1.121 esp.3cdf6c67 at 192.168.1.120
tun.0 at 192.168.1.121 tun.0 at 192.168.1.120 ref=0 refhim=4294901761
000 #8: "secgw-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 26240s; isakmp#7; idle; import:admin initiate
000 #8: "secgw-vpn" esp.6fa4ad30 at 192.168.1.121 esp.f544d986 at 192.168.1.120
tun.0 at 192.168.1.121 tun.0 at 192.168.1.120 ref=0 refhim=4294901761
000 #7: "secgw-vpn":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 799s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle;
import:admin initiate
000  ​

​===============================
Failed When ping from both PC-A​ and PC-B to another.

Thx a lot.

-- 
QSBDT0RFUiBGUk9NIFJJRVNUIE9GIENUU0VV
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20141205/d4e6c156/attachment-0001.html>