[Openswan Users] IPSec on Centos6.5

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Feb 11 03:42:55 EST 2014


 

What settings do you have in the Draytek (including the advanced
settings)? 

Can you check your subnets (although it is not the issue) as your
virtual_private subnets do not match the rightsubnet (/16 is not
255.255.255.0). Anyway you should not need virtual_private or
nat_traversal. 

In your conn, you will probably also want a leftsubnet and leftsourceip.
Also to get the tunnel up and running I'd remove the esp line, change
auto to add and have the Draytek initiate the connection. 

Have you opened the CentOS firewall to udp:500 and the esp protocol? Is
there any reason you are not using PFS? 

Regards, 

Nick 

BTW I have a DrayTek 2710 and 2820 calling me (ClearOS). 

On 2014-02-11 05:29, David Fowler wrote: 

> Hi all
> 
> I'm having some issues getting Openswan running on a Centos6.5 box to connect to a Draytek router (or even another Centos box) using an IPSec connection
> 
> Here are all my settings (IP addresses have been changed - but consistent here)
> 1.1.1.1 - CentOS server
> 2.2.2.2 - CentOS server bcast
> 3.3.3.3 - router on the other end
> 
> When I run an 'ipsec --up testconnection', I get the following
> 
> ipsec auto --up testconnection
> 104 "testconnection" #3: STATE_MAIN_I1: initiate
> 010 "testconnection" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "testconnection" #3: STATE_MAIN_I1: retransmission; will wait 40s for response
> 
> The /var/log/secure file shows
> Feb 11 05:26:29 host pluto[31976]: | processing connection testconnection
> Feb 11 05:26:29 host pluto[31976]: | handling event EVENT_RETRANSMIT for 3.3.3.3 "testconnection" #3
> Feb 11 05:26:29 host pluto[31976]: | sending 592 bytes for EVENT_RETRANSMIT through eth0:500 to 3.3.3.3:500 (using #3)
> 
> Config files and outputs are below
> 
> ----------
> IFCONFIG
> eth0 Link encap:Ethernet HWaddr 00:16:3E:38:7B:2C
> inet addr:1.1.1.1 Bcast:2.2.2.2 Mask:255.255.248.0
> 
> -----------
> /ETC/IPSEC.CONF
> config setup
> klipsdebug=all
> plutodebug=all
> protostack=netkey
> nat_traversal=yes
> virtual_private=%v4:192.168.0.0/16,%v4:192.168.3.0/16
> interfaces=%defaultroute
> 
> conn testconnection
> type=tunnel
> left=1.1.1.1
> right=3.3.3.3
> rightsubnet=192.168.3.0/255.255.255.0
> auth=esp
> esp=3des-168
> keyexchange=ike
> auto=start
> pfs=no
> rekey=no
> authby=secret
> 
> ----------
> /ETC/IP.SECRETS
> 1.1.1.1 3.3.3.3: PSK "mykeyhere"
> 
> ----------
> IPSEC VERIFY
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.32/K2.6.32-431.3.1.el6.x86_64 (netkey)
> Checking for IPsec support in kernel [OK]
> SAref kernel support [N/A]
> NETKEY: Testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [OK]
> Checking for 'iptables' command [OK]
> 
> ----------
> 
> Any help would be appreciated.
> 
> Dave
> 
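Added example, not part of the thread and not Nick's or Openswan's own code: the conn shape Nick describes (leftsubnet and leftsourceip added, the esp= line and virtual_private/nat_traversal dropped, auto=add, PFS on), and a check that the CentOS host firewall actually admits IKE and ESP. The addresses and rightsubnet are the placeholders from Dave's post; the left subnet 10.0.0.0/24, leftsourceip 10.0.0.1 and the sample iptables chains are assumptions constructed for the example, since the post does not show them.

```shell
#!/bin/sh
# Added example (not from the thread). 1.1.1.1, 3.3.3.3 and 192.168.3.0/24 are
# the placeholders from the post; 10.0.0.0/24 and 10.0.0.1 are assumed values.

# Print the corrected conn. The mask is written as a prefix length so it cannot
# disagree with the subnet the way the original virtual_private entry did.
render_ipsec_conf() {
cat <<'EOF'
config setup
    protostack=netkey
    interfaces=%defaultroute

conn testconnection
    type=tunnel
    left=1.1.1.1
    leftsubnet=10.0.0.0/24
    leftsourceip=10.0.0.1
    right=3.3.3.3
    rightsubnet=192.168.3.0/24
    keyexchange=ike
    authby=secret
    pfs=yes
    auto=add
EOF
}

# Read `iptables -S INPUT` output on stdin and print which of the inputs IPsec
# needs have no reachable ACCEPT rule: udp/500 (IKE), udp/4500 (NAT-T, only
# needed with a NAT between the peers) and the ESP protocol itself.
check_ipsec_fw() {
    # Only rules above the chain's first REJECT/DROP can ever match, so cut there:
    # an ACCEPT appended after the stock CentOS REJECT line is dead.
    rules=$(awk '/-j (REJECT|DROP)( |$)/ { exit } { print }')
    missing=""
    printf '%s\n' "$rules" | grep -Eq -e '-p udp .*--dport 500( |$).*-j ACCEPT' \
        || missing="$missing udp/500"
    printf '%s\n' "$rules" | grep -Eq -e '-p udp .*--dport 4500( |$).*-j ACCEPT' \
        || missing="$missing udp/4500"
    printf '%s\n' "$rules" | grep -Eq -e '-p esp .*-j ACCEPT' \
        || missing="$missing esp"
    echo "${missing# }"
}

# Constructed sample: a stock CentOS 6 INPUT chain with only ssh opened.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# The three rules that open it up. In /etc/sysconfig/iptables they must sit
# ahead of the final REJECT line, as in FIXED_RULES below.
IPSEC_RULES='-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT'

FIXED_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

echo "stock chain, missing:    $(printf '%s\n' "$SAMPLE_RULES" | check_ipsec_fw)"
echo "rules after REJECT, missing: $(printf '%s\n%s\n' "$SAMPLE_RULES" "$IPSEC_RULES" | check_ipsec_fw)"
echo "rules before REJECT, missing: '$(printf '%s\n' "$FIXED_RULES" | check_ipsec_fw)'"
echo "--- suggested conn ---"
render_ipsec_conf
```

On the live box run `iptables -S INPUT | check_ipsec_fw` (after sourcing the script); with auto=add the CentOS side only responds, so the Draytek's initiation will show up in /var/log/secure as a received MAIN_R1 rather than the retransmits in the post.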