[Openswan Users] OpenSwan from Ubuntu to Vyatta via IPsec

Jesus arteche chechu.linux at gmail.com
Sun Jan 19 18:11:12 EST 2014


Hey guys,

I'm trying to establish an IPsec tunnel between two different networks ...

Server A (openSwan over Ubuntu): has a subnet 10.1.3.0
Server B (Vyatta): has a subnet 10.54.229.0

I want to route traffic between the two different networks using an IPsec
tunnel... I think I managed to establish the tunnel:


On server A (IP 129.35.213.xx), I got this log from */var/log/auth.log*


Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: Main mode peer ID
is ID_IPV4_ADDR: '50.23.67.xx'
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256
prf=oakley_sha group=modp1536}
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW {using isakmp#1
msgid:9deaa9b8 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: STATE_QUICK_I2:
sent QI2, IPsec SA established tunnel mode {ESP=>0xc4377ca1 <0x33607d15
xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Jan 19 23:00:23 vm-10-1-3-39 pluto[12250]: "sample" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xced37bef) not found (maybe expired)
Jan 19 23:00:23 vm-10-1-3-39 pluto[12250]: "sample" #1: received and
ignored informational message

*/var/log/syslog*

Jan 19 23:00:04 vm-10-1-3-39 ipsec_setup: ...Openswan IPsec started
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: adjusting ipsec.d to
/etc/ipsec.d
Jan 19 23:00:04 vm-10-1-3-39 pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: 002 added connection
description "sample"
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: 104 "sample" #1:
STATE_MAIN_I1: initiate

*ipsec auto --status*

000 "sample": 10.1.3.0/26===129.35.213.xx[+S=C]...50.23.67.xx
<50.23.67.xx>[+S=C]===10.54.229.0/26; erouted; eroute owner: #2
000 "sample":     myip=unset; hisip=unset;
000 "sample":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "sample":   policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+lKOD+rKOD; prio: 26,26;
interface: eth0;
000 "sample":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "sample":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5),
AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=-strict
000 "sample":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-5,
AES_CBC(7)_256-SHA1(2)_160-2,
000 "sample":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "sample":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "sample":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "sample":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000
000 #2: "sample":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE_IF_USED in 27734s; newest IPSEC; eroute owner; isakmp#1;
idle; import:admin initiate
000 #2: "sample" esp.c4377ca1@50.23.67.xx esp.33607d15@129.35.213.xx
tun.0@50.23.67.xx tun.0@129.35.213.xx ref=0 refhim=4294901761
000 #1: "sample":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE_IF_USED in 2608s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate
000



On server B (Vyatta, IP 50.23.67.xx)

*show vpn ike sa*


Peer ID / IP                            Local ID / IP
------------                            -------------
129.35.213.xx                          50.23.67.xx

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   sha1  5        no     651     3600



*show vpn ipsec sa*

Peer ID / IP                            Local ID / IP
------------                            -------------
129.35.213.xx                          50.23.67.xx

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0        3des     md5   no     693     1800    all

*show log vpn ipsec*

Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1452: received Delete SA payload: replace IPSEC State #1451 in 10 seconds
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1448: received Delete SA payload: deleting ISAKMP State #1448
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1452: received Delete SA payload: deleting ISAKMP State #1452
Jan 19 17:00:03 havyatta-3 pluto[15748]: ERROR: asynchronous network error
report on eth1 for message to 129.35.213.xx port 500, complainant
129.35.213.xx: Connection refused [errno 111, origin ICMP type 3 code 3
(not authenticated)]
Jan 19 17:00:03 havyatta-3 pluto[15748]: ERROR: asynchronous network error
report on eth1 for message to 129.35.213.xx port 500, complainant
129.35.213.xx: Connection refused [errno 111, origin ICMP type 3 code 3
(not authenticated)]
Jan 19 17:00:05 havyatta-3 pluto[15748]: packet from 129.35.213.xx:500:
ignoring Vendor ID payload [4f456d406b6753464548407f]
Jan 19 17:00:05 havyatta-3 pluto[15748]: packet from 129.35.213.xx:500:
received Vendor ID payload [Dead Peer Detection]
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1453: responding to Main Mode
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1453: Peer ID is ID_IPV4_ADDR: '129.35.213.xx'
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1453: sent MR3, ISAKMP SA established
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1454: responding to Quick Mode
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1454: IPsec SA established {ESP=>0x33607d15 <0xc4377ca1}



Looks like the tunnel is established... but how can I now connect from a
machine in network 10.1.3.0 to a machine in network 10.54.229.0?


Could you help me?

thanks in advance
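Added example (editor's code, not from the post, Openswan or Vyatta): the status and log lines quoted above, copied here as constructed sample input with the last octets masked exactly as in the post, parsed to answer the two things a practitioner checks first when "the tunnel is up but nothing flows". First, which source/destination pairs actually match the negotiated selectors: the eroute is 10.1.3.0/26===...===10.54.229.0/26, so a host such as 10.1.3.100 is outside the /26 and its packets never enter the tunnel, they just follow the normal routing table. Second, that both peers describe the same child SA (Openswan's outbound SPI 0xc4377ca1 must be Vyatta's inbound SPI and vice versa; the "Delete SA ... 0xced37bef not found" line refers to an SA from an earlier negotiation, not this pair). The block also lists the settings visible in the status output that a security review would flag (3DES/MD5 ESP, no PFS, DONTREKEY, MODP1024 fallback, DPD=none). The test addresses 10.1.3.39 (the host name vm-10-1-3-39 suggests that address), 10.1.3.100 and 10.54.229.10 are assumptions for illustration.

```python
import ipaddress
import re

# Constructed copies of lines from the post ('ipsec auto --status' and pluto logs).
OPENSWAN_STATUS = [
    '000 "sample": 10.1.3.0/26===129.35.213.xx[+S=C]...50.23.67.xx<50.23.67.xx>[+S=C]===10.54.229.0/26; erouted; eroute owner: #2',
    '000 "sample":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0',
    '000 "sample":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+lKOD+rKOD; prio: 26,26; interface: eth0;',
    '000 "sample":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5), AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=-strict',
    '000 "sample":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>',
]
OPENSWAN_LOG = ('"sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode '
                '{ESP=>0xc4377ca1 <0x33607d15 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}')
VYATTA_LOG = '"peer-129.35.213.xx-tunnel-1" #1454: IPsec SA established {ESP=>0x33607d15 <0xc4377ca1}'

# conn name, left subnet ... right subnet, as printed by 'ipsec auto --status'
SELECTOR_RE = re.compile(r'^000 "([^"]+)": +(\d+\.\d+\.\d+\.\d+/\d+)===.*?===(\d+\.\d+\.\d+\.\d+/\d+);')
# {ESP=>0x<outbound spi> <0x<inbound spi> ...} as printed by pluto on both stacks
SPI_RE = re.compile(r'ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)')


def parse_selectors(status_lines):
    """Return {conn_name: (left_subnet, right_subnet)} from status output."""
    out = {}
    for line in status_lines:
        m = SELECTOR_RE.match(line)
        if m:
            out[m.group(1)] = (ipaddress.ip_network(m.group(2)), ipaddress.ip_network(m.group(3)))
    return out


def tunnel_covers(selectors, src, dst):
    """Name of the conn whose selectors match src->dst (either direction), else None.
    A pair outside every selector is sent in the clear via the normal routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (left, right) in selectors.items():
        if (s in left and d in right) or (s in right and d in left):
            return name
    return None


def parse_spis(log_line):
    """(outbound_spi, inbound_spi) as the logging peer sees them, or None."""
    m = SPI_RE.search(log_line)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def spis_mirror(peer_a_line, peer_b_line):
    """True when A's outbound SPI is B's inbound SPI and vice versa, i.e. both
    peers are describing the same child SA rather than a stale one."""
    a, b = parse_spis(peer_a_line), parse_spis(peer_b_line)
    return a is not None and b is not None and a == (b[1], b[0])


WEAK = [  # (pattern over the status/log text, reviewer finding)
    (r'3DES', 'ESP cipher is 3DES (64-bit block); use AES'),
    (r'HMAC_MD5|-MD5', 'ESP integrity is HMAC-MD5; use SHA-2, or at least SHA-1'),
    (r'pfsgroup=<N/A>|pfsgroup=no-pfs', 'no PFS: compromise of the IKE SA exposes every child SA keyed under it'),
    (r'DONTREKEY', 'rekey=no: the initiator will not replace the SA before it expires'),
    (r'MODP1024', 'MODP1024 accepted as IKE fallback; 1024-bit DH is below current guidance'),
    (r'DPD=none', 'no dead peer detection: a dead peer leaves a black-hole SA in place'),
]


def review(status_lines, log_line):
    """Findings a security reviewer would raise about the negotiated tunnel."""
    text = '\n'.join(status_lines) + '\n' + log_line
    return [finding for pattern, finding in WEAK if re.search(pattern, text)]


if __name__ == '__main__':
    sel = parse_selectors(OPENSWAN_STATUS)
    print('selectors:', {k: (str(l), str(r)) for k, (l, r) in sel.items()})
    for src, dst in (('10.1.3.39', '10.54.229.10'), ('10.1.3.100', '10.54.229.10')):
        print(f'{src} -> {dst}:', tunnel_covers(sel, src, dst) or 'NOT covered, plain routing')
    print('both peers describe the same SA:', spis_mirror(OPENSWAN_LOG, VYATTA_LOG))
    for finding in review(OPENSWAN_STATUS, OPENSWAN_LOG):
        print('finding:', finding)
```

On a live system the same functions can be fed the real output of `ipsec auto --status` and the pluto lines from `/var/log/auth.log`; if `tunnel_covers` returns None for the hosts being tested, the fix is the selector (leftsubnet/rightsubnet and the Vyatta local/remote prefix), not the tunnel.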
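Added example (editor's reconstruction, not the poster's actual file): what the `ipsec auto --status` output above implies the `conn sample` section of `/etc/ipsec.conf` on server A looks like, beside a hardened version with the same peers and selectors. Everything not visible in the status output (the lifetime and DPD values in the hardened section, the choice of `keylife=1800s` to match the Vyatta L-Time of 1800 shown in `show vpn ipsec sa`) is an assumption; peer addresses stay masked as in the post.

```ini
# /etc/ipsec.conf on server A (Openswan). Keep exactly ONE of the two conn
# sections below; they have identical selectors and would conflict.

# --- as observed: PSK, 3DES/MD5 ESP, no PFS, rekey=no, no DPD, MODP1024 fallback ---
conn sample
    left=129.35.213.xx
    leftsubnet=10.1.3.0/26
    right=50.23.67.xx
    rightsubnet=10.54.229.0/26
    authby=secret
    ike=aes256-sha1;modp1536,aes256-sha1;modp1024
    esp=3des-md5
    pfs=no
    rekey=no
    ikelifetime=3600s
    keylife=28800s
    auto=start

# --- hardened: same peers and selectors, AES child SA, PFS, rekeying, DPD ---
conn sample
    left=129.35.213.xx
    leftsubnet=10.1.3.0/26
    right=50.23.67.xx
    rightsubnet=10.54.229.0/26
    authby=secret
    ike=aes256-sha1;modp1536          # drop the MODP1024 fallback
    esp=aes256-sha1;modp1536          # AES instead of 3DES/MD5, PFS group after ';'
    pfs=yes
    rekey=yes                         # lets the initiator replace the SA before expiry
    ikelifetime=3600s
    keylife=1800s                     # assumption: align with the Vyatta side's 1800 s
    dpddelay=30                       # assumption: DPD values; the post shows DPD=none
    dpdtimeout=120
    dpdaction=restart
    auto=start
```

The Vyatta esp-group for this peer has to be changed to the same cipher, hash and PFS group before the hardened conn is loaded, or Quick Mode will fail on proposal mismatch; SHA-2 is preferable to SHA-1 for integrity where both stacks support it. Separately from the proposal: the `Bytes Out/In 0.0/0.0` column in `show vpn ipsec sa` confirms that no packet has yet been selected into the SA. Packets enter the tunnel only when their source and destination fall inside the /26 selectors, so the hosts in 10.1.3.0/26 need a route for 10.54.229.0/26 via vm-10-1-3-39's LAN address (and the 10.54.229.0/26 hosts the mirror route via the Vyatta), `net.ipv4.ip_forward` must be 1 on server A, and any MASQUERADE/SNAT rule on server A must exclude destination 10.54.229.0/26, otherwise the packet is rewritten to 129.35.213.xx before the xfrm policy sees it and no longer matches. `ip xfrm policy` shows the installed selectors, and the counters in `ip -s xfrm state` show whether anything is actually being encrypted.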

