[Openswan Users] OpenSwan from Ubuntu to Vyatta via IPsec
Jesus arteche
chechu.linux at gmail.com
Sun Jan 19 18:11:12 EST 2014
Hey guys,
I'm trying to establish an IPsec tunnel between two different networks ...
Server A (openSwan over Ubuntu): has a subnet 10.1.3.0
Server B (Vyatta): has a subnet 10.54.229.0
I want to route traffic between the two different networks using an IPsec
tunnel... I think I got the tunnel established:
On server A (ip: 129.35.213.xx), I got this log from */var/log/auth.log*
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: Main mode peer ID
is ID_IPV4_ADDR: '50.23.67.xx'
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #1: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256
prf=oakley_sha group=modp1536}
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW {using isakmp#1
msgid:9deaa9b8 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: STATE_QUICK_I2:
sent QI2, IPsec SA established tunnel mode {ESP=>0xc4377ca1 <0x33607d15
xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Jan 19 23:00:23 vm-10-1-3-39 pluto[12250]: "sample" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xced37bef) not found (maybe expired)
Jan 19 23:00:23 vm-10-1-3-39 pluto[12250]: "sample" #1: received and
ignored informational message
*/etc/log/syslog*
Jan 19 23:00:04 vm-10-1-3-39 ipsec_setup: ...Openswan IPsec started
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: adjusting ipsec.d to
/etc/ipsec.d
Jan 19 23:00:04 vm-10-1-3-39 pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: 002 added connection
description "sample"
Jan 19 23:00:04 vm-10-1-3-39 ipsec__plutorun: 104 "sample" #1:
STATE_MAIN_I1: initiate
*ipsec auto --status*
000 "sample": 10.1.3.0/26===129.35.213.xx[+S=C]...50.23.67.xx
<50.23.67.xx>[+S=C]===10.54.229.0/26; erouted; eroute owner: #2
000 "sample": myip=unset; hisip=unset;
000 "sample": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "sample": policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+lKOD+rKOD; prio: 26,26;
interface: eth0;
000 "sample": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "sample": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5),
AES_CBC(7)_256-SHA1(2)-MODP1024(2); flags=-strict
000 "sample": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-5,
AES_CBC(7)_256-SHA1(2)_160-2,
000 "sample": IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "sample": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "sample": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "sample": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000
000 #2: "sample":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE_IF_USED in 27734s; newest IPSEC; eroute owner; isakmp#1;
idle; import:admin initiate
000 #2: "sample" esp.c4377ca1 at 50.23.67.xx
esp.33607d15 at 129.35.213.xxtun.0@50.23.67.xxtun.0 at 129.35.213.xxref=0
refhim=4294901761
000 #1: "sample":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE_IF_USED in 2608s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate
000
On server B (Vyatta, ip 50.23.67.xx):
*show vpn ike sa*
Peer ID / IP Local ID / IP
------------ -------------
129.35.213.xx 50.23.67.xx
State Encrypt Hash D-H Grp NAT-T A-Time L-Time
----- ------- ---- ------- ----- ------ ------
up aes256 sha1 5 no 651 3600
*show vpn ipsec sa*
Peer ID / IP Local ID / IP
------------ -------------
129.35.213.xx 50.23.67.xx
Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
------ ----- ------------- ------- ---- ----- ------ ------ -----
1 up 0.0/0.0 3des md5 no 693 1800 all
*show log vpn ipsec*
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1452: received Delete SA payload: replace IPSEC State #1451 in 10 seconds
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1448: received Delete SA payload: deleting ISAKMP State #1448
Jan 19 17:00:03 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1452: received Delete SA payload: deleting ISAKMP State #1452
Jan 19 17:00:03 havyatta-3 pluto[15748]: ERROR: asynchronous network error
report on eth1 for message to 129.35.213.xx port 500, complainant
129.35.213.xxx: Connection refused [errno 111, origin ICMP type 3 code 3
(not authenticated)]
Jan 19 17:00:03 havyatta-3 pluto[15748]: ERROR: asynchronous network error
report on eth1 for message to 129.35.213.xx port 500, complainant
129.35.213.xx: Connection refused [errno 111, origin ICMP type 3 code 3
(not authenticated)]
Jan 19 17:00:05 havyatta-3 pluto[15748]: packet from 129.35.213.xx:500:
ignoring Vendor ID payload [4f456d406b6753464548407f]
Jan 19 17:00:05 havyatta-3 pluto[15748]: packet from 129.35.213.xx:500:
received Vendor ID payload [Dead Peer Detection]
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1453: responding to Main Mode
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1453: Peer ID is ID_IPV4_ADDR: '129.35.213.xx'
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1453: sent MR3, ISAKMP SA established
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1454: responding to Quick Mode
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1"
#1454: IPsec SA established {ESP=>0x33607d15 <0xc4377ca1}
Looks like the tunnel is established... but how can I now connect from a
machine in network 10.1.3.0 to a machine in network 10.54.229.0???
Could you help me??
Thanks in advance
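As an added illustration (not part of the original post or of Openswan itself), a small Python script that parses the log and status lines quoted above: it checks that the ESP SPIs reported by the two peers mirror each other, and whether a given source/destination pair actually falls inside the /26 selectors the "sample" connection negotiated, which is the first thing to verify when an SA is up but the byte counters stay at zero. The sample input is constructed from the lines quoted in the post.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines copied from the two peers' output
# quoted in this post (the wrapped status line is re-joined on one line).
UBUNTU_AUTH_LOG = """\
Jan 19 23:00:05 vm-10-1-3-39 pluto[12250]: "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc4377ca1 <0x33607d15
xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
Jan 19 23:00:23 vm-10-1-3-39 pluto[12250]: "sample" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xced37bef) not found (maybe expired)
"""
VYATTA_LOG = """\
Jan 19 17:00:05 havyatta-3 pluto[15748]: "peer-129.35.213.xx-tunnel-1" #1454: IPsec SA established {ESP=>0x33607d15 <0xc4377ca1}
"""
STATUS_LINE = ('000 "sample": 10.1.3.0/26===129.35.213.xx[+S=C]...50.23.67.xx'
               '<50.23.67.xx>[+S=C]===10.54.229.0/26; erouted; eroute owner: #2')

SPI_RE = re.compile(r"ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)")
SELECTOR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)===.*?===(\d+\.\d+\.\d+\.\d+/\d+)")
STALE_DELETE_RE = re.compile(r"ignoring Delete SA payload: \S+ SA\(0x[0-9a-f]+\) not found")


def esp_spis(log):
    """Return (outbound, inbound) ESP SPI pairs from every 'IPsec SA established' line."""
    return [m.groups() for m in SPI_RE.finditer(log)]


def spis_match(local_log, peer_log):
    """True when the newest SA's SPIs are mirrored: our outbound SPI is the peer's inbound."""
    ours, theirs = esp_spis(local_log), esp_spis(peer_log)
    return bool(ours and theirs) and ours[-1] == theirs[-1][::-1]


def tunnel_selectors(status_line):
    """Parse the left and right subnets from an 'ipsec auto --status' connection line."""
    m = SELECTOR_RE.search(status_line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def covered(status_line, src, dst):
    """True when src->dst lies inside the negotiated selectors; anything outside them
    is routed in the clear (or dropped) even though the SA is up."""
    left, right = tunnel_selectors(status_line)
    return ipaddress.ip_address(src) in left and ipaddress.ip_address(dst) in right


def stale_delete_count(log):
    """Count 'Delete SA ... not found' notices: the peer deleting SAs this side no longer has."""
    return len(STALE_DELETE_RE.findall(log))
```

Note that the selectors are /26, not /24: a host such as 10.1.3.100 is outside 10.1.3.0/26 and will never be sent through the tunnel.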