[Openswan Users] Single interface / tunnel will not come up.

Bruce Markey bruce at secryption.com
Fri Jan 31 06:27:01 EST 2014


I'm hoping someone here can point me in the right direction. I'm trying 
to get an IPsec VPN up from a Cisco 2811 to a hosted virtual server.  
Shouldn't be that tough from all that I've read. Here's the setup. 
Obviously external IPs have been changed for security purposes.

192.168.30.0/24-------1.1.1.1-- INTERNET -- 2.2.2.2
---->------------>------>------->--------------->

2.2.2.2 being the only interface that is available on the VPS, and it's 
an external address.  This is my first guess as to where the problem is, 
but I haven't found a good example of how to deal with this.  The end 
goal here is to push all web, and various other traffic over the vpn.  
See config below.

NAT shouldn't be a problem since I have the cisco not natting the 
traffic that I want to flow through the tunnel. Right now it's just icmp 
traffic for testing.

     ip access-list extended NAT
     deny   icmp 192.168.30.0 0.0.0.255 any

Finally there seems to be some discrepancy in encryption methods between 
cisco/openswan. I've tried just about every combination.

So far I can verify that it gets far enough to say the keys match.  Then 
I think it actually finishes the phase 1 tunnel but I'm not exactly 
sure.  Before I make any more changes I want to make sure I have the 
actual openswan config right since the network layout is a little odd.

Configs:

Cisco 2811--
crypto isakmp policy 1
  encr aes 192
  authentication pre-share
  group 2
  lifetime 43200
crypto isakmp key ********** address 2.2.2.2
!
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac
!
!
crypto map IOFVPN 1 ipsec-isakmp
  description VPN1
  set peer 2.2.2.2
  set transform-set IOFSET2
  match address 152


access-list 152 permit icmp any any


Openswan:

config setup
         dumpdir=/var/run/pluto/
         nat_traversal=no
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
         oe=off
         protostack=netkey
         #plutostderrlog=/dev/null

conn IOF
                 # Left security gateway, subnet behind it, nexthop toward right.
                 authby=secret
                 type=tunnel
                 left=2.2.2.2
                 #left=%defaultroute
                 #leftnexthop=%defaultroute
                 #leftsubnet=2.2.2.0/24
                 #leftid=2.2.2.2
                 # Right security gateway, subnet behind it, nexthop toward left.
                 right=1.1.1.1
                 rightsubnet=192.168.30.0/24
                 #rightid=192.168.30.1
                 # To authorize this connection, but not actually start it
                 # at startup, uncomment this.
                 #auto=add
                 esp=aes192-sha1
                 keyexchange=ike
                 ike=aes192-sha1
                 phase2=esp
                 #phase2alg=aes192-sha1
                 salifetime=43200s
                 pfs=yes
                 auto=start
                 dpdaction=restart

Watching the logs I'm to the point now where I'm getting this from the 
Cisco
2d11h: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for 
local address 1.1.1.1
2d11h: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
2d11h: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 
1.1.1.1 remote 2.2.2.2)

and this from openswan.
Jan 31 11:13:51 196-55-235-37 pluto[5376]: "IOF" #27: the peer proposed: 
0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Jan 31 11:13:51 196-55-235-37 pluto[5376]: "IOF" #27: cannot respond to 
IPsec SA request because no connection is known for 
0.0.0.0/0===2.2.2.2<2.2.2.2>:1/0...1.1.1.1<1.1.1.1>:1/0===0.0.0.0/0
Jan 31 11:13:51 2.2.2.2 pluto[5376]: "IOF" #27: sending encrypted 
notification INVALID_ID_INFORMATION to 1.1.1.1:500

I understand the why, the acl doesn't match on both sides but I'm not 
sure how to get around this with the openswan only having a single nic.

I've tried a few different things but it fails.  I'm half wondering if 
it isn't easiest to add a sub-interface on the openswan side just so 
it has a second network to make it happy, although I'd prefer not to.

I'm open to suggestions.

Thank you
Bruce Markey



-- 
Encrypt everything.
Public key: https://www.secryption.com/BruceMarkey.asc

I believe that any violation of privacy is nothing good.
Lech Walesa
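The failure in the post is a phase 2 traffic-selector mismatch: the Cisco crypto ACL `permit icmp any any` makes IOS propose 0.0.0.0/0 to 0.0.0.0/0 for protocol 1 (ICMP), while the Openswan conn, with no `leftsubnet` and no `leftprotoport`/`rightprotoport`, only knows a selector of 192.168.30.0/24 to 2.2.2.2/32 for any protocol. The script below is an added example, not part of the original post or of Openswan or IOS; it derives the phase 2 selectors from a (small subset of) Cisco ACL syntax and from an ipsec.conf conn, and lists exactly which parts disagree. The "corrected" pair of configs at the bottom is one consistent pairing constructed for illustration, not a recommendation from the thread; the assumption that an omitted `leftsubnet` means the gateway address as a /32 and an omitted protoport means any protocol follows standard ipsec.conf semantics.

```python
"""Compare IKEv1 phase 2 traffic selectors derived from a Cisco IOS crypto ACL
with those derived from an Openswan conn, to explain mismatches that surface as
"cannot respond to IPsec SA request because no connection is known for ..." on
the Openswan side and "phase 2 SA policy not acceptable" on IOS.

Added example, not code from the original post. Only a subset of IOS ACL syntax
('access-list N permit <proto> <src> <dst>' with 'any', 'host A.B.C.D' or
'A.B.C.D <wildcard>') and of ipsec.conf keys is handled.
"""
import ipaddress
from dataclasses import dataclass

IP_PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Selector:
    """One phase 2 selector: peer-side net -> our-side net, IP protocol (0 = any)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proto: int

    def __str__(self):
        return f"{self.local}:{self.proto}/0 -> {self.remote}:{self.proto}/0"


def _cisco_addr(tokens):
    """Consume one ACL address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 is a /24.
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, tokens[2:]


def cisco_crypto_acl_selectors(acl_lines):
    """Selectors IOS proposes from its crypto-map ACL: src -> dst as written."""
    out = []
    for line in acl_lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, rest = _cisco_addr(t[4:])
        dst, _ = _cisco_addr(rest)
        out.append(Selector(local=src, remote=dst, proto=IP_PROTO[t[3]]))
    return out


def openswan_conn_selector(conn_lines):
    """Selector an Openswan conn accepts, seen from the peer ('right') side.
    Assumption (standard ipsec.conf semantics): a missing leftsubnet/rightsubnet
    means the gateway address itself as a /32, and a missing protoport means
    any protocol."""
    kv = {}
    for line in conn_lines:
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()

    def subnet(side):
        return ipaddress.ip_network(kv.get(side + "subnet", kv[side] + "/32"), strict=False)

    def proto(side):
        p = kv.get(side + "protoport", "0/0").split("/")[0]
        return IP_PROTO.get(p, int(p) if p.isdigit() else 0)

    return Selector(local=subnet("right"), remote=subnet("left"), proto=proto("right"))


def explain_mismatch(wanted, proposed):
    """Reasons the peer's 'proposed' selector is not the 'wanted' one (empty = match)."""
    reasons = []
    if proposed.local != wanted.local:
        reasons.append(f"peer-side net {proposed.local} != {wanted.local}")
    if proposed.remote != wanted.remote:
        reasons.append(f"our-side net {proposed.remote} != {wanted.remote}")
    if proposed.proto != wanted.proto:
        reasons.append(f"protocol {proposed.proto} != {wanted.proto}")
    return reasons


# Constructed inputs: the post's configuration, reduced to the relevant lines.
POST_ACL = ["access-list 152 permit icmp any any"]
POST_CONN = ["conn IOF", "left=2.2.2.2", "#leftsubnet=2.2.2.0/24",
             "right=1.1.1.1", "rightsubnet=192.168.30.0/24"]

# Constructed illustration of a consistent pairing (not from the thread):
# the ACL names the real networks, and both ends agree on the protocol.
FIXED_ACL = ["access-list 152 permit icmp 192.168.30.0 0.0.0.255 host 2.2.2.2"]
FIXED_CONN = POST_CONN + ["leftprotoport=icmp", "rightprotoport=icmp"]

if __name__ == "__main__":
    for label, acl, conn in (("as posted", POST_ACL, POST_CONN), ("consistent", FIXED_ACL, FIXED_CONN)):
        wanted = openswan_conn_selector(conn)
        proposed = cisco_crypto_acl_selectors(acl)[0]
        print(f"{label}: IOS proposes {proposed}; Openswan wants {wanted}")
        for r in explain_mismatch(wanted, proposed) or ["match"]:
            print("   ", r)
```

Run it directly and the "as posted" case reports all three disagreements (both networks and the protocol), which is the shape of the log lines quoted above; the "consistent" case reports a match. The same check generalises to a crypto ACL with several `permit` lines, since each one becomes a separate proposal that needs its own matching conn.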
