[Openswan Users] Single interface / tunnel will not come up.
bruce at secryption.com
Fri Jan 31 06:27:01 EST 2014
I'm hoping someone here can point me in the right direction. I'm trying
to get an ipsec vpn up from a cisco 2811 to a hosted virtual server.
Shouldn't be that tough from all that I've read. Here's the setup.
Obviously external IPs have been changed for security purposes.
192.168.30.0/24-------220.127.116.11-- INTERNET -- 18.104.22.168
22.214.171.124 being the only interface that is available on the VPS, and it's
an external address. This is my first guess as to where the problem is,
but I haven't found a good example of how to deal with this. The end
goal here is to push all web, and various other traffic over the vpn.
See config below.
NAT shouldn't be a problem since I have the cisco not natting the
traffic that I want to flow through the tunnel. Right now it's just icmp
traffic for testing.
ip access-list extended NAT
deny icmp 192.168.30.0 0.0.0.255 any
Finally there seems to be some discrepancy in encryption methods between
cisco/openswan. I've tried just about every combination.
So far I can verify that it gets far enough to say the keys match. Then
I think it actually finishes the phase 1 tunnel but I'm not exactly
sure. Before I make any more changes I want to make sure I have the
actual openswan config right since the network layout is a little odd.
crypto isakmp policy 1
encr aes 192
crypto isakmp key ********** address 126.96.36.199
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac
crypto map IOFVPN 1 ipsec-isakmp
set peer 188.8.131.52
set transform-set IOFSET2
match address 152
access-list 152 permit icmp any any
# Left security gateway, subnet behind it, nexthop
# Right security gateway, subnet behind it, nexthop
# To authorize this connection, but not actually start
# at startup, uncomment this.
Watching the logs I'm to the point now where I'm getting this from the
2d11h: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for
local address 184.108.40.206
2d11h: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
2d11h: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local
220.127.116.11 remote 18.104.22.168)
and this from openswan.
Jan 31 11:13:51 196-55-235-37 pluto: "IOF" #27: the peer proposed:
0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Jan 31 11:13:51 196-55-235-37 pluto: "IOF" #27: cannot respond to
IPsec SA request because no connection is known for
Jan 31 11:13:51 22.214.171.124 pluto: "IOF" #27: sending encrypted
notification INVALID_ID_INFORMATION to 126.96.36.199:500
I understand the why, the acl doesn't match on both sides but I'm not
sure how to get around this with the openswan only having a single nic.
I've tried a few different things but it fails. I'm half wondering if
it's not easiest to add a sub-interface on the openswan side just so
it has a second network to make it happy, although I'd prefer not to.
I'm open to suggestions.
Public key: https://www.secryption.com/BruceMarkey.asc
I believe that any violation of privacy is nothing good.
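The mismatch in the post is a phase 2 selector (proxy ID) problem: each permit entry in a Cisco crypto-map ACL becomes the source/destination pair the router proposes, and Openswan only answers if some conn has exactly those subnets as leftsubnet/rightsubnet. "permit icmp any any" proposes 0.0.0.0/0 on both sides, which no conn on the VPS matches, hence INVALID_ID_INFORMATION. The script below is an added example, not code from the post or from Openswan: it turns an IOS ACE into the selectors it will propose, checks a pluto "the peer proposed:" line against the conns the host knows, and renders the conn that a narrowed ACE would need. The 203.0.113.x/198.51.100.x addresses, the conn table and the pluto line are constructed, and the assumption that pluto prints our subnet before the peer's is noted in the code.

```python
"""Cisco crypto-map ACE -> IPsec selectors, checked against Openswan conns.

Added example (not from the post or from Openswan). The 203.0.113.x and
198.51.100.x addresses, the conn table and the pluto log line are constructed.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def _wildcard_network(addr, wildcard):
    """'192.168.30.0' + IOS wildcard '0.0.0.255' -> 192.168.30.0/24."""
    w = int(ipaddress.ip_address(wildcard))
    if (w + 1) & w:                        # wildcard bits must be contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be a selector")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_network(tokens[0], tokens[1]), tokens[2:]


def ace_selectors(ace):
    """'access-list 152 permit icmp any any' -> ('icmp', 0.0.0.0/0, 0.0.0.0/0).

    Every permit ACE in a crypto-map ACL is proposed as its own selector
    pair, so each one needs an Openswan conn with exactly these subnets."""
    tok = ace.split()
    if tok[0] == "access-list":
        tok = tok[2:]                       # drop 'access-list <number>'
    if tok[0] != "permit":
        raise ValueError("only permit entries create IPsec selectors")
    src, rest = _endpoint(tok[2:])
    dst, _ = _endpoint(rest)
    return tok[1], src, dst


def pluto_proposal(line):
    """Extract the two subnets from a pluto 'the peer proposed:' line.

    Assumption: pluto prints the pair from its own point of view, our
    subnet first and the peer's second; the :proto/port suffixes are ignored."""
    m = re.search(r"the peer proposed: (\S+?):\d+/\d+ -> (\S+?):\d+/\d+", line)
    if not m:
        return None
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))


def find_conn(proposal, conns):
    """conns maps name -> (leftsubnet, rightsubnet), left being this host.
    Return the conn whose subnets equal the proposal exactly, else None."""
    ours, theirs = proposal
    for name, (left, right) in conns.items():
        if left == ours and right == theirs:
            return name
    return None


def expected_from_ace(ace):
    """What Openswan will see for one ACE: (our subnet, peer's subnet).
    The router's destination is our side; its source is the LAN behind it."""
    _, src, dst = ace_selectors(ace)
    return dst, src


def conn_for_ace(name, left_ip, right_ip, ace):
    """Render the Openswan conn that matches one ACE, with this host as left."""
    proto, src, dst = ace_selectors(ace)
    lines = [f"conn {name}", f"\tleft={left_ip}", f"\tleftsubnet={dst}",
             f"\tright={right_ip}", f"\trightsubnet={src}",
             "\tauthby=secret", "\tauto=add"]
    if proto != "ip":
        lines.insert(1, f"\t# ACE protocol is {proto}: use 'permit ip' or add matching "
                        "leftprotoport/rightprotoport")
    return "\n".join(lines)


# Constructed inputs: the post's ACL, a narrowed replacement, a pluto line like
# the one logged, and the single conn assumed on the VPS (no subnet behind it).
ORIGINAL_ACE = "access-list 152 permit icmp any any"
NARROW_ACE = "access-list 152 permit ip 192.168.30.0 0.0.0.255 host 203.0.113.10"
PLUTO_LINE = 'pluto: "IOF" #27: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0'
CONNS = {"IOF": (ipaddress.ip_network("203.0.113.10/32"),
                 ipaddress.ip_network("192.168.30.0/24"))}

if __name__ == "__main__":
    print("logged proposal matches:", find_conn(pluto_proposal(PLUTO_LINE), CONNS))
    print("narrowed ACE matches:", find_conn(expected_from_ace(NARROW_ACE), CONNS))
    print(conn_for_ace("IOF", "203.0.113.10", "198.51.100.1", NARROW_ACE))
```

The single interface on the VPS is not the obstacle: with nothing behind it, its own address as a /32 is the left selector, and the right selector is the LAN behind the Cisco. The ACL then has to name the same pair (and use "permit ip", since "permit icmp" narrows the selector to one protocol). If the end goal is to send all the LAN's traffic through the tunnel, the pair becomes 0.0.0.0/0 on the VPS side and 192.168.30.0/24 on the Cisco side, with a matching "permit ip 192.168.30.0 0.0.0.255 any" ACE; the checker above flags any other combination as having no conn.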