[Openswan Users] Single interface / tunnel will not come up.
Bruce Markey
bruce at secryption.com
Fri Jan 31 06:27:01 EST 2014
I'm hoping someone here can point me in the right direction. I'm trying
to get an IPsec VPN up from a Cisco 2811 to a hosted virtual server.
Shouldn't be that tough from all that I've read. Here's the setup.
Obviously external IPs have been changed for security purposes.
192.168.30.0/24-------1.1.1.1-- INTERNET -- 2.2.2.2
---->------------>------>------->--------------->
2.2.2.2 is the only interface that is available on the VPS, and it's an
external address. This is my first guess as to where the problem is,
but I haven't found a good example of how to deal with this. The end
goal here is to push all web, and various other, traffic over the VPN.
See config below.
NAT shouldn't be a problem since I have the Cisco not NATting the
traffic that I want to flow through the tunnel. Right now it's just ICMP
traffic for testing.
ip access-list extended NAT
deny icmp 192.168.30.0 0.0.0.255 any
Finally, there seems to be some discrepancy in encryption methods between
Cisco/Openswan. I've tried just about every combination.
So far I can verify that it gets far enough to say the keys match. Then
I think it actually finishes the phase 1 tunnel, but I'm not exactly
sure. Before I make any more changes I want to make sure I have the
actual Openswan config right, since the network layout is a little odd.
Configs:
Cisco 2811:
crypto isakmp policy 1
 encr aes 192
 authentication pre-share
 group 2
 lifetime 43200
crypto isakmp key ********** address 2.2.2.2
!
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac
!
crypto map IOFVPN 1 ipsec-isakmp
 description VPN1
 set peer 2.2.2.2
 set transform-set IOFSET2
 match address 152
access-list 152 permit icmp any any
Openswan:
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=no
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey
    #plutostderrlog=/dev/null

conn IOF
    # Left security gateway, subnet behind it, nexthop toward right.
    authby=secret
    type=tunnel
    left=2.2.2.2
    #left=%defaultroute
    #leftnexthop=%defaultroute
    #leftsubnet=2.2.2.0/24
    #leftid=2.2.2.2
    # Right security gateway, subnet behind it, nexthop toward left.
    right=1.1.1.1
    rightsubnet=192.168.30.0/24
    #rightid=192.168.30.1
    # To authorize this connection, but not actually start it, at startup, uncomment this.
    #auto=add
    esp=aes192-sha1
    keyexchange=ike
    ike=aes192-sha1
    phase2=esp
    #phase2alg=aes192-sha1
    salifetime=43200s
    pfs=yes
    auto=start
    dpdaction=restart
Watching the logs, I'm at the point now where I'm getting this from the
Cisco:
2d11h: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 1.1.1.1
2d11h: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
2d11h: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)
and this from Openswan:
Jan 31 11:13:51 196-55-235-37 pluto[5376]: "IOF" #27: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Jan 31 11:13:51 196-55-235-37 pluto[5376]: "IOF" #27: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===2.2.2.2<2.2.2.2>:1/0...1.1.1.1<1.1.1.1>:1/0===0.0.0.0/0
Jan 31 11:13:51 2.2.2.2 pluto[5376]: "IOF" #27: sending encrypted notification INVALID_ID_INFORMATION to 1.1.1.1:500
I understand the why: the ACL doesn't match on both sides, but I'm not
sure how to get around this with the Openswan box only having a single NIC.
I've tried a few different things but it fails. I'm half wondering if
it wouldn't be easiest to add a sub-interface on the Openswan side just so
it has a second network to make it happy, although I'd prefer not to.
I'm open to suggestions.
Thank you
Bruce Markey
--
Encrypt everything.
Public key: https://www.secryption.com/BruceMarkey.asc
I believe that any violation of privacy is nothing good.
Lech Walesa
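Added here as a worked example, not code from the post or from Openswan: the pluto line quoted above spells out the phase 2 selectors it could not match, and Cisco IOS builds the selectors it proposes straight from the crypto ACL (source = the Cisco's own side, destination = the peer's side), so the two can be compared field by field. The script parses a crypto ACL entry and a pluto "no connection is known for" line, expresses both as Openswan leftsubnet/rightsubnet/protoport settings (Cisco as right, Openswan as left) and lists the fields that differ. It assumes that Openswan treats a missing leftsubnet as left/32 and that IKEv1 needs an exact selector match with no narrowing; the sample ACL entries, the log line and all function names are mine, built from the post's placeholder addresses.

```python
"""Compare the IKEv1 phase 2 selectors a Cisco crypto ACL will propose with the
selectors an Openswan conn can answer.  Added example; not code from the post or
from Openswan.  Assumptions (mine): IOS builds quick mode proxy IDs from the crypto
ACL (source = its own side, destination = the peer's side); Openswan treats a
missing leftsubnet as left/32; IKEv1 requires an exact selector match."""
import ipaddress
import re

# Constructed sample input, copied in shape from the post; 1.1.1.1 and 2.2.2.2
# are the post's placeholder addresses, not real hosts.
CISCO_ACE = "access-list 152 permit icmp any any"
TIGHT_ACE = "access-list 152 permit ip 192.168.30.0 0.0.0.255 host 2.2.2.2"
PLUTO_LINE = ('"IOF" #27: cannot respond to IPsec SA request because no connection '
              'is known for 0.0.0.0/0===2.2.2.2<2.2.2.2>:1/0...1.1.1.1<1.1.1.1>:1/0===0.0.0.0/0')

# The posted conn with Openswan's default filled in: no leftsubnet means left/32.
POSTED_CONN = {"leftsubnet": "2.2.2.2/32", "rightsubnet": "192.168.30.0/24"}

IP_PROTO = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}


def _cisco_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A WILDCARD'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard is the inverted netmask: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_cisco_ace(line):
    """'access-list N permit PROTO SRC DST' -> protocol number, source and destination networks."""
    tokens = line.split()
    if tokens[0:1] != ["access-list"] or tokens[2] != "permit":
        raise ValueError("only 'access-list N permit ...' entries select traffic for a crypto map")
    proto = IP_PROTO[tokens[3]]
    src, rest = _cisco_addr(tokens[4:])
    dst, _ = _cisco_addr(rest)
    return {"proto": proto, "src": src, "dst": dst}


def conn_for_ace(ace):
    """Openswan conn settings that exactly match what the Cisco proposes from one ACE,
    with the Cisco as 'right' and Openswan as 'left': Cisco source -> rightsubnet,
    Cisco destination -> leftsubnet, ACL protocol -> both protoports ('1/0' = ICMP, any type)."""
    protoport = f"{ace['proto']}/0"
    return {"leftsubnet": str(ace["dst"]), "rightsubnet": str(ace["src"]),
            "leftprotoport": protoport, "rightprotoport": protoport}


_UNKNOWN_CONN = re.compile(
    r"no connection is known for "
    r"(?P<leftsubnet>[^=\s]+)===[^<\s]+<[^>]*>:(?P<leftpp>\d+/\d+)"
    r"\.\.\.[^<\s]+<[^>]*>:(?P<rightpp>\d+/\d+)===(?P<rightsubnet>\S+)")


def parse_pluto_unknown_conn(line):
    """Extract the selectors pluto failed to match from its 'no connection is known for' line."""
    m = _UNKNOWN_CONN.search(line)
    if not m:
        raise ValueError("not a pluto 'no connection is known for' line")
    return {"leftsubnet": m["leftsubnet"], "rightsubnet": m["rightsubnet"],
            "leftprotoport": m["leftpp"], "rightprotoport": m["rightpp"]}


def selector_mismatches(conn, proposal):
    """IKEv1 has no selector narrowing, so every field must match exactly.
    Returns [(field, configured, proposed)] for the fields that do not."""
    full = {"leftprotoport": "0/0", "rightprotoport": "0/0", **conn}  # Openswan defaults
    bad = []
    for field, proposed in proposal.items():
        configured = full[field]
        if field.endswith("subnet"):  # normalise e.g. 2.2.2.2 vs 2.2.2.2/32
            configured = str(ipaddress.ip_network(configured))
            proposed = str(ipaddress.ip_network(proposed))
        if configured != proposed:
            bad.append((field, configured, proposed))
    return bad


if __name__ == "__main__":
    proposal = parse_pluto_unknown_conn(PLUTO_LINE)
    print("pluto could not match:", proposal)
    print("the posted ACL yields :", conn_for_ace(parse_cisco_ace(CISCO_ACE)))
    for field, have, want in selector_mismatches(POSTED_CONN, proposal):
        print(f"  {field}: conn has {have}, Cisco proposes {want}")
    tight = conn_for_ace(parse_cisco_ace(TIGHT_ACE))
    print("a tightened ACL yields:", tight)
    print("  mismatches vs posted conn:", selector_mismatches(POSTED_CONN, tight))
```

Run as-is, it reports all four fields differing for `permit icmp any any` (both subnets 0.0.0.0/0 and protocol 1, against the conn's 2.2.2.2/32, 192.168.30.0/24 and protocol 0/0), and no difference for a tightened entry, `permit ip 192.168.30.0 0.0.0.255 host 2.2.2.2`, which describes exactly the pair of networks the posted conn already has. Whichever side is changed, the crypto ACL and the conn must name the same two networks and the same protocol; no second NIC or sub-interface enters into it.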