[Openswan Users] Centos 6.3 Site to Site (phase 1 is done, looking for phase 2 to unpend)
Estefanio Brunhara
estefanio at brunhara.com
Sat Aug 29 15:32:34 EDT 2015
Hello friends list!
I have two Linux servers with CentOS 6.3, updated.
I'm not able to get IPsec set up; can someone help me?
Configuration SiteA

config setup
	plutodebug=all
	plutostderrlog=/var/log/pluto.log
	virtual_private=%v4:192.168.15.0/24,%v4:192.168.0.0/22
	protostack=netkey
	nat_traversal=yes
	oe=off
	nhelpers=0

conn SiteA
	pfs=yes
	auto=start
	compress=yes
	type=tunnel
	authby=secret
	ike=aes128-sha1;modp1024
	keyexchange=ike
	phase2=esp
	phase2alg=aes128-sha1;modp1024
	left=189.184.218.234
	leftsubnet=192.168.15.0/24
	leftnexthop=%defaultroute
	right=200.50.14.186
	rightsubnet=192.168.0.0/22
	rightnexthop=%defaultroute
Configuration SiteB

config setup
	plutodebug=all
	plutostderrlog=/var/log/pluto.log
	virtual_private=%v4:10.0.0.0/24,%v4:192.168.15.0/24,%v4:192.168.0.0/22
	protostack=netkey
	nat_traversal=yes
	oe=off
	nhelpers=0

conn SiteB
	pfs=yes
	auto=add
	compress=yes
	type=tunnel
	authby=secret
	ike=aes128-sha1;modp1024
	keyexchange=ike
	phase2=esp
	phase2alg=aes128-sha1;modp1024
	left=189.184.218.234
	leftsubnet=192.168.15.0/24
	leftnexthop=%defaultroute
	right=200.50.14.186
	rightsubnet=192.168.0.0/22
	rightnexthop=%defaultroute
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-279.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
# ipsec auto --verbose --up SiteA
002 "SanGEmive" #5: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#3
msgid:fe671b8e proposal=AES(12)_128-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}
117 "SanGEmive" #5: STATE_QUICK_I1: initiate
002 "SanGEmive" #5: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
004 "SanGEmive" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x376c2c89 <0x90af8fa8 xfrm=AES_128-HMAC_SHA1 IPCOMP=>0x0000931f
<0x00004e90 NATOA=none NATD=none DPD=none}
Log
O_CONNECTION='SiteB' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='200.50.14.185'
PLUTO_ME='200.50.14.186' PLUTO_MY_ID='200.50.14.186'
PLUTO_MY_CLIENT='192.168.0.0/22' PLUTO_MY_CLIENT_NET='192.168.0.0'
PLUTO_MY_CLIENT_MASK='255.255.252.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0'
PLUTO_PEER='189.184.218.234' PLUTO_PEER_ID='189.184.218.234'
PLUTO_PEER_CLIENT='192.168.15.0/24' PLUTO_PEER_CLIENT_NET='192.168.15.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK'
PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO=''
PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0'
ipsec _updown
| popen(): cmd is 821 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteB:
| cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='200.50.14.185'
PLUTO_ME='200.50.14.186':
| cmd( 160): PLUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NE:
| cmd( 240):T='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_:
| cmd( 320):PROTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_:
| cmd( 400):PEER_CLIENT='192.168.15.0/24'
PLUTO_PEER_CLIENT_NET='192.168.15.0' PLUTO_PEER_CL:
| cmd( 480):IENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER:
| cmd( 560):_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+:
| cmd( 640):IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME=''
PLUTO_IS_PEER_CISCO='0' PLUTO_CI:
| cmd( 720):SCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER=''
PLUTO_NM_CONFIGU:
| cmd( 800):RED='0' ipsec _updown:
| command executing route-client
| executing route-client: 2>&1 PLUTO_VERB='route-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteB' PLUTO_INTERFACE='eth1'
PLUTO_NEXT_HOP='200.50.14.185' PLUTO_ME='200.50.14.186'
PLUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_PEER_CLIENT='192.168.15.0/24'
PLUTO_PEER_CLIENT_NET='192.168.15.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0'
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=''
PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK'
PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO=''
PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0'
ipsec _updown
| popen(): cmd is 819 chars long | cmd( 0):2>&1 PLUTO_VERB='route-client'
PLUTO_VERSION='2.0' PLUTO_CONNECTION='SiteB' :
| cmd( 80):PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='200.50.14.185'
PLUTO_ME='200.50.14.186' P:
| cmd( 160):LUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NET=:
| cmd( 240):'192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_PR:
| cmd( 320):OTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_PE:
| cmd( 400):ER_CLIENT='192.168.15.0/24' PLUTO_PEER_CLIENT_NET='192.168.15.0'
PLUTO_PEER_CLIE:
| cmd( 480):NT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_C:
| cmd( 560):A='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+IK:
| cmd( 640):Ev2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME=''
PLUTO_IS_PEER_CISCO='0' PLUTO_CISC:
| cmd( 720):O_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER=''
PLUTO_NM_CONFIGURE:
| cmd( 800):D='0' ipsec _updown:
| route_and_eroute: instance "SiteB", setting eroute_owner
{spd=0xb755e438,sr=0xb755e438} to #2 (was #0) (newest_ipsec_sa=#0)
| inI2: instance SiteB[0], setting newest_ipsec_sa to #2 (was #0)
(spd.eroute=#2)
| complete state transition with STF_OK
"SiteB" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
| deleting event for #2
| inserting event EVENT_SA_REPLACE, timeout in 86130 seconds for #2
| event added after event EVENT_LOG_DAILY
"SiteB" #2: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x03d37354 <0xd820a81d xfrm=AES_128-HMAC_SHA1 IPCOMP=>0x0000b402
<0x000068fb NATOA=none NATD=none DPD=none}
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 38 seconds
| next event EVENT_PENDING_DDNS in 38 seconds
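As an added example (not part of this post or of Openswan), a small Python parser for the "IPsec SA established" lines quoted above: it re-joins mail-wrapped lines, extracts the connection name, SA number, state, ESP and IPCOMP SPIs, and checks whether an SA reported on one gateway and one reported on the other actually form the same tunnel, which requires each side's outbound SPI to be the other's inbound SPI. The names SA_RE, parse_established and matched_pairs are mine; for the two excerpts quoted above (SiteA's #5 and SiteB's #2) the SPIs do not cross-match, so they are different SA instances, and the constructed SiteB line in the block shows what a matching peer report would look like.

```python
import re

# Matches Openswan pluto's "IPsec SA established tunnel mode {...}" report, in
# both the STATE_QUICK_I2 (initiator) and STATE_QUICK_R2 (responder) forms.
SA_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_QUICK_[IR]2): [^"{]*?'
    r'IPsec SA established tunnel mode \{'
    r'ESP=>0x(?P<esp_out>[0-9a-f]{8}) <0x(?P<esp_in>[0-9a-f]{8}) '
    r'xfrm=(?P<xfrm>\S+)'
    r'(?: IPCOMP=>0x(?P<comp_out>[0-9a-f]{8}) <0x(?P<comp_in>[0-9a-f]{8}))?'
)

def parse_established(log_text):
    """Return one dict per established IPsec SA found in pluto output.
    Mail clients wrap long pluto lines, so continuation lines are re-joined first."""
    joined = re.sub(r'\s*\n\s*', ' ', log_text)
    return [m.groupdict() for m in SA_RE.finditer(joined)]

def matched_pairs(side_a, side_b):
    """An SA on A and an SA on B belong to the same tunnel only if A's outbound
    ESP SPI is B's inbound SPI and vice versa. Returns [(a_sa_no, b_sa_no), ...]."""
    return [(a['sa'], b['sa']) for a in side_a for b in side_b
            if a['esp_out'] == b['esp_in'] and a['esp_in'] == b['esp_out']]

# The two excerpts quoted in the post above (SiteA's `ipsec auto --up`, SiteB's log).
SITE_A_LOG = """\
004 "SanGEmive" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel
mode {ESP=>0x376c2c89 <0x90af8fa8 xfrm=AES_128-HMAC_SHA1 IPCOMP=>0x0000931f
<0x00004e90 NATOA=none NATD=none DPD=none}
"""
SITE_B_LOG = """\
"SiteB" #2: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x03d37354 <0xd820a81d xfrm=AES_128-HMAC_SHA1 IPCOMP=>0x0000b402
<0x000068fb NATOA=none NATD=none DPD=none}
"""
# Constructed sample (not from the post): what SiteB's report for the SA that
# SiteA's #5 negotiated would look like, i.e. the same SPIs with direction swapped.
SITE_B_PEER_OF_A5 = """\
"SiteB" #7: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x90af8fa8 <0x376c2c89 xfrm=AES_128-HMAC_SHA1 IPCOMP=>0x00004e90
<0x0000931f NATOA=none NATD=none DPD=none}
"""

if __name__ == "__main__":
    a, b = parse_established(SITE_A_LOG), parse_established(SITE_B_LOG)
    for sa in a + b:
        print(sa['conn'], '#' + sa['sa'], sa['state'], sa['xfrm'],
              'out', sa['esp_out'], 'in', sa['esp_in'])
    print('pairs with quoted SiteB log:', matched_pairs(a, b))  # []
    print('pairs with constructed peer:',
          matched_pairs(a, parse_established(SITE_B_PEER_OF_A5)))  # [('5', '7')]
```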