[Openswan Users] Tunnel failing to come up
Neal Murphy
neal.p.murphy at alum.wpi.edu
Wed Jan 21 19:43:38 EST 2015
On Wednesday, January 21, 2015 04:22:07 PM Managed Pvt nets wrote:
> Hello everyone,
>
> I am a newbie and I hope someone can save me from pulling my hair out
> here.
>
> I am trying to set up an IPSec VPN site to site (PSK) with details as
> follows:
>
> ==>Left Side (Which I am managing)
>
> Debian GNU/Linux 7.0.0 Wheezy
> Linux hostname 3.2.0-4-amd64
> Linux Openswan U2.6.37/K3.2.0-4-amd64 (netkey)
>
>
> ==>Right Side (Provider Side)
>
> Windows Server 2008R2
> Microsoft Forefront TMG
>
> Both sides have a
> Phase 1
> Pre-Shared Key, 3des-sha1
>
> Phase 2
> 3des-sha1
>
> My tunnel just won't come up. I have checked with:
>
> ========
> # ipsec verify
> Checking your system to see if IPsec got installed and started
> correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.37/K3.2.0-4-amd64 (netkey)
> Checking for IPsec support in kernel [OK]
> SAref kernel support [N/A]
> NETKEY: Testing XFRM related proc values [OK]
> [OK]
> [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [OK]
> Checking for 'ip' command [OK]
> Checking /bin/sh is not /bin/dash [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support
> [DISABLED]
> # service ipsec status
> IPsec running - pluto pid: 2780
> pluto pid 2780
> No tunnels up
> #ipsec auto --status
> [snip/...]
> 000 #1: "tunnel1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in
> -1s; nodpd; idle; import:admin initiate
> 000 #1: pending Phase 2 for "tunnel1" replacing #0
> 000
> ========
>
> This Debian box is running NAT, and the Debian box is the gateway behind
> the main router leading up to the internet as follows:
>
>
> ((left lan))-->{{Debian Linux with Openswan +
> Nat}}-->[router]--><<internet>><--[MS 2008 Forefront]
>
> Would appreciate some guides on how I can go about this.
Your 'outer' router may need to forward port 500 and UDP port 4500 to your
system. It may also need to allow protocol 50 (ESP) inbound. And it may need
to allow them outbound.
More likely you need to use forceencaps=yes in your ipsec config to tell pluto
to use only port 4500 (NAT-Traversal) for that VPN. And you may need
auto=start to ensure that your end starts the VPN; otherwise *your* pluto may
wait forever for start packets that never arrive because of the intervening
NAT (or double-NAT) on your end.
/var/log/secure may contain useful information about the progress of the VPN
setup.
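One way to write Neal's suggestions into the Openswan configuration for the setup described in the thread, as an added example that is not from the original message or the Openswan project; the public IPs, subnets, DH group and PFS setting are assumptions and must be replaced with the real values agreed with the provider:

```ini
# /etc/ipsec.conf on the Debian/Openswan gateway (added example, not from the thread).
# Assumed values: 203.0.113.5 = public IP of the outer router, 192.168.1.0/24 = left LAN,
# 198.51.100.10 = public IP of the Forefront TMG, 10.20.0.0/16 = provider LAN behind TMG.
config setup
    protostack=netkey
    nat_traversal=yes          # needed for the NAT-T (udp/4500) path the reply refers to
    oe=off                     # matches "Opportunistic Encryption [DISABLED]" in ipsec verify

conn tunnel1
    type=tunnel
    keyexchange=ike
    authby=secret              # pre-shared key on both ends
    # left = this box, sitting behind the outer NAT router
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=203.0.113.5         # identity as the peer sees it: the router's public IP, not the private one
    # right = the Forefront TMG peer
    right=198.51.100.10
    rightsubnet=10.20.0.0/16
    # Phase 1 / Phase 2 as both sides have them (3des-sha1); modp1024 is an assumption
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1
    pfs=no                     # assumption; set to yes only if the TMG side has PFS enabled
    # the two settings suggested in the reply above:
    forceencaps=yes            # always carry ESP inside udp/4500, even when NAT is not detected
    auto=start                 # initiate from this end instead of waiting for the peer behind the NAT
    # Dead Peer Detection keeps the NAT mapping alive and restarts a dead tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

# /etc/ipsec.secrets (mode 0600), indexed by the two identities above:
# 203.0.113.5 198.51.100.10 : PSK "replace-with-the-shared-secret"
```

After editing, `ipsec auto --replace tunnel1` followed by `ipsec auto --up tunnel1` shows in its output whether Phase 1 gets past STATE_MAIN_I1, which is where the status above was stuck.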