[Openswan Users] Tunnel failing to come up
Neal Murphy
neal.p.murphy at alum.wpi.edu
Thu Jan 22 13:32:04 EST 2015
On Thursday, January 22, 2015 07:45:42 AM Managed Pvt nets wrote:
> On 22/01/2015 2:43:38 AM, "Neal Murphy" <neal.p.murphy at alum.wpi.edu> wrote:
> >> ==>Left Side (Which I am managing)
> >>
> >> Debian GNU/Linux 7.0.0 Wheezy
> >> Linux hostname 3.2.0-4-amd64
> >> Linux Openswan U2.6.37/K3.2.0-4-amd64 (netkey)
> >>
> >>
> >> ==>Right Side (Provider Side)
> >>
> >> Windows Server 2008R2
> >> Microsoft Forefront TMG
> >>
> >> Both sides have a
> >> Phase 1
> >> Pre-Shared Key, 3des-sha1
> >>
> >> Phase 2
> >> 3des-sha1
> >>
> >> My tunnel just won't come up. I have checked with:
> >>
> >> ========
> >> # ipsec verify
> >> Checking your system to see if IPsec got installed and started
> >> correctly:
> >> Version check and ipsec on-path [OK]
> >> Linux Openswan U2.6.37/K3.2.0-4-amd64 (netkey)
> >> Checking for IPsec support in kernel [OK]
> >>
> >> SAref kernel support [N/A]
> >> NETKEY: Testing XFRM related proc values [OK]
> >>
> >> [OK]
> >> [OK]
> >>
> >> Checking that pluto is running [OK]
> >>
> >> Pluto listening for IKE on udp 500 [OK]
> >> Pluto listening for NAT-T on udp 4500 [OK]
> >>
> >> Two or more interfaces found, checking IP forwarding [OK]
> >> Checking NAT and MASQUERADEing [OK]
> >> Checking for 'ip' command [OK]
> >> Checking /bin/sh is not /bin/dash [OK]
> >> Checking for 'iptables' command [OK]
> >> Opportunistic Encryption Support
> >> [DISABLED]
> >> # service ipsec status
> >> IPsec running - pluto pid: 2780
> >> pluto pid 2780
> >> No tunnels up
> >> #ipsec auto --status
> >> [snip/...]
> >> 000 #1: "tunnel1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; nodpd; idle; import:admin initiate
> >> 000 #1: pending Phase 2 for "tunnel1" replacing #0
> >> 000
> >> ========
> >>
> >> This Debian box is running NAT, and the Debian box is the gateway behind
> >> the main router leading up to the internet as follows:
> >>
> >>
> >> ((left lan))-->{{Debian Linux with Openswan +
> >> Nat}}-->[router]--><<internet>><--[MS 2008 Forefront]
> >>
> >> Would appreciate some guides on how I can go about this.
> >
> >Your 'outer' router may need to forward port 500 and UDP port 4500 to your
> >system. It may also need to allow protocol 50 (ESP) inbound. And it may need
> >to allow them outbound.
> >
> >More likely you need to use forceencaps=yes in your ipsec config to tell pluto
> >to use only port 4500 (NAT-Traversal) for that VPN. And you may need
> >auto=start to ensure that your end starts the VPN; otherwise *your* pluto may
> >wait forever for start packets that never arrive because of the intervening
> >NAT (or double-NAT) on your end.
>
> Thanks Neal,
>
> Fortunately this has been done. Maybe my tcpdump may help shed some
> light:
Maybe not. :) Next: what's in /var/log/secure? I think that's where pluto
'usually' logs its progress. And post your ipsec.conf (obfuscate as little as
you can).
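The forceencaps=yes / auto=start suggestion from the reply above, written out as an added ipsec.conf example for the left (Debian/Openswan, behind NAT) side. This is not configuration from the thread or from the Openswan project; addresses, subnets, the PSK and the DH group are placeholders or assumptions to be matched against what the TMG side is actually configured with.

```ini
# /etc/ipsec.conf (added example; values in CAPS are placeholders)
version 2.0

config setup
    protostack=netkey
    nat_traversal=yes          # required for pluto to fall back to UDP 4500 through the outer router's NAT

conn tunnel1
    # Left: the Debian/Openswan gateway sitting behind the outer router
    left=%defaultroute
    leftsubnet=LEFT_LAN/24
    # leftid=OUTER_ROUTER_PUBLIC_IP   # assumption: only if TMG expects our public address as the IKE ID
    # Right: the Forefront TMG side
    right=TMG_PUBLIC_IP
    rightsubnet=RIGHT_LAN/24
    authby=secret              # pre-shared key; the key itself lives in /etc/ipsec.secrets
    ike=3des-sha1-modp1024     # Phase 1 as described in the question; DH group is an assumption, verify it on TMG
    phase2alg=3des-sha1        # Phase 2 (ESP) as described in the question
    forceencaps=yes            # the reply's main suggestion: always UDP-encapsulate, talk only on port 4500
    auto=start                 # our side initiates at startup instead of waiting for packets the NAT will never pass

# /etc/ipsec.secrets (one line; placeholder key):
#   %any TMG_PUBLIC_IP : PSK "REPLACE_WITH_SHARED_KEY"
```

After reloading with `service ipsec restart`, re-run `ipsec auto --status`: if the connection still sits in STATE_MAIN_I1 (sent MI1, expecting MR1), the first IKE packet is getting no answer at all, which points back at the outer router's forwarding of UDP 500/4500 and ESP rather than at the cipher settings.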