[Openswan Users] Tunnel failing to come up
Neal Murphy
neal.p.murphy at alum.wpi.edu
Thu Jan 22 16:32:24 EST 2015
On Thursday, January 22, 2015 03:39:02 PM Managed Pvt nets wrote:
> On 22/01/2015 8:32:04 PM, "Neal Murphy" <neal.p.murphy at alum.wpi.edu> wrote:
> >> > Your 'outer' router may need to forward port 500 and UDP port 4500 to
> >> > your system. It may also need to allow protocol 50 (ESP) inbound. And
> >> > it may need to allow them outbound.
> >> >
> >> > More likely you need to use forceencaps=yes in your ipsec config to
> >> > tell pluto to use only port 4500 (NAT-Traversal) for that VPN. And you
> >> > may need auto=start to ensure that your end starts the VPN; otherwise
> >> > *your* pluto may wait forever for start packets that never arrive
> >> > because of the intervening NAT (or double-NAT) on your end.
> >>
> >> Thanks Neal,
> >>
> >> Fortunately this has been done. Maybe my tcpdump may help shed some
> >> light:
> >
> > Maybe not. :) Next: what's in /var/log/secure? I think that's where
> > pluto 'usually' logs its progress. And post your ipsec.conf (obfuscate
> > as little as you can).
>
> I am assuming by /var/log/secure you are referring to /var/log/syslog on
> my Debian box. The entries I have in there are:
>
> ===
> Jan 22 22:24:28 jupiter ipsec_setup: ...Openswan IPsec started
> Jan 22 22:24:28 jupiter pluto: adjusting ipsec.d to /etc/ipsec.d
> Jan 22 22:24:28 jupiter ipsec__plutorun: 002 added connection description "tunnel1"
> Jan 22 22:24:28 jupiter ipsec__plutorun: 104 "tunnel1" #1: STATE_MAIN_I1: initiate
> ===
>
> My ipsec.conf is as follows:
>
You may find more information in /var/run/pluto/* and/or in
/var/log/pluto.log. *Some* log should tell you what pluto doesn't like about
the incoming conn attempts.

I'm more familiar with klips, but it looks like you have the essentials.
You might try 'tcpdump -tlni eth1 port 500 or port 4500 or proto 50' to see
all the traffic at once.

Finally, just for grins, try to minimize the config. Delete the config lines
marked with ! and add the lines marked with @.
> cat /etc/ipsec.conf
> # basic configuration
> config setup
>     dumpdir=/var/run/pluto/
>     nat_traversal=yes
>     protostack=netkey
>     plutoopts="--perpeerlog"
>     virtual_private=%v4:103.1.0.0/24,%v4:192.168.0.0/24,%v4:192.168.10.0/24,%v6:fd00::/8,%v6:fe80::/10
>     # Use this to log to a file, or disable logging on embedded systems (like openwrt)
>     plutodebug=all
>     plutostderrlog=/var/log/pluto.log
>     interfaces=%defaultroute
>
> conn %default
!>     keyingtries=1
@>     keyingtries=0
>
> conn tunnel1
!>     type=tunnel
!>     auth=esp
>     authby=secret
@>     compress=no
>     forceencaps=yes
!>     ikelifetime=86400m
!>     rekeymargin=10m
!>     rekeyfuzz=0%
!>     keylife=28800s
>     esp=3des-sha1
>     ike=3des-sha1
>     keyexchange=ike
!>     pfs=yes
>     left=192.168.0.2
>     leftsubnet=192.168.0.0/24
>     leftnexthop=%defaultroute
>     leftid=a.b.c.d
>     right=w.x.y.z
>     rightsubnet=192.168.10.0/24
>     rightnexthop=%defaultroute
>     rightid=w.x.y.z
>     auto=start
Below is a klips config I use; it's rather minimal and neither end is behind
NAT. I don't know what translation is needed to make it work with netkey.
version 2

config setup
    protostack=klips
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutowait=no
    uniqueids=yes

conn clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn private-or-clear
    auto=ignore
conn private
    auto=ignore
conn block
    auto=ignore
conn packetdefault
    auto=ignore

conn NAME
    ike=3des-md5
    esp=3des-md5
    authby=secret
    keyingtries=0
    left=a.b.c.d
    leftsubnet=g.h.i.j/24
    leftnexthop=%defaultroute
    right=w.x.y.z
    rightsubnet=m.n.o.p/24
    rightnexthop=%defaultroute
    compress=no
    auto=start
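The thread boils down to four settings an initiator behind NAT needs (nat_traversal, forceencaps, auto=start, and keyingtries=0 instead of 1). The script below is an added example, not code from the thread or from the Openswan project: a small ipsec.conf section parser that applies "conn %default" inheritance and reports which of those settings are missing. The sample config is constructed to mirror the shape of the one posted, the "#" comment handling is a simplification of the real parser, and the assumption that an absent keyingtries means "retry forever" follows Openswan's documented default.

```python
"""Check an Openswan-style ipsec.conf for the NAT-related settings the
thread recommends (added example; not Openswan code)."""

# Constructed sample: same shape as the posted config, including the
# keyingtries=1 in %default that the reply suggests turning into 0.
SAMPLE_CONF = """\
# basic configuration
config setup
    nat_traversal=yes
    protostack=netkey
    plutodebug=none   # keep quiet until it is needed
    interfaces=%defaultroute

conn %default
    keyingtries=1

conn tunnel1
    authby=secret
    forceencaps=yes
    esp=3des-sha1
    ike=3des-sha1
    left=192.168.0.2
    leftsubnet=192.168.0.0/24
    right=w.x.y.z
    rightsubnet=192.168.10.0/24
    auto=start
"""


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for every config/conn section.

    Section headers start in column 1; parameters must be indented (as
    ipsec.conf requires); '#' starts a comment (simplified assumption);
    a leading 'version' line is ignored.
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] == "version":
                continue
            if len(parts) != 2 or parts[0] not in ("config", "conn"):
                raise ValueError(f"line {lineno}: expected 'config NAME' or 'conn NAME'")
            current = (parts[0], parts[1])
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: parameter outside any section")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value")
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """'conn %default' supplies values that a named conn may override."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return merged


def nat_findings(sections, name):
    """List the settings from the thread that this conn is missing."""
    setup = sections.get(("config", "setup"), {})
    conn = effective_conn(sections, name)
    findings = []
    if setup.get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes needed for UDP 4500 encapsulation")
    if conn.get("forceencaps") != "yes":
        findings.append(f"conn {name}: forceencaps=yes makes pluto use only port 4500")
    if conn.get("auto") != "start":
        findings.append(f"conn {name}: auto=start so this end initiates the VPN")
    # Assumption: Openswan's default keyingtries is %forever, i.e. 0.
    if conn.get("keyingtries", "0") != "0":
        findings.append(f"conn {name}: keyingtries=0 retries forever instead of "
                        f"giving up after {conn['keyingtries']} attempt(s)")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for finding in nat_findings(parsed, "tunnel1") or ["no findings"]:
        print(finding)
```

Run it against a real file by reading the text into parse_ipsec_conf; the sample above yields a single finding about keyingtries, and the same config with keyingtries=0 yields none.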