[Openswan Users] Tunnel failing to come up
Managed Pvt nets
mpn at icabs.co.zw
Thu Jan 22 15:39:02 EST 2015
On 22/01/2015 8:32:04 PM, "Neal Murphy" <neal.p.murphy at alum.wpi.edu> wrote:
>>> Your 'outer' router may need to forward port 500 and UDP port 4500 to
>>> your system. It may also need to allow protocol 50 (ESP) inbound. And it
>>> may need to allow them outbound.
>>>
>>> More likely you need to use forceencaps=yes in your ipsec config to
>>> tell pluto to use only port 4500 (NAT-Traversal) for that VPN. And you
>>> may need auto=start to ensure that your end starts the VPN; otherwise
>>> *your* pluto may wait forever for start packets that never arrive
>>> because of the intervening NAT (or double-NAT) on your end.
>>
>> Thanks Neal,
>>
>> Fortunately this has been done. Maybe my tcpdump may help shed some
>> light:
>
> Maybe not. :) Next: what's in /var/log/secure? I think that's where
> pluto 'usually' logs its progress. And post your ipsec.conf (obfuscate
> as little as you can).
I am assuming by /var/log/secure you are referring to /var/log/syslog on
my Debian box. The entries I have in there are:
===
Jan 22 22:24:28 jupiter ipsec_setup: ...Openswan IPsec started
Jan 22 22:24:28 jupiter pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 22 22:24:28 jupiter ipsec__plutorun: 002 added connection description "tunnel1"
Jan 22 22:24:28 jupiter ipsec__plutorun: 104 "tunnel1" #1: STATE_MAIN_I1: initiate
===
My ipsec.conf is as follows:
cat /etc/ipsec.conf
# basic configuration
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        protostack=netkey
        plutoopts="--perpeerlog"
        virtual_private=%v4:103.1.0.0/24,%v4:192.168.0.0/24,%v4:192.168.10.0/24,%v6:fd00::/8,%v6:fe80::/10
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        interfaces=%defaultroute

conn %default
        keyingtries=1

conn tunnel1
        type=tunnel
        auth=esp
        authby=secret
        # force UDP 4500 encapsulation (NAT-T) even if no NAT is detected
        forceencaps=yes
        ikelifetime=86400m
        rekeymargin=10m
        rekeyfuzz=0%
        keylife=28800s
        esp=3des-sha1
        ike=3des-sha1
        keyexchange=ike
        pfs=yes
        # this (NATed) end
        left=192.168.0.2
        leftsubnet=192.168.0.0/24
        leftnexthop=%defaultroute
        leftid=a.b.c.d
        # remote end
        right=w.x.y.z
        rightsubnet=192.168.10.0/24
        rightnexthop=%defaultroute
        rightid=w.x.y.z
        # initiate from this side at startup
        auto=start
Many thanks,
MPN
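An added diagnostic (not from this thread and not part of Openswan) that reads syslog lines in the format shown above and reports how far IKE Main Mode got for a connection: a tunnel whose last logged state is STATE_MAIN_I1 never got a reply to its first IKE message, which is the port-forwarding/NAT case Neal describes. The sample log lines are constructed; the "max number of retransmissions" line is assumed to be pluto's stock wording.

```shell
#!/bin/sh
# Constructed sample log, modelled on the poster's syslog; the third line is
# assumed stock pluto output for an unanswered Main Mode initiation.
SAMPLE_LOG='Jan 22 22:24:28 jupiter ipsec__plutorun: 002 added connection description "tunnel1"
Jan 22 22:24:28 jupiter ipsec__plutorun: 104 "tunnel1" #1: STATE_MAIN_I1: initiate
Jan 22 22:25:38 jupiter pluto: "tunnel1" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message'

# last_main_mode_state CONN LOGTEXT
# Prints the latest STATE_MAIN_* token logged for connection CONN (empty if none).
last_main_mode_state() {
    printf '%s\n' "$2" | grep -F "\"$1\"" | grep -o 'STATE_MAIN_[IR][1-4]' | tail -n 1
}

# diagnose CONN LOGTEXT
# Prints a one-line verdict; returns 0 only when Phase 1 (ISAKMP SA) completed.
diagnose() {
    state=$(last_main_mode_state "$1" "$2")
    case "$state" in
        "")
            echo "never-initiated: no Main Mode activity for $1; check auto=start or run 'ipsec auto --up $1'"
            return 1 ;;
        STATE_MAIN_I1)
            # Our first IKE packet got no answer: UDP 500/4500 is not reaching
            # the peer (or its reply is not reaching us), or the peer's pluto is down.
            echo "stuck-at-I1: no reply to first IKE message; verify the UDP 500/4500 path and the peer"
            return 1 ;;
        STATE_MAIN_I4|STATE_MAIN_R3)
            echo "phase1-complete: ISAKMP SA established; if no traffic flows, look at ESP/Phase 2"
            return 0 ;;
        *)
            echo "in-progress: last state $state"
            return 1 ;;
    esac
}

diagnose tunnel1 "$SAMPLE_LOG" || echo "tunnel1 is not up"
```

Point it at the real file with `diagnose tunnel1 "$(grep tunnel1 /var/log/syslog)"`; with plutostderrlog set, use /var/log/pluto.log instead.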