[Openswan Users] Tunnel failing to come up
andy
andy at andynet.net
Thu Jan 22 18:06:25 EST 2015
On Thu, Jan 22, 2015 at 08:39:02PM +0000, Managed Pvt nets wrote:
>
> On 22/01/2015 8:32:04 PM, "Neal Murphy" <neal.p.murphy at alum.wpi.edu> wrote:
>
> >
> >> >Your 'outer' router may need to forward port 500 and UDP port 4500 to
> >> >your system. It may also need to allow protocol 50 (ESP) inbound. And it
> >> >may need to allow them outbound.
> >> >
> >> >More likely you need to use forceencaps=yes in your ipsec config to
> >> >tell pluto to use only port 4500 (NAT-Traversal) for that VPN. And you
> >> >may need auto=start to ensure that your end starts the VPN; otherwise
> >> >*your* pluto may wait forever for start packets that never arrive
> >> >because of the intervening NAT (or double-NAT) on your end.
> >>
> >> Thanks Neal,
> >>
> >> Fortunately this has been done. Maybe my tcpdump may help shed some
> >> light:
> >
> >Maybe not. :) Next: what's in /var/log/secure? I think that's where pluto
> >'usually' logs its progress. And post your ipsec.conf (obfuscate as little
> >as you can).
> I am assuming by /var/log/secure you are referring to /var/log/syslog on my
> Debian box. The entries I have in there are:
/var/log/auth.log on Debian
>
> ===
> Jan 22 22:24:28 jupiter ipsec_setup: ...Openswan IPsec started
> Jan 22 22:24:28 jupiter pluto: adjusting ipsec.d to /etc/ipsec.d
> Jan 22 22:24:28 jupiter ipsec__plutorun: 002 added connection description "tunnel1"
> Jan 22 22:24:28 jupiter ipsec__plutorun: 104 "tunnel1" #1: STATE_MAIN_I1: initiate
> ===
>
> My ipsec.conf is as follows:
>
> cat /etc/ipsec.conf
> # basic configuration
> config setup
>         dumpdir=/var/run/pluto/
>         nat_traversal=yes
>         protostack=netkey
>         plutoopts="--perpeerlog"
>         virtual_private=%v4:103.1.0.0/24,%v4:192.168.0.0/24,%v4:192.168.10.0/24,%v6:fd00::/8,%v6:fe80::/10
>         # Use this to log to a file, or disable logging on embedded systems (like openwrt)
>         plutodebug=all
>         plutostderrlog=/var/log/pluto.log
>         interfaces=%defaultroute
>
>
> conn %default
>         keyingtries=1
>
> conn tunnel1
>         type=tunnel
>         auth=esp
>         authby=secret
>         forceencaps=yes
>         ikelifetime=86400m
>         rekeymargin=10m
>         rekeyfuzz=0%
>         keylife=28800s
>         esp=3des-sha1
>         ike=3des-sha1
>         keyexchange=ike
>         pfs=yes
>         left=192.168.0.2
>         leftsubnet=192.168.0.0/24
>         leftnexthop=%defaultroute
>         leftid=a.b.c.d
>         right=w.x.y.z
>         rightsubnet=192.168.10.0/24
>         rightnexthop=%defaultroute
>         rightid=w.x.y.z
>         auto=start
>
>
> Many thanks,
>
> MPN
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
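The log quoted in this thread stops at STATE_MAIN_I1, which is the symptom Neal's advice is about: pluto sent its first IKE packet and nothing came back. As an added diagnostic (not code from the thread, from Openswan, or from either poster), the script below reads pluto log lines in the format shown above and reports, per connection, the furthest initiator state reached and what being stuck there usually indicates. The sample log is constructed: tunnel1 reproduces the page's one state line, while tunnel2 is a hypothetical connection that negotiates all the way to an IPsec SA so the two cases can be compared.

```python
import re

# Constructed sample, modelled on the /var/log/auth.log lines quoted in the thread.
# "tunnel1" is the page's stuck connection; "tunnel2" is a hypothetical one that completes.
SAMPLE_LOG = """\
Jan 22 22:24:28 jupiter ipsec_setup: ...Openswan IPsec started
Jan 22 22:24:28 jupiter pluto: adjusting ipsec.d to /etc/ipsec.d
Jan 22 22:24:28 jupiter ipsec__plutorun: 002 added connection description "tunnel1"
Jan 22 22:24:28 jupiter ipsec__plutorun: 104 "tunnel1" #1: STATE_MAIN_I1: initiate
Jan 22 22:24:28 jupiter ipsec__plutorun: 002 added connection description "tunnel2"
Jan 22 22:24:28 jupiter ipsec__plutorun: 104 "tunnel2" #2: STATE_MAIN_I1: initiate
Jan 22 22:24:29 jupiter ipsec__plutorun: 106 "tunnel2" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 22 22:24:29 jupiter ipsec__plutorun: 108 "tunnel2" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 22 22:24:30 jupiter ipsec__plutorun: 004 "tunnel2" #2: STATE_MAIN_I4: ISAKMP SA established
Jan 22 22:24:30 jupiter ipsec__plutorun: 117 "tunnel2" #3: STATE_QUICK_I1: initiate
Jan 22 22:24:30 jupiter ipsec__plutorun: 004 "tunnel2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

# IKEv1 initiator states in the order pluto walks through them:
# main mode (phase 1) first, then quick mode (phase 2).
STATE_ORDER = [
    "STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4",
    "STATE_QUICK_I1", "STATE_QUICK_I2",
]

# What it usually means when a connection never advances past a given state.
HINTS = {
    "STATE_MAIN_I1": ("no reply to the first IKE packet: peer unreachable, UDP 500/4500 "
                      "not forwarded through the NAT/router, or the peer is not configured "
                      "for this address/ID"),
    "STATE_MAIN_I2": ("peer answered MI1 but not MI2: the key-exchange packet is larger, "
                      "so check that fragmented UDP survives the path between the hosts"),
    "STATE_MAIN_I3": ("peer rejected the encrypted ID/hash exchange: a pre-shared secret "
                      "or leftid/rightid mismatch is the usual cause"),
    "STATE_MAIN_I4": "ISAKMP SA established but quick mode never started",
    "STATE_QUICK_I1": ("phase 1 is up but there is no quick-mode reply: a subnet or "
                       "esp= proposal mismatch is the usual cause"),
    "STATE_QUICK_I2": "IPsec SA established (tunnel up)",
}

# Matches the '"conn" #N: STATE_...:' fragment that pluto puts on each state-change line.
LINE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_[A-Z0-9_]+):')


def highest_states(log_text):
    """Return {connection name: furthest initiator state seen} for the given log text."""
    furthest = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("state") not in STATE_ORDER:
            continue  # not a state line, or a responder/other state we do not rank
        conn, state = m.group("conn"), m.group("state")
        if conn not in furthest or STATE_ORDER.index(state) > STATE_ORDER.index(furthest[conn]):
            furthest[conn] = state
    return furthest


def diagnose(log_text):
    """Return {connection name: (furthest state, plain-language hint)}."""
    return {conn: (state, HINTS[state]) for conn, state in highest_states(log_text).items()}


if __name__ == "__main__":
    for conn, (state, hint) in diagnose(SAMPLE_LOG).items():
        print(f"{conn}: stuck at {state} -> {hint}")
```

Run against a real file with `diagnose(open("/var/log/auth.log").read())`; on the log quoted above it reports tunnel1 stuck at STATE_MAIN_I1, which points at the port-forwarding and NAT questions Neal raised rather than at the secret or proposal settings.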