[Openswan Users] tunnel ok, virtual interface down

Roi Rodríguez roi.rodriguez at qubitia.com
Mon May 4 13:06:30 EDT 2015


I wanted to obfuscate what i call THEIR_PUBLIC_IP in my last email, but 
i didn't in the 'ipsec auto --status' i posted. So, to clarify, 
THEIR_PUBLIC_IP is 198.202.190.103...

El 04/05/15 a las 18:52, Roi Rodríguez escribió:
> Hi,
>
> I'm having difficulties setting up a site-to-site tunnel. I've got no 
> previous backgroud with ipsec or VPNs.
>
> My network setup:
>
> 192.168.0.6-->192.168.0.1(gw:PUBLIC IP 
> IFACE)====THEIR_PUBLIC_IP---192.168.30.0/24
>
> 192.168.0.6 is the machine where i installed and configured openswan. 
> 192.168.0.1 is our office's router. The rest is on their side. I 
> enabled "IPSec passthrough" and redirected UDP 500 and 4500 to 
> 192.168.0.6.
>
>
>
> This is my ipsec.conf file:
>
> version    2.0
>
> config setup
>     plutodebug=none
>     dumpdir=/var/run/pluto/
>     oe=off
>     protostack=netkey
>     interfaces=%defaultroute
>
> conn idata
>     auto=start
>     authby=secret
>     type=tunnel
>     ike=3des-md5;modp1024
>     # Phase 1
>     keyexchange=ike
>     ikelifetime=86400s
>     # Phase 2
>     phase2=esp
>     pfs=no
>     leftid=$THEIR_PUBLIC_IP
>     left=$THEIR_PUBLIC_IP
>     leftnexthop=%defaultroute
>     leftsubnet=192.168.30.0/24
>     rightid=192.168.0.6
>     right=192.168.0.6
>     rightnexthop=192.168.0.1
>     rightsubnet=192.168.0.6/32
>
> COMMENT: 192.168.0.6/32 as the rightsubnet is just a test, i'll setup 
> this once connectivity works.
>
> When i bring up the "idata" connection:
> $ service ipsec status
> IPsec running  - pluto pid: 5112
> pluto pid 5112
> 1 tunnels up
> some eroutes exist
> $ ipsec auto --status
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.0.6
> 000 interface eth0/eth0 192.168.0.6
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 0 subnets:
> 000 - disallowed 0 subnets:
> 000 WARNING: Either virtual_private= is not specified, or there is a 
> syntax
> 000          error in that line. 'left/rightsubnet=vhost:%priv' will 
> not work!
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000          private address space in internal use, it should be excluded!
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, 
> keysizemin=40, keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, 
> keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, 
> keysizemin=384, keysizemax=384
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, 
> keysizemin=512, keysizemax=512
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, 
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, 
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, 
> keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "idata": 
> 192.168.0.6/32===192.168.0.6<192.168.0.6>---192.168.0.1...192.168.0.1---198.202.190.103<198.202.190.103>===192.168.30.0/24; 
> erouted; eroute owner: #2
> 000 "idata":     myip=unset; hisip=unset;
> 000 "idata":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "idata":   policy: 
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,32; 
> interface: eth0;
> 000 "idata":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "idata":   IKE algorithms wanted: 
> 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
> 000 "idata":   IKE algorithms found: 
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> 000 "idata":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 000
> 000 #2: "idata":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
> EVENT_SA_REPLACE in 26911s; newest IPSEC; eroute owner; isakmp#1; 
> idle; import:admin initiate
> 000 #2: "idata" esp.e00edafe at 198.202.190.103 esp.e6393f98 at 192.168.0.6 
> tun.0 at 198.202.190.103 tun.0 at 192.168.0.6 ref=0 refhim=4294901761
> 000 #1: "idata":4500 STATE_MAIN_I4 (ISAKMP SA established); 
> EVENT_SA_REPLACE in 84648s; newest ISAKMP; lastdpd=17s(seq in:0 
> out:0); idle; import:admin initiate
> 000
>
>
> According to the output tunnel seems up, but i can't see any ipsec0 
> interface or such.
> $ cat /var/run/pluto/ipsec.info
> defaultroutephys=eth0
> defaultroutevirt=none
> defaultrouteaddr=192.168.0.6
> defaultroutenexthop=192.168.0.1
>
> defaultroutevirt=none? Also "%myid = (none)", "myip=unset; 
> hisip=unset;"... I'm not sure these are problems.
>
> Can anyone give some help?
>
> Best regards
> -- 
> Roi Rodríguez Méndez
> Partner @ *Qubitia Solutions S.L.*
> Avda. Conde de Bugallal Nº61H 2ºA
> 36004 - Pontevedra (SPAIN)
> Phone. +34886213038
> roi.rodriguez at qubitia.com <mailto:roi.rodriguez at qubitia.com>
> http://www.qubitia.com
>
> El contenido de este e-mail (incluyendo los documentos adjuntos) es 
> privado y confidencial. Si usted no es el destinatario correcto, no 
> debe copiar, distribuir, tomar medida alguna o revelar ningún detalle 
> de este e-mail (incluyendo los documentos adjuntos) a ninguna persona, 
> empresa o corporación. Si usted recibiera este e-mail por error, por 
> favor notifíquenoslo inmediatamente.
>
> The contents of this email (including any attachments) are privileged 
> & confidential. If you are not an intended recipient, you must not 
> copy, distribute, take action in reliance on or disclose any details 
> of the e-mail (including any attachments) to any other person, firm or 
> corporation. If you received this email in error, please notify us 
> immediately.
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


-- 
Roi Rodríguez Méndez
Partner @ *Qubitia Solutions S.L.*
Avda. Conde de Bugallal Nº61H 2ºA
36004 - Pontevedra (SPAIN)
Phone. +34886213038
roi.rodriguez at qubitia.com <mailto:roi.rodriguez at qubitia.com>
http://www.qubitia.com

El contenido de este e-mail (incluyendo los documentos adjuntos) es 
privado y confidencial. Si usted no es el destinatario correcto, no debe 
copiar, distribuir, tomar medida alguna o revelar ningún detalle de este 
e-mail (incluyendo los documentos adjuntos) a ninguna persona, empresa o 
corporación. Si usted recibiera este e-mail por error, por favor 
notifíquenoslo inmediatamente.

The contents of this email (including any attachments) are privileged & 
confidential. If you are not an intended recipient, you must not copy, 
distribute, take action in reliance on or disclose any details of the 
e-mail (including any attachments) to any other person, firm or 
corporation. If you received this email in error, please notify us 
immediately.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20150504/38f9a506/attachment-0001.html>


More information about the Users mailing list