[Openswan Users] Why I have 2 tunnels up on Openswan?
Michael Furman
michael_furman at hotmail.com
Wed Oct 14 10:29:17 EDT 2015
Alex,
Thank you for your help!
I have added the allowed network in virtual_private:
virtual_private=%v4:172.16.0.0/16
I still have same warnings but I have one channel :)
In the previous mail I have replaced my real IPs with x.x.
In this mail I do not replace my IPs.
Questions:
1) Why I have same warnings?
2) Do I have problems with configuration of my tunnel?
The configuration:
conn tunnel1
leftid=@172.16.0.2
left=172.16.0.2
leftrsasigkey=0sAQPAhum5UFDrYdMcQChUs2mfDuH1bbJTV9mrA+H+CMWsG9ZoBqD0sAZiEDa7VcckUAzhX0pna99VRMXgyIw39qMplbwl2qPTh0Z3Gh0uU301tF/fqG3onBTkYZ2S2kEt2K4W9NX6kQtUHeS46tfK7EIezLaDAYyzszHCjBI589GPk3ONF5fP+JT32cjjsnSC7UZ42+whsuEYzA4PynRJPe8QZFPidIVAGMrPGM4G+f92Xu18W+nEPQ9F2TNwhonXEnRQm9T8h10VXXMaju76aHT0sFFJIF+usG8gvht+mHuSpVx0hYdvZ6tFeooOS3Y/TBT4Yd2wWyCmvn/M7VRBQXWe/B/ha9pr5A5LeD3Bv8VBfEUuOiJ8DfmCWV9EJVklDb3sSO7e9Ctbh1pMr8LaxBNihZARbk9VXG7Ec7wN3agcNh7AK8hqRHpHYeCI52oTKqW0WLwt7uD58aQaUb9KjJ3v6yyAB41yMk1uldW2Ne4UjVW7LD5KKJlSlcWPX2NMkDFzaLjgQjztDpGv2q1WtCCm3Z01Vygv6I5O0E4C1ho8di1RaHHBxHH1gmU5pEzDY+50JKj+oZMp/MBMm4sKXlIGhtFvL1jb7SKEo28ODA0VyqBOb6qZnqRDLY5wUQ47DpiRnceRVRBTRBGtIo3khYVQwMH9AskpWS5JBSjzs7tiww==
rightid=@172.16.0.1
right=172.16.0.1
rightrsasigkey=0sAQOaklcK7POvVOHl+oD6NoH49/By81rm4mGil+U2PK2caW6/V20eugufjRKMRbP7ubR8EUVzNY7lXj3ylocmysB08rWtCSkecPM3IMVxHusSLok8tv6nIkT/GclBcJlSoorCp+W7KGPVrj+KuCsqmjqpcUTrrsDbkuvt2lD49AoVPEy6ODAj2mEQvRER/Rpm868pGvz0xkGVjCnqKhD7jDdodXhkSJPq1MleRmGt8M17/6Bjk3FAATXCyksZ1kU9+XKhO9C5lajUnaElTXDu9vxuIjkNQ6pYlzagn6OO98WA+HxTwRCGmIxkWMZZ2fUGwHuWz4Kp2cPLgN7Tuxahr/U9NqWCKi7ti751yDiuLaHAu1J15ywUhRMSsQWse+nrDejQ17Pgb9UXqDsbnNNbkD7Lq1C2urUMOoBb0C76XlT5Yyr82phk9YaEj2x7m9AIRHmQMOv4z92po3Gz1mAeFroJJ1/HFF+u+HrMh5bO4tivTAtNNh7R7NfbrhkJtAlUJVfB8NK90DTiCxO9x6oXG1PNGeLT/duJ2H1VatCjkiRcpITX81ytHBUmMjDLpekPOOgSZlWNr+tbn32Li3Mnfx6tBoHjXk5kzSPgYWanfJQFyyczd1js/dG3kmtyQ6Gb8m08T0AN6cJVuezT0mWtLTIyztxdkah1QaLPQZz9W+LqrQ==
authby=rsasig
# load and initiate automatically
auto=start
virtual_private=%v4:172.16.0.0/16
The output of ipsec auto --status:
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.16.0.2
000 interface eth0/eth0 172.16.0.2
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "tunnel1": 172.16.0.2<172.16.0.2>[@172.16.0.2,+S=C]...172.16.0.1<172.16.0.1>[@172.16.0.1,+S=C]; erouted; eroute owner: #2
000 "tunnel1": myip=unset; hisip=unset;
000 "tunnel1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "tunnel1": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "tunnel1": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "tunnel1": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #2: "tunnel1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27381s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "tunnel1" esp.6960dfd0 at 172.16.0.1 esp.52077bc8 at 172.16.0.2 tun.0 at 172.16.0.1 tun.0 at 172.16.0.2 ref=0 refhim=4294901761
000 #1: "tunnel1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1940s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
From: alex.petcu at sipstatus.com
To: michael_furman at hotmail.com; users at lists.openswan.org
Subject: RE: [Openswan Users] Why I have 2 tunnels up on Openswan?
Date: Wed, 14 Oct 2015 12:42:01 +0000
I think the answer is here:
“000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!”
You should configure the allowed and blocked networks in the general section of the ipsec.conf file (virtual_private=).
Your tunnel is also not correctly configured:
x.x.0.2<x.x.0.2>[+S=C]...x.x.0.1<x.x.0.1>[+S=C]; erouted; eroute owner: #4
The left and right IPs should be the public IPs of the 2 ends of the tunnel.
From: Users [mailto:users-bounces at lists.openswan.org]
On Behalf Of Michael Furman
Sent: Wednesday, October 14, 2015 3:32 PM
To: users at lists.openswan.org
Subject: Re: [Openswan Users] Why I have 2 tunnels up on Openswan?
Hi,
I get the following output:
Where it is listed that I have 2 channels?
Why I have 2 channels if I have executed the following commands only once?
ipsec auto --add tunnel1
ipsec auto --up tunnel1
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 x.x.0.2
000 interface eth0/eth0 x.x.0.2
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "tunnel1": x.x.0.2<x.x.0.2>[+S=C]...x.x.0.1<x.x.0.1>[+S=C]; erouted; eroute owner: #4
000 "tunnel1": myip=unset; hisip=unset;
000 "tunnel1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "tunnel1": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "tunnel1": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "tunnel1": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "tunnel1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28147s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "tunnel1" esp.ff2e9b3f at x.x.0.1
esp.2d2e0f90 at x.x.0.2 tun.0 at x.x.0.1
tun.0 at x.x.0.2 ref=0 refhim=4294901761
000 #3: "tunnel1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2947s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "tunnel1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27661s; isakmp#1; idle; import:admin initiate
000 #2: "tunnel1" esp.599c11b1 at x.x.0.1
esp.88bbf3fd at x.x.0.2 tun.0 at x.x.0.1
tun.0 at x.x.0.2 ref=0 refhim=4294901761
000 #1: "tunnel1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2220s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
To remind you this is output of service ipsec status
IPsec running - pluto pid: 17009
pluto pid 17009
2 tunnels up
some eroutes exist
From:
alex.petcu at sipstatus.com
To: users at lists.openswan.org
Date: Mon, 12 Oct 2015 15:24:50 +0000
Subject: Re: [Openswan Users] Why I have 2 tunnels up on Openswan?
You can try to see more with
ipsec auto –status
It will show details for each tunnel.
From: Users [mailto:users-bounces at lists.openswan.org]
On Behalf Of Michael Furman
Sent: Monday, October 12, 2015 4:39 PM
To: users at lists.openswan.org
Subject: [Openswan Users] Why I have 2 tunnels up on Openswan?
I have started to use Openswan on Centos6 and was able to configure Host to Host using the following document:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html
My configuration is following (on both sides):
conn tunnel1
left=x.x.0.2
leftrsasigkey=0sA…iww==
right=x.x.0.1
rightrsasigkey=0sA…qrQ==
authby=rsasig
# load and initiate automatically
auto=start
I have enabled tunnel using the following command:
ipsec auto --add tunnel1
ipsec auto --up tunnel1
Why I have 2 tunnels up?
I see it on both sides
service ipsec status
IPsec running - pluto pid: 27830
pluto pid 27830
2 tunnels up
some eroutes exist
_______________________________________________
Users at lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users Micropayments:
https://flattr.com/thing/38387/IPsec-for-Linux-made-easy Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20151014/8767e60b/attachment-0001.html>
More information about the Users
mailing list