[Openswan Users] OpenSwan VPN Server and some Fritzboxes as clients
Daniel Pomrehn
post at daniel-pomrehn.de
Tue May 31 14:36:24 EDT 2016
Hi,
I'd like to set up OpenSwan 2.6.47.1 on a Linux server. The server is
installed in a Hyper-V environment with a Windows Server 2012 R2 as host
system.
The server can be reached under the public IP 138.201.xxx.xxx and the
hostname vpn.abc.de.
The VPN server should use the virtual subnet 192.168.5.0/24.
I have 3 fritzboxes which should connect to the VPN Server
* Fritzbox 1 has the local subnet 192.168.1.0/24
* Fritzbox 2 has the local subnet 192.168.2.0/24
* Fritzbox 3 has the local subnet 192.168.3.0/24
Because of the fritzboxes I have to use IPSec IKEv1.
That's the configuration of the server:
ipsec.conf:

version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24
    oe=off
    protostack=netkey

conn Fritz1
    authby=secret
    auto=add
    type=tunnel
    aggrmode=yes
    left=138.201.xxx.xxx
    leftid=vpn.abc.de
    leftnexthop=%defaultroute
    leftsourceip=192.168.5.2
    leftsubnet=192.168.5.0/24
    right=%any
    rightsubnet=192.168.1.0/24
    rightid=myfritz1.dyndns.org
    ike=aes256-sha1;modp2048

ipsec.secrets:

138.201.xxx.xxx %any: PSK "secretPW"
The VPN server can start without any errors.
On my first Fritzbox I used the following to connect:
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "VPN OpenSwan1";
        always_renew = yes;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 138.201.xxx.xxx;
        remote_virtualip = 0.0.0.0;
        localid {
            fqdn = " myfritz1.dyndns.org ";
        }
        remoteid {
            ipaddr = 138.201.xxx.xxx;
        }
        mode = phase1_mode_aggressive;
        phase1ss = "all/all/all";
        keytype = connkeytype_pre_shared;
        key = "secretPW";
        cert_do_server_auth = no;
        use_nat_t = yes;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.5.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 192.168.5.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
When I try to connect, the fritzbox shows an error:
VPN-Fehler: VPN OpenSwan1, IKE-Error 0x1c
<http://fritz.box/help/help.lua?sid=d51981a6bfa537ba&helppage=hilfe_syslog_122.html>
In the Openswan server log, I can't find anything.
Can anyone tell me what I am doing wrong?
Do I have to connect a virtual network card for each of the Fritzbox subnets
to my server? Or can I assign other IPs to the existing card?
Thank you very much in advance!
Best regards
Daniel
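Added example, not from the post above or from the Openswan project: a small Python checker that pulls out the values the two IKEv1 peers must agree on (phase 1 mode, the ID each side expects versus the ID the other side sends, the phase 2 subnets, and the PSK together with the selectors it is indexed by) from an ipsec.conf conn, ipsec.secrets and a FRITZ!Box vpncfg entry, and reports the disagreements. The inputs are the configs from the post, re-typed inline as constructed samples (masked address kept as posted, FRITZ!Box keys the checks do not need omitted); the function and code names are the example's own. The psk-selector check encodes the usual rule that in aggressive mode pluto selects the PSK by the IDs it receives in the first message, so name IDs should be indexed as @name in ipsec.secrets. Treat the output as points to verify rather than as a diagnosis of the 0x1c error: with an empty pluto log it is also worth confirming with tcpdump that UDP 500/4500 from the box reaches the server at all.

```python
# Added example (not from the post or the Openswan project): cross-check the
# IKEv1/PSK values an Openswan 'conn' and a FRITZ!Box vpncfg entry must agree on.
import ipaddress
import re

# Constructed sample inputs, re-typed from the configs in the post.
IPSEC_CONF = """\
config setup
    protostack=netkey
conn Fritz1
    authby=secret
    aggrmode=yes
    left=138.201.xxx.xxx
    leftid=vpn.abc.de
    leftsubnet=192.168.5.0/24
    right=%any
    rightid=myfritz1.dyndns.org
    rightsubnet=192.168.1.0/24
    ike=aes256-sha1;modp2048
"""
IPSEC_SECRETS = '138.201.xxx.xxx %any: PSK "secretPW"\n'
FRITZ_VPNCFG = """\
vpncfg {
    connections {
        remoteip = 138.201.xxx.xxx;
        localid {
            fqdn = " myfritz1.dyndns.org ";
        }
        remoteid {
            ipaddr = 138.201.xxx.xxx;
        }
        mode = phase1_mode_aggressive;
        key = "secretPW";
        phase2localid {
            ipnet {
                ipaddr = 192.168.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.5.0;
                mask = 255.255.255.0;
            }
        }
    }
}
"""


def parse_ipsec_conn(text, name):
    """Settings of one 'conn <name>' section of ipsec.conf as a dict."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
        elif current == name and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_fritz_vpncfg(text):
    """Flatten the FRITZ!Box block syntax to {'vpncfg.connections.localid.fqdn': ...}.
    Only the surrounding quotes are removed, so spaces inside them survive."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, _, value = line.rstrip(";").partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            out[".".join(path + [key.strip()])] = value
    return out


def parse_secrets(text):
    """PSK lines of ipsec.secrets as [(selectors, psk)]."""
    hits = (re.match(r'^\s*(.*?):\s*PSK\s+"(.*)"\s*$', l) for l in text.splitlines())
    return [(m.group(1).split(), m.group(2)) for m in hits if m]


def ipnet_cidr(addr, mask):
    """FRITZ!Box ipaddr/mask pair -> CIDR string such as 192.168.1.0/24."""
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cross_check(conf, secrets, fritz, conn="Fritz1"):
    """Return [(code, message)] for every point where the two peers disagree."""
    s, f = parse_ipsec_conn(conf, conn), parse_fritz_vpncfg(fritz)
    fz = lambda key: f.get("vpncfg.connections." + key)
    out = []
    # Phase 1 mode: FRITZ!Box aggressive <-> Openswan aggrmode=yes
    if (fz("mode") == "phase1_mode_aggressive") != (s.get("aggrmode") == "yes"):
        out.append(("phase1-mode", "one side uses aggressive mode, the other main mode"))
    # Server ID: what the box expects (remoteid) vs what pluto sends (leftid, default left).
    # A bare hostname in leftid is ambiguous; Openswan's literal-FQDN syntax is @name.
    expect_srv = fz("remoteid.ipaddr") or fz("remoteid.fqdn")
    send_srv = (s.get("leftid") or s.get("left")).lstrip("@")
    if expect_srv != send_srv:
        out.append(("server-id", f"FRITZ!Box expects server ID {expect_srv!r} but leftid "
                                 f"sends {send_srv!r}; IKE IDs must match exactly"))
    # Client ID: localid (quotes stripped, spaces kept) vs rightid
    send_cli = fz("localid.fqdn") or fz("localid.ipaddr") or ""
    expect_cli = (s.get("rightid") or "").lstrip("@")
    if send_cli != send_cli.strip():
        out.append(("client-id-whitespace", f"localid {send_cli!r} has spaces inside the "
                                            f"quotes, so it cannot equal rightid={expect_cli!r}"))
    elif send_cli != expect_cli:
        out.append(("client-id", f"localid {send_cli!r} != rightid {expect_cli!r}"))
    # Phase 2 selectors: each side's local subnet is the other's remote subnet
    for code, fkey, skey in (("client-subnet", "phase2localid", "rightsubnet"),
                             ("server-subnet", "phase2remoteid", "leftsubnet")):
        got = ipnet_cidr(fz(fkey + ".ipnet.ipaddr"), fz(fkey + ".ipnet.mask"))
        if got != s.get(skey):
            out.append((code, f"{fkey} {got} != {skey}={s.get(skey)}"))
    # PSK: same value on both sides and, in aggressive mode, indexed by the IDs pluto
    # sees in message 1 ('@server-id @client-id: PSK ...' when name IDs are used)
    psk_lines = parse_secrets(secrets)
    if fz("key") not in [psk for _, psk in psk_lines]:
        out.append(("psk-value", "FRITZ!Box key does not appear in ipsec.secrets"))
    if s.get("aggrmode") == "yes" and not (is_ip(send_srv) and is_ip(expect_cli)):
        ids = {send_srv, expect_cli}
        if not any(ids <= {sel.lstrip("@") for sel in sels} for sels, _ in psk_lines):
            out.append(("psk-selector", "name IDs in use but no ipsec.secrets line is "
                                        "indexed by both of them"))
    return out


if __name__ == "__main__":
    for code, msg in cross_check(IPSEC_CONF, IPSEC_SECRETS, FRITZ_VPNCFG):
        print(f"[{code}] {msg}")
```

Run as-is, it reports the three disagreements visible in the posted configs: the box authenticates the server by its IP address while leftid names vpn.abc.de, the box's localid carries spaces inside the quotes, and the PSK line is indexed by address/%any rather than by the name IDs. Nothing is reported for the phase 2 subnets or the PSK value, which do line up.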