Hi!<div><br></div><div>I'm going through the OpenSwan book by Paul Wouters and was successfully able to get the host-to-host tunnel working. The next step is to get your subnet to subnet tunnel up and running, and this is where I started running into problems. If I don't add the left/rightsubnets in and run tcpdump, I can see the ping packets in the AH stuff. However, once I add those, that is when things start breaking. If I ping 192.168.101.128 from .101.129, the pings aren't going through the tunnel anymore. If I also attempt to ping the other side of the remote gateway, I get...</div>
<div><br></div><div><div>$ ping 192.168.140.20</div><div>connect: Network is unreachable</div></div><div><br></div><div>Since I did this with pfsense and ipsec and things worked out, I would assume that by doing it in Ubuntu would work as well. If anybody can give any suggestions or help, that would be great, because I really have to learn this ipsec thing!</div>
<div><br></div><div>Below is my network information....</div><div><br></div><div>My topology looks like...</div><div><br></div>
<div><a href="http://192.168.140.0/24" target="_blank">192.168.140.0/24</a> -> 192.168.140.20 -> 192.168.101.128 << switch to another machine >> 192.168.101.129 -> 192.168.105.1 -> <a href="http://192.168.105.0/24" target="_blank">192.168.105.0/24</a></div>
<div><br></div><div>My config is as follows....</div><div><br></div><div>############</div><div><div>version<span style="white-space:pre-wrap">        </span>2.0<span style="white-space:pre-wrap">        </span># conforms to second version of ipsec.conf specification</div>
<div><br></div><div>config setup</div><div><span style="white-space:pre-wrap">        </span>interfaces=%defaultroute</div><div><span style="white-space:pre-wrap">        </span>nat_traversal=yes</div>
<div><span style="white-space:pre-wrap">        </span>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/1,%v4:!192.168.101.0/24" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/1,%v4:!192.168.101.0/24</a></div>
<div><br></div><div>conn %default</div><div><span style="white-space:pre-wrap">        </span>authby=rsasig</div><div><span style="white-space:pre-wrap">        </span>auth=ah</div><div><br></div><div>
conn test </div><div><span style="white-space:pre-wrap">        </span>left=192.168.101.128</div><div><span style="white-space:pre-wrap">        </span>leftsubnet=<a href="http://192.168.140.0/24" target="_blank">192.168.140.0/24</a></div>
<div><span style="white-space:pre-wrap">        </span>leftrsasigkey=0sAQOwZ1F.....</div><div><span style="white-space:pre-wrap">        </span>right=192.168.101.129</div><div><span style="white-space:pre-wrap">        </span>rightsubnet=<a href="http://192.168.5.0/24" target="_blank">192.168.5.0/24</a></div>
<div><span style="white-space:pre-wrap">        </span>rightrsasigkey=0sAQOXP.....</div><div><span style="white-space:pre-wrap">        </span>auto=start</div><div><div>############</div><div><br></div>
<div>The log looks like this....</div><div><br></div><div><div>############</div></div><div>Jun 12 15:11:16 attic pluto[6315]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:6315</div><div>
<div>Jun 12 15:11:16 attic pluto[6315]: LEAK_DETECTIVE support [disabled]</div><div>Jun 12 15:11:16 attic pluto[6315]: OCF support for IKE [disabled]</div><div>Jun 12 15:11:16 attic pluto[6315]: SAref support [disabled]: Protocol not available</div>
<div>Jun 12 15:11:16 attic pluto[6315]: SAbind support [disabled]: Protocol not available</div><div>Jun 12 15:11:16 attic pluto[6315]: NSS support [disabled]</div><div>Jun 12 15:11:16 attic pluto[6315]: HAVE_STATSD notification support not compiled in</div>
<div>Jun 12 15:11:16 attic pluto[6315]: Setting NAT-Traversal port-4500 floating to on</div><div>Jun 12 15:11:16 attic pluto[6315]: port floating activation criteria nat_t=1/port_float=1</div><div>Jun 12 15:11:16 attic pluto[6315]: NAT-Traversal support [enabled]</div>
<div>Jun 12 15:11:16 attic pluto[6315]: using /dev/urandom as source of random entropy</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)</div><div>Jun 12 15:11:16 attic pluto[6315]: starting up 1 cryptographic helpers</div>
<div>Jun 12 15:11:16 attic pluto[6315]: started helper pid=6318 (fd:6)</div><div>Jun 12 15:11:16 attic pluto[6315]: Kernel interface auto-pick</div><div>Jun 12 15:11:16 attic pluto[6315]: Using Linux 2.6 IPsec interface code on 3.2.0-24-generic (experimental code)</div>
<div>Jun 12 15:11:16 attic pluto[6318]: using /dev/urandom as source of random entropy</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div>
<div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)</div>
<div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div>
<div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)</div>
<div>Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/cacerts'</div><div>Jun 12 15:11:16 attic pluto[6315]: loaded CA cert file 'strongCert.pem' (1407 bytes)</div><div>Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/aacerts'</div>
<div>Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/ocspcerts'</div><div>Jun 12 15:11:16 attic pluto[6315]: Changing to directory '/etc/ipsec.d/crls'</div><div>Jun 12 15:11:16 attic pluto[6315]: Warning: empty directory</div>
<div>Jun 12 15:11:16 attic pluto[6315]: added connection description "test"</div><div>Jun 12 15:11:16 attic pluto[6315]: listening for IKE messages</div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 <a href="http://192.168.101.129:500" target="_blank">192.168.101.129:500</a></div>
<div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 <a href="http://192.168.101.129:4500" target="_blank">192.168.101.129:4500</a></div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 <a href="http://192.168.105.1:500" target="_blank">192.168.105.1:500</a></div>
<div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 <a href="http://192.168.105.1:4500" target="_blank">192.168.105.1:4500</a></div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo <a href="http://127.0.0.1:500" target="_blank">127.0.0.1:500</a></div>
<div>Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo <a href="http://127.0.0.1:4500" target="_blank">127.0.0.1:4500</a></div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo ::1:500</div><div>Jun 12 15:11:16 attic pluto[6315]: loading secrets from "/etc/ipsec.secrets"</div>
<div>Jun 12 15:11:16 attic pluto[6315]: loaded private key for keyid: PPK_RSA:AQOXP/NQt</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: initiating Main Mode</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Dead Peer Detection]</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109 </div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: enabling possible NAT-traversal with method 4</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [CAN-IKEv2]</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.101.128'</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:9b8ca5cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}</div>
<div>
Jun 12 15:11:16 attic pluto[6315]: "test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x36bc78bc <0x95684c6d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
<div>Jun 12 15:11:34 attic pluto[6315]: "test" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7901353b) not found (maybe expired)</div><div>Jun 12 15:11:34 attic pluto[6315]: "test" #1: received and ignored informational message</div>
</div><div><div>############</div></div><div><br></div><div><br></div><div></div></div></div>