Simon,<div><br></div><div>Thanks for the info. You are correct, it should have been <a href="http://192.168.105.0/24">192.168.105.0/24</a>. I suppose I was staring at IP's for too long today.</div><div><br></div><div>
The problem turned out to actually be me not adding something called "leftsourceip" and "righsourceip" to the config. Paul responded and said to add it. I also sawa posting on here about this from last year. </div>
<div><br></div><div>source: <a href="https://lists.openswan.org/pipermail/users/2011-February/020093.html">https://lists.openswan.org/pipermail/users/2011-February/020093.html</a></div><div><br></div><div>After adding these, things started working.</div>
<div><br></div><div>Thanks all! Hopefully things will start working smoother!</div><div><br></div><div><br><br><div class="gmail_quote">On Tue, Jun 12, 2012 at 6:19 PM, simon charles <span dir="ltr"><<a href="mailto:charlessimon@hotmail.com" target="_blank">charlessimon@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">
Hi , <br> Please check your leftsubnet/rightsubnet. Per your topology <br><div class="im"><br><div><a href="http://192.168.140.0/24" target="_blank">192.168.140.0/24</a>
-> 192.168.140.20 -> 192.168.101.128 << switch to another
machine >> 192.168.101.129 -> 192.168.105.1 -> <a href="http://192.168.105.0/24" target="_blank">192.168.105.0/24</a></div>
</div><div><br>it should be <a href="http://192.168.140.0/24" target="_blank">192.168.140.0/24</a> and <a href="http://192.168.105.0/24" target="_blank">192.168.105.0/24</a> but you have them defined as <br></div><br><div>
<span style="white-space:pre-wrap"> </span>leftsubnet=<a href="http://192.168.140.0/24" target="_blank">192.168.140.0/24</a></div>
<div><span style="white-space:pre-wrap"> </span>leftrsasigkey=0sAQOwZ1F.....</div><div><span style="white-space:pre-wrap"> </span>right=192.168.101.129</div><div><span style="white-space:pre-wrap"> </span>rightsubnet=<a href="http://192.168.5.0/24" target="_blank">192.168.5.0/24</a> <== a typo ? / should it be <a href="http://192.168.105.0/24" target="_blank">192.168.105.0/24</a><br>
<br></div><br><br><span style="font-family:Tahoma,Helvetica,Sans-Serif;font-style:italic;font-weight:bold">-<span style="font-family:Times New Roman,Times,Serif"> Simon Charles - </span></span><br><br><br><div><div></div>
<hr>Date: Tue, 12 Jun 2012 15:33:51 -0500<br>From: <a href="mailto:wiz561@gmail.com" target="_blank">wiz561@gmail.com</a><br>To: <a href="mailto:users@lists.openswan.org" target="_blank">users@lists.openswan.org</a><br>Subject: [Openswan Users] Can't get subnets to connect<div>
<div class="h5"><br><br>Hi!<div><br></div><div>I'm going through the OpenSwan book by Paul Wouters and was successfully able to get the host-to-host tunnel working. The next step is to get your subnet to subnet tunnel up and running, and this is where I started running into problems. If I don't add the left/rightsubnets in and run tcpdump, I can see the ping packets in the AH stuff. However, once I add those, that is when things start breaking. If I ping 192.168.101.128 from .101.129, the pings aren't going through the tunnel anymore. If I also attempt to ping the other side of the remote gateway, I get...</div>
<div><br></div><div><div>$ ping 192.168.140.20</div><div>connect: Network is unreachable</div></div><div><br></div><div>Since I did this with pfsense and ipsec and things worked out, I would assume that by doing it in Ubuntu would work as well. If anybody can give any suggestions or help, that would be great, because I really have to learn this ipsec thing!</div>
<div><br></div><div>Below is my network information....</div><div><br></div><div>My topology looks like...</div><div><br></div>
<div><a href="http://192.168.140.0/24" target="_blank">192.168.140.0/24</a> -> 192.168.140.20 -> 192.168.101.128 << switch to another machine >> 192.168.101.129 -> 192.168.105.1 -> <a href="http://192.168.105.0/24" target="_blank">192.168.105.0/24</a></div>
<div><br></div><div>My config is as follows....</div><div><br></div><div>############</div><div><div>version<span style="white-space:pre-wrap"> </span>2.0<span style="white-space:pre-wrap"> </span># conforms to second version of ipsec.conf specification</div>
<div><br></div><div>config setup</div><div><span style="white-space:pre-wrap"> </span>interfaces=%defaultroute</div><div><span style="white-space:pre-wrap"> </span>nat_traversal=yes</div>
<div><span style="white-space:pre-wrap"> </span>virtual_private=%v4:<a href="http://10.0.0.0/8%2c%v4:192.168.0.0/16%2c%v4:172.16.0.0/12%2c%v4:25.0.0.0/8%2c%v6:fd00::/8%2c%v6:fe80::/1%2c%v4:%21192.168.101.0/24" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/1,%v4:!192.168.101.0/24</a></div>
<div><br></div><div>conn %default</div><div><span style="white-space:pre-wrap"> </span>authby=rsasig</div><div><span style="white-space:pre-wrap"> </span>auth=ah</div><div><br></div><div>
conn test </div><div><span style="white-space:pre-wrap"> </span>left=192.168.101.128</div><div><span style="white-space:pre-wrap"> </span>leftsubnet=<a href="http://192.168.140.0/24" target="_blank">192.168.140.0/24</a></div>
<div><span style="white-space:pre-wrap"> </span>leftrsasigkey=0sAQOwZ1F.....</div><div><span style="white-space:pre-wrap"> </span>right=192.168.101.129</div><div><span style="white-space:pre-wrap"> </span>rightsubnet=<a href="http://192.168.5.0/24" target="_blank">192.168.5.0/24</a></div>
<div><span style="white-space:pre-wrap"> </span>rightrsasigkey=0sAQOXP.....</div><div><span style="white-space:pre-wrap"> </span>auto=start</div><div><div>############</div><div><br></div>
<div>The log looks like this....</div><div><br></div><div><div>############</div></div><div>Jun 12 15:11:16 attic pluto[6315]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:6315</div><div>
<div>Jun 12 15:11:16 attic pluto[6315]: LEAK_DETECTIVE support [disabled]</div><div>Jun 12 15:11:16 attic pluto[6315]: OCF support for IKE [disabled]</div><div>Jun 12 15:11:16 attic pluto[6315]: SAref support [disabled]: Protocol not available</div>
<div>Jun 12 15:11:16 attic pluto[6315]: SAbind support [disabled]: Protocol not available</div><div>Jun 12 15:11:16 attic pluto[6315]: NSS support [disabled]</div><div>Jun 12 15:11:16 attic pluto[6315]: HAVE_STATSD notification support not compiled in</div>
<div>Jun 12 15:11:16 attic pluto[6315]: Setting NAT-Traversal port-4500 floating to on</div><div>Jun 12 15:11:16 attic pluto[6315]: port floating activation criteria nat_t=1/port_float=1</div><div>Jun 12 15:11:16 attic pluto[6315]: NAT-Traversal support [enabled]</div>
<div>Jun 12 15:11:16 attic pluto[6315]: using /dev/urandom as source of random entropy</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)</div><div>Jun 12 15:11:16 attic pluto[6315]: starting up 1 cryptographic helpers</div>
<div>Jun 12 15:11:16 attic pluto[6315]: started helper pid=6318 (fd:6)</div><div>Jun 12 15:11:16 attic pluto[6315]: Kernel interface auto-pick</div><div>Jun 12 15:11:16 attic pluto[6315]: Using Linux 2.6 IPsec interface code on 3.2.0-24-generic (experimental code)</div>
<div>Jun 12 15:11:16 attic pluto[6318]: using /dev/urandom as source of random entropy</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div>
<div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)</div>
<div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div>
<div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_add(): ERROR: Algorithm already exists</div><div>Jun 12 15:11:16 attic pluto[6315]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)</div>
<div>Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/cacerts'</div><div>Jun 12 15:11:16 attic pluto[6315]: loaded CA cert file 'strongCert.pem' (1407 bytes)</div><div>Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/aacerts'</div>
<div>Jun 12 15:11:16 attic pluto[6315]: Changed path to directory '/etc/ipsec.d/ocspcerts'</div><div>Jun 12 15:11:16 attic pluto[6315]: Changing to directory '/etc/ipsec.d/crls'</div><div>Jun 12 15:11:16 attic pluto[6315]: Warning: empty directory</div>
<div>Jun 12 15:11:16 attic pluto[6315]: added connection description "test"</div><div>Jun 12 15:11:16 attic pluto[6315]: listening for IKE messages</div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 <a href="http://192.168.101.129:500" target="_blank">192.168.101.129:500</a></div>
<div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth0/eth0 <a href="http://192.168.101.129:4500" target="_blank">192.168.101.129:4500</a></div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 <a href="http://192.168.105.1:500" target="_blank">192.168.105.1:500</a></div>
<div>Jun 12 15:11:16 attic pluto[6315]: adding interface eth1/eth1 <a href="http://192.168.105.1:4500" target="_blank">192.168.105.1:4500</a></div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo <a href="http://127.0.0.1:500" target="_blank">127.0.0.1:500</a></div>
<div>Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo <a href="http://127.0.0.1:4500" target="_blank">127.0.0.1:4500</a></div><div>Jun 12 15:11:16 attic pluto[6315]: adding interface lo/lo ::1:500</div><div>Jun 12 15:11:16 attic pluto[6315]: loading secrets from "/etc/ipsec.secrets"</div>
<div>Jun 12 15:11:16 attic pluto[6315]: loaded private key for keyid: PPK_RSA:AQOXP/NQt</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: initiating Main Mode</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [Dead Peer Detection]</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [RFC 3947] method set to=109 </div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: enabling possible NAT-traversal with method 4</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: received Vendor ID payload [CAN-IKEv2]</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.101.128'</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}</div>
<div>Jun 12 15:11:16 attic pluto[6315]: "test" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:9b8ca5cf proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}</div>
<div>
Jun 12 15:11:16 attic pluto[6315]: "test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</div><div>Jun 12 15:11:16 attic pluto[6315]: "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x36bc78bc <0x95684c6d xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
<div>Jun 12 15:11:34 attic pluto[6315]: "test" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7901353b) not found (maybe expired)</div><div>Jun 12 15:11:34 attic pluto[6315]: "test" #1: received and ignored informational message</div>
</div><div><div>############</div></div><div><br></div><div><br></div><div></div></div></div>
<br></div></div>_______________________________________________
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></div> </div></div>
</blockquote></div><br></div>