Gentoo Forums - Networking & Security
ipsec openswan connecting two networks

Author: py-ro (Veteran)
Joined: 24 Sep 2002
Posts: 1734
Location: Velbert

Posted: Thu Jun 20, 2013 2:31 pm    Post subject: ipsec openswan connecting two networks
Hi,

I am trying to connect two nets together.

Both endpoints are reachable without NAT involved.

ipsec.conf
Code:

version 2.0
config setup

        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=auto

conn %default
    keyingtries=3
    compress=no
    disablearrivalcheck=no
    keyexchange=ike
    ikelifetime=3600s
    keylife=60m

conn Test-5
    leftprotoport=17/1701
    rightprotoport=17/1701
    rekey=no
    authby=secret
    pfs=no
    type=tunnel
    left=89.238.81.16
    leftnexthop=89.238.81.1
    leftsubnet=10.0.0.0/16

    right=89.238.aa.aa
    rightsubnet=10.1.0.0/16
    auto=start


ipsec look
Code:

vpn Thu Jun 20 16:27:20 CEST 2013
XFRM state:
src 89.238.aa.aa dst 89.238.bb.bb
        proto esp spi 0x66a1ff40 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x051e1d59b0aeb9c0b93bcd7b97af923bdf1dcbbc 96
        enc cbc(aes) 0x4b5b73558b5002b9d327fd1fd2e005e3
src 89.238.bb.bb dst 89.238.aa.aa
        proto esp spi 0xa80143b3 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xdb67fa31e24f526a5565aef59e09ee77f0717fd6 96
        enc cbc(aes) 0xf76e56df94de55057cbd2ecad7a33684
src 89.238.bb.bb dst 89.238.aa.aa
        proto esp spi 0xfc3b1b4f reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x114bc1c3561fb599df9df20c41acbba76881c247 96
        enc cbc(aes) 0x74bb0e3e42eba42db1f8c38aca096bb3
src 89.238.aa.aa dst 89.238.bb.bb
        proto esp spi 0xe8399fa3 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xb162c23bc52a450cf363d26e4ce09864dad5db4f 96
        enc cbc(aes) 0x45b8e7abcf13686d388dc2013abe50c3
XFRM policy:
src 10.0.0.0/16 dst 10.1.0.0/16 proto udp sport 1701 dport 1701
        dir out priority 2608
        tmpl src 89.238.aa.aa dst 89.238.bb.bb
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16 proto udp sport 1701 dport 1701
        dir fwd priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16 proto udp sport 1701 dport 1701
        dir in priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
XFRM done
IPSEC mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
NEW_IPSEC_CONN mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ROUTING TABLES
default via 89.238.81.1 dev ifext  metric 3
10.0.0.0/16 dev ifext  proto kernel  scope link  src 10.0.0.16
89.238.aa.aa/24 dev ifext  proto kernel  scope link  src 89.238.aa.aa
fe80::/64 dev ifext  proto kernel  metric 256


Log:
Code:

Jun 20 16:10:15 vpn pluto[28456]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:28456
Jun 20 16:10:15 vpn pluto[28456]: LEAK_DETECTIVE support [disabled]
Jun 20 16:10:15 vpn pluto[28456]: OCF support for IKE [disabled]
Jun 20 16:10:15 vpn pluto[28456]: SAref support [disabled]: Protocol not available
Jun 20 16:10:15 vpn pluto[28456]: SAbind support [disabled]: Protocol not available
Jun 20 16:10:15 vpn pluto[28456]: NSS support [disabled]
Jun 20 16:10:15 vpn pluto[28456]: HAVE_STATSD notification support not compiled in
Jun 20 16:10:15 vpn pluto[28456]: Setting NAT-Traversal port-4500 floating to on
Jun 20 16:10:15 vpn pluto[28456]:    port floating activation criteria nat_t=1/port_float=1
Jun 20 16:10:15 vpn pluto[28456]:    NAT-Traversal support  [enabled]
Jun 20 16:10:15 vpn pluto[28456]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: starting up 7 cryptographic helpers
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28458 (fd:6)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28460 (fd:7)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28461 (fd:8)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28462 (fd:9)
Jun 20 16:10:15 vpn pluto[28460]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28458]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28463 (fd:10)
Jun 20 16:10:15 vpn pluto[28461]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28465 (fd:11)
Jun 20 16:10:15 vpn pluto[28456]: started helper pid=28466 (fd:12)
Jun 20 16:10:15 vpn pluto[28456]: Kernel interface auto-pick
Jun 20 16:10:15 vpn pluto[28456]: Using Linux 2.6 IPsec interface code on 3.9.1 (experimental code)
Jun 20 16:10:15 vpn pluto[28462]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28463]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28465]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28466]: using /dev/urandom as source of random entropy
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 20 16:10:15 vpn pluto[28456]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jun 20 16:10:15 vpn pluto[28456]: added connection description "Test-5"
Jun 20 16:10:15 vpn ipsec__plutorun: 002 added connection description "Test-5"
Jun 20 16:10:15 vpn pluto[28456]: listening for IKE messages
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 10.0.0.16:500
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 10.0.0.16:4500
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 89.238.81.16:500
Jun 20 16:10:15 vpn pluto[28456]: adding interface ifext/ifext 89.238.81.16:4500
Jun 20 16:10:15 vpn pluto[28456]: adding interface lo/lo 127.0.0.1:500
Jun 20 16:10:15 vpn pluto[28456]: adding interface lo/lo 127.0.0.1:4500
Jun 20 16:10:15 vpn pluto[28456]: adding interface lo/lo ::1:500
Jun 20 16:10:15 vpn pluto[28456]: loading secrets from "/etc/ipsec.secrets"
Jun 20 16:10:15 vpn pluto[28456]: loaded private key for keyid: PPK_RSA:AQOGX63hC
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: initiating Main Mode
Jun 20 16:10:15 vpn ipsec__plutorun: 104 "Test-5" #1: STATE_MAIN_I1: initiate
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [Dead Peer Detection]
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [RFC 3947] method set to=115
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: received Vendor ID payload [CAN-IKEv2]
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: Main mode peer ID is ID_IPV4_ADDR: '89.238.75.159'
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:216579df proposal=defaults pfsgroup=no-pfs}
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 20 16:10:15 vpn pluto[28456]: "Test-5" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xe8399fa3 <0xfc3b1b4f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [Dead Peer Detection]
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [RFC 3947] method set to=115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jun 20 16:10:19 vpn pluto[28456]: packet from 89.238.75.159:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: responding to Main Mode
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: Main mode peer ID is ID_IPV4_ADDR: '89.238.75.159'
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #3: the peer proposed: 10.0.0.0/16:17/1701 -> 10.1.0.0/16:17/1701
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: responding to Quick Mode proposal {msgid:57241b03}
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4:     us: 10.0.0.0/16===89.238.81.16<89.238.81.16>:17/1701---89.238.81.1
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4:   them: 89.238.75.159<89.238.75.159>:17/1701===10.1.0.0/16
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: keeping refhim=4294901761 during rekey
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 20 16:10:19 vpn pluto[28456]: "Test-5" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x66a1ff40 <0xa80143b3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}


I assigned 10.0.0.16 to 89.238.aa.aa and 10.1.0.1 to 89.238.bb.bb, but can't get a connection over these IPs.

Some hint would be useful. :(
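Added example (not part of the post above, and not Openswan code): a small checker that reads the "XFRM policy:" section of `ipsec look` (the same shape as `ip xfrm policy`) and answers, for a given flow between the two subnets, whether any installed policy would hand it to ESP at all. The policies in the post carry the selector `proto udp sport 1701 dport 1701`, which is what `leftprotoport=17/1701` / `rightprotoport=17/1701` in the posted conn produce; the checker makes visible which test traffic such a selector covers. The first dump mirrors the post's policies, the second is a constructed contrast with a plain subnet-to-subnet selector; all function names (`parse_xfrm_policies`, `find_policy`, `coverage_report`) are this example's own.

```python
import ipaddress
import re

# Constructed sample in the shape of the "XFRM policy:" section of `ipsec look`,
# mirroring the policies the post shows for conn Test-5 (endpoints kept masked).
XFRM_POLICY_TEST5 = """\
XFRM policy:
src 10.0.0.0/16 dst 10.1.0.0/16 proto udp sport 1701 dport 1701
        dir out priority 2608
        tmpl src 89.238.aa.aa dst 89.238.bb.bb
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16 proto udp sport 1701 dport 1701
        dir fwd priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16 proto udp sport 1701 dport 1701
        dir in priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
"""

# Constructed contrast: a conn with no leftprotoport/rightprotoport lines,
# i.e. a plain subnet-to-subnet selector with no protocol or port restriction.
XFRM_POLICY_ANYPROTO = """\
src 10.0.0.0/16 dst 10.1.0.0/16
        dir out priority 2608
        tmpl src 89.238.aa.aa dst 89.238.bb.bb
                proto esp reqid 16385 mode tunnel
src 10.1.0.0/16 dst 10.0.0.0/16
        dir in priority 2608
        tmpl src 89.238.bb.bb dst 89.238.aa.aa
                proto esp reqid 16385 mode tunnel
"""

# Selector line of a policy: src/dst are mandatory, proto and ports optional.
SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?"
    r"(?: sport (?P<sport>\d+))?"
    r"(?: dport (?P<dport>\d+))?"
)


def parse_xfrm_policies(text):
    """Parse a policy dump into dicts. Per-socket policies are dropped: they
    carry no ESP template, so they never encrypt anything."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # unindented line: new selector or a header
            m = SELECTOR_RE.match(line)
            if not m:                     # e.g. the "XFRM policy:" header line
                current = None
                continue
            current = {
                "src": ipaddress.ip_network(m.group("src")),
                "dst": ipaddress.ip_network(m.group("dst")),
                "proto": m.group("proto"),
                "sport": int(m.group("sport")) if m.group("sport") else None,
                "dport": int(m.group("dport")) if m.group("dport") else None,
                "dir": None,
                "tmpl": None,
            }
            policies.append(current)
        elif current is not None:         # indented detail lines of the current policy
            if line.startswith("dir "):
                current["dir"] = line.split()[1]
            elif line.startswith("socket "):
                current["dir"] = "socket"
            elif line.startswith("tmpl "):
                current["tmpl"] = line[len("tmpl "):]
    return [p for p in policies if p["dir"] != "socket"]


def find_policy(policies, src_ip, dst_ip, proto, sport=None, dport=None, direction="out"):
    """Return the first policy in `direction` whose selector covers the flow, or
    None when the flow is not IPsec traffic as far as the kernel is concerned."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] != direction or src not in p["src"] or dst not in p["dst"]:
            continue
        if p["proto"] is not None and p["proto"] != proto:
            continue
        if p["sport"] is not None and p["sport"] != sport:
            continue
        if p["dport"] is not None and p["dport"] != dport:
            continue
        return p
    return None


def coverage_report(text, flows):
    """Map each flow label to True (a tunnel policy covers it) or False."""
    policies = parse_xfrm_policies(text)
    return {label: find_policy(policies, s, d, proto, sp, dp) is not None
            for label, s, d, proto, sp, dp in flows}


# Flows a tester would try between the hosts named in the post.
FLOWS = [
    ("icmp ping 10.0.0.16 -> 10.1.0.1", "10.0.0.16", "10.1.0.1", "icmp", None, None),
    ("ssh 10.0.0.16 -> 10.1.0.1", "10.0.0.16", "10.1.0.1", "tcp", 44321, 22),
    ("l2tp udp/1701 10.0.0.16 -> 10.1.0.1", "10.0.0.16", "10.1.0.1", "udp", 1701, 1701),
]

if __name__ == "__main__":
    for name, dump in (("Test-5 as posted", XFRM_POLICY_TEST5),
                       ("without protoport", XFRM_POLICY_ANYPROTO)):
        print(f"== {name} ==")
        for label, covered in coverage_report(dump, FLOWS).items():
            print(f"  {'TUNNELLED' if covered else 'NOT COVERED':12} {label}")
```

Run against the posted dump, only the udp/1701 flow is reported as tunnelled; a ping or an SSH session between 10.0.0.16 and 10.1.0.1 matches no policy and so never enters ESP, while the contrast dump covers all three. To use it on a live box, feed it the output of `ip xfrm policy` instead of the embedded samples.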