Networking Forums

ipsec routing problem

Marco
      11-25-2006, 10:44 AM
Hi all, I have 3 Linux boxes that I want to connect by an IPsec VPN: I
mean fw1 connects with fw2 and fw1 connects with fw3. Here is the ipsec.conf
of fw1:

version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug=all # "control parsing"
    nat_traversal=yes
conn fw1fw2
    left=217.57.85.18
    leftsubnet=217.57.85.16/255.255.255.248
    leftrsasigkey=0sAQP0UhWiH...
    leftnexthop=217.57.85.17
    right=88.51.97.34
    rightsubnet=88.51.97.32/255.255.255.248
    rightrsasigkey=0sAQNxXhUNwUKfNH....
    rightnexthop=88.51.97.33 # correct in many situations
    auto=add
conn fw1fw3
    left=217.57.85.18
    leftsubnet=217.57.85.16/255.255.255.248
    leftrsasigkey=0sAQP0UhWiHm...
    leftnexthop=217.57.85.17
    right=88.46.243.74
    rightsubnet=88.46.243.72/255.255.255.248
    rightrsasigkey=0sAQNZwcN5mfKB6lctl...
    rightnexthop=88.46.243.73 # correct in many situations
    auto=add # authorizes but doesn't start
include /etc/ipsec.d/*.conf

The included file is no_oe.conf.

So if I start the first connection I get:
[root@fw1 ~]# ipsec auto --verbose --up fw1fw2
002 "fw1fw2" #1: initiating Main Mode
104 "fw1fw2" #1: STATE_MAIN_I1: initiate
003 "fw1fw2" #1: received Vendor ID payload [Openswan (this version) 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "fw1fw2" #1: received Vendor ID payload [Dead Peer Detection]
002 "fw1fw2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "fw1fw2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "fw1fw2" #1: I did not send a certificate because I do not have one.
002 "fw1fw2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "fw1fw2" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "fw1fw2" #1: Main mode peer ID is ID_IPV4_ADDR: '88.51.97.34'
002 "fw1fw2" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "fw1fw2" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
002 "fw1fw2" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
117 "fw1fw2" #2: STATE_QUICK_I1: initiate
002 "fw1fw2" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "fw1fw2" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x84f7df29 <0x2052a452 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


It seems OK, but if I try to ping from 192.168.1.1 to 192.168.2.250 I
get:
[root@192.168.1.1 ~]# ping 192.168.2.250
PING 192.168.2.250 (192.168.2.250) 56(84) bytes of data.
From 82.186.69.157 icmp_seq=1 Packet filtered
From 82.186.69.157 icmp_seq=2 Packet filtered
From 82.186.69.157 icmp_seq=3 Packet filtered


and also:
[root@192.168.1.1 ~]# telnet 192.168.2.250 5900
Trying 192.168.2.250...
telnet: connect to address 192.168.2.250: No route to host

Why? Do you have any suggestions?

Here is status:
[root@fw1 ~]# ipsec auto --verbose --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 217.57.85.18
000 interface eth1/eth1 192.168.1.254
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "fw1fw2": 217.57.85.16/29===217.57.85.18---217.57.85.17...88.51.97.33---88.51.97.34===88.51.97.32/29; erouted; eroute owner: #2
000 "fw1fw2": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "fw1fw2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "fw1fw2": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 29,29; interface: eth0;
000 "fw1fw2": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "fw1fw2": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "fw1fw3": 217.57.85.16/29===217.57.85.18---217.57.85.17...88.46.243.73---88.46.243.74===88.46.243.72/29; unrouted; eroute owner: #0
000 "fw1fw3": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "fw1fw3": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "fw1fw3": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 29,29; interface: eth0;
000 "fw1fw3": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "fw1fw2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27376s; newest IPSEC; eroute owner
000 #2: "fw1fw2" esp.84f7df29@88.51.97.34 esp.2052a452@217.57.85.18 tun.0@88.51.97.34 tun.0@217.57.85.18
000 #1: "fw1fw2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2180s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000

Jeroen Geilman
      11-25-2006, 07:11 PM
Marco wrote:

> Hi all, I have 3 Linux boxes that I want to connect by an IPsec VPN: I
> mean fw1 connects with fw2 and fw1 connects with fw3. Here is the ipsec.conf


> [root@192.168.1.1 ~]# telnet 192.168.2.250 5900
> Trying 192.168.2.250...
> telnet: connect to address 192.168.2.250: No route to host
>
> Why? do you have any suggestion?


Yes: run route -n and enlighten yourself with your routing table.
The above means exactly nothing without knowing what your network looks
like.

--
All your bits are belong to us.
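Two checks from this thread, combined in one script: whether a source/destination pair falls inside any conn's leftsubnet/rightsubnet selector in ipsec.conf (the configuration Marco posted), and which entry of the routing table the packet would follow otherwise (the `route -n` table Jeroen asks for). This is an added example written for this page, not code from the thread or from Openswan. The conn excerpt reproduces the subnets posted above with keys and nexthops left out; the `route -n` output is constructed, and its default route via 217.57.85.17 and its eth1 network are assumptions consistent with the interface addresses in the status output, not something shown in the thread. Run against the thread's own addresses it reports that 192.168.1.1 -> 192.168.2.250 lies outside every selector, so a packet like that is never handed to IPsec at all, whatever `ipsec auto --status` says about the SA.

```python
import ipaddress

# Constructed ipsec.conf excerpt (example data, not the thread's full file):
# the two conn sections from the thread with their subnets; rsasigkeys, nexthops
# and the 'config setup' section are omitted because this check does not use them.
IPSEC_CONF = """\
conn fw1fw2
    left=217.57.85.18
    leftsubnet=217.57.85.16/255.255.255.248
    right=88.51.97.34
    rightsubnet=88.51.97.32/255.255.255.248
    auto=add
conn fw1fw3
    left=217.57.85.18
    leftsubnet=217.57.85.16/255.255.255.248
    right=88.46.243.74
    rightsubnet=88.46.243.72/255.255.255.248
    auto=add # authorizes but doesn't start
"""

# Constructed `route -n` output for fw1. Assumption (not shown in the thread):
# eth0 is on the public /29 with the default route via 217.57.85.17, and eth1
# is on 192.168.1.0/24, matching the interface addresses in `ipsec auto --status`.
ROUTE_N = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.57.85.16    0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         217.57.85.17    0.0.0.0         UG    0      0        0 eth0
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section.

    Parameter lines are 'key=value'; a trailing '# comment' is dropped.
    Sections other than 'conn' (such as 'config setup') are skipped.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def selector(subnet_value, host):
    """One side's traffic selector: leftsubnet/rightsubnet when given (CIDR or
    addr/dotted-mask, both accepted by ipaddress), else the gateway address itself."""
    if subnet_value is None:
        return ipaddress.ip_network(host)
    return ipaddress.ip_network(subnet_value, strict=False)


def matching_conns(conns, src, dst):
    """Names of conns whose leftsubnet->rightsubnet selector covers src->dst
    (outbound from the 'left' gateway). A packet that matches no selector is
    not encapsulated; it follows the plain routing table in cleartext."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [name for name, p in conns.items()
            if s in selector(p.get("leftsubnet"), p["left"])
            and d in selector(p.get("rightsubnet"), p["right"])]


def parse_routes(text):
    """Parse `route -n` rows into (network, gateway, iface); header rows are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
        except ValueError:  # the 'Destination Gateway Genmask ...' header row
            continue
        routes.append((net, fields[1], fields[7]))
    return routes


def longest_match(routes, dst):
    """Longest-prefix match, as the kernel does; returns (gateway, iface) or None."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in routes if d in r[0]]
    if not candidates:
        return None
    _net, gw, iface = max(candidates, key=lambda r: r[0].prefixlen)
    return gw, iface


def diagnose(src, dst, conf=IPSEC_CONF, route_text=ROUTE_N):
    """Which conn (if any) carries src->dst, and the plain route it would take otherwise."""
    conns = matching_conns(parse_conns(conf), src, dst)
    route = longest_match(parse_routes(route_text), dst)
    return {"conns": conns, "route": route, "encrypted": bool(conns)}


if __name__ == "__main__":
    for pair in [("192.168.1.1", "192.168.2.250"), ("217.57.85.18", "88.51.97.34")]:
        print(pair, diagnose(*pair))
```

The result worth watching is `"encrypted": False` together with a route pointing at the default gateway: that combination means LAN-to-LAN packets leave the gateway unprotected and are then dropped, filtered or forwarded by whoever sits on that path, which is exactly the kind of silent cleartext leak a selector mismatch produces.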