
List:       openswan-users
Subject:    [Openswan Users] OpenSwan VPN connectivity to VPN 3030 I need Help from you Guys
From:       Imran Shakir <shaker.emran () gmail ! com>
Date:       2012-03-30 8:14:18
Message-ID: CAEAzGOLOG5u05SArSqYeyg_809sZ2V0GndTo_L2rYtHz4r+xFw () mail ! gmail ! com

Hi

 I've installed Openswan on Ubuntu 10.04.

it has two interfaces

eth0   10.202.70.227
eth0:0   192.168.222.66
live/public  or peer ip from my side is    50.17.183.241

other side is VPN 3030

peer ip from their side is   202.125.152.237
subnet from their side is   172.16.5.0/24
host from their side that sends request to my machine is   172.16.5.67/32

 I've one network interface: eth0 = 10.202.70.227.

 I've created another Virtual Network Interface: eth0:0 = 192.168.222.66.

 I've Elastic IP: 50.17.183.241.

 I've done NATting with the following commands:

 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

 then used more commands like this:

 iptables --flush
 iptables -t nat --flush
 iptables --delete-chain
 iptables -t nat --delete-chain
 # masquerade everything leaving eth0 behind the primary address
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 # allow forwarding from the alias interface
 iptables -A FORWARD -i eth0:0 -j ACCEPT

 I've configured my connection as under:

 conn TEST
     type=tunnel
     authby=secret
     # Phase 1 (IKE) proposal and lifetime
     ike=3des-md5-modp1024
     ikelifetime=86400s
     # Phase 2 (ESP) proposal and lifetime
     phase2=esp
     phase2alg=3des-md5;modp1024
     lifetime=28800s
     forceencaps=yes
     pfs=no
     # local side: private interface address, Elastic IP as identity
     left=10.202.70.227
     leftid=50.17.183.241
     leftnexthop=%defaultroute
     leftsubnet=192.168.222.66/32
     # remote side: Cisco VPN 3030
     right=202.125.152.237
     rightid=202.125.152.237
     rightsubnet=172.16.5.67/32
     rightnexthop=%defaultroute
     dpdaction=restart
     dpddelay=30
     dpdtimeout=45
     auto=add

 Now when I try to start the tunnel with the command ipsec auto --up TEST, the
 tunnel is not coming up and I cannot ping the other side's IP addresses. When I
 ping 172.16.b.b. I don't get any reply.

 All ports are open for all IP addresses, and the firewall allows all. Still no
 success.

 My routing table is as under:

 Destination     Gateway         Genmask         Flags Metric Ref Use Iface
 192.168.222.0   0.0.0.0         255.255.255.0   U     0      0   0   eth0
 10.202.70.0     0.0.0.0         255.255.254.0   U     0      0   0   eth0
 0.0.0.0         10.202.70.1     0.0.0.0         UG    100    0   0   eth0
 0.0.0.0         10.202.70.1     0.0.0.0         UG    100    0   0   eth0


 iptables -L shows:

 Chain INPUT (policy ACCEPT)

 target     prot opt source               destination


 Chain FORWARD (policy ACCEPT)

 target     prot opt source               destination

 ACCEPT     all  --  anywhere             anywhere


 Chain OUTPUT (policy ACCEPT)

 target     prot opt source               destination

 Kindly guide me on what I am missing: the tunnel is being established
 successfully, but I cannot ping the other side, and they cannot ping me.

 Am I missing any route? Kindly let me know what route to add, if I have
 missed any.

 Thank you very much. Waiting for any answer. Thank you guys.

 Regards

 Imran

 LOG is:

> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2236: Dead Peer Detection (RFC 3706): enabled
> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2237: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#2236 msgid:a2d8cddd proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2236: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=00000000
> Mar 29 09:51:49 mx2 pluto[10593]: "ufoneIN" #2236: received and ignored informational message
> Mar 29 09:51:50 mx2 pluto[10593]: "ufoneIN" #2236: received Delete SA payload: deleting ISAKMP State #2236
> Mar 29 09:51:50 mx2 pluto[10593]: packet from 202.125.152.237:4500: received and ignored informational message
> Mar 29 09:52:01 mx2 CRON[21635]: pam_unix(cron:session): session opened for user root by (uid=0)
> Mar 29 09:52:01 mx2 CRON[21635]: pam_unix(cron:session): session closed for user root
> Mar 29 09:52:32 mx2 pluto[10593]: "ufoneIN": deleting connection
> Mar 29 09:52:32 mx2 pluto[10593]: "ufoneIN" #2237: deleting state (STATE_QUICK_I1)
> Mar 29 09:52:32 mx2 pluto[10593]: added connection description "ufoneIN"
> Mar 29 09:52:36 mx2 pluto[10593]: "ufoneIN" #2238: initiating Main Mode
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I2: sent MI2, expecting MR2
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [Cisco-Unity]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [XAUTH]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring unknown Vendor ID payload [938d9ec7b1eb6956bf8485a99551f9b7]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I3: sent MI3, expecting MR3
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received Vendor ID payload [Dead Peer Detection]
> Mar 29 09:52:37 mx2 pluto[10593]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: Main mode peer ID is ID_IPV4_ADDR: '202.125.152.237'
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: Dead Peer Detection (RFC 3706): enabled
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2239: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#2238 msgid:3544a45b proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=00000000
> Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: received and ignored informational message
> Mar 29 09:52:38 mx2 pluto[10593]: "ufoneIN" #2238: received Delete SA payload: deleting ISAKMP State #2238
> Mar 29 09:52:38 mx2 pluto[10593]: packet from 202.125.152.237:4500: received and ignored informational message
>
> Any idea how to resolve it?
>

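As an added diagnostic example (not part of the original post, and not Openswan code): the quoted pluto log shows Main Mode completing ("ISAKMP SA established" on state #2238) and the peer sending Delete SA for that same ISAKMP state one second after Quick Mode #2239 is initiated, so the negotiation is dying in Phase 2, not Phase 1. The script below groups pluto events per connection and state number and reports that pattern; the sample log is constructed from the lines quoted above, and the "IPsec SA established" match string for a completed Phase 2 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Mar 29 09:52:36 mx2 pluto[10593]: "ufoneIN" #2238: initiating Main Mode
Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2239: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#2238 msgid:3544a45b proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Mar 29 09:52:37 mx2 pluto[10593]: "ufoneIN" #2238: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=00000000
Mar 29 09:52:38 mx2 pluto[10593]: "ufoneIN" #2238: received Delete SA payload: deleting ISAKMP State #2238
Mar 29 09:52:38 mx2 pluto[10593]: packet from 202.125.152.237:4500: received and ignored informational message
"""

# Only lines carrying a connection name and a state number are negotiation events.
EVENT_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
DELETE_RE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(\d+)')

def verdict(s):
    """Decide how far the IKEv1 exchange got for one connection."""
    if not s["phase1"]:
        return "phase1-failed"
    if s["ipsec_sa"]:
        return "tunnel-up"
    if s["quick_mode"] and s["phase1"] & s["peer_deleted"]:
        # Main Mode succeeded, Quick Mode started, then the peer tore down the
        # ISAKMP SA: the Phase 2 proposal/subnets need checking, not Phase 1.
        return "phase2-rejected-by-peer"
    return "phase2-pending"

def analyze(log_text):
    summary = defaultdict(lambda: {"phase1": set(), "quick_mode": set(),
                                   "ipsec_sa": set(), "peer_deleted": set()})
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        conn, state, msg = m["conn"], int(m["state"]), m["msg"]
        s = summary[conn]
        if "ISAKMP SA established" in msg:      # Phase 1 (Main Mode) done
            s["phase1"].add(state)
        elif "initiating Quick Mode" in msg:    # Phase 2 attempt, new state number
            s["quick_mode"].add(state)
        elif "IPsec SA established" in msg:     # Phase 2 done (assumed match string)
            s["ipsec_sa"].add(state)
        d = DELETE_RE.search(msg)
        if d:                                    # peer deleted the ISAKMP SA
            s["peer_deleted"].add(int(d.group(1)))
    for s in summary.values():
        s["verdict"] = verdict(s)
    return dict(summary)
```

Running analyze() over the full quoted log gives the same verdict for both attempts (#2236/#2237 and #2238/#2239), which is the signature of a Phase 2 mismatch rather than a routing or firewall problem on the Openswan host.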