List: openswan-users
Subject: [Openswan Users] No tunnel up
From: users-bounces () lists ! openswan ! org
Date: 2013-09-10 21:44:08
Message-ID: mailman.31.1378849448.2700.users () lists ! openswan ! org
Saved from the spam bucket. Please remember to subscribe to the mailing before posting to it.
From: Marcelo Martins <martinsmc@gmail.com>
Subject: No tunnel up
Date: 10 September, 2013 5:44:04 PM EDT
To: users@lists.openswan.org
Hi all,

I am trying a lab to solve an issue on my site.
But my lab does not bring up the IPsec tunnel. Are there any tips on where I am going wrong?
I am using 2 Linux machines on my VMware Workstation with openswan-2.6.16.
Machine 1 - eth0 IP 172.17.2.50 and eth1 IP 192.168.0.1/24
Machine 2 - eth0 IP 172.17.2.35 and eth1 10.3.0.0/16
I try to bring up a VPN on the 2 machines, but the tunnel is not up; I receive this information on status on both servers:
#rcipsec status
IPsec running - pluto pid: 15363
pluto pid 15363
No tunnels up
I tried a simple configuration, the same /etc/ipsec.conf on the two servers, below:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    protostack=netkey
    uniqueids=no
    oe=no

conn teste-1
    left=172.17.2.50
    leftsubnet=192.168.0.0/24
    leftrsasigkey=0sAQNiR10vw0...< cut.>
    right=172.17.2.35
    rightsubnet=10.3.0.0/16
    rightrsasigkey=0sAQN5cjrUq <cut>..
    auto=start

include /etc/ipsec.d/no_oe.conf
run:
# rcipsec start
run ipsec verify
SLES11SP2:~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.16/K3.0.13-0.27-default (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Logs are the same on the two machines
#grep pluto /var/log/messages
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: received Vendor ID payload [Openswan (this version) 2.6.16 ]
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: received Vendor ID payload [Dead Peer Detection]
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: received Vendor ID payload [CAN-IKEv2]
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.2.35'
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:1c47c6f9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x90471c5e <0x648edcc2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
I see the IPsec SA established, but the tunnel is not up.
If you have any ideas, let me know :)
Thanks
-
Marcelo Martins
http://martinsmc.blogspot.com
Grupo Astronomia Nevoeiro
http://www.nevoeiro.org
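
Added example, not part of the original message: a small Python parser that summarizes, per connection, what pluto logged for IKE phase 1 (ISAKMP SA) and phase 2 (IPsec SA), run over log lines copied from the post above. The function name `summarize` and the result keys are assumptions of this example.

```python
import re

# Log lines copied from the message above (line wraps joined); nothing here is new data.
SAMPLE = '''\
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:1c47c6f9 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 4 17:16:59 SLES11SP2 pluto[15064]: "teste-1" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x90471c5e <0x648edcc2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
'''

# pluto prefixes each message with the quoted connection name and the state number.
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ISAKMP = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
IPSEC = re.compile(
    r'IPsec SA established (?P<mode>\w+) mode '
    r'\{ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<inn>0x[0-9a-fA-F]+) xfrm=(?P<xfrm>\S+)')


def summarize(text):
    """Return {conn: {'phase1': dict or None, 'phase2': dict or None}}."""
    result = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a per-connection pluto message
        entry = result.setdefault(m['conn'], {'phase1': None, 'phase2': None})
        p1 = ISAKMP.search(m['msg'])
        if p1:
            # key=value pairs such as auth=..., cipher=..., prf=..., group=...
            entry['phase1'] = dict(kv.split('=', 1) for kv in p1['params'].split())
        p2 = IPSEC.search(m['msg'])
        if p2:
            # "=>" is the outbound SPI, "<" the inbound SPI
            entry['phase2'] = {'mode': p2['mode'], 'spi_out': p2['out'],
                               'spi_in': p2['inn'], 'xfrm': p2['xfrm']}
    return result


if __name__ == '__main__':
    for conn, state in summarize(SAMPLE).items():
        print(conn, 'phase1:', state['phase1'], 'phase2:', state['phase2'])
```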