
List:       openswan-users
Subject:    [Openswan Users] Tunnel built but no routes
From:       Dan August <danaug23 () gmail ! com>
Date:       2016-01-13 20:53:58
Message-ID: CAPp_i+z-zMcMgS3Le9TDeSLvcw+Upekmx6p8c9Y2t3SODSFPcg () mail ! gmail ! com


Hello,
   I'm creating what should be a simple VPN from a Linux box to a Fortigate
Firewall. Everything seems to be up and established (I can see the session
built in the Fortigate and the Linux machine), but I'm not seeing any
routes in my routing table (also no tunnel/ipsec interface). I would like
to tunnel all traffic (not required) from the Linux box to the Fortigate.
Let me know what other information would be helpful. Thank you for your
help!



ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-48-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


------------------------------------------------

service ipsec status
IPsec running  - pluto pid: 6986
pluto pid 6986
1 tunnels up
some eroutes exist
------------------------------------------------



cat /etc/ipsec.conf

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:192.168.0.0/16
        oe=off
        protostack=netkey
------------------------------------------------

cat /etc/ipsec.d/linux-fortigate.conf
conn LinuxFortigate
    type=tunnel
    authby=secret
    pfs=yes
    ike=aes128-sha1
    phase2alg=aes128-sha1
    #ike=3des-md5
    #phase2alg=3des-md5
    aggrmode=no
    keylife=86400s
    ikelifetime=28800s
    left=LEFT PUBLIC IP
    leftnexthop=%defaultroute
    leftsubnet=192.168.25.175/32
    right=RIGHT PUBLIC IP
    rightnexthop=%defaultroute
    rightsubnet=0.0.0.0/0
    auto=start

------------------------------------------------


netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         GATEWAY     0.0.0.0         UG        0 0          0 eth0
PUBLIC IP    0.0.0.0         255.255.240.0   U         0 0          0 eth0

------------------------------------------------

ip xfrm state
src FORTIGATE dst LINUX
        proto esp spi 0xdd25af12 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x8de9a0f329851a2b78aa6dc47c72d1d32f0dc4d7 96
        enc cbc(aes) 0x0d4ada3372a3001f7033e63409508020
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src LINUX dst FORTIGATE
        proto esp spi 0xff6dd9ba reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x2d9fe5a9d38fffee9f0e24dfccdcf77190e48760 96
        enc cbc(aes) 0x0d98dec84f1e3fabc1888cfadccfddfa
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0



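The symptom in the post (tunnel up, SAs present, no routes, no ipsec interface) is normal for protostack=netkey: the netkey/XFRM stack installs kernel security associations (ip xfrm state) and policies (ip xfrm policy) and never adds routes or an ipsecN device, so netstat -nr looks unchanged on a working tunnel; the "some eroutes exist" line in service ipsec status refers to those kernel policies. What decides whether a packet is encrypted is the outbound policy selector, so a packet not sourced from an address inside leftsubnet leaves in the clear no matter what the routing table says. The script below is an added example, not part of the original post or of Openswan; it reads the two XFRM tables (or, when not root or without the ip tool, constructed sample output in the same shape as the post's, with RFC 5737 documentation addresses and dummy key material) and reports whether each reqid has an inbound/outbound SA pair and whether an outbound policy exists for the conn's leftsubnet and rightsubnet.

```shell
#!/bin/sh
# Added example (not from the original post or Openswan): read-only sanity
# check for a netkey/XFRM tunnel. netkey installs SAs and policies only; the
# absence of routes and of an ipsecN interface is expected, not a fault.

# Constructed sample in the shape of the post's "ip xfrm state" output.
# 203.0.113.2 stands for the Linux box, 198.51.100.7 for the Fortigate;
# key material is all-zero dummy data.
SAMPLE_STATE='src 198.51.100.7 dst 203.0.113.2
        proto esp spi 0xdd25af12 reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
        enc cbc(aes) 0x00000000000000000000000000000000
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 203.0.113.2 dst 198.51.100.7
        proto esp spi 0xff6dd9ba reqid 16385 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
        enc cbc(aes) 0x00000000000000000000000000000000
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0'

# Constructed sample in the shape of "ip xfrm policy" for the post's conn
# (leftsubnet=192.168.25.175/32, rightsubnet=0.0.0.0/0).
SAMPLE_POLICY='src 192.168.25.175/32 dst 0.0.0.0/0
        dir out priority 2344
        tmpl src 203.0.113.2 dst 198.51.100.7
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 192.168.25.175/32
        dir fwd priority 2344
        tmpl src 198.51.100.7 dst 203.0.113.2
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 192.168.25.175/32
        dir in priority 2344
        tmpl src 198.51.100.7 dst 203.0.113.2
                proto esp reqid 16385 mode tunnel'

# Number of SAs: each one starts with a "src ... dst ..." header line.
sa_count() {
    printf '%s\n' "$1" | grep -c '^src '
}

# Print every reqid that does not have exactly two SAs (one per direction).
# Empty output means Phase 2 is fully installed in both directions.
unpaired_reqids() {
    printf '%s\n' "$1" | awk '
        $1 == "proto" { for (i = 1; i <= NF; i++) if ($i == "reqid") n[$(i+1)]++ }
        END { for (r in n) if (n[r] != 2) print r }'
}

# Print the "src -> dst" selectors of outbound policies. Only packets matching
# one of these are encrypted; everything else is sent in the clear.
out_selectors() {
    printf '%s\n' "$1" | awk '
        $1 == "src" && $3 == "dst" { sel = $2 " -> " $4 }
        $1 == "dir" && $2 == "out" { print sel }'
}

# Succeed (exit 0) if an outbound policy from $2 to $3 exists, by exact
# match on the CIDR strings the kernel prints.
policy_covers() {
    out_selectors "$1" | grep -qxF "$2 -> $3"
}

# Human-readable report over a state table, a policy table and the conn's
# left/right subnets.
tunnel_report() {
    state="$1"; policy="$2"; local_net="$3"; remote_net="$4"
    printf 'SAs installed: %s\n' "$(sa_count "$state")"
    bad=$(unpaired_reqids "$state")
    if [ -z "$bad" ]; then
        echo "every reqid has an inbound+outbound SA pair"
    else
        echo "unpaired reqid(s), Phase 2 half-installed: $bad"
    fi
    if policy_covers "$policy" "$local_net" "$remote_net"; then
        echo "outbound policy $local_net -> $remote_net present: matching traffic is tunnelled"
    else
        echo "no outbound policy $local_net -> $remote_net: that traffic leaves unencrypted"
    fi
}

# Use the live kernel tables when running as root with the ip tool available;
# otherwise fall back to the constructed samples so the script runs anywhere.
if [ "$(id -u)" = 0 ] && ip xfrm state >/dev/null 2>&1; then
    tunnel_report "$(ip xfrm state)" "$(ip xfrm policy)" "${1:-192.168.25.175/32}" "${2:-0.0.0.0/0}"
else
    tunnel_report "$SAMPLE_STATE" "$SAMPLE_POLICY" 192.168.25.175/32 0.0.0.0/0
fi
```

Run it as root on the Linux side with the conn's leftsubnet and rightsubnet as arguments; if the outbound policy is reported present, test with traffic sourced from an address inside leftsubnet (for example ping -I), since traffic from any other local address will not match the selector and is not a test of the tunnel.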
