# OpenSwan - can't ping remote subnet :(

## mallchin

Someone please help me diagnose a VPN setup issue with OpenSwan -- it says the connection is established but I am unable to ping the remote subnet :(

I used this guide: http://gentoo-wiki.com/HOWTO_OpenSwan_2.6_kernel

Here's my setup (sorry for the long post):

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file:  /usr/share/doc/openswan-2.3.1/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        #forwardcontrol=no
        klipsdebug=all
        plutodebug=all
        #nat_traversal=yes

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

include /etc/ipsec/openswana-openswanb.conf
```

```
/etc/ipsec/ipsec.d/examples/no_oe.conf

# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.3.1/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
```

```
/etc/ipsec/openswana-openswanb.conf

conn openswana-openswanb
        left=80.194.34.18
        leftsubnet=192.168.214.0/24
        leftnexthop=80.194.34.17
        leftid=@basildon.technowaste.com
        leftrsasigkey=0sAQNmKCKh...
        right=86.132.10.115
        rightsubnet=192.168.1.0/24
        rightnexthop=217.47.66.140
        rightid=@brighton.technowaste.com
        rightrsasigkey=0sAQN7M7S3...
        authby=rsasig
        auto=start
```

```
/etc/racoon/racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/etc/racoon";
#include "remote.conf";

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt";

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/cert";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier asn1dn;
        certificate_type x509 "my.cert.pem" "my.key.pem";

        nonce_size 16;
        initial_contact on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

remote ::1 [8000]
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier user_fqdn "sakane@kame.net";
        peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
        pfs_group 2;
        lifetime time 30 sec;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
        pfs_group 3;
        lifetime time 60 sec;
        encryption_algorithm 3des, blowfish, aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
```

Still with me... I hope so...

Here's the log when I start ipsec:

```
Aug 22 19:37:27 [ipsec_setup] Starting Openswan IPsec U2.3.1/K2.6.12-gentoo-r6...
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/net/ipv4/xfrm4_tunnel.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/crypto/sha1.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/crypto/md5.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/crypto/des.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/arch/i386/crypto/aes-i586.ko
Aug 22 19:37:27 [ipsec_setup] KLIPS ipsec0 on eth1 80.194.34.18/255.255.255.240 broadcast 80.194.34.255
Aug 22 19:37:28 [ipsec__plutorun] Starting Pluto subsystem...
Aug 22 19:37:28 [ipsec_setup] ...Openswan IPsec started
Aug 22 19:37:28 [pluto] Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Aug 22 19:37:28 [pluto] Setting port floating to on
Aug 22 19:37:28 [pluto] port floating activate 1/1
Aug 22 19:37:28 [pluto] including NAT-Traversal patch (Version 0.6c)
Aug 22 19:37:28 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 22 19:37:28 [pluto] starting up 1 cryptographic helpers
Aug 22 19:37:28 [pluto] started helper pid=7233 (fd:6)
Aug 22 19:37:28 [pluto] Using Linux 2.6 IPsec interface code
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Aug 22 19:37:28 [pluto] Warning: empty directory
Aug 22 19:37:28 [pluto] added connection description "openswana-openswanb"
Aug 22 19:37:28 [pluto] listening for IKE messages
Aug 22 19:37:28 [pluto] adding interface lo/lo 127.0.0.1:500
Aug 22 19:37:28 [pluto] adding interface lo/lo 127.0.0.1:4500
Aug 22 19:37:28 [pluto] adding interface eth1:3/eth1:3 80.194.34.22:500
Aug 22 19:37:28 [pluto] adding interface eth1:3/eth1:3 80.194.34.22:4500
Aug 22 19:37:28 [pluto] adding interface eth1:2/eth1:2 80.194.34.21:500
Aug 22 19:37:28 [pluto] adding interface eth1:2/eth1:2 80.194.34.21:4500
Aug 22 19:37:28 [pluto] adding interface eth1:1/eth1:1 80.194.34.20:500
Aug 22 19:37:28 [pluto] adding interface eth1:1/eth1:1 80.194.34.20:4500
Aug 22 19:37:28 [pluto] adding interface eth1:0/eth1:0 80.194.34.19:500
Aug 22 19:37:28 [pluto] adding interface eth1:0/eth1:0 80.194.34.19:4500
Aug 22 19:37:28 [pluto] adding interface eth1/eth1 80.194.34.18:500
Aug 22 19:37:28 [pluto] adding interface eth1/eth1 80.194.34.18:4500
Aug 22 19:37:28 [pluto] adding interface eth0/eth0 192.168.214.5:500
Aug 22 19:37:28 [pluto] adding interface eth0/eth0 192.168.214.5:4500
Aug 22 19:37:28 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Aug 22 19:37:28 [pluto] "openswana-openswanb" #1: initiating Main Mode
Aug 22 19:37:28 [ipsec__plutorun] 104 "openswana-openswanb" #1: STATE_MAIN_I1: initiate
Aug 22 19:37:28 [ipsec__plutorun] ...could not start conn "openswana-openswanb"
Aug 22 19:37:29 [pluto] unknown cmsg: level 0, type 8, len 24
Aug 22 19:37:29 [pluto] "openswana-openswanb" #1: ERROR: asynchronous network error report on eth1 for message to 86.132.10.115 port 500, complainant 86.132.10.115: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 22 19:37:38 [pluto] unknown cmsg: level 0, type 8, len 24
Aug 22 19:37:38 [pluto] "openswana-openswanb" #1: ERROR: asynchronous network error report on eth1 for message to 86.132.10.115 port 500, complainant 86.132.10.115: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [Dead Peer Detection]
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: responding to Main Mode
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: Main mode peer ID is ID_FQDN: '@brighton.technowaste.com'
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: I did not send a certificate because I do not have one.
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: sent MR3, ISAKMP SA established
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: responding to Quick Mode {msgid:d2bd715c}
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: IPsec SA established {ESP=>0xa6e8fb7d <0xcea24f00 xfrm=AES_0-HMAC_SHA1}
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: received Vendor ID payload [Dead Peer Detection]
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: received Vendor ID payload [RFC 3947] method set to=109
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: enabling possible NAT-traversal with method 3
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: I did not send a certificate because I do not have one.
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: Main mode peer ID is ID_FQDN: '@brighton.technowaste.com'
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: ISAKMP SA established
Aug 22 19:37:58 [pluto] "openswana-openswanb" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Aug 22 19:37:58 [pluto] "openswana-openswanb" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 22 19:37:58 [pluto] "openswana-openswanb" #4: sent QI2, IPsec SA established {ESP=>0xf1c2b16f <0x8110c882 xfrm=AES_0-HMAC_SHA1}
```

Now, the connection seems to go okay and I get the all important 'IPsec SA established' on both sides, but if I try to ping from one subnet to the other I get this in the logs:

```
Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.18 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28778 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27868
Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.19 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28779 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28124
Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.20 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28781 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28380
Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.21 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28782 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28636
```

It all appears to work fine except that I can't ping the other side (I'm pinging properly, not using the gateways)... IPsec starts fine, 'ipsec verify' says all is okay, I can't figure it out...

I think it might be a firewall/routing issue. I'm unsure what the kernel message above is, though I only get it when the firewall is up (I can't ping whether it's up or down), and I've added the required ports...

If anyone can spot a mistake or has any suggestions about the kernel message, please post...

Many thanks,

M
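A check a practitioner would want before touching the firewall is whether the logged packets are tunnel traffic at all. The script below is an added example, not part of the post: it reads iptables LOG lines and classifies each one against the selectors of the posted `conn openswana-openswanb` (leftsubnet 192.168.214.0/24, rightsubnet 192.168.1.0/24, peer 86.132.10.115). The first sample line is the first logged ping from the post; the other two are constructed (an IKE packet from the peer and a ping that arrived through the tunnel). Function names and the `SAMPLE_LOG` variable are mine.

```shell
#!/bin/sh
# Added example: classify iptables LOG lines against an IPsec conn's selectors.
# Selector values come from the conn definition in the post above.
LOCAL_NET=192.168.214.0/24   # leftsubnet
REMOTE_NET=192.168.1.0/24    # rightsubnet
PEER=86.132.10.115           # right=

# ip2int DOTTED-QUAD -> 32-bit integer (fails on anything that is not 4 octets)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP CIDR -> success if IP lies inside CIDR
in_net() {
    ip=$(ip2int "$1") || return 1
    net=$(ip2int "${2%/*}") || return 1
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# field LINE KEY -> value of "KEY=..." in a LOG line (empty when absent)
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# is_control PROTO DPT -> success for ESP, or UDP to 500/4500 (IKE, NAT-T)
is_control() {
    [ "$1" = ESP ] && return 0
    [ "$1" = UDP ] && { [ "$2" = 500 ] || [ "$2" = 4500 ]; }
}

# classify LINE -> tunnel-payload | peer-control | unrelated
classify() {
    src=$(field "$1" SRC); dst=$(field "$1" DST)
    proto=$(field "$1" PROTO); dpt=$(field "$1" DPT)
    if in_net "$src" "$REMOTE_NET" && in_net "$dst" "$LOCAL_NET"; then
        echo tunnel-payload      # decrypted packet from the remote LAN
    elif [ "$src" = "$PEER" ] && is_control "$proto" "$dpt"; then
        echo peer-control        # IKE or ESP from the configured peer
    else
        echo unrelated           # neither the peer nor the remote subnet
    fi
}

# Sample input: line 1 copied from the post, lines 2 and 3 constructed.
SAMPLE_LOG='Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.18 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28778 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27868
Aug 22 21:36:01 [kernel] IKE:IN=eth1 OUT= SRC=86.132.10.115 DST=80.194.34.18 LEN=120 PROTO=UDP SPT=500 DPT=500 LEN=100
Aug 22 21:36:02 [kernel] VPN:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.168.214.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1'

# report -> one line per log entry: class, source, destination
report() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        printf '%-15s %s -> %s\n' "$(classify "$line")" \
            "$(field "$line" SRC)" "$(field "$line" DST)"
    done
}

report
```

Run stand-alone it prints the three classifications; in practice feed it `grep kernel /var/log/messages` instead of `SAMPLE_LOG`. Anything classified `unrelated` that hits the public addresses on eth1 has nothing to do with the tunnel, so it cannot explain a failed ping between the two LANs; only `tunnel-payload` lines (or their absence) say anything about the VPN.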

----------

## kayvis

I don't know if this helps, but it does not seem to be an OpenSwan problem.

Your firewall blocks the packets. What kind of firewall are you using?

I prefer the shorewall scripts, because they have useful IPsec parts for kernel 2.6.

With kernel 2.4 you have an extra interface (ipsecX), so the routing goes through this interface. In kernel 2.6 this interface no longer exists, so you need to match the IPsec traffic and allow it to pass the interface (in your case eth1).

Hope this points you in the right direction

Greetings

Kayvis
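The advice above in concrete iptables form, as an added example that is not from the thread or from shorewall: addresses and interfaces follow the first post (eth1 public at 80.194.34.18, eth0 on 192.168.214.0/24 per the pluto interface list, peer 86.132.10.115 with 192.168.1.0/24). The rule set assumes the iptables `policy` match (ipt_policy, later xt_policy), which is how a NETKEY host tells decrypted tunnel packets apart from cleartext arriving on the same eth1; it needs kernel 2.6.16 or later, so on the poster's 2.6.12 it would have to be replaced by a plain subnet-to-subnet FORWARD rule that cannot make that distinction. The MASQUERADE exemption is a practitioner caveat the thread does not mention. Variable and function names are mine; `IPT=echo` prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: iptables rules for an Openswan/NETKEY gateway (kernel 2.6).
# Assumed layout, taken from the first post's logs and conn definition.
IPT=${IPT:-iptables}
EXT_IF=eth1                  # public side, 80.194.34.18
INT_IF=eth0                  # LAN side, 192.168.214.5
LOCAL_NET=192.168.214.0/24   # leftsubnet
REMOTE_NET=192.168.1.0/24    # rightsubnet
PEER=86.132.10.115           # right=

vpn_rules() {
    # 1. IKE (UDP 500) and NAT-T (UDP 4500), accepted from the peer only.
    $IPT -A INPUT -i "$EXT_IF" -p udp -s "$PEER" --dport 500  -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp -s "$PEER" --dport 4500 -j ACCEPT
    # 2. ESP carrying the tunnel itself.
    $IPT -A INPUT -i "$EXT_IF" -p esp -s "$PEER" -j ACCEPT
    # 3. NETKEY has no ipsec0: decrypted packets reappear on eth1 with their
    #    inner addresses.  Match them by IPsec policy so only traffic that
    #    really came through the tunnel (not spoofed cleartext from the
    #    Internet claiming to be 192.168.1.x) is forwarded into the LAN.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp --tunnel-src "$PEER" -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --tunnel-dst "$PEER" -j ACCEPT
    # 4. Traffic from the remote LAN to the gateway itself (e.g. pinging eth0).
    $IPT -A INPUT -i "$EXT_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec -j ACCEPT
    # 5. Keep tunnel traffic out of masquerading.  This ACCEPT must precede the
    #    MASQUERADE rule: a LAN->remote packet rewritten to 80.194.34.18 no
    #    longer matches the 192.168.214.0/24 -> 192.168.1.0/24 selector.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LOCAL_NET" -j MASQUERADE
}

# render_rules -> the rule set as text, one iptables command line per rule
render_rules() {
    ( IPT=echo; vpn_rules )
}

# Stand-alone: print the rules.  APPLY=1 loads them with the real iptables.
if [ "${APPLY:-0}" = 1 ]; then vpn_rules; else render_rules; fi
```

The order matters twice: the INPUT rules for UDP 500/4500 and ESP must come before any default DROP, and the nat-table ACCEPT must sit above MASQUERADE. If the policy match is unavailable, `iptables -m policy --help` fails with an error about the module; that is the signal to upgrade the kernel and iptables rather than to widen rule 3 to unconditional subnet forwarding.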

----------

