# openswan ipsec

## vinz

hello

I'd like to connect from my home box to my work's network.

The authentication works fine so far.

The problem is, it does not create the tunnel interface for the static IP (192.168.0.94) I would use at the work's network.

Thanks in advance

```
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file:  /usr/share/doc/openswan-2.4.7/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        #nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #virtual_private=%v4:192.168.0.0/16
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here
conn vpn-blub
        authby=rsasig
        pfs=no
        rekey=no
        keyingtries=3
        type=tunnel
        auth=esp
        esp=aes128-md5
        ike=aes128-md5
        #
        left=%defaultroute
        leftrsasigkey=%cert
        leftsubnet=192.168.0.94/32
        leftcert=/etc/ipsec.d/private/usercert.pem
        #
        right=193.8.xx.xxx
        rightsubnet=192.168.0.0/23
        rightnexthop=193.8.xx.xxx
        rightid="xxx"
        auto=start

# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

```
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:30:1B:B8:xx:xx
          inet addr:62.12.xxx.xxx  Bcast:62.12.xxx.255  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44040 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44123 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4235431 (4.0 Mb)  TX bytes:7079583 (6.7 Mb)
          Interrupt:10

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:46157 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46157 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6277894 (5.9 Mb)  TX bytes:6277894 (5.9 Mb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:62.12.xxx.xxx  P-t-P:212.55.xxx.xx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:39607 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38457 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:3712999 (3.5 Mb)  TX bytes:5965246 (5.6 Mb)
```

----------

## dashnu

You won't see a tunnel interface.

My config, same on both ends. I do not use x509, which it looks like you are, but the configs should be the same. I have three remote offices set up this way.

```
conn port-knowtech
       type=tunnel
       authby=rsasig
       left=63.XX.XX.XX
       leftsourceip=172.18.187.1
       leftsubnet=172.18.187.0/24
       leftid=@knowtech.domain.net
       leftrsasigkey=0sAQPTzMsa9IpxxxxxxxxxBXXXXX
       leftnexthop=%defaultroute
       right=24.XX.XX.XX
       rightsourceip=172.17.187.1
       rightsubnet=172.17.187.0/24
       rightid=@port.domain.net
       rightrsasigkey=0sAQNrHKjVkfpXXXXXXXXXXXXXXXXXXXXX
       rightnexthop=%defaultroute
       rekey=yes
       auto=start
```

The left- and rightid with the @ is just a way for openswan to identify which conn to use. The @ just means don't look up DNS, so it could be anything...

Your log might help a bit also.

----------

## vinz

The only diff I've seen is the left-/rightsourceip.

I've added them and in my log I get the following:

```
Aug  6 16:30:38 vodka pluto[25852]: "vpn-blub": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.0.0/23 via 212.55.xxx.xx dev eth0  src 192.168.0.94' failed (RTNETLINK answers: Network is unreachable)
```

----------

## dashnu

I have seen that error since 2.6.18; it has caused no problems for me. I had some discussion on the lists about it and was supposed to follow up but never did. However, I only see this error on my roadwarrior connection, not my tunnels.

Are you getting SA established?

iptables running on both endpoints?

If so, proper firewall rules set?

----------

## vinz

Not quite sure what SA means, but it says "ISAKMP SA established".

I've disabled iptables for now on my end. The VPN server is used by a few other people with Windows clients, so I'm sure the VPN server is properly set up.

Here is the full log:

```
Aug  6 16:52:16 vodka ipsec__plutorun: Starting Pluto subsystem...
Aug  6 16:52:16 vodka pluto[27546]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
Aug  6 16:52:16 vodka pluto[27546]: Setting NAT-Traversal port-4500 floating to off
Aug  6 16:52:16 vodka pluto[27546]:    port floating activation criteria nat_t=0/port_fload=1
Aug  6 16:52:16 vodka pluto[27546]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Aug  6 16:52:16 vodka pluto[27546]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug  6 16:52:16 vodka pluto[27546]: no helpers will be started, all cryptographic operations will be done inline
Aug  6 16:52:16 vodka pluto[27546]: Using NETKEY IPsec interface code on 2.6.22-gentoo-r2
Aug  6 16:52:16 vodka pluto[27546]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Aug  6 16:52:16 vodka pluto[27546]:   loaded CA cert file 'ca_xxx.pem' (1306 bytes)
Aug  6 16:52:16 vodka pluto[27546]: Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
Aug  6 16:52:16 vodka pluto[27546]: Could not change to directory '/etc/ipsec/ipsec.d/ocspcerts'
Aug  6 16:52:16 vodka pluto[27546]: Could not change to directory '/etc/ipsec/ipsec.d/crls'
Aug  6 16:52:16 vodka pluto[27546]:   loaded host cert file '/etc/ipsec.d/private/xxx_usercert.pem' (1733 bytes)
Aug  6 16:52:16 vodka pluto[27546]: added connection description "vpn-blub"
Aug  6 16:52:16 vodka pluto[27546]: listening for IKE messages
Aug  6 16:52:16 vodka pluto[27546]: adding interface eth0/eth0 192.168.0.94:500
Aug  6 16:52:16 vodka pluto[27546]: adding interface eth0/eth0 192.168.0.1:500
Aug  6 16:52:16 vodka pluto[27546]: adding interface eth0/eth0 62.12.14x.xxx:500
Aug  6 16:52:16 vodka pluto[27546]: adding interface eth0/eth0 62.12.16x.xxx:500
Aug  6 16:52:16 vodka pluto[27546]: adding interface lo/lo 127.0.0.1:500
Aug  6 16:52:16 vodka pluto[27546]: loading secrets from "/etc/ipsec/ipsec.secrets"
Aug  6 16:52:16 vodka pluto[27546]:   loaded private key file '/etc/ipsec.d/private/xxx_key.pem' (1120 bytes)
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub": route-client output: /usr/lib/ipsec/_updown: doroute `ip route add 192.168.0.0/23 via 212.55.xxx.xx dev eth0  src 192.168.0.94' failed (RTNETLINK answers: Network is unreachable)
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: initiating Main Mode
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: I am sending my cert
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: I am sending a certificate request
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: Main mode peer ID is ID_DER_ASN1_DN: 'xxx'
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: no crl from issuer "xxx" found (strict=no)
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_md5 group=modp1536}
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+DONTREKEY+UP {using isakmp#1}
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Aug  6 16:52:16 vodka pluto[27546]: "vpn-blub" #1: received and ignored informational message
```

```
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
212.55.xxx.xx   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
62.12.xxx.xxx   0.0.0.0         255.255.255.248 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         212.55.xxx.xx   0.0.0.0         UG    0      0        0 ppp0
```

----------

## dashnu

I might be a bit confused?

Do you have access to the server? Did you create a new conn for your home network? I am afraid if "the server is used by a few other people by windows clients" it is a different connection than the one you will need.

I am now assuming these logs are on your endpoint, not the remote?

We can take this to Jabber if you have an account (dashnu@12jabber.com) so I can get a better understanding of what is going on... just post your results here if we come up with anything afterwards.

-b

----------

## vinz

I do not have shell access to the remote VPN gateway, but the entries for my connection have been created.

Will try to catch you on Jabber...

----------

## dashnu

Fscking Jabber went down :Sad: Anyways, the first thing I noticed is that your remote endpoint is using KLIPS. The Gentoo ebuild by default uses NETKEY. I have no idea how to configure the ebuild to use KLIPS. This is most likely the first step you need to take.

----------

## vinz

I've resolved this issue: the _updown script of ipsec was using a wrong device parameter in the doroute method.

Thanks for your help :Smile:

----------
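Added example, not part of the thread: a small Python check that reproduces the reasoning behind the "RTNETLINK answers: Network is unreachable" failure of the `_updown` doroute command. The kernel only accepts `ip route add ... via GW dev DEV` when GW is on-link on DEV; here GW is the ppp0 peer, yet the script passed `dev eth0`. The routing table below is constructed after the posted `route -n`, with the masked octets replaced by RFC 5737 documentation addresses (203.0.113.1 stands for the ppp0 peer, 198.51.100.8/29 for the eth0 network).

```python
import ipaddress

# Constructed sample, laid out like the thread's `route -n` output, with the
# masked octets replaced by RFC 5737 documentation addresses: 203.0.113.1
# stands for the ppp0 peer and 198.51.100.8/29 for the eth0 network.
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
198.51.100.8    0.0.0.0         255.255.255.248 U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 ppp0
"""

def parse_route_table(text):
    """Parse `route -n` output into (network, gateway, iface), most specific first."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header line
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, None if gw == "0.0.0.0" else gw, iface))
    # The kernel uses longest-prefix match, so order by prefix length.
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes

def lookup(routes, addr):
    """Return the (gateway, iface) the kernel would pick for addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net, gw, iface in routes:
        if ip in net:
            return gw, iface
    return None

def check_doroute(routes, via, dev):
    """Predict whether `ip route add <net> via VIA dev DEV` is accepted: the kernel
    answers ENETUNREACH ("Network is unreachable") unless VIA is directly
    reachable (a gateway-less route) on DEV. Returns (ok, explanation)."""
    hit = lookup(routes, via)
    if hit is None:
        return False, f"no route to nexthop {via} at all"
    gw, iface = hit
    if gw is not None:
        return False, f"nexthop {via} is only reachable through {gw} on {iface}, not on-link"
    if iface != dev:
        return False, f"nexthop {via} is on-link via {iface}, not {dev}: the script should use 'dev {iface}'"
    return True, f"nexthop {via} is on-link via {dev}"

if __name__ == "__main__":
    print(check_doroute(parse_route_table(ROUTE_TABLE), "203.0.113.1", "eth0")[1])
```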

