Serious VPN Problem

By felix836 ·
I used Openswan to set up a VPN on Fedora Core 2 but I'm facing a problem; I hope someone can tell me what's wrong. Thanks!

I am trying to set up a simple "test" connection and pings route across fine, but there seems to be no tunnel up.

192.168.2.0/24===192.168.1.105---192.168.1.106===192.168.2.0/24

When running 'ipsec auto --up conn-name' I get:

104 "net" #5: STATE_MAIN_I1: initiate
003 "net" #5: received Vendor ID payload [Dead Peer Detection]
106 "net" #5: STATE_MAIN_I2: sent MI2, expecting MR2
108 "net" #5: STATE_MAIN_I3: sent MI3, expecting MR3
004 "net" #5: STATE_MAIN_I4: ISAKMP SA established
117 "net" #6: STATE_QUICK_I1: initiate
004 "net" #6: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0xe44c222a <0x44ef47be}

If I run a 'service ipsec status' I get the following output:

IPsec running
pluto pid ......
No tunnels up

And if I run a 'ipsec look', then I get the following:

VPN Wed May 18 18:12:49 MYT 2005
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
egrep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory

ipsec.conf is set up as follows ...

version 2.3.1-1

# basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn net
    left=192.168.1.105
    leftsubnet=192.198.2.0/24
    leftrsasigkey=<a very long key>
    leftnexthop=192.168.1.106
    right=192.168.1.106
    rightsubnet=192.198.2.0/24
    rightrsasigkey=<a very long key>
    rightnexthop=192.168.1.105
    auto=add

I verified my rsasigkeys to what is in the ipsec.secrets files.

The addresses 192.168.1.105 and 192.168.1.106 are aliases; is there any problem with that?
So, I don't know what's wrong ....

by Nico Baggus In reply to Serious VPN Problem

192.168.2.0/24===192.168.1.105---192.168.1.106===192.168.2.0/24

Are you really sure about this config? In that
case the remote is never reached through the
tunnel, as the network is 192.168.2.0/24 on both
sides.

To route across the tunnel the left network
could be 192.168.2.0/25 and the right network
192.168.2.128/25 (split the network in two
halves), or modify either the left or right network
to a different address range like
192.168.3.0/24.

The network base addresses really need to be
different, otherwise everything will just go to
the local network.

Kind regards,
Nico Baggus
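The subnet clash described in this reply is worth catching before the tunnel is ever brought up: Openswan takes the tunnel's traffic selectors from leftsubnet and rightsubnet, so when both name the same network the kernel's policy has no destination that is not also local and every packet stays on the LAN, even though ISAKMP and IPsec SAs negotiate fine. The script below is an added example, not code from this thread or from Openswan. It parses the conn sections of an ipsec.conf text (assuming the standard layout: section headers in column 1, parameters indented beneath them) and reports overlapping subnets or a gateway address that sits inside the peer's subnet. Both sample configs are constructed for the example: the first mirrors the thread's mistake, the second applies the split-/25 fix suggested above. The parse_conns, check_conn and lint names are this example's own. Separately, the cat: /proc/net/ipsec_* errors from ipsec look only mean the KLIPS stack is not loaded; on a 2.6 kernel Openswan uses the kernel's native IPsec (NETKEY), which has no /proc/net/ipsec_* files, so ipsec auto --status is the stack-independent way to see what pluto has established.

```python
import ipaddress
import re

# Constructed sample ipsec.conf fragments (not the original poster's files).
# The first reproduces the thread's mistake: the same network on both sides.
BROKEN_CONF = """\
version 2.0

config setup
    interfaces="ipsec0=eth0"

conn net
    left=192.168.1.105
    leftsubnet=192.168.2.0/24
    leftnexthop=192.168.1.106
    right=192.168.1.106
    rightsubnet=192.168.2.0/24
    rightnexthop=192.168.1.105
    auto=add
"""

# The second applies the split suggested in the reply: one /25 per side.
FIXED_CONF = BROKEN_CONF.replace(
    "leftsubnet=192.168.2.0/24", "leftsubnet=192.168.2.0/25"
).replace("rightsubnet=192.168.2.0/24", "rightsubnet=192.168.2.128/25")


def parse_conns(text):
    """Return {conn_name: {param: value}} for every 'conn' section.

    Follows the ipsec.conf rule that section headers start in column 1
    and parameters are indented beneath them; '#' starts a comment.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header: 'conn <name>' opens a connection; anything
            # else (version, config setup) ends the current one.
            m = re.match(r"conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns


def check_conn(params):
    """Return a list of problems that would keep traffic out of the tunnel."""
    problems = []
    nets = {}
    for side in ("left", "right"):
        key = side + "subnet"
        if key not in params:
            problems.append(f"{key} is missing")
            continue
        try:
            # strict=True rejects host bits set in the prefix (e.g. 192.168.2.1/24)
            nets[side] = ipaddress.ip_network(params[key], strict=True)
        except ValueError as exc:
            problems.append(f"{key}={params[key]!r} is not a valid network: {exc}")
    if len(nets) < 2:
        return problems

    left_net, right_net = nets["left"], nets["right"]
    if left_net.overlaps(right_net):
        # With overlapping selectors the "remote" destinations are also local
        # destinations, so packets stay on the LAN and never match the SA.
        problems.append(
            f"leftsubnet {left_net} and rightsubnet {right_net} overlap; "
            "the remote side is unreachable through the tunnel"
        )
    for side, peer_net in (("left", right_net), ("right", left_net)):
        # A gateway's outer address inside the peer's protected network
        # would likewise be routed locally. '%defaultroute'/'%any' style
        # values are not literal addresses and are skipped.
        value = params.get(side, "")
        if not value or value.startswith("%"):
            continue
        try:
            if ipaddress.ip_address(value) in peer_net:
                problems.append(f"{side}={value} lies inside the peer subnet {peer_net}")
        except ValueError:
            problems.append(f"{side}={value!r} is not an IP address")
    return problems


def lint(text):
    """Map every conn name in an ipsec.conf text to its list of problems."""
    return {name: check_conn(params) for name, params in parse_conns(text).items()}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for name, problems in lint(conf).items():
            print(f"[{label}] conn {name}: {problems or 'OK'}")
```

Run it against your real /etc/ipsec.conf by reading the file into lint(); a conn that comes back with an empty list has selectors that at least make sense, which is the precondition for "ipsec auto --status" showing traffic actually using the established SA.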

by Nico Baggus In reply to

btw
ipsec auto --status
will tell if you have active links or not...
