Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: VPN IPSec Openswan
Special Forums IP Networking VPN IPSec Openswan Post 302909827 by ivancd on Sunday 20th of July 2014 07:34:22 AM
Old 07-20-2014
Hi,

As i can see now, the packets start to go through the right interface with the right address but no reply still. The tunnels after a long time it getting established. If i make service ipsec restart ... the first think what iv got from the ipsec auto --up tunnel name or ipsec auto --status is this:

Quote:
000 #7: "tunnelname":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
000 #7: pending Phase 2 for "tunnelname" replacing #0
After some time the tunnels status is:

Quote:
000 #22: "tunnelname":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27637s; newest IPSEC; eroute owner; isakmp#7; idle; import:admin initiate
000 #22: "tunnelname" esp.b18cc17@<pub_ip_other_site> esp.c59dvg@<pub_ip_my_site> tun.0@<pub_ip_other_site> tun.0@<pub_ip_my_site> ref=0 refhim=4294901761
000 #7: "tunnelname":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 27870s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
Here is the list of the iptables:

Quote:
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MYNAT all -- 172.28.2.0/24 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain MYNAT (4 references)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

[Itecor_VPN:main.linux64 ipsec.d]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And this is the ping and tracepath results:

Quote:
ping 172.16.3.9
PING 172.16.3.9 (172.16.3.9) 56(84) bytes of data.
^C
--- 172.16.3.9 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11338ms

tracepath -n 172.16.3.9
1?: [LOCALHOST] pmtu 1464
1: 172.28.2.1 0.943ms pmtu 1446
1: no reply
^C
 

9 More Discussions You Might Find Interesting

1. Cybersecurity

IPSec - VPN using shared key

Hello! I have some trouble trying to configure a VPN with two gateways. One of them uses IPSec with a single key, 256bits length, specified in /etc/ipsec.secrets. As FreeSwan manual page says, if i put esp=3des-md5-96, will be used a "64bit IV key (internally generated), a 192bit 3des ekey and a... (3 Replies)
Discussion started by: eNTer
3 Replies

2. IP Networking

IPSec VPN Routing

Hello, I'm trying to setup a gateway VPN between two routers across an unsecured network between two local networks. The routers are both linux and I'm using the ipsec tools, racoon and setkey. So far hosts from either local net can successfully ping hosts on the other local net without issue. ... (0 Replies)
Discussion started by: salukibob
0 Replies

3. BSD

Problem on IPSec

Hi, this is my first post...:p Hello Admin :) Can I have an ask for something with my configuration ? I have finished some kind of the tutorial to build ipsec site to site, and the "step" has finished completely. I have a simulation with a local design topology with two PC's (FreeBSD ... (0 Replies)
Discussion started by: aulia
0 Replies

4. UNIX for Advanced & Expert Users

Ipsec implementation

How can i implement Ipsec between two machines in linux_ ubuntu? any link?? suggestion?? (0 Replies)
Discussion started by: elinaz
0 Replies

5. Cybersecurity

IPSEC

hello, after configuration ipsec in ip4 I can not ping between client and server whereas I had success ping before configuration! I also generate different key for AH and ESP as i have shown below. what is my problem and what should i do to have ping and test the configuration? code: ... (0 Replies)
Discussion started by: elinaz
0 Replies

6. AIX

Allow port range using IPsec?

Hi Guys, Please could you tell me if it is possible to have a single rule/filter to allow a certain port range instead of a separate rule for each port? I'm sure it must be possible but I am unable to find the syntax. Thanks Chris (4 Replies)
Discussion started by: chrisstevens
4 Replies

7. IP Networking

IPSec Openswan Site to Site VPN - Big Pain

Hi @all, I try to connect 2 LANs with IPSec/Openswan LAN 1: 192.168.0.0/24 LAN 2: 192.168.1.0/24 This is my Config: conn HomeVPN # # Left security gateway, subnet behind it, nexthop toward right. left=192.168.1.29 ... (1 Reply)
Discussion started by: bahnhasser83
1 Replies

8. IP Networking

Openswan with Cisco ASA

Hi all, I need this as soon as possible to solve it or at least to find out what is the problem. I have configured IPSec tunnels with Openswan and Cisco ASA, i have established a connection and the ping was fine, but after some time there is request time out from both sites. I don't have ASA... (0 Replies)
Discussion started by: ivancd
0 Replies

9. IP Networking

Best tool to monitor VPN IPSEC Tunneling

We are using cyberoam device, VPN IPSEC tunnel is going of frequently even the traffic is throug. Please suggest what may be the cause for the above mentioned issue. Also suggest a best tool to monitor the same VPN IPSEC tunnel connectivity. (4 Replies)
Discussion started by: marunmeera
4 Replies

LEARN ABOUT DEBIAN

ipsec_spi

IPSEC_SPI(5)							  [FIXME: manual]						      IPSEC_SPI(5)

NAME

       ipsec_spi - list IPSEC Security Associations

SYNOPSIS

       ipsec spi
	     cat/proc/net/ipsec_spi

OBSOLETE

       Note that eroute is only supported on the classic KLIPS stack. It is not supported on any other stack and will be completely removed in
       future versions. A replacement command still needs to be designed

DESCRIPTION

       /proc/net/ipsec_spi is a read-only file that lists the current IPSEC Security Associations. A Security Association (SA) is a transform
       through which packet contents are to be processed before being forwarded. A transform can be an IPv4-in-IPv4 or IPv6-in-IPv6 encapsulation,
       an IPSEC Authentication Header (authentication with no encryption), or an IPSEC Encapsulation Security Payload (encryption, possibly
       including authentication).

       When a packet is passed from a higher networking layer through an IPSEC virtual interface, a search in the extended routing table (see
       ipsec_eroute(5)) yields a IP protocol number , a Security Parameters Index (SPI) and an effective destination address When an IPSEC packet
       arrives from the network, its ostensible destination, an SPI and an IP protocol specified by its outermost IPSEC header are used. The
       destination/SPI/protocol combination is used to select a relevant SA. (See ipsec_spigrp(5) for discussion of how multiple transforms are
       combined.)

       An spi , proto, daddr and address_family arguments specify an SAID.  Proto is an ASCII string, "ah", "esp", "comp" or "tun", specifying the
       IP protocol.  Spi is a number, preceded by '.' indicating hexadecimal and IPv4 or by ':' indicating hexadecimal and IPv6, where each
       hexadecimal digit represents 4 bits, between 0x100 and 0xffffffff; values from 0x0 to 0xff are reserved.  Daddr is a dotted-decimal IPv4
       destination address or a coloned hex IPv6 destination address.

       An SAID combines the three parameters above, such as: "tun.101@1.2.3.4" for IPv4 or "tun:101@3049:1::1" for IPv6

       A table entry consists of:

       +
	   SAID

       +
	   <transform name (proto,encalg,authalg)>:

       +
	   direction (dir=)

       +
	   source address (src=)

       +
	   source and destination addresses and masks for inner header policy check addresses (policy=), as dotted-quads or coloned hex, separated
	   by '->', for IPv4-in-IPv4 or IPv6-in-IPv6 SAs only

       +
	   initialisation vector length and value (iv_bits=, iv=) if non-zero

       +
	   out-of-order window size, number of out-of-order errors, sequence number, recently received packet bitmask, maximum difference between
	   sequence numbers (ooowin=, ooo_errs=, seq=, bit=, max_seq_diff=) if SA is AH or ESP and if individual items are non-zero

       +
	   extra flags (flags=) if any are set

       +
	   authenticator length in bits (alen=) if non-zero

       +
	   authentication key length in bits (aklen=) if non-zero

       +
	   authentication errors (auth_errs=) if non-zero

       +
	   encryption key length in bits (eklen=) if non-zero

       +
	   encryption size errors (encr_size_errs=) if non-zero

       +
	   encryption padding error warnings (encr_pad_errs=) if non-zero

       +
	   lifetimes legend, c=Current status, s=Soft limit when exceeded will initiate rekeying, h=Hard limit will cause termination of SA
	   (life(c,s,h)=)

       +
	   number of connections to which the SA is allocated (c), that will cause a rekey (s), that will cause an expiry (h) (alloc=), if any
	   value is non-zero

       +
	   number of bytes processesd by this SA (c), that will cause a rekey (s), that will cause an expiry (h) (bytes=), if any value is
	   non-zero

       +
	   time since the SA was added (c), until rekey (s), until expiry (h), in seconds (add=)

       +
	   time since the SA was first used (c), until rekey (s), until expiry (h), in seconds (used=), if any value is non-zero

       +
	   number of packets processesd by this SA (c), that will cause a rekey (s), that will cause an expiry (h) (packets=), if any value is
	   non-zero

       +
	   time since the last packet was processed, in seconds (idle=), if SA has been used

	   average compression ratio (ratio=)

EXAMPLES

       tun.12a@192.168.43.1 IPIP: dir=out src=192.168.43.2

	life(c,s,h)=bytes(14073,0,0)add(269,0,0)

	use(149,0,0)packets(14,0,0)

	idle=23

       is an outbound IPv4-in-IPv4 (protocol 4) tunnel-mode SA set up between machines 192.168.43.2 and 192.168.43.1 with an SPI of 12a in
       hexadecimal that has passed about 14 kilobytes of traffic in 14 packets since it was created, 269 seconds ago, first used 149 seconds ago
       and has been idle for 23 seconds.

       esp:9a35fc02@3049:1::1 ESP_3DES_HMAC_MD5:

	dir=in src=9a35fc02@3049:1::2

	ooowin=32 seq=7149 bit=0xffffffff

	alen=128 aklen=128 eklen=192

	life(c,s,h)=bytes(1222304,0,0)add(4593,0,0)

	use(3858,0,0)packets(7149,0,0)

	idle=23

       is an inbound Encapsulating Security Payload (protocol 50) SA on machine 3049:1::1 with an SPI of 9a35fc02 that uses 3DES as the encryption
       cipher, HMAC MD5 as the authentication algorithm, an out-of-order window of 32 packets, a present sequence number of 7149, every one of the
       last 32 sequence numbers was received, the authenticator length and keys is 128 bits, the encryption key is 192 bits (actually 168 for 3DES
       since 1 of 8 bits is a parity bit), has passed 1.2 Mbytes of data in 7149 packets, was added 4593 seconds ago, first used 3858 seconds ago
       and has been idle for 23 seconds.

FILES

       /proc/net/ipsec_spi, /usr/local/bin/ipsec

SEE ALSO

       ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5), ipsec_spigrp(5), ipsec_klipsdebug(5), ipsec_spi(8), ipsec_version(5),
       ipsec_pf_key(5)

HISTORY

       Written for the Linux FreeS/WAN project <http://www.freeswan.org/> by Richard Guy Briggs.

BUGS

       The add and use times are awkward, displayed in seconds since machine start. It would be better to display them in seconds before now for
       human readability.

[FIXME: source] 						    10/06/2010							      IPSEC_SPI(5)
All times are GMT -4. The time now is 07:58 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy