gmane.network.openswan.user

Re: [Openswan Users] Questions around Hub and spoke config androuting using Draytek 28x series

Giles — 2012-05-25T16:38:39

Hi,

I run a small company and interestingly am just putting in a set of 4
Draytek routers all connected to an OpenSwan endpoint in our data centre. As
there are relatively few Drayteks I have opted to mesh them together instead
of using a hub/spoke arrangement. This also saves on bandwidth to the data
centre.

I am using Vigor 2830Ns, and on those there is a "more" option in the VPN
configuration which, according to the manual lets you "Add a static route to
direct all traffic destined to more Remote Network IP Addresses/ Remote
Network Mask through the VPN connection. This is usually used when you find
there are several subnets behind the remote VPN router". This sounds like
what you want - so looks like it's a feature Draytek added to the newer
model.

My 4 Drayteks dial into the OpenSwan server, on which all profiles are set
as "auto=route". I've not noticed them stop forwarding traffic although I do
have the keepalive pings turned on from the Draytek end, and DPD enabled
with a fairly low timeout on the

[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series

Daniel Cave — 2012-05-25T14:35:03

Hi all

Firstly I would like to introduce myself, I'm an IT professional based in the UK.. We have been using OpenSwan for a little while and My questions are around inter-op.

We are moving towards using Openswan exclusively to connect third parties and connecting to third party devices.


recently, I setup  central host hosted with my provider using OpenSwan2.6 using netkey..   I also connected to it via our office Draytek 2820n, which was simple and easy enough. The routing was straight forward and we can do simple things like monitoring and SNMP via the tunnel between the 'hub' and office router .

A while later, I setup a 2nd node to another site, this was another linux host using  2.6.32.6 [ stock centos 5.8]  with netkey also. 

I wanted to route between this new node and our office via the hub, so i setup the appropriate routes to send traffic to our office node (which is terminated on the 2820n.)

However.. I discovered that the 2820n does not let me route traffic from the office lan to the new 2nd

[Openswan Users] Openswan 2.6.35 interop with fortigate 200B

Siegfried Müller - MB Connect Line GmbH — 2012-05-24T15:14:50

Solved!
We disabled the ipsec replay windows with "echo "0" > /sys/module/ipsec/parameters/ipsec_replaywin_override" and after then everything was fine. The debug of klipsdebug = rcv shows an issue with "double packets" and replay. So I decided to disable replay. I have no idea why this helps, but it helps:-)
Maybe someone knows that problem, I would like to know!
Cheers
Siegfried

-----Ursprüngliche Nachricht-----
Von: Goffe, Don [mailto:Donald.Goffe< at >GTECH.COM] 
Gesendet: Freitag, 27. April 2012 17:39
An: Siegfried Müller - MB Connect Line GmbH; users< at >lists.openswan.org
Betreff: RE: [Openswan Users] Openswan 2.6.35 interop with fortigate 200B

I did see something like this once, I had two PC connected thru the same DSL modem. The first PC would connect and get an IP address, the second would then connect and get the same IP assigned to it and of course the first PC would stop. From the Fortinet point of view it was receiving the same source IP and port number of the DSL modem so it just assigned the same

[Openswan Users] netkey openswan Hardware Acceleration

Ozai — 2012-05-24T09:47:06

Sorry,re-sent it.
  ----- Original Message ----- 
  From: Ozai 
  To: users< at >lists.openswan.org 
  Sent: Thursday, May 24, 2012 5:44 PM
  Subject: [Openswan Users] netkey openswan Hardware Acceleration

  Dear Sirs,

  About the openswan with netkey stack,I ever tried it before.But it's failed.
  PC1 can ping to PC2 but PC2 can not ping to PC1. I do not know what the 
  procedures I lost.Could someone help me on this question?thank's.
  ====================================
  <My test environment>
  PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
  192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
  ================================
  <ipsec.conf >
  config setup
   interfaces=%defaultroute
   oe=off
   protostack=netkey

  conn %default
    connaddrfamily=ipv4
    keyexchange=ike
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
    auth=esp
    type=tunnel
    authby=secret
    auto=start

  conn sample
    left=172.17.21.80

[Openswan Users] netkey openswan Hardware Acceleration

Ozai — 2012-05-24T09:44:42

Dear Sirs,

About the openswan with netkey stack,I ever tried it before.But it's failed.
PC1 can ping to PC2 but PC2 can not ping to PC1. I do not know what the 
procedures I lost.Could someone help me on this question?thank's.
====================================
<My test environment>
PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
================================
<ipsec.conf >
config setup
 interfaces=%defaultroute
 oe=off
 protostack=netkey

conn %default
  connaddrfamily=ipv4
  keyexchange=ike
  ike=3des-md5;modp1024
  phase2alg=3des-md5;modp1024
  auth=esp
  type=tunnel
  authby=secret
  auto=start

conn sample
  left=172.17.21.80
  leftsubnet=192.168.1.0/24
  right=172.17.21.87
  rightsubnet=192.168.6.0/24
==============================
<ipsec.secrets>
172.17.21.80 172.17.21.87 : PSK "12345"
========================================
<Kernel feature>
CONFIG_XFRM=y
CONFIG_XFRM_USER=

[Openswan Users] netkey openswan Hardware Acceleration

Ozai — 2012-05-24T08:06:31

 Dear Sirs,

 About the openswan with netkey stack,I ever tried it before.But it's 
failed.
 PC1 can ping to PC2 but PC2 can not ping to PC1. I do not know what the
 procedures I lost. Could someone help me on this question?thank's.
 ====================================
 <My test environment>
 PC1----------------GW1(ipsec-tool)----------------GW2(openswan)-------------PC2192.168.6.1        172.17.21.87172.17.21.80             192.168.1.100 ================================ <ipsec.conf > config setup interfaces=%defaultroute oe=offprotostack=netkey conn %default  connaddrfamily=ipv4  keyexchange=ike  ike=3des-md5;modp1024  phase2alg=3des-md5;modp1024  auth=esp  type=tunnel  authby=secret  auto=start conn sample  left=172.17.21.80  leftsubnet=192.168.1.0/24  right=172.17.21.87  rightsubnet=192.168.6.0/24 ============================== <ipsec.secrets> 172.17.21.80 172.17.21.87 : PSK "12345" ======================================== <Kernel feature> CONFIG_XFRM=y CONFIG_XFRM_USER=m CONFIG_XFRM_MIGRATE=y CONFIG_NET

[Openswan Users] tunnels timing out since upgrading to 3.2.0

Brian J. Murrell — 2012-05-23T12:35:30

I did an upgrade of my Ubuntu system which included an upgrade of the
kernel to 3.2.0.  Since then, my l2tp tunnels seem to be timing out and
being destroyed, at which point I have to manually restart it.

On the 3.2.0 end, the following is logged when this happens:

May 23 08:07:03 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #80: IPsec SA expired (LATEST!)
May 23 08:07:07 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:39 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:41 brian-laptop dbus[1536]: [system] Rejected send message, 2 matched rules; type="error", sender=":1.479" (uid=0 pid=14325 comm="/usr/lib/NetworkManager/nm-l2tp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.480" (uid=0 pid=14382 comm="/usr/sbin/pppd passive

Re: [Openswan Users] openswan Hardware Acceleration

David McCullough — 2012-05-22T22:27:22

Jivin Ozai lays it down ...

You have 2 options for HW accelerating Openswan.

If there are native linux drivers for your HW crypto accelerator,  then just
use the netkey stack in linux with openswan.

Otherwise you can use ocf-linux + klips to get HW acceleration.

Cheers,
Davidm

[Openswan Users] openswan Hardware Acceleration

Ozai — 2012-05-22T09:41:58

Dear Sirs,

I merged the openswan 2.6.38 into embedded linux(2.6.30 mips).protostack is klips.Does openswan support the hardware acceleration?If yes,How could I enable it?thank's. 

Best Regards,
Ozai
_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: [Openswan Users] Trying to get openswan working with android

Patrick Lists — 2012-05-21T09:02:16

That's very cool. Thank you Paul!

Regards,
Patrick



_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

[Openswan Users] Tunnels up,packets from routed machines not going through tunnel

Paul Goldbaum — 2012-05-21T08:09:36

Hi,

we have openswan running on our network's gateway and correctly negotiating
the tunnels. Here's how we are configuring it:
conn csq
        type=tunnel
        left=90.45.241.242 # left is our side
        leftsubnets={90.45.241.242/32,90.45.110.60/32}
        right=33.99.102.36
        rightsubnet=192.168.1.6/32
        authby=secret
        keyexchange=ike
        ikelifetime=24h
        ike=3des-md5;modp1024
        phase2=esp
        phase2alg=3des-md5;modp1024
        salifetime=24h
        auto=add

The gateway has two interfaces(90.45.110.1 and 90.45.241.242) configured to
do IP forwarding and there are no related iptables rules. All IPs on the
network are publicly accessible.

Our problem is that, while we can ping the machine on the other side from
our gateway just fine, the other machine in our subnet(90.45.110.60) is
apparently not being routed through one of the established tunnels but is
instead provoking the negotiation of a new tunnel in it's name. This fails
because on the other side, on

Re: [Openswan Users] Trying to get openswan working with android

Tuomo Soini — 2012-05-21T04:57:40

On Sat, 19 May 2012 22:55:25 +0300
Tuomo Soini <tis< at >foobar.fi> wrote:


Paul was able to generate a patch to work-around the problem at
openswan end.

http://people.redhat.com/pwouters/openswan-android-ics-natoa.patch

Re: [Openswan Users] Trying to get openswan working with android

Patrick Lists — 2012-05-20T12:05:57

[snip]

At least Google is aware of the issue:
http://code.google.com/p/android/issues/detail?id=23124

Regards,
Patrick
_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: [Openswan Users] Trying to get openswan working with android

John A. Sullivan III — 2012-05-19T20:32:18

Ouch! I do hope someone has reported it to the ipsec-tools maintainer -
John

_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: [Openswan Users] Trying to get openswan working with android

Patrick Lists — 2012-05-19T20:28:30

Thanks for that info Tuomo. Hopefully Google will soon provide an update 
that fixes this issue. I tried to connect my Nexus S with ICS 4.0.4 to a 
CentOS 6.2 x86_64 box with Openswan 2.6.38 and only got the previously 
reported error.

Regards,
Patrick


_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: [Openswan Users] Trying to get openswan working with android

Tuomo Soini — 2012-05-19T19:55:25

On Fri, 18 May 2012 14:35:59 +0100
Robert Laverick <robert+vpn< at >scabserver.com> wrote:



The problem can't be fixed in openswan - ipsec-tools do have a bug
where it behaves against spec.

Re: [Openswan Users] Trying to get openswan working with android

Robert Laverick — 2012-05-18T13:35:59

I have tried Paul's test server from Android 4.0.4 and see the same failure
to connect behaviour as on my local Fedora based VPN running the older
2.6.37 F16 RPM, tho obviously I can't see what his logs say it "feels" the
same in terms of time to failure on my android device.

Rob
_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: [Openswan Users] Trying to get openswan working with android

Robert Laverick — 2012-05-18T11:44:19


Actually the problem from the originally linked bug report appears to have only 
been introduced with Android 4.0.x and above when they moved to ipsec-tools 
0.8.0 so a test from 2.3.6 doesn't actually test if this is resolved

http://code.google.com/p/android/issues/detail?id=23124

I've attempted to connect to the test VPN you mentioned from my Android 4.0.4 
device and I get timeout failures which mirror the ones I get using 
openswan-2.6.37-1.fc16.x86_64 on my own server.

I'm more than happy to help test this, but I'm a beginner at this VPN stuff, all 
I know is that I've got it configured to that my Windows 7 laptop can connect to 
the VPN just fine.

Here's an example of what I see in the logs from when I was trying to get this 
working last night on my own fedora 16 box from Android 4.0.4 on my Nexus S:

May 17 00:13:27 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: responding 
to Main Mode from unknown peer 149.254.180.87
May 17 00:13:27 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6:

[Openswan Users] No routing done

Wilfredo I. Pachón López — 2012-05-16T15:21:47

Hello friends

I'm configuring a site-to-site VPN for a client but have problems with 
the routes, my tunnel is up and everything seems to be ok, but i have no 
communication between my two networks.

If the openswan service is down and i try to do a "traceroute" against 
the subnet i'm trying to connect the package is send trough the default 
route an jump until didn't find the route, this is obviously a normal 
behaviour:

$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  172.31.250.46 (172.31.250.46)  14.903 ms  14.916 ms  16.554 ms
  3  190.157.7.149 (190.157.7.149)  17.566 ms  17.568 ms  17.570 ms
  4  10.14.14.126 (10.14.14.126)  79.087 ms  79.102 ms  79.106 ms
  5  64.86.28.41 (64.86.28.41)  73.006 ms !H * *

But if the service is up and the tunnel established, the package doesn't 
route:
$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  * * *
  3  * * *
  4  * *

Re: [Openswan Users] Ipsec Linux-L2TP Windows

SVM — 2012-05-13T21:29:01

Hm... but, maybe I wasn't right...

_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Re: [Openswan Users] Ipsec Linux-L2TP Windows

SVM — 2012-05-13T21:07:55


There is no problem with IPSec/Openswan at all.

You have ip range, left and right in the same subnet 192.168.0.0/24
Change your ip range to the other subnet, 192.168.1.0/24, for example.

_______________________________________________
Users< at >lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155