I'm new to IPsec and struggling with a setup that might soon be widely used in our operations (provided I do understand it, eventually...).

A cellular router (blackbox by netModule, from its log messages it seems to be running Linux and OpenSwan) connects a sensor network on customers' sites with our public server. We need to be able to connect into the local network, so I had the cell provider give me a public IP (a dynamic one). The way their setup works, the public IPs only allow IPsec traffic.

I set up OpenSwan on our Ubuntu server (running Jaunty). This is my connection config from /etc/ipsec.conf:

conn gprs-field-devices
    left=my.pub.lic.ip
    leftid=@vpngate.econemon.com
    #leftsubnet=192.168.1.129/25
    right=%any
    rightid=@field.econemon.com
    #rightsubnet=192.168.1.1/25
    #rightnexthop=%defaultroute
    auto=add

On the router, all I have is the Web UI, in which I made the following settings:

  • "Remote endpoint": public IP of server, same as "left" above
  • "Local Network Address": 192.168.1.1
  • "Local Network Mask": 255.255.255.128
  • "Remote Network Address": 192.168.1.129
  • "Remote Network Mask": 255.255.255.128

The pluto process on the server is listening for connections on port 500. It can't open a tunnel, obviously, because it doesn't know at which IP the client is.

I set up a passphrase as PSK for @field.econemon.com in /etc/ipsec.secrets and also configured it in the router (which doesn't seem to support certificates).

My problem is, nothing happens. The router just says IPsec is "down". When I copy-paste the IP into ipsec.conf (for "right="), and ask the server to ipsec auto --up gprs-field-devices, it just hangs until I press Ctrl-C.

Is there anything wrong with my setup? How can I debug this further?

My router gives the following log lines that seem related, but don't tell me anything:

Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.secrets"
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.d/netbox0.secrets"
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: "netbox00" #1: initiating Main Mode
Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: 104 "netbox00" #1: STATE_MAIN_I1: initiate
Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: ...could not start conn "netbox00"
Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: received and ignored informational message
Feb 21 23:08:28 Netbox user.warn parrot.system_controller[762]: IPSECCTRLR: Tunnel 0 is down for 0 seconds
Feb 21 23:08:40 Netbox user.warn parrot.system_controller[762]: IPSECCTRLR: Tunnel 0 is down for 10 seconds
Feb 21 23:08:52 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Hanno Fietz

1 Answer

Some initial thoughts:

  • Are the leftsubnet, rightsubnet and rightnexthop entries commented out on purpose?
  • leftsubnet and rightsubnet should be network addresses, not node addresses.
  • left and right should be the public IP addresses of the devices. %any is fine for the right address.
  • The leftid and rightid are what the VPN devices are going to advertise themselves as. Sometimes this is their public IP address. It depends on the device.

A good place to start is the ipsec.conf man page, which gives some good info on setup.

ipsec whack --status is also a good command to know when troubleshooting Openswan. Here is its man page.

JakeRobinson
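To make the answer's first two points checkable, here is a small linter (added example, not code from either poster or from Openswan) that parses a `conn` section of ipsec.conf, reports which subnet/nexthop keys are commented out, and normalises leftsubnet/rightsubnet values to their network address with Python's ipaddress module. The embedded sample config is copied from the question.

```python
"""Lint an Openswan ipsec.conf `conn` section for two problems raised in the
answer: commented-out subnet/nexthop keys, and subnet values that name a node
(192.168.1.129/25) instead of the network (192.168.1.128/25).
Example code, not part of the original post."""
import ipaddress
import re

# Constructed sample: the conn block from the question, verbatim.
SAMPLE_CONF = """\
conn gprs-field-devices
    left=my.pub.lic.ip
    leftid=@vpngate.econemon.com
    #leftsubnet=192.168.1.129/25
    right=%any
    rightid=@field.econemon.com
    #rightsubnet=192.168.1.1/25
    #rightnexthop=%defaultroute
    auto=add
"""

SUBNET_KEYS = ("leftsubnet", "rightsubnet")


def parse_conn(text):
    """Return {conn_name: (active, commented)}; both are key -> value dicts."""
    conns, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:                       # start of a new conn block
            name = m.group(1)
            conns[name] = ({}, {})
            continue
        if not name or "=" not in line:
            continue
        commented = line.startswith("#")
        key, _, value = line.lstrip("#").partition("=")
        conns[name][1 if commented else 0][key.strip()] = value.strip()
    return conns


def lint_conn(active, commented):
    """Return human-readable findings for one parsed conn block."""
    findings = []
    for key in SUBNET_KEYS + ("rightnexthop",):
        if key in commented:
            findings.append(f"{key} is commented out (value {commented[key]!r})")
    for key in SUBNET_KEYS:
        for value in (active.get(key), commented.get(key)):
            if value and "/" in value:
                # strict=False accepts a host address and yields its network
                net = ipaddress.ip_network(value, strict=False)
                if str(net) != value:
                    findings.append(f"{key}={value} is a node address; network is {net}")
    return findings
```

Run it over your own /etc/ipsec.conf to see the subnets Openswan would actually negotiate once the keys are uncommented.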