I have been trying to set up IPsec with a virtual IP (so I can use NAT-Traversal), yet have had no luck. I spent most of my evening playing with it and have narrowed down the problem to the 'rightsubnet' setting on my laptop; I am just not sure what it should be to work. I can get it working without a virtual IP though. Below is a very detailed result summary with debug output, please help me.
The IPsec connection is of type roadwarrior on the Astaro and 'tunnel' on the laptop.
They are set to use 3DES_PFS_COMP with RSA keys, the Astaro server being identified by its IP and the laptop by an e-mail address.
Scenario #1:
Everything works perfectly, but without a static IP [:(]
astaro set:
virtual ip:
filter: on
laptop set:
rightsubnet="172.16.100.10/24"
%route
dialupGW * 255.255.255.255 UH 0 0 0 ppp0
dialupGW * 255.255.255.255 UH 0 0 0 ipsec0
172.16.100.0 dialupGW 255.255.255.0 UG 0 0 0 ipsec0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default dialupGW 0.0.0.0 UG 0 0 0 ppp0
Scenario #2:
+ IPsec connection established successfully
- can't ping anything on 172.16.100.*; traffic seems to still be going through the dialup.
astaro set:
virtual ip: 172.16.100.1
filter: on
laptop set:
rightsubnet="172.16.100.10/32"
dialup.
%route
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.100.10 dialupGW 255.255.255.255 UGH 0 0 0 ipsec0
dialupGW * 255.255.255.255 UH 0 0 0 ppp0
dialupGW * 255.255.255.255 UH 0 0 0 ipsec0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default dialupGW 0.0.0.0 UG 0 0 0 ppp0
Scenario #3 (what I think should be right, yet doesn't work):
astaro set:
virtual ip: 172.16.100.1
filter: on
laptop set:
rightsubnet="172.16.100.10/24"
laptop log:
104 "cons" #1: STATE_MAIN_I1: initiate
106 "cons" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "cons" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cons" #1: STATE_MAIN_I4: ISAKMP SA established
112 "cons" #2: STATE_QUICK_I1: initiate
010 "cons" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Astaro ipsec says:
2003-Sep 17 04:37:07 prometheus pluto[2476]: "ipsec_1"[1] 67.74.225.108 #1: responding to Main Mode from unknown peer 67.74.225.108
2003-Sep 17 04:37:08 prometheus pluto[2476]: "ipsec_1"[1] 67.74.225.108 #1: Main mode peer ID is ID_USER_FQDN: 'emailid@oflaptop.com'
2003-Sep 17 04:37:08 prometheus pluto[2476]: "ipsec_1"[1] 67.74.225.108 #1: cannot respond to IPsec SA request because no connection is known for 172.16.100.0/24===LAPTOP.IP...67.74.225.108[emailid@oflaptop.com]
2003-Sep 17 04:37:08 prometheus pluto[2476]: "ipsec_1"[1] 67.74.225.108 #1: sending encrypted notification INVALID_ID_INFORMATION to 67.74.225.108:500
2003-Sep 17 04:37:08 prometheus pluto[2476]: "ipsec_1"[1] 67.74.225.108 #1: sent MR3, ISAKMP SA established
2003-Sep 17 04:37:18 prometheus pluto[2476]: "sputnik_1"[1] 67.74.225.108 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xfea6c271 (perhaps this is a duplicated packet)
2003-Sep 17 04:37:18 prometheus pluto[2476]: "sputnik_1"[1] 67.74.225.108 #1: sending encrypted notification INVALID_MESSAGE_ID to 67.74.225.108:500
(...repeat forever...)
where 67.74.225.108 is my laptop's current dynamic IP address...
%route
Destination Gateway Genmask Flags Metric Ref Use Iface
dialupGW * 255.255.255.255 UH 0 0 0 ppp0
dialupGW * 255.255.255.255 UH 0 0 0 ipsec0
loopback localhost 255.0.0.0 UG 0 0 0 lo
default dialupGW 0.0.0.0 UG 0 0 0 ppp0
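As an added diagnostic (not the poster's code and not part of Astaro or FreeS/WAN), the script below normalises subnet settings the way the responder's log shows them (a /24 written with a host address, such as 172.16.100.10/24, becomes 172.16.100.0/24) and compares the selectors pluto printed in the "no connection is known for" line against a set of responder policies. The two policies, and the split into a "local" and a "remote client" side, are assumptions for illustration only, since the post shows just the laptop's configuration.

```python
import ipaddress
import re

# pluto logs the rejected Quick Mode proposal as
#   <client behind responder>===<responder host>...<peer host>[peer ID]===<peer client>
# ("===" and "..." are pluto's notation); an omitted client means the host itself (/32).
NO_CONN_RE = re.compile(r"no connection is known for (?P<local>\S+?)===(?P<gw>\S+?)\.\.\."
                        r"(?P<peer>[0-9.]+)(?:\[(?P<id>[^\]]*)\])?(?:===(?P<peer_client>\S+))?")

def normalise_subnet(text):
    """Mask off host bits: '172.16.100.10/24' -> '172.16.100.0/24' (the form the
    responder logged); a bare address becomes a /32."""
    if "/" not in text:
        text += "/32"
    return str(ipaddress.ip_network(text, strict=False))

def parse_no_connection(line):
    """Return the proposed selectors from a 'no connection is known' line, else None."""
    m = NO_CONN_RE.search(line)
    if m is None:
        return None
    return {"local_client": normalise_subnet(m["local"]),
            "remote_client": normalise_subnet(m["peer_client"] or m["peer"]),
            "peer_id": m["id"]}

def check_policies(proposal, policies):
    """For each (name, local_subnet, remote_client) policy, list the selector sides
    that differ from the proposal; an empty list means that policy would match."""
    report = []
    for name, local, remote in policies:
        wanted = {"local_client": normalise_subnet(local),
                  "remote_client": normalise_subnet(remote)}
        reasons = [f"{side}: proposed {proposal[side]}, policy {net}"
                   for side, net in wanted.items() if proposal[side] != net]
        report.append((name, reasons))
    return report

# Log line copied from the post (its LAPTOP.IP placeholder kept as-is).
LOG_LINE = ('2003-Sep 17 04:37:08 prometheus pluto[2476]: "ipsec_1"[1] 67.74.225.108 #1: '
            "cannot respond to IPsec SA request because no connection is known for "
            "172.16.100.0/24===LAPTOP.IP...67.74.225.108[emailid@oflaptop.com]")

# Assumed responder policies (the post does not show the Astaro side): one that
# expects the peer behind its virtual IP, one that takes the peer's own address.
ASSUMED_POLICIES = [("roadwarrior_virtual_ip", "172.16.100.0/24", "172.16.100.1/32"),
                    ("roadwarrior_plain", "172.16.100.0/24", "67.74.225.108/32")]

if __name__ == "__main__":
    for name, reasons in check_policies(parse_no_connection(LOG_LINE), ASSUMED_POLICIES):
        print(name, "would match" if not reasons else "; ".join(reasons))
```

Run against the post's log line, it reports which side of each assumed policy the proposal fails to match, which is the comparison to make when a Quick Mode proposal is refused with INVALID_ID_INFORMATION.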