I try this for at least three months now and can't get this to work. I have absolutely no idea why the site-to-site VPN won't establish. On one site I have the Astaro which is configured like this:
Connection
Remote Gateway
Policy
The ipsec.conf on the OpenSwan Server:
# NODES S2S VPN Config
#--------------------------
# Last changed: 20.08.2011
version 2.0
#Grundkonfiguration
config setup
forwardcontrol=yes
interfaces="ipsec0=eth0"
nat_traversal=yes
uniqueids=no
klipsdebug=all
plutodebug=all
nhelpers=0
# protostack=netkey
#Default Parameter
conn %default
disablearrivalcheck=no
#Site 2 Site VPN NODES.net Hainburg
conn CORE-S2S-HIB
type=tunnel
authby=secret
pfs=no
compress=no
keyexchange=ike
auth=esp
ike=aes256-md5-modp2048
ikelifetime=7800s
esp=3des-sha1
keylife=3600s
left=212.72.184.221
leftsubnet=172.21.0.0/16
leftsourceip=172.21.0.1
leftnexthop=212.72.184.1
right=nodes.webhop.net
rightsubnet=192.168.210.0/24
rightsourceip=192.168.210.1
rightnexthop=212.72.184.1
auto=add
The status of ipsec auto --status looks like this:
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 212.72.184.221
000 interface eth0/eth0 212.72.184.221
000 interface eth0/eth0 172.21.0.1
000 interface eth0/eth0 172.21.0.1
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,540} attrs={0,4,360}
000
000 "CORE-S2S-HIB": 172.21.0.0/16===212.72.184.221---212.72.184.1...212.72.184.1---84.165.201.247===192.168.210.0/24; unrouted; eroute owner: #0
000 "CORE-S2S-HIB": srcip=172.21.0.1; dstip=192.168.210.1; srcup=ipsec _updown; dstup=ipsec _updown;
000 "CORE-S2S-HIB": ike_life: 7800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "CORE-S2S-HIB": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 16,24; interface: eth0; encap: esp;
000 "CORE-S2S-HIB": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "CORE-S2S-HIB": IKE algorithms wanted: AES_CBC(7)_256-MD5(1)-MODP2048(14); flags=strict
000 "CORE-S2S-HIB": IKE algorithms found: AES_CBC(7)_256-MD5(1)_128-MODP2048(14)
000 "CORE-S2S-HIB": IKE algorithm newest: AES_CBC_256-MD5-MODP2048
000 "CORE-S2S-HIB": ESP algorithms wanted: 3DES(3)_000-SHA1(2); flags=strict
000 "CORE-S2S-HIB": ESP algorithms loaded: 3DES(3)_000-SHA1(2); flags=strict
000
000 #1: "CORE-S2S-HIB":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 6178s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
And the connection status on the ASG shows this:
What am I doing wrong? Please help me I'm almost out of hairs on my head ...
Kind regards,
Hyperlord
This thread was automatically locked due to age.
