2

My connection IPSec have problem. This is my Diagram. Diagram

Connect VPN is not OK must be restart IPsec ==> OK and after that not OK 

root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# /etc/init.d/ipsec restart 
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.38/K3.19.0-25-generic...
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
Escape character is '^]'.
^[$^]
telnet> q
Connection closed.

And for 5m after cannot telnet to 10.225.198.3 3900 (Tunnel VPN still up )

root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out
root@vungtau:~# telnet 10.225.198.3 3900
Trying 10.225.198.3...
telnet: Unable to connect to remote host: Connection timed out

Status VPN 

IPsec running  - pluto pid: 11088
pluto pid 11088
1 tunnels up
some eroutes exist

Some time status is 2 or 3 or 4 or 5 or 0 tunnel UP

IPsec running  - pluto pid: 11088
pluto pid 11088
3 tunnels up
some eroutes exist

=> What happened with my VPN connection, and why? What can I do?

This is my config

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combation from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast


    #protostack=auto
    protostack=netkey

    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null


conn vpntanza
        authby=secret
        auto=start
        ike=aes128-sha1;modp1024
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        phase2=esp
        phase2alg=3des,aes
        compress=no
        pfs=yes
        type=tunnel

        #FROM TTV
        left=125.X.X.X.X
        leftsourceip=10.58.82.179
#        leftsourceip=125.X.X.X
        leftsubnet=10.58.82.0/24

        ## for direct routing ##
        leftnexthop=%defaultroute
        rightnexthop=%defaultroute

        #TO 
        right=169.255.X.X
        rightsubnet=10.225.196.0/22


#include /etc/ipsec.d/*.conf
Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
Uncelvel
  • 345

0 Answers0