I am having a problem setting up my CentOS 6.9 box connected to a Juniper box with IPsec and libreswan. I can get the tunnel up, but I cannot get anything to go through that tunnel. Others are able to connect to the same Juniper box just fine, but not me, even though they are using the same configuration on the Juniper end. Therefore I believe it is something in my configuration. Any ideas on how I could get it running?
Configuration is done between these servers:
My Centos server: 10.1.0.101
Centos subnet: 10.1.0.0/24
My WAN IP: 192.100.30.120
External internal subnet: 10.40.17.0/24
External WAN IP: 82.230.50.17
External server: 10.40.17.16/24
ipsec.conf
version 2.0
# basic configuration
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.40.17.0/24

conn VPN
    authby=secret
    auto=start
    type=tunnel
    left=10.1.0.101
    leftid=192.100.30.120
    leftsubnet=10.1.0.0/24
    leftnexthop=%defaultroute
    right=82.230.50.17
    rightsubnet=10.40.17.0/24
    rightnexthop=%defaultroute
    ike=aes256-sha1;modp1536
    phase2=esp
    phase2alg=aes256-sha1
    keyexchange=ike
    pfs=yes
sh-4.1# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.15 (netkey) on 2.6.32-696.6.3.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [PRESENT]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
000 #583: "VPN":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1596s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #548: "VPN":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1261s; newest IPSEC; eroute owner; isakmp#547; idle; import:admin initiate
000 #548: "VPN" esp.4677d4c@82.230.50.17 esp.df2d00af@10.1.0.101 tun.0@82.230.50.17 tun.0@10.1.0.101 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #581: "VPN":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
What should I do now to get it working?
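The status output above says the IPsec SA (#548) is established but has carried zero bytes in both directions (ESPout=0B ESPin=0B), which narrows the problem to traffic not being selected for the tunnel rather than to IKE negotiation. The script below is an added example, not part of the post and not libreswan's own tooling: it parses an ipsec.conf section and `ipsec status` lines, flags established SAs with zero traffic, and checks whether a given source/destination pair falls inside the conn's leftsubnet/rightsubnet selectors. The embedded config and status text are copied from the post (whitespace constructed); the two check addresses (10.1.0.101 and 10.40.17.16) are the poster's own server and the remote server.

```python
"""Read a libreswan ipsec.conf conn and `ipsec status` output, then check
(a) which established IPsec SAs have carried no traffic and (b) whether a
given src->dst packet even matches the tunnel's subnet selectors.

Added example for the post above; not libreswan's own code.
"""
import ipaddress
import re

# Constructed copy of the poster's ipsec.conf (only the keys used here).
SAMPLE_CONF = """\
version 2.0
config setup
    protostack=netkey
    virtual_private=%v4:10.40.17.0/24
conn VPN
    authby=secret
    auto=start
    type=tunnel
    left=10.1.0.101
    leftid=192.100.30.120
    leftsubnet=10.1.0.0/24
    right=82.230.50.17
    rightsubnet=10.40.17.0/24
"""

# Constructed copy of the `ipsec status` lines from the post.
SAMPLE_STATUS = """\
000 #583: "VPN":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1596s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #548: "VPN":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1261s; newest IPSEC; eroute owner; isakmp#547; idle; import:admin initiate
000 #548: "VPN" esp.4677d4c@82.230.50.17 esp.df2d00af@10.1.0.101 tun.0@82.230.50.17 tun.0@10.1.0.101 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
"""


def parse_conf(text):
    """Return {section header: {key: value}} for ipsec.conf-style text.

    Headers are lines such as `conn VPN` or `config setup`; parameter
    lines are `key=value`.  Leading whitespace is tolerated either way.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line or line.startswith("version"):
            continue
        if "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
        else:
            current = " ".join(line.split())          # normalise "conn  VPN"
            sections.setdefault(current, {})
    return sections


def selector_match(conn, src, dst):
    """True if a src->dst packet lies inside leftsubnet/rightsubnet.

    Packets outside the selectors never enter the tunnel even when the SA
    is up; a missing subnet falls back to the endpoint address itself.
    """
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return (ipaddress.ip_address(src) in left
            and ipaddress.ip_address(dst) in right)


STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+) \(([^)]*)\)')
TRAFFIC_RE = re.compile(r'^000 #(\d+): "([^"]+)" .*Traffic: ESPout=(\d+)B ESPin=(\d+)B')


def parse_status(text):
    """Return {sa_number: {...}} merging the state and traffic lines per SA."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, conn, state, desc = m.groups()
            sa = sas.setdefault(int(num), {"conn": conn})
            sa.update(state=state, established="established" in desc)
            continue
        m = TRAFFIC_RE.match(line)
        if m:
            num, conn, out_b, in_b = m.groups()
            sa = sas.setdefault(int(num), {"conn": conn})
            sa.update(esp_out=int(out_b), esp_in=int(in_b))
    return sas


def silent_tunnels(sas):
    """SA numbers whose IPsec (phase 2) SA is up but has moved no bytes."""
    return sorted(n for n, sa in sas.items()
                  if sa.get("state", "").startswith("STATE_QUICK")
                  and sa.get("established")
                  and sa.get("esp_out", 0) == 0 and sa.get("esp_in", 0) == 0)


def report(conf_text=SAMPLE_CONF, status_text=SAMPLE_STATUS,
           src="10.1.0.101", dst="10.40.17.16"):
    """Combine both checks for one conn and one src->dst pair."""
    conn = parse_conf(conf_text)["conn VPN"]
    return {"selector_ok": selector_match(conn, src, dst),
            "silent_sas": silent_tunnels(parse_status(status_text))}


if __name__ == "__main__":
    print(report())
```

The selector check is the point of the example: if the packets leaving the host carry a source address outside leftsubnet (for instance, after an iptables MASQUERADE rule rewrote them to the WAN address 192.100.30.120), `selector_match` returns False and the SA stays at zero bytes exactly as in the post's status output.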