How do I troubleshoot an IPsec tunnel (from a cellular router to a public server)?
Posted
by
Hanno Fietz
on Server Fault
See other posts from Server Fault
or by Hanno Fietz
Published on 2011-02-21T21:50:20Z
Indexed on
2011/02/21
23:27 UTC
Read the original article
Hit count: 259
I'm new to IPsec and struggling with a setup that might soon be widely used in our operations (provided I do understand it, eventually...).
A cellular router (blackbox by netModule, from its log messages it seems to be running Linux and OpenSwan) connects a sensor network on customers' sites with our public server. We need to be able to connect into the local network, so I had the cell provider give me a public IP (a dynamic one). The way their setup works, the public IPs only allow IPsec traffic.
I set up OpenSwan on our Ubuntu server (running Jaunty). This is my connection config from /etc/ipsec.conf:
conn gprs-field-devices
left=my.pub.lic.ip
[email protected]
#leftsubnet=192.168.1.129/25
right=%any
[email protected]
#rightsubnet=192.168.1.1/25
#rightnexthop=%defaultroute
auto=add
On the router, all I have is the Web UI, in which I made the following settings:
- "Remote endpoint": public IP of server, same as "left" above
- "Local Network Address": 192.168.1.1
- "Local Network Mask": 255.255.255.128
- "Remote Network Address": 192.168.1.129
- "Remote Network Mask": 255.255.255.128
The pluto process on the server is listening for connections on port 500. It can't open a tunnel, obviously, because it doesn't know at which IP the client is.
I set up a passphrase as PSK for @field.econemon.com in /etc/ipsec.secrets and also configured it in the router (which doesn't seem to support certificates).
My problem is, nothing happens. The router just says, IPsec is "down". When I copy-paste the IP into ipsec.conf (for "right="), and ask the server to ipsec auto --up gprs-field-devices, it just hangs until I press Ctrl-C.
Is there anything wrong with my setup? How can I debug this further?
My router gives the following loglines that seem related, but don't tell me anything:
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.secrets"
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.d/netbox0.secrets"
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: "netbox00" #1: initiating Main Mode
Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: 104 "netbox00" #1: STATE_MAIN_I1: initiate
Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: ...could not start conn "netbox00"
Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: received and ignored informational message
Feb 21 23:08:28 Netbox user.warn parrot.system_controller[762]: IPSECCTRLR: Tunnel 0 is down for 0 seconds
Feb 21 23:08:40 Netbox user.warn parrot.system_controller[762]: IPSECCTRLR: Tunnel 0 is down for 10 seconds
Feb 21 23:08:52 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
© Server Fault or respective owner
