How do I troubleshoot an IPsec tunnel (from a cellular router to a public server)?

Posted by Hanno Fietz on Server Fault
Published on 2011-02-21T21:50:20Z Indexed on 2011/02/21 23:27 UTC

I'm new to IPsec and struggling with a setup that might soon be widely used in our operations (provided I do understand it, eventually...).

A cellular router (blackbox by netModule; from its log messages it seems to be running Linux and OpenSwan) connects a sensor network on customers' sites with our public server. We need to be able to connect into the local network, so I had the cell provider give me a public IP (a dynamic one). The way their setup works, the public IPs only allow IPsec traffic.

I set up OpenSwan on our Ubuntu server (running Jaunty). This is my connection config from /etc/ipsec.conf:

conn gprs-field-devices
    left=my.pub.lic.ip
    [email protected]
    #leftsubnet=192.168.1.129/25
    right=%any
    [email protected]
    #rightsubnet=192.168.1.1/25
    #rightnexthop=%defaultroute
    auto=add

On the router, all I have is the Web UI, in which I made the following settings:

  • "Remote endpoint": public IP of server, same as "left" above
  • "Local Network Address": 192.168.1.1
  • "Local Network Mask": 255.255.255.128
  • "Remote Network Address": 192.168.1.129
  • "Remote Network Mask": 255.255.255.128

The pluto process on the server is listening for connections on port 500. It can't open a tunnel, obviously, because it doesn't know at which IP the client is.

I set up a passphrase as PSK for @field.econemon.com in /etc/ipsec.secrets and also configured it in the router (which doesn't seem to support certificates).

My problem is, nothing happens. The router just says IPsec is "down". When I copy-paste the IP into ipsec.conf (for "right=") and ask the server to ipsec auto --up gprs-field-devices, it just hangs until I press Ctrl-C.

Is there anything wrong with my setup? How can I debug this further?

My router gives the following log lines that seem related, but don't tell me anything:

Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.secrets"

Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.d/hostkey.secrets"

Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: loading secrets from "/etc/ipsec.d/netbox0.secrets"

Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: "netbox00" #1: initiating Main Mode

Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: 104 "netbox00" #1: STATE_MAIN_I1: initiate

Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: ...could not start conn "netbox00"

Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: received and ignored informational message

Feb 21 23:08:28 Netbox user.warn parrot.system_controller[762]: IPSECCTRLR: Tunnel 0 is down for 0 seconds

Feb 21 23:08:40 Netbox user.warn parrot.system_controller[762]: IPSECCTRLR: Tunnel 0 is down for 10 seconds

Feb 21 23:08:52 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
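
Added example, not part of the original post: a small Python triage of the router log lines quoted above, reporting the last IKE state each connection reached and which notify types the peer sent back. The function names and the hint texts are assumptions introduced for illustration; the hints reflect general IKEv1 behaviour, not anything stated in the post.

```python
import re
from collections import Counter

# Lines copied from the router log quoted in the question.
SAMPLE_LOG = '''\
Feb 21 23:08:20 Netbox authpriv.warn pluto[2497]: "netbox00" #1: initiating Main Mode
Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: 104 "netbox00" #1: STATE_MAIN_I1: initiate
Feb 21 23:08:20 Netbox daemon.err ipsec__plutorun: ...could not start conn "netbox00"
Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 21 23:08:22 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: received and ignored informational message
Feb 21 23:08:52 Netbox authpriv.warn pluto[2497]: packet from 188.40.57.4:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
'''

STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: (?P<state>STATE_[A-Z0-9_]+)')
NOTIFY_RE = re.compile(
    r'packet from (?P<peer>[\d.]+):(?P<port>\d+): .*payload, type (?P<type>[A-Z_]+)')

# Editor's reading of common IKEv1 notify types; not taken from the page.
HINTS = {
    "NO_PROPOSAL_CHOSEN": "peer accepted none of the offered proposals; compare "
                          "encryption, hash, DH group and auth method on both ends",
    "INVALID_ID_INFORMATION": "peer rejected the identities or subnets offered",
}

def ike_phase(state):
    """Map a pluto state name to the IKEv1 phase it belongs to."""
    if state.startswith(("STATE_MAIN", "STATE_AGGR")):
        return 1
    return 2 if state.startswith("STATE_QUICK") else None

def triage(log_text):
    """Return (last state per connection, notify counts per (peer, port, type))."""
    last_state, notifies = {}, Counter()
    for line in log_text.splitlines():
        if (m := STATE_RE.search(line)):
            last_state[m["conn"]] = m["state"]
        if (m := NOTIFY_RE.search(line)):
            notifies[(m["peer"], int(m["port"]), m["type"])] += 1
    return last_state, notifies

def summarize(log_text):
    """Build one finding per connection state and per notify type received."""
    last_state, notifies = triage(log_text)
    out = [f"{conn}: last state {st} (phase {ike_phase(st)})"
           for conn, st in last_state.items()]
    for (peer, port, ntype), n in notifies.items():
        out.append(f"{peer}:{port} sent {ntype} x{n}: {HINTS.get(ntype, 'no hint')}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

On the quoted log this shows the router stuck in the first Main Mode state while the server answers with NO_PROPOSAL_CHOSEN, so the server's own pluto log is the next place to look.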

© Server Fault or respective owner
