Hi,<br>
<br>
I'm trying to configure a road warrior node to access a private network
whose router I administer. My laptop is running openswan 2.4.0 and the
router has openswan 2.2.0. I configured both ends, but when I start the
connection, it gives me the following output and hangs:<br>
<br>
root@amilcar:/etc# ipsec auto --verbose --up road-lcc-cluster64<br>
002 "road-lcc-cluster64" #7: initiating Main Mode<br>
104 "road-lcc-cluster64" #7: STATE_MAIN_I1: initiate<br>
002 "road-lcc-cluster64" #7: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
106 "road-lcc-cluster64" #7: STATE_MAIN_I2: sent MI2, expecting MR2<br>
002 "road-lcc-cluster64" #7: I did not send a certificate because I do not have one.<br>
002 "road-lcc-cluster64" #7: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
108 "road-lcc-cluster64" #7: STATE_MAIN_I3: sent MI3, expecting MR3<br>
002 "road-lcc-cluster64" #7: Main mode peer ID is ID_FQDN: '@<a href="http://cluster64.speed.dcc.ufmg.br">cluster64.speed.dcc.ufmg.br</a>'<br>
002 "road-lcc-cluster64" #7: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>
004 "road-lcc-cluster64" #7: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}<br>
002 "road-lcc-cluster64" #8: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#7}<br>
117 "road-lcc-cluster64" #8: STATE_QUICK_I1: initiate<br>
010 "road-lcc-cluster64" #8: STATE_QUICK_I1: retransmission; will wait 20s for response<br>
010 "road-lcc-cluster64" #8: STATE_QUICK_I1: retransmission; will wait 40s for response<br>
<br>
The two ipsec.conf files follow:<br>
<br>
---> In the road warrior node (my laptop, for instance):<br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file<br>
# RCSID $Id: <a href="http://ipsec.conf.in">ipsec.conf.in</a>,v 1.15.2.1 2005/07/26 12:28:39 ken Exp $<br>
<br>
# This file: /usr/share/doc/openswan/ipsec.conf-sample<br>
#<br>
# Manual: ipsec.conf.5<br>
<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
# interfaces=%defaultroute<br>
# plutodebug / klipsdebug = "all", "none" or a combination from below:<br>
# "raw crypt parsing emitting control klips pfkey natt x509 private"<br>
# eg:<br>
# plutodebug="control parsing"<br>
#<br>
# Only enable klipsdebug=all if you are a developer<br>
#<br>
# NAT-TRAVERSAL support, see README.NAT-Traversal<br>
# nat_traversal=yes<br>
# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12<br>
<br>
conn road-lcc-cluster64<br>
left=%defaultroute<br>
leftid=@<a href="http://diniz.amilcar.lcc.ufmg.br">diniz.amilcar.lcc.ufmg.br</a><br>
leftrsasigkey=...<br>
right=150.164.254.225<br>
rightsubnet=192.168.64.0/24<br>
rightid=@<a href="http://cluster64.speed.dcc.ufmg.br">cluster64.speed.dcc.ufmg.br</a><br>
rightrsasigkey=...<br>
rightnexthop=%defaultroute<br>
authby=rsasig<br>
auto=add<br>
<br>
#Disable Opportunistic Encryption<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
<br>
---> In the gateway:<br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file<br>
# RCSID $Id: <a href="http://ipsec.conf.in">ipsec.conf.in</a>,v 1.13 2004/03/24 04:14:39 ken Exp $<br>
<br>
# This file: /usr/share/doc/openswan/ipsec.conf-sample<br>
#<br>
# Manual: ipsec.conf.5<br>
<br>
<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
# basic configuration<br>
config setup<br>
# interfaces=%defaultroute<br>
# nat_traversal=yes<br>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<br>
# klipsdebug=none<br>
# plutodebug="control parsing"<br>
<br>
conn road-lcc-cluster64<br>
left=150.164.254.225<br>
leftsubnet=192.168.64.0/24<br>
leftid=@<a href="http://cluster64.speed.dcc.ufmg.br">cluster64.speed.dcc.ufmg.br</a><br>
leftrsasigkey=...<br>
leftnexthop=%defaultroute<br>
right=%any<br>
rightnexthop=%defaultroute<br>
rightid=@<a href="http://diniz.amilcar.lcc.ufmg.br">diniz.amilcar.lcc.ufmg.br</a><br>
rightrsasigkey=...<br>
authby=rsasig<br>
auto=add<br>
<br>
#Disable Opportunistic Encryption<br>
include /etc/ipsec.d/examples/no_oe.conf<br>
<br>-- <br>Bruno Diniz de Paula