<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.10.1">
</HEAD>
<BODY>
I'm trying to make a road warrior connection but it doesn't work.<BR>
<BR>
On the server I have this result:<BR>
[root@fw02 fred]# /usr/sbin/ipsec verify<BR>
<BR>
Checking your system to see if IPsec got installed and started correctly:<BR>
Version check and ipsec on-path [OK]<BR>
Linux Openswan U2.4.4/K2.6.15-1.1830_FC4 (netkey)<BR>
Checking for IPsec support in kernel [OK]<BR>
Checking for RSA private key (/etc/ipsec.secrets) [OK]<BR>
Checking that pluto is running [OK]<BR>
Two or more interfaces found, checking IP forwarding [OK]<BR>
Checking NAT and MASQUERADEing [N/A]<BR>
Checking for 'ip' command [OK]<BR>
Checking for 'iptables' command [OK]<BR>
Checking for 'setkey' command for NETKEY IPsec stack support [OK]<BR>
Opportunistic Encryption Support [DISABLED]<BR>
[root@fw02 fred]#<BR>
<BR>
On the road warrior client I got:<BR>
[root@notebook_02 ~]# ipsec verify<BR>
<BR>
Checking your system to see if IPsec got installed and started correctly:<BR>
Version check and ipsec on-path [OK]<BR>
Linux Openswan U2.4.4/K2.6.16-1.2111_FC5 (netkey)<BR>
Checking for IPsec support in kernel [OK]<BR>
Checking for RSA private key (/etc/ipsec.secrets) [OK]<BR>
Checking that pluto is running [OK]<BR>
Two or more interfaces found, checking IP forwarding [FAILED]<BR>
Checking for 'ip' command [OK]<BR>
Checking for 'iptables' command [OK]<BR>
Checking for 'setkey' command for NETKEY IPsec stack support [OK]<BR>
Opportunistic Encryption Support [DISABLED]<BR>
[root@notebook_02 ~]#<BR>
<BR>
The server has a real IP; the client is behind a NAT on an ADSL link.<BR>
<BR>
My ipsec.conf on client is:<BR>
<BR>
config setup<BR>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<BR>
# klipsdebug=none<BR>
# plutodebug="control parsing"<BR>
nat_traversal=yes<BR>
interfaces=%defaultroute<BR>
#interfaces="ipsec0=eth0"<BR>
virtual_private=%v4:192.168.0.0/24<BR>
include /etc/ipsec.d/*.conf<BR>
<BR>
conn road<BR>
left=%defaultroute # Gateway's information<BR>
leftid=@note<BR>
leftrsasigkey=<BR>
right=200.199.xxx.xxx # Wildcard: we don't know<BR>
rightsubnet=10.60.60.0/24<BR>
rightid=@fw02<BR>
rightrsasigkey=....<BR>
auto=add # authorizes but doesn't start this<BR>
# connection at startup<BR>
<BR>
My ipsec.conf on server is:<BR>
<BR>
config setup<BR>
# Debug-logging controls: "none" for (almost) none, "all" for lots.<BR>
klipsdebug=all<BR>
# plutodebug="control parsing"<BR>
nat_traversal=yes<BR>
interfaces=%defaultroute<BR>
#interfaces="ipsec0=eth0"<BR>
conn road<BR>
left=200.199.xxx.xxx # Gateway's information<BR>
leftid=@fw02<BR>
leftsubnet=10.60.60.0/24<BR>
leftrsasigkey=<BR>
rightnexthop=%defaultroute<BR>
right=%any<BR>
rightid=@note<BR>
rightrsasigkey=<BR>
auto=add # authorizes but doesn't start this<BR>
# connection at startup<BR>
<BR>
<BR>
When I start a road connection, I get this in /var/log/secure on the server:<BR>
<BR>
<BR>
May 22 19:00:08 fw02 pluto[18305]: "road"[1] 201.9.143.99: deleting connection "road" instance with peer 201.9.143.99 {isakmp=#0/ipsec=#0}<BR>
May 22 19:00:08 fw02 pluto[18305]: packet from 201.9.143.99:61766: received and ignored informational message<BR>
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500: received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<BR>
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500: received Vendor ID payload [Dead Peer Detection]<BR>
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500: received Vendor ID payload [RFC 3947] method set to=109<BR>
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109<BR>
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109<BR>
May 22 19:01:10 fw02 pluto[18305]: packet from 201.9.143.99:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: responding to Main Mode from unknown peer 201.9.143.99<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: STATE_MAIN_R1: sent MR1, expecting MI2<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: NAT-Traversal: Result using 3: peer is NATed<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: STATE_MAIN_R2: sent MR2, expecting MI3<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Main mode peer ID is ID_FQDN: '@note'<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: I did not send a certificate because I do not have one.<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<BR>
May 22 19:01:10 fw02 pluto[18305]: | NAT-T: new mapping 201.9.143.99:500/61949)<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: cannot respond to IPsec SA request because no connection is known for 10.60.60.0/24===200.199.xxx.xxx[@fw02]...201.9.143.99[@note]===192.168.0.7/32<BR>
May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending encrypted notification INVALID_ID_INFORMATION to 201.9.143.99:61949<BR>
May 22 19:01:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1a75fa3d (perhaps this is a duplicated packet)<BR>
May 22 19:01:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending encrypted notification INVALID_MESSAGE_ID to 201.9.143.99:61949<BR>
May 22 19:01:40 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x1a75fa3d (perhaps this is a duplicated packet)<BR>
May 22 19:01:40 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending encrypted notification INVALID_MESSAGE_ID to 201.9.143.99:61949<BR>
May 22 19:02:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: cannot respond to IPsec SA request because no connection is known for 10.60.60.0/24===200.199.xxx.xxx[@fw02]...201.9.143.99[@note]===192.168.0.7/32<BR>
May 22 19:02:20 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending encrypted notification INVALID_ID_INFORMATION to 201.9.143.99:61949<BR>
May 22 19:02:31 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xa3061b07 (perhaps this is a duplicated packet)<BR>
May 22 19:02:31 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: sending encrypted notification INVALID_MESSAGE_ID to 201.9.143.99:61949<BR>
May 22 19:02:36 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: received Delete SA payload: deleting ISAKMP State #2<BR>
May 22 19:02:36 fw02 pluto[18305]: "road"[2] 201.9.143.99: deleting connection "road" instance with peer 201.9.143.99 {isakmp=#0/ipsec=#0}<BR>
May 22 19:02:36 fw02 pluto[18305]: packet from 201.9.143.99:61949: received and ignored informational message<BR>
<BR>
I only installed the openswan package using yum. Do I need anything else?<BR>
<BR>
What am I doing wrong?<BR>
<BR>
Thanks.<BR>
<BR>
<BR>
Fred<BR>
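<BR>
An added diagnostic example (not part of the original post) that parses the server's "cannot respond to IPsec SA request because no connection is known for" line and compares the selectors the peer proposed with the server-side conn; the gateway address 200.199.0.1 stands in for the redacted 200.199.xxx.xxx and the conn is represented as a plain dict.<BR>

```python
import ipaddress
import re

# Constructed sample: the rejection line from the post, with the redacted
# gateway address (200.199.xxx.xxx) replaced by the placeholder 200.199.0.1.
SAMPLE_LOG = (
    'May 22 19:01:10 fw02 pluto[18305]: "road"[2] 201.9.143.99 #2: '
    'cannot respond to IPsec SA request because no connection is known for '
    '10.60.60.0/24===200.199.0.1[@fw02]...201.9.143.99[@note]===192.168.0.7/32'
)

# The server-side "conn road" from the post as a dict (same placeholder).
# It defines leftsubnet but no rightsubnet.
SERVER_CONN = {
    "left": "200.199.0.1", "leftid": "@fw02", "leftsubnet": "10.60.60.0/24",
    "right": "%any", "rightid": "@note",
}

# pluto prints the selectors it could not match as
#   LEFTSUBNET===LEFTIP[LEFTID]...RIGHTIP[RIGHTID]===RIGHTSUBNET
SELECTOR_RE = re.compile(
    r"no connection is known for "
    r"(?P<lsub>[^=\s]+)===(?P<lip>[^\[]+)\[(?P<lid>[^\]]+)\]"
    r"\.\.\.(?P<rip>[^\[]+)\[(?P<rid>[^\]]+)\]===(?P<rsub>\S+)"
)

def parse_rejected_proposal(line):
    """Return the selectors of a rejected Quick Mode proposal, or None."""
    m = SELECTOR_RE.search(line)
    return m.groupdict() if m else None

def _covers(conn_subnet, proposed):
    return ipaddress.ip_network(proposed).subnet_of(ipaddress.ip_network(conn_subnet))

def explain_mismatch(proposal, conn):
    """List the parts of the peer's proposal that the conn cannot satisfy."""
    problems = []
    # Without leftsubnet/rightsubnet pluto expects the endpoint's own host address.
    left_expected = conn.get("leftsubnet", conn["left"] + "/32")
    if not _covers(left_expected, proposal["lsub"]):
        problems.append("leftsubnet: conn has %s, peer proposed %s" % (left_expected, proposal["lsub"]))
    if conn["leftid"] != proposal["lid"] or conn["rightid"] != proposal["rid"]:
        problems.append("ids: conn %s/%s, proposal %s/%s" % (conn["leftid"], conn["rightid"], proposal["lid"], proposal["rid"]))
    right_expected = conn.get("rightsubnet", proposal["rip"] + "/32")
    if not _covers(right_expected, proposal["rsub"]):
        problems.append("rightsubnet: conn expects %s, peer proposed %s (NATed peer using its private address)" % (right_expected, proposal["rsub"]))
    return problems
```

Run against the post's line it reports only the rightsubnet mismatch: the NATed client proposes its private address 192.168.0.7/32, which the server conn, lacking any rightsubnet or virtual_private setting, has no way to match. In Openswan such addresses are normally declared on the server side with virtual_private in config setup and rightsubnet=vhost:%priv,%no in the conn.<BR>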
<BR>
<BR>
</BODY>
</HTML>