<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1251"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<tt><font size="-1">Some updates..</font></tt><br>
<blockquote cite="mid:481C31D6.6010808@in.if.ua" type="cite"><tt><font
size="-1">Hello,<br>
<br>
Got back to you with another issue... :)<br>
<br>
I have successfully set up Linux Openswan server and Windows XP client.
And the last one successfully connects to the server.<br>
<br>
I have another Linux machine in the same network where Windows is. And,
currently, I can't make it work. :(<br>
<br>
Okay... ipsec.conf:<br>
<font color="#3333ff"><br>
version 2.0<br>
<br>
config setup<br>
nat_traversal=yes<br>
<br>
conn nung<br>
left=%defaultroute<br>
leftrsasigkey=%cert<br>
leftcert=/etc/ipsec.d/certs/s-andy-cert.pem<br>
leftprotoport=17/1701<br>
right=vpn.hostname<br>
rightrsasigkey=%cert<br>
rightca=%same<br>
rightid="C=UA, ST=Ivano-Frankivsk, L=Ivano-Frankivsk, O=...,
OU=..., CN=..., E=..." # removed for confidentiality<br>
rightprotoport=17/1701<br>
authby=rsasig<br>
pfs=no<br>
rekey=no<br>
keyingtries=3<br>
auto=add<br>
<br>
# Disable Opportunistic Encryption<br>
include /etc/ipsec.d/examples/no_oe.conf</font><br>
<br>
The logs when trying to connect:<br>
<font color="#3333ff"><br>
andrix:~# ipsec auto --up nung<br>
104 "nung" #1: STATE_MAIN_I1: initiate<br>
003 "nung" #1: ignoring unknown Vendor ID payload
[4f456c4c4f5d5264574e5244]<br>
003 "nung" #1: received Vendor ID payload [Dead Peer Detection]<br>
003 "nung" #1: received Vendor ID payload [RFC 3947] method set to=109<br>
106 "nung" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "nung" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i
am NATed<br>
108 "nung" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
004 "nung" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}<br>
117 "nung" #2: STATE_QUICK_I1: initiate<br>
010 "nung" #2: STATE_QUICK_I1: retransmission; will wait 20s for
response<br>
010 "nung" #2: STATE_QUICK_I1: retransmission; will wait 40s for
response<br>
031 "nung" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal<br>
000 "nung" #2: starting keying attempt 2 of at most 3, but releasing
whack</font><br>
<br>
The logs from the server:<br>
<br>
<font color="#3333ff">May 3 12:13:32 base pluto[18567]: packet from </font></font></tt><font
color="#3333ff"><small><font face="Terminus">92.30.44.50</font></small><tt><font
size="-1">:500: ignoring unknown Vendor ID payload
[4f45606c50487c5662707575]<br>
May 3 12:13:32 base pluto[18567]: packet from </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1">:500:
received Vendor ID payload [Dead Peer Detection]<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[42] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
responding to Main Mode from unknown peer </font></tt><small><font
face="Terminus">92.30.44.50</font></small><br>
<tt><font size="-1">May 3 12:13:32 base pluto[18567]:
"nung-server"[42] </font></tt><small><font face="Terminus">92.30.44.50</font></small><tt><font
size="-1"> #40: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[42] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[42] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[42] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[42] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
Main mode peer ID is ID_DER_ASN1_DN: 'C=UA, ST=Ivano-Frankivsk,
L=Ivano-Frankivsk, O=..., OU=..., CN=..., E=...'<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[42] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
switched from "nung-server" to "nung-server"<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
deleting connection "nung-server" instance with peer </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"><font
face="Terminus"> </font>{isakmp=#0/ipsec=#0}<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40: I
am sending my cert<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
cannot respond to IPsec SA request because no connection is known for
68.68.44.42[C=UA, ST=Ivano-Frankivsk, L=Ivano-Frankivsk, O=..., OU=...,
CN=..., E=...]:17/1701...</font></tt><small><font face="Terminus">92.30.44.50</font></small><tt><font
size="-1">[C=UA, ST=Ivano-Frankivsk, L=Ivano-Frankivsk, O=..., OU=...,
CN=..., E=...]:17/1701===192.168.14.2/32<br>
May 3 12:13:32 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
sending encrypted notification INVALID_ID_INFORMATION to </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1">:500<br>
May 3 12:13:43 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
Quick Mode I1 message is unacceptable because it uses a previously used
Message ID 0x23d79a89 (perhaps this is a duplicated packet)<br>
May 3 12:13:43 base pluto[18567]: "nung-server"[43] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #40:
sending encrypted notification INVALID_MESSAGE_ID to </font></tt><small><font
face="Terminus">92.30.44.50</font></small></font><tt><font size="-1"><font
color="#3333ff">:500</font><br>
<br>
I have the feeling that something is wrong with NAT-T on the client
side... Sample logs for a successful Windows connection:<br>
<br>
<font color="#3333ff">May 3 12:07:42 base pluto[18567]:
"nung-server"[41] </font></font></tt><font color="#3333ff"><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
responding to Main Mode from unknown peer </font></tt><small><font
face="Terminus">92.30.44.50</font></small><br>
<tt><font size="-1">May 3 12:07:42 base pluto[18567]:
"nung-server"[41] </font></tt><small><font face="Terminus">92.30.44.50</font></small><tt><font
size="-1"> #38: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>
May 3 12:07:42 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: <br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
Main mode peer ID is ID_DER_ASN1_DN: 'C=UA, ST=Ivano-Frankivsk<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38: I
am sending my cert<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
May 3 12:07:43 base pluto[18567]: | NAT-T: new mapping </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1">:500/60514)<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #38:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #39:
responding to Quick Mode {msgid:ba87b79c}<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #39:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #39:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #39:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
May 3 12:07:43 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #39:
STATE_QUICK_R2: IPsec SA established {ESP=>0xb40fab5b <0xde368f17<br>
May 3 12:07:56 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #37:
Quick Mode I1 message is unacceptable because it uses a previously<br>
May 3 12:07:56 base pluto[18567]: "nung-server"[41] </font></tt><small><font
face="Terminus">92.30.44.50</font></small><tt><font size="-1"> #37:
sending encrypted notification INVALID_MESSAGE_ID to </font></tt><small><font
face="Terminus">92.30.44.50</font></small></font><tt><font size="-1"><font
color="#3333ff">:60381</font><br>
<br>
I have noticed that the numbers (e.g., #38, #39) for different parts of
a successful connection differ, while for the failing one the number
remains the same...<br>
</font></tt></blockquote>
I have found somewhere that I need to be sure that both ends use the
same algo...<br>
<br>
Windows connection has <font color="#3333ff">{auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}</font> and
Linux uses <font color="#3333ff">{auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}</font>. So I
tried to set the algo as follows:<br>
<br>
<font color="#3333ff">conn nung<br>
ike=3des-sha1<br>
</font><br>
I also tried adding <font color="#3333ff">3des-sha1-modp2048</font>... None helps... :(<br>
<blockquote cite="mid:481C31D6.6010808@in.if.ua" type="cite"><tt><font
size="-1">
<br>
Here is ipsec verify:<br>
<br>
<font color="#3333ff">andrix:~# ipsec verify<br>
Checking your system to see if IPsec got installed and started
correctly:<br>
Version check and ipsec on-path [OK]<br>
Linux Openswan U2.4.12/K2.6.22-3-k7 (netkey)<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br>
<br>
Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br>
or NETKEY will cause the sending of bogus ICMP redirects!<br>
<br>
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br>
<br>
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br>
or NETKEY will accept bogus ICMP redirects!<br>
<br>
Checking for RSA private key (/etc/ipsec.secrets)
[DISABLED]<br>
ipsec showhostkey: no default key in "/etc/ipsec.secrets"<br>
Checking that pluto is running [OK]<br>
Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing [N/A]<br>
Checking for 'ip' command [OK]<br>
Checking for 'iptables' command [OK]<br>
Opportunistic Encryption Support
[DISABLED]</font><br>
<br>
I'm using built-in IPSec... I guess there should be NAT-T...<br>
<br>
I also have two [FAILED] tests but I can't do anything about them: "echo 0
&gt; /proc/sys/net/ipv4/conf/all/send_redirects" does not help... :(<br>
</font></tt></blockquote>
Okay, this is not the issue any more - I needed to reboot... Now all
tests are OK.<br>
<br>
Andriy
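<br>
An added log-triage example, not code from this thread or from Openswan: the sample pluto lines are constructed from the excerpts quoted above (the Windows phase 1 parameters are taken from the comparison in the message). It groups messages by SA number, as the #38/#39 versus #40 comparison above does, extracts the phase 1 parameters so two SAs can be diffed, and pulls out the client-side selector the responder rejected with INVALID_ID_INFORMATION.<br>

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the message:
# SA #40 is the failing Linux client, #38/#39 the working Windows client.
SAMPLE_LOG = """\
May 3 12:13:32 base pluto[18567]: "nung-server"[43] 92.30.44.50 #40: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
May 3 12:13:32 base pluto[18567]: "nung-server"[43] 92.30.44.50 #40: cannot respond to IPsec SA request because no connection is known for 68.68.44.42[C=UA, ST=Ivano-Frankivsk]:17/1701...92.30.44.50[C=UA, ST=Ivano-Frankivsk]:17/1701===192.168.14.2/32
May 3 12:13:32 base pluto[18567]: "nung-server"[43] 92.30.44.50 #40: sending encrypted notification INVALID_ID_INFORMATION to 92.30.44.50:500
May 3 12:07:43 base pluto[18567]: "nung-server"[41] 92.30.44.50 #38: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
May 3 12:07:43 base pluto[18567]: "nung-server"[41] 92.30.44.50 #39: STATE_QUICK_R2: IPsec SA established {ESP=>0xb40fab5b <0xde368f17}
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
PARAMS_RE = re.compile(r"\{([^}]*)\}")
SELECTORS_RE = re.compile(r"no connection is known for (?P<left>.+?)\.\.\.(?P<right>.+)$")


def triage(log_text):
    """Group pluto messages by SA number and record how far each SA got."""
    sas = defaultdict(lambda: {"peer": None, "isakmp": None, "ipsec": False, "errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa = sas[int(m["sa"])]
        sa["peer"] = m["peer"]
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            # phase 1 parameters, e.g. {auth=... cipher=... prf=... group=...}
            p = PARAMS_RE.search(msg)
            sa["isakmp"] = dict(kv.split("=", 1) for kv in p.group(1).split())
        elif "IPsec SA established" in msg:
            sa["ipsec"] = True
        elif "no connection is known for" in msg:
            # the responder found no conn matching the proposed selectors;
            # the part after === is the client-side subnet the peer proposed
            sel = SELECTORS_RE.search(msg)
            proposed = sel["right"].split("===")[-1]
            sa["errors"].append(f"no matching conn for proposed client subnet {proposed}")
        elif "sending encrypted notification" in msg:
            sa["errors"].append(msg.split("notification ")[1].split()[0])
    return dict(sas)


def compare_phase1(a, b):
    """Return the phase 1 parameters on which two ISAKMP SAs disagree."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for num, sa in sorted(result.items()):
        state = "IPsec SA up" if sa["ipsec"] else ("phase 1 only" if sa["isakmp"] else "incomplete")
        print(f"#{num} {sa['peer']}: {state} {sa['errors']}")
    print("phase 1 differences #38 vs #40:", compare_phase1(result[38]["isakmp"], result[40]["isakmp"]))
```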
</body>
</html>