Now that you have used the rsasigkey, maybe there is no need to use rightid. You may find more diagnostic info in /var/log/secure.<br><br><div class="gmail_quote">2009/4/15 Aasim Ajaz <span dir="ltr"><<a href="mailto:aasim.ajaz@gmail.com">aasim.ajaz@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hello Guys,<br><br>I am trying to create an IPsec tunnel between two Linux systems, SuSE 8 running FreeS/WAN 1.98 and SuSE 10 running Openswan 2.4, and so far no success. I have verified the network settings a few times and they all look good.<br>
<br>Thanks in advance.<br><br>This is the traffic flow from the right to the left side:<br>86: 23:38:48.479208 49.***.29.12.500 > 142.***.208.44.500: udp 212
<br>87: 23:38:58.481145 49.***.29.12.500 > 142.***.208.44.500: udp 212
<br>88: 23:39:18.483480 49.***.29.12.500 > 142.***.208.44.500: udp 212
<br>89: 23:39:23.330823 142.***.208.44.500 > 49.***.29.12.500: udp 176
<br>90: 23:39:23.339673 49.***.29.12.500 > 142.***.208.44.500: udp 116
<br>91: 23:39:33.345563 49.***.29.12.500 > 142.***.208.44.500: udp 116
<br>92: 23:39:33.440742 142.***.208.44.500 > 49.***.29.12.500: udp 176
<br>93: 23:39:33.451896 49.***.29.12.500 > 142.***.208.44.500: udp 116
<br>94: 23:39:43.478490 49.***.29.12.500 > 142.***.208.44.500: udp 116<br><br>system2 # tcpdump -vv -ni eth0 host 142.***.208.44<br>49.***.29.12.500: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|sa]
<br>00:20:13.087518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
<br>00:20:22.112828 IP (tos 0x0, ttl 63, id 25805, offset 0, flags [DF], proto: UDP (17), length: 204) 142.***.208.44.500 > 49.***.29.12.500: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|sa]
<br>00:20:22.135080 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
<br>00:20:23.143086 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
<br> <br><br>Below are the configs from both hosts.<br><br>Two systems:<br><br>RIGHT SIDE<br>==========<br>SUSE Linux Enterprise Server 10 (x86_64)<br>VERSION = 10<br>PATCHLEVEL = 2<br>System2:~ # rpm -qa | grep openswan<br>
openswan-2.4.4-18.9<br>System2:~ # rpm -qa | grep ipsec<br>ipsec-tools-0.6.5-10.10<br><br># more /etc/ipsec.conf<br># /etc/ipsec.conf - Openswan IPsec configuration file<br># RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $<br>
<br># This file: /usr/share/doc/packages/openswan/ipsec.conf-sample<br># Manual: ipsec.conf.5<br><br>version 2.0 # conforms to second version of ipsec.conf specification<br># basic configuration<br>config setup<br>
# THIS SETTING MUST BE CORRECT or almost nothing will work;<br> # %defaultroute is okay for most simple cases.<br> #interfaces=%defaultroute<br> interfaces="ipsec0=eth0"<br> forwardcontrol=yes<br>
klipsdebug=none<br> plutodebug=all<br> pluto=yes<br> uniqueids=yes<br> <br>conn %default<br> keyingtries=0<br> disablearrivalcheck=no<br> authby=rsasig<br> leftrsasigkey=%dnsondemand<br>
rightrsasigkey=%dnsondemand<br>include /etc/ipsec.d/examples/no_oe.conf<br> <br>conn system1-system2<br> left=142.***.208.44<br> leftnexthop=142.***.208.1<br> leftid=@system01.cibg.tdbank.ca<br>
leftrsasigkey=0sAQN105Q2huAvZHceifNlX/iGxyZm8B9IsXJGogIXror1InOB0uLrgdb30C0FvXszAyC6Pgfs1H1Wgr8kITug8mDlN5D3ZpHR<br>fltEQ5CQElPqqG30l3v/IjyCzgd....<br> right=49.***.29.12<br> rightnexthop=49.***.29.1<br>
rightid=@system02.cibg.tdbank.ca<br> rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90FtYhuk5ugUAy3FuBWi7Vj+CYBs3L635QjO4xmbGxxchaZX+idfGkIg00Wv26gGJXfsIp
<br>AFbwpfLsX0Okefhp9zaEMZO4JyruyV70T82ncZKyvc8R51wMOIpgTGb0YK649CZFYKmk...<br> auto=add<br><br>system02:~ # ipsec auto status<br>ipsec auto: warning: obsolete command syntax used<br>000 interface lo/lo ::1<br>000 interface lo/lo 127.0.0.1<br>
000 interface eth0/eth0 49.***.29.12<br>000 %myid = (none)<br>000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509<br>000<br>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<br>
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192<br>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<br>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<br>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256<br>
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0<br>000<br>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>
000<br>000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}<br>000<br>000 "system01-system02": 49.***.29.12[@system1]---49.***.29.1...142.***.208.1---142.***.208.44[@system2]; unrouted; eroute owner: #0<br>
000 "system01-system02": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>000 "system01-system02": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "system01-system02": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,32; interface: eth0;<br>000 "system01-system02": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000<br>000<br>system02:~ # ipsec auto --verbose --up system1-system2<br>
002 "system01-system02" #3: initiating Main Mode<br>104 "system01-system02" #3: STATE_MAIN_I1: initiate<br>010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s for response<br>
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s for response<br>010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s for response<br>010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s for response<br>
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s for response<br><br>....<br>000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}<br>000<br>000 "system01-system02": 49.***.29.12[@system1]---49.***.29.1...142.***.208.1---142.***.208.44[@system2]; unrouted; eroute owner: #0<br>
000 "system01-system02": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>000 "system01-system02": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "system01-system02": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;<br>000 "system01-system02": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000<br>000 #3: "system01-system02":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd<br>
000 #3: pending Phase 2 for "system01-system02" replacing #0<br>000 #6: "system01-system02":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 26s; nodpd<br>000 #7: "system01-system02":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 7s; nodpd<br>
<br><br>LEFT SIDE<br>=============<br><br># more /etc/SuSE-release
<br>SuSE SLES-8 (i386)
<br>VERSION = 8.1
<br># rpm -qa | grep freeswan
<br>freeswan-1.98_0.9.14-404
<br><br># more /etc/ipsec.conf
<br># /etc/ipsec.conf - FreeS/WAN IPsec configuration file
<br> <br># More elaborate and more varied sample configurations can be found
<br># in FreeS/WAN's doc/examples file, and in the HTML documentation.
<br> <br> <br># basic configuration
<br>config setup
<br> # THIS SETTING MUST BE CORRECT or almost nothing will work;
<br> # %defaultroute is okay for most simple cases.
<br> ##interfaces=%defaultroute
<br> interfaces="ipsec0=eth0"
<br> # autoenable forwarding in kernel as needed
<br> forwardcontrol=yes
<br> # Debug-logging controls: "none" for (almost) none, "all" for lots.
<br> klipsdebug=none
<br> plutodebug=all
<br> # Use auto= parameters in conn descriptions to control startup actions.
<br> plutoload=%search
<br> plutostart=%search
<br> # Close down old connection when new one using same ID shows up.
<br> uniqueids=yes
<br> <br> <br># defaults for subsequent connection descriptions
<br># (these defaults will soon go away)
<br>conn %default
<br> keyingtries=0
<br> disablearrivalcheck=no
<br> authby=rsasig
<br> leftrsasigkey=%dnsondemand
<br> rightrsasigkey=%dnsondemand
<br> <br><br>conn system01-system02
<br> # Left security gateway, subnet behind it, next hop toward right.
<br> left=142.***.208.44
<br> leftnexthop=142.***.208.1
<br> leftid=@system01
<br> leftrsasigkey=0sAQN105Q2huAvZHceifNlX/iGxyZm8B9IsXJGogIXror1InOB0uLrgdb30C0FvXszAyC6Pgfs1H1Wgr8kITug8mDlN5D3ZpHR
<br>fltEQ5CQElPqqG30l3v/IjyCzgd+...
<br> # Right security gateway, subnet behind it, next hop toward right.
<br> right=49.***.29.12
<br> rightnexthop=49.***.29.1
<br> rightid=@system02
<br> rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90FtYhuk5ugUAy3FuBWi7Vj+CYBs3L635QjO4xmbGxxchaZX+idfGkIg00Wv26gGJXfsIp
<br>AFbwpfLsX0Okefhp9zaEMZO4JyruyV70T82ncZKyvc8R51wMOIpgTGb0YK649CZFYKmk...
<br> auto=add<br><br># ipsec auto status
<br>ipsec auto: warning: obsolete command syntax used
<br>000 interface ipsec0/eth0 fe80::20b:cdff:feef:27f5
<br>000 interface ipsec0/eth0 142.***.208.44
<br>000
<br>000 "system01-system02": 142.***.208.44[@system01 ]---142.***.208.1...49.***.29.1---49.***.29.12[@system02]
<br>000 "system01-system02": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
<br>000 "system01-system02": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; unrouted
<br>000 "system01-system02": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
<br>000
<br>000 #16: "system01-system02" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s
<br>
<br> <br><br><br>
<br>_______________________________________________<br>
<a href="mailto:Users@openswan.org">Users@openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
<br></blockquote></div><br>
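<br>An added example for readers of this thread, not code from the original poster or from the FreeS/WAN or Openswan projects: the pluto status output and the tcpdump lines quoted above are enough to say at which Main Mode message the exchange stalls, and that is the first thing to pin down before touching IDs or keys. The script below parses lines in those two formats, maps the message a peer is still "expecting" to the stage of IKEv1 Main Mode that never completed, and cross-checks the daemon's view against a capture. The sample inputs are constructed in the shape of the output quoted above (addresses masked the same way); the stage descriptions are general IKEv1 facts, and the function names are my own.

```python
"""Added example, not from the thread: locate where an IKEv1 Main Mode
exchange stalls from pluto status lines and tcpdump ISAKMP lines, and
cross-check the daemon's view against what was captured on the wire."""
import re
from collections import Counter

# Main Mode is six messages: MI1/MR1 (SA proposal), MI2/MR2 (KE + nonce),
# MI3/MR3 (ID + signature, encrypted). The message a peer is still "expecting"
# says which stage never completed; identities are not exchanged before MI3,
# so a stall waiting for MR1 cannot yet be an ID or key mismatch.
STAGE = {
    "MR1": "no answer to the SA proposal: peer unreachable, UDP/500 filtered, "
           "pluto not bound to that interface, or no acceptable phase 1 proposal",
    "MI2": "MR1 was sent but the initiator never continued with KE/nonce",
    "MR2": "KE/nonce sent, nothing back from the responder",
    "MI3": "KE/nonce answered, still waiting for the initiator's ID/auth",
    "MR3": "ID/auth sent, no ID/auth back: usually an ID or RSA key mismatch",
}

STATE_RE = re.compile(
    r'#(?P<sa>\d+): "(?P<conn>[^"]+)"(?::\d+)? STATE_MAIN_(?P<role>[IR])\d '
    r'\(sent (?P<sent>M[IR]\d), expecting (?P<expecting>M[IR]\d)\)')
RETRANS_RE = re.compile(r'"[^"]+" #(?P<sa>\d+): STATE_MAIN_\w+: retransmission')
ISAKMP_RE = re.compile(
    r'(?P<src>[\d.*]+)\.500 > (?P<dst>[\d.*]+)\.500: isakmp 1\.0 .*'
    r'phase 1 (?P<role>[IR]) ident')

# Constructed samples shaped like the output quoted in the thread.
PLUTO_SYSTEM02 = """\
002 "system01-system02" #3: initiating Main Mode
104 "system01-system02" #3: STATE_MAIN_I1: initiate
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s for response
000 #3: "system01-system02":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd
000 #6: "system01-system02":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 26s; nodpd
"""
PLUTO_SYSTEM01 = """\
000 #16: "system01-system02" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s
"""
TCPDUMP_SYSTEM02 = """\
00:20:13.087518 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
00:20:22.112828 IP (tos 0x0, ttl 63, id 25805, offset 0, flags [DF], proto: UDP (17), length: 204) 142.***.208.44.500 > 49.***.29.12.500: isakmp 1.0 msgid cookie ->: phase 1 I ident: [|sa]
00:20:22.135080 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
00:20:23.143086 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid cookie ->: phase 1 R ident: [|sa]
"""


def parse_pluto(text):
    """Return {sa: {conn, role, sent, expecting, retransmits}} from pluto output."""
    sas, retrans = {}, Counter()
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            sas[int(m["sa"])] = {"conn": m["conn"], "role": m["role"],
                                 "sent": m["sent"], "expecting": m["expecting"]}
            continue
        m = RETRANS_RE.search(line)
        if m:
            retrans[int(m["sa"])] += 1
    for sa, info in sas.items():
        info["retransmits"] = retrans[sa]
    return sas


def parse_isakmp(text):
    """Count 'phase 1 I/R ident' packets per (src, dst, role) in tcpdump -v output."""
    counts = Counter()
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            counts[(m["src"], m["dst"], m["role"])] += 1
    return counts


def diagnose(sas):
    """One line per ISAKMP SA: where Main Mode stalled and what that points at."""
    lines = []
    for sa in sorted(sas):
        i = sas[sa]
        who = "initiator" if i["role"] == "I" else "responder"
        lines.append(
            f'#{sa} {i["conn"]}: {who} sent {i["sent"]}, expecting {i["expecting"]} '
            f'({i["retransmits"]} retransmissions): {STAGE.get(i["expecting"], "unknown")}')
    return lines


def wire_vs_state(sas, counts, local):
    """For SAs stuck waiting for MR1, compare pluto's view with a capture.
    MR1 replies counted towards `local` while pluto here never left
    STATE_MAIN_I1 mean the responder did answer: look at the return path
    (filter, NAT, interfaces= binding, the local pluto) rather than the peer."""
    replies = sum(n for (src, dst, role), n in counts.items()
                  if dst == local and role == "R")
    findings = []
    for sa, i in sorted(sas.items()):
        if i["expecting"] != "MR1":
            continue
        if replies:
            findings.append(f"#{sa}: {replies} MR1 reply(s) captured towards {local}, "
                            f"yet pluto never moved past STATE_MAIN_I1")
        else:
            findings.append(f"#{sa}: no MR1 towards {local} in this capture")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_pluto(PLUTO_SYSTEM02)):
        print(line)
    caps = parse_isakmp(TCPDUMP_SYSTEM02)
    for finding in wire_vs_state(parse_pluto(PLUTO_SYSTEM01), caps, "142.***.208.44"):
        print(finding)
```

A capture taken on the responder, as in the thread, proves only that the reply left that host, not that it reached the other side; run the same capture on the initiator (or on a box in between) before deciding which end to blame. The pluto lines come from `ipsec auto --status` and `ipsec auto --verbose --up`; with `plutodebug=all` the same text also lands in the syslog file the reply above points at.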
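<br>A second added example, again mine and not from the poster or either project: FreeS/WAN and Openswan are designed so that the same conn description is used on both gateways and pluto works out which side it is from the local addresses, so the parameters that describe the two ends have to be identical in both files, while the conn name itself is a local label and need not match. The script below parses conn blocks out of two ipsec.conf texts (folding %default in, as pluto does) and lists the parameters that differ. The sample inputs are constructed from the two configs quoted above, with the RSA keys left as the truncated strings shown on the page. On those texts the IDs differ (FQDN on the Openswan side, short name on the FreeS/WAN side); the thread does not establish whether that matters for this failure, and since both peers are still waiting for Main Mode message 2, which precedes the ID exchange, it cannot be the reason MR1 never arrives.

```python
"""Added example, not from the thread: check that two peers' ipsec.conf
conn blocks agree on everything that has to be identical at both ends."""
import re

# Conn names are local labels and may differ; these parameters may not.
MUST_MATCH = ("authby", "left", "leftid", "leftnexthop", "leftrsasigkey",
              "right", "rightid", "rightnexthop", "rightrsasigkey")

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)")   # headers start in column 0

# Constructed samples cut down from the two configs quoted in the thread;
# the keys are the truncated strings as posted, not real keys.
OPENSWAN_SIDE = """\
version 2.0
config setup
    interfaces="ipsec0=eth0"
    plutodebug=all
conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
include /etc/ipsec.d/examples/no_oe.conf
conn system1-system2
    left=142.***.208.44
    leftnexthop=142.***.208.1
    leftid=@system01.cibg.tdbank.ca
    leftrsasigkey=0sAQN105Q2huAvZHceifNlX...
    right=49.***.29.12
    rightnexthop=49.***.29.1
    rightid=@system02.cibg.tdbank.ca
    rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90F...
    auto=add
"""
FREESWAN_SIDE = """\
config setup
    interfaces="ipsec0=eth0"
conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
conn system01-system02
    # Left security gateway, subnet behind it, next hop toward right.
    left=142.***.208.44
    leftnexthop=142.***.208.1
    leftid=@system01
    leftrsasigkey=0sAQN105Q2huAvZHceifNlX...
    right=49.***.29.12
    rightnexthop=49.***.29.1
    rightid=@system02
    rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90F...
    auto=add
"""


def parse_conns(text):
    """Parse ipsec.conf into {conn_name: {key: value}}, folding %default in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                                # version, include, config setup
        key, value = (s.strip() for s in line.split("=", 1))
        conns[current][key] = value.strip('"')
    default = conns.pop("%default", {})
    return {name: {**default, **kv} for name, kv in conns.items()}


def compare_conns(conf_a, name_a, conf_b, name_b):
    """Return {parameter: (value_on_a, value_on_b)} for every MUST_MATCH
    parameter that differs between the two named conn blocks."""
    a = parse_conns(conf_a)[name_a]
    b = parse_conns(conf_b)[name_b]
    return {k: (a.get(k), b.get(k)) for k in MUST_MATCH if a.get(k) != b.get(k)}


if __name__ == "__main__":
    diffs = compare_conns(OPENSWAN_SIDE, "system1-system2",
                          FREESWAN_SIDE, "system01-system02")
    for key, (va, vb) in diffs.items():
        print(f"{key}: openswan={va!r} freeswan={vb!r}")
```

With `authby=rsasig` the `leftid`/`rightid` values are what each peer sends in Main Mode message 5/6 and what the other side uses to pick the matching `rsasigkey`, so once the exchange gets that far, a mismatch here shows up as an authentication failure rather than as the retransmissions seen in this thread.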