<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Sven<br>
<br>
You may find Openswan-2.2.0 (as in CC) is using different defaults to
2.4.x. I would look at encryption algorithms and things like AH and PFS.<br>
<br>
I have seen from the man pages that options occasionally work
differently to what has been written; for example, salifetime and
lifetime do not work as aliases for keylife. Also, some units of time
work, but you cannot use m as the unit for ikelifetime. Perhaps it works
in 2.6.x.<br>
<br>
I think you now need someone else to help here.<br>
<br>
Sorry to all if I have been multiple posting. Google keeps changing my
outbound sender's address to googlemail.com rather than gmail.com, so I
have been reposting to correct it. I've now switched to an alternative
smtp server!<br>
<br>
Nick<br>
<br>
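The sysctl changes described further down this thread (ip_forward and rp_filter, plus the send_redirects and accept_redirects settings that <code>ipsec verify</code> fails on a NETKEY box), turned into a small audit-and-fix script. This is an added illustration, not code from either poster or from Openswan; the sysctl.conf it edits is a constructed sample, and only the key names and values quoted in the thread are assumed.<br>

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from Openswan):
# audit an /etc/sysctl.conf for the NETKEY-related settings that `ipsec verify`
# flags (send_redirects / accept_redirects) plus ip_forward and rp_filter, and
# rewrite the file with the corrected values. Works on a constructed sample file
# so it runs without root; the real apply step is left as a comment at the end.

# Target values for an Openswan/NETKEY gateway, as listed in the thread.
REQUIRED='net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0'

# escape_key KEY: quote the dots so the key can be used in a sed/grep regex
escape_key() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# sysctl_value FILE KEY: print the value FILE sets for KEY (last one wins,
# as sysctl itself does); prints nothing if the key is absent or commented out.
sysctl_value() {
    esc=$(escape_key "$2")
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# audit_sysctl FILE: print one "KEY current=X want=Y" line per setting that is
# missing or wrong; prints nothing when the file already matches REQUIRED.
audit_sysctl() {
    printf '%s\n' "$REQUIRED" | while IFS='=' read -r key want; do
        cur=$(sysctl_value "$1" "$key")
        [ "$cur" = "$want" ] || printf '%s current=%s want=%s\n' "$key" "${cur:-unset}" "$want"
    done
}

# fix_sysctl FILE: set every REQUIRED key in FILE, replacing an existing
# assignment in place and appending keys that are not there yet.
fix_sysctl() {
    work=$(mktemp)
    cp "$1" "$work"
    printf '%s\n' "$REQUIRED" | while IFS='=' read -r key want; do
        esc=$(escape_key "$key")
        if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$work"; then
            sed "s/^[[:space:]]*$esc[[:space:]]*=.*/$key = $want/" "$work" > "$work.new"
            mv "$work.new" "$work"
        else
            printf '%s = %s\n' "$key" "$want" >> "$work"
        fi
    done
    mv "$work" "$1"
}

# --- demo on a constructed sample (this is not the poster's real sysctl.conf) ---
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample resembling a stock sysctl.conf before the changes
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
EOF

echo "== before =="
audit_sysctl "$SAMPLE"        # six findings: two wrong values, four missing keys
fix_sysctl "$SAMPLE"
echo "== after =="
audit_sysctl "$SAMPLE"        # no output: everything matches
cat "$SAMPLE"
rm -f "$SAMPLE"

# On the real box, after editing /etc/sysctl.conf the same way:
#   sysctl -p && sysctl -w net.ipv4.route.flush=1
# then re-run `ipsec verify` and confirm the two redirect checks report [OK].
```

The audit deliberately ignores commented-out lines, so a stock file that carries <code># net.ipv4.conf.all.send_redirects = 0</code> still counts as unset and gets a real assignment appended rather than silently passing.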
Sven J. van Rooij wrote:
<blockquote
cite="mid:6419E7A547E85541BEA8BFCCEF87C4944BC2A5@dcserver.digitalcarmel.local"
type="cite">
<div class="Section1">
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Nick,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Yes, the
2.4.11 is due to the post… I tried the .14 as well as a 2.6.18; I believe that
led to the exact same issue…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">No
traffic over the VPN tunnel.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">The Cisco
issue is not pressing… had that already working and then they tried something
else… <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">MAJOR
issue at this moment is that the VPN worked this morning with the original
Openswan shipped with the CC box, but when upgrading I run into the issue that
no data can go via VPN…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Sven<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div
style="border-style: solid none none; border-color: rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">
Nick Howitt
[<a class="moz-txt-link-freetext" href="mailto:n1ck.h0w1tt@gmail.com">mailto:n1ck.h0w1tt@gmail.com</a>] <br>
<b>Sent:</b> Tuesday, May 19, 2009 2:23 PM<br>
<b>To:</b> Sven J. van Rooij<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] upgrade openswan on CC 4.3 box<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Sven,<br>
<br>
Any obvious reason for using 2.4.11 and not the latest 2.4 series
(2.4.14) -
(except that is probably what the CC forum post says)?<br>
Also I cannot help you with the next bit as I know nothing about
setting up to connect to a Cisco device, and I've seen in some posts that
they can be tricky and use an odd (XAUTH?) setup. I suggest you post your
ipsec.conf file and hope someone else jumps in. There are instructions for a
PIX at <a
moz-do-not-send="true"
href="http://wiki.openswan.org/index.php/Openswan/CiscoPIX">http://wiki.openswan.org/index.php/Openswan/CiscoPIX</a>
but they probably do not apply to you. You may also want to check out
the
strongswan (sorry everyone) website as well in case they have some
pointers,
but some of their config options are slightly different.<br>
<br>
Nick<br>
<br>
Sven J. van Rooij wrote: <o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Nick,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Did as
you said and here’s my
log…</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<pre style="font-size: 8pt; color: rgb(31, 73, 125);">
May 19 13:12:06 firewall ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
May 19 13:12:06 firewall ipsec__plutorun: Starting Pluto subsystem...
May 19 13:12:06 firewall pluto[17118]: Starting Pluto (Openswan Version 2.4.11 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE{dD^fJcUvk)
May 19 13:12:06 firewall pluto[17118]: Setting NAT-Traversal port-4500 floating to on
May 19 13:12:06 firewall pluto[17118]: port floating activation criteria nat_t=1/port_fload=1
May 19 13:12:06 firewall pluto[17118]: including NAT-Traversal patch (Version 0.6c)
May 19 13:12:06 firewall pluto[17118]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 19 13:12:06 firewall pluto[17118]: starting up 1 cryptographic helpers
May 19 13:12:06 firewall pluto[17118]: started helper pid=17124 (fd:6)
May 19 13:12:06 firewall pluto[17118]: Using NETKEY IPsec interface code on 2.6.18-93.cc4
May 19 13:12:06 firewall pluto[17118]: Changing to directory '/etc/ipsec.d/cacerts'
May 19 13:12:06 firewall pluto[17118]: Changing to directory '/etc/ipsec.d/aacerts'
May 19 13:12:06 firewall pluto[17118]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 19 13:12:06 firewall pluto[17118]: Changing to directory '/etc/ipsec.d/crls'
May 19 13:12:06 firewall pluto[17118]: Warning: empty directory
May 19 13:12:06 firewall pluto[17118]: loading secrets from "/etc/ipsec.secrets"
May 19 13:12:06 firewall pluto[17118]: loading secrets from "/etc/ipsec.CCC.secrets"
May 19 13:12:06 firewall pluto[17118]: loading secrets from "/etc/ipsec.CHOMP.secrets"
May 19 13:12:06 firewall pluto[17118]: added connection description "hqgateCHOMP-satnetCHOMP"
May 19 13:12:06 firewall pluto[17118]: added connection description "CCC"
May 19 13:12:07 firewall pluto[17118]: added connection description "hqnetCHOMP-satgateCHOMP"
May 19 13:12:07 firewall pluto[17118]: added connection description "hqgateCHOMP-satgateCHOMP"
May 19 13:12:07 firewall pluto[17118]: added connection description "hqnetCHOMP-satnetCHOMP"
May 19 13:12:07 firewall pluto[17118]: listening for IKE messages
May 19 13:12:07 firewall pluto[17118]: adding interface eth3/eth3 12.54.126.107:500
May 19 13:12:07 firewall pluto[17118]: adding interface eth3/eth3 12.54.126.107:4500
May 19 13:12:07 firewall pluto[17118]: adding interface eth2/eth2 10.0.0.1:500
May 19 13:12:07 firewall pluto[17118]: adding interface eth2/eth2 10.0.0.1:4500
May 19 13:12:07 firewall pluto[17118]: adding interface eth1/eth1 192.168.112.1:500
May 19 13:12:07 firewall pluto[17118]: adding interface eth1/eth1 192.168.112.1:4500
May 19 13:12:07 firewall pluto[17118]: adding interface eth0/eth0 12.54.126.106:500
May 19 13:12:07 firewall pluto[17118]: adding interface eth0/eth0 12.54.126.106:4500
May 19 13:12:07 firewall pluto[17118]: adding interface lo/lo 127.0.0.1:500
May 19 13:12:07 firewall pluto[17118]: adding interface lo/lo 127.0.0.1:4500
May 19 13:12:07 firewall pluto[17118]: adding interface lo/lo ::1:500
May 19 13:12:07 firewall pluto[17118]: forgetting secrets
May 19 13:12:07 firewall pluto[17118]: loading secrets from "/etc/ipsec.secrets"
May 19 13:12:07 firewall pluto[17118]: loading secrets from "/etc/ipsec.CCC.secrets"
May 19 13:12:07 firewall pluto[17118]: loading secrets from "/etc/ipsec.CHOMP.secrets"
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: initiating Main Mode
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: initiating Main Mode
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: received Vendor ID payload [Dead Peer Detection]
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: STATE_MAIN_I2: sent MI2, expecting MR2
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: I did not send a certificate because I do not have one.
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: STATE_MAIN_I3: sent MI3, expecting MR3
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: Main mode peer ID is ID_IPV4_ADDR: '206.71.166.194'
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 19 13:12:07 firewall pluto[17118]: "CCC" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: received Vendor ID payload [Cisco-Unity]
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: received Vendor ID payload [XAUTH]
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: ignoring unknown Vendor ID payload [206827036be3230041d197ac232e3099]
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: I did not send a certificate because I do not have one.
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 19 13:12:07 firewall pluto[17118]: "CCC" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
May 19 13:12:07 firewall pluto[17118]: "CCC" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 19 13:12:07 firewall pluto[17118]: "CCC" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5074876f &lt;0xe6a4d1b3 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: received Vendor ID payload [Dead Peer Detection]
May 19 13:12:08 firewall pluto[17118]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: Main mode peer ID is ID_IPV4_ADDR: '204.179.192.22'
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satnetCHOMP" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satgateCHOMP" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satgateCHOMP" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satgateCHOMP" #6: can not start crypto helper: failed to find any available worker
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #7: can not start crypto helper: failed to find any available worker
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satnetCHOMP" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satnetCHOMP" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2500faab &lt;0x9f6adb8c xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
May 19 13:12:24 firewall pluto[17118]: initiate on demand from 12.54.126.106:0 to 204.179.196.30:0 proto=0 state: fos_start because: acquire
May 19 13:12:24 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
</pre>
<p class="MsoNormal"><span
style="font-size: 8pt; color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">So I’m
not sure how it went from
working in the version shipped on the CC box and now I can’t get even a
ping!</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Sven</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<div>
<div
style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">
Nick Howitt [<a moz-do-not-send="true"
href="mailto:n1ck.h0w1tt@googlemail.com">mailto:n1ck.h0w1tt@googlemail.com</a>]
<br>
<b>Sent:</b> Tuesday, May 19, 2009 12:57 PM<br>
<b>To:</b> Sven J. van Rooij<br>
<b>Cc:</b> <a moz-do-not-send="true" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] upgrade openswan on CC 4.3 box</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Sven,<br>
<br>
Those errors are not key to setting up Openswan. I had my tunnels
working
despite the errors. However, to fix them you need to edit
/etc/sysctl.conf.<br>
Change:<br>
net.ipv4.ip_forward = 0 -> 1<br>
net.ipv4.conf.default.rp_filter = 1 -> 0<br>
<br>
Add:<br>
net.ipv4.conf.all.accept_redirects = 0<br>
net.ipv4.conf.default.accept_redirects = 0<br>
net.ipv4.conf.all.send_redirects = 0<br>
net.ipv4.conf.default.send_redirects = 0<br>
(there may be a better way to do it)<br>
<br>
Save the file and reload it using:<br>
sysctl -p<br>
sysctl -w net.ipv4.route.flush=1<br>
<br>
As I said before, VPN traffic goes through the tunnel LAN-LAN, but I
have
problems with anything to the gateway.<br>
Sometimes I can ping the far router from the gateway, sometimes I
cannot. If I
cannot, if I set up a continuous ping it will generally start working
within a
minute or two. I also have a problem getting the far router to ping the
LAN
address of the CC box (unpredictably unreliable), but it can ping
everything
behind the CC box.<br>
<br>
If I set up a virtual LAN interface on the CC box (eth1:0,
192.168.2.10) I can
always ping the far router with the command "ping -I 192.168.2.10
192.168.20.1" even if pinging 192.168.20.1 directly fails. I am trying
to
find out if my brother can browse the Samba shares using
\\192.168.2.10\xyz
instead of \\192.168.2.1\xyz (after adding the interface eth1:0 to
smb.conf).<br>
<br>
If anyone can help me (us?) with this one, I'd love to hear. If not,
I'll wait
for CC5 before asking again.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
Sven J. van Rooij wrote: <o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Nick,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Thanks
for the quick response.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">So I did
do the upgrade and same
issue…</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">I get my
tunnels up, but now no
traffic seems to go across the tunnel.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Pings
time out.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">And the
ipsec verify gives
me this</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<pre style="color: rgb(31, 73, 125);">
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.18-93.cc4 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
cat: ipsec.*.conf: No such file or directory
Opportunistic Encryption Support                                [DISABLED]
   Cannot execute command "which iptables": No such file or directory
  cat: ipsec.*.conf: No such file or directory
</pre>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);">Even though
I have disabled the send and accept redirects….</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);">Any ideas??</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-family: Consolas; color: rgb(31, 73, 125);">Sven</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"> </span><o:p></o:p></p>
<div>
<div
style="border-style: solid none none; border-color: -moz-use-text-color; border-width: 1pt medium medium; padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">From:</span></b><span
style="font-size: 10pt; font-family: "Tahoma","sans-serif"; color: windowtext;">
Nick Howitt [<a moz-do-not-send="true"
href="mailto:n1ck.h0w1tt@googlemail.com">mailto:n1ck.h0w1tt@googlemail.com</a>]
<br>
<b>Sent:</b> Tuesday, May 19, 2009 10:51 AM<br>
<b>To:</b> Sven J. van Rooij<br>
<b>Cc:</b> <a moz-do-not-send="true" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] upgrade openswan on CC 4.3 box</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Sven,<br>
<br>
The instructions in <a moz-do-not-send="true"
href="http://forums.clarkconnect.com/showthreaded.php?Cat=0&Number=103109&page=0&vc=1">this</a>
thread in the CC forums work fine for Openswan-2.4.14. I could not make
it work
with 2.6.18 or 2.6.21. 2.6.18 may compile but won't run. 2.6.21 will
not
compile.<br>
<br>
I have Openswan working fine as a VPN gateway/router. I just cannot get
the file server to work properly through the VPN, nor can I get pings to
and from the gateway to work reliably through the tunnel. LAN-LAN traffic
through the gateway is OK.<br>
<br>
I was going to wait until CC5 (Openswan-2.6.14) is released before
troubleshooting this any further.<br>
<br>
Nick<br>
<br>
Sven J. van Rooij wrote: <o:p></o:p></p>
<p class="MsoNormal">Can anyone direct me towards a good set of
instructions on how to upgrade Openswan on a ClarkConnect box.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Regardless which version (besides the original)
I
choose, I end up with a tunnel, but no traffic on it.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">PLEASE HELP!<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Sven<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Users@openswan.org">Users@openswan.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true"
href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a><o:p></o:p></pre>
<pre>Building and Integrating Virtual Private Networks with Openswan: <o:p></o:p></pre>
<pre><a moz-do-not-send="true"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></pre>
</div>
</blockquote>
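<p class="MsoNormal">An added shell example, not from the thread or from Openswan itself, for the send_redirects/accept_redirects checks that keep failing above: it walks the same /proc/sys/net/ipv4/conf/*/ glob that the verify message names, lists every entry that is still enabled, and can clear them all. Clearing the knobs on one interface only leaves all, default, lo and any other entry at 1, which is a common reason verify still reports [FAILED]; the optional CONF_ROOT argument is an assumption added so the functions can be run against a constructed test tree.</p>

```shell
#!/bin/sh
# Added example (not code from the thread). Mirrors the check that
# "ipsec verify" performs: every directory under /proc/sys/net/ipv4/conf
# (all, default, lo, eth0, ...) must have send_redirects and
# accept_redirects set to 0, otherwise NETKEY can emit or honour bogus
# ICMP redirects for traffic that should go through the tunnel.

# Usage: check_redirects [CONF_ROOT]
# CONF_ROOT defaults to /proc/sys/net/ipv4/conf; passing another root is
# an assumption added here for testing. Prints "iface key" for every
# entry still enabled; returns 1 if any were found, 0 if all are disabled.
check_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    found=0
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in send_redirects accept_redirects; do
            f="$dir/$key"
            [ -r "$f" ] || continue
            # the kernel exposes "0" or "1"; anything but 0 is enabled
            if [ "$(cat "$f")" != "0" ]; then
                printf '%s %s\n' "$iface" "$key"
                found=1
            fi
        done
    done
    return $found
}

# Usage: disable_redirects [CONF_ROOT]
# Writes 0 to both knobs on every entry under CONF_ROOT (needs root on a
# live system). To keep the setting across reboots, add the standard
# sysctl keys to /etc/sysctl.conf:
#   net.ipv4.conf.all.send_redirects = 0
#   net.ipv4.conf.default.send_redirects = 0
#   net.ipv4.conf.all.accept_redirects = 0
#   net.ipv4.conf.default.accept_redirects = 0
disable_redirects() {
    root=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$root"/*; do
        [ -d "$dir" ] || continue
        for key in send_redirects accept_redirects; do
            if [ -w "$dir/$key" ]; then
                echo 0 > "$dir/$key"
            fi
        done
    done
    return 0
}
```

Run `check_redirects` before and after `disable_redirects`; a second run that prints nothing and exits 0 is what a clean verify expects.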
</body>
</html>