<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor=white lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='color:#1F497D'>Nick,<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>I think I have a routing issue…<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>If I do a traceroute to the IP
on my VPN, it does this<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<pre><span style='color:#1F497D'>traceroute to 10.205.0.148 (10.205.0.148), 30 hops max, 38 byte packets
 1  12.54.126.105 (12.54.126.105)  0.723 ms  0.773 ms  0.754 ms
 2  12.91.241.97 (12.91.241.97)  9.117 ms !X  *  9.118 ms !X</span></pre>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>It’s going out via the gateway’s
IP and then just stops…<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Is that normal??<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>Sven<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p>
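<p class=MsoNormal>An added check, not part of Sven's or Nick's mail and not Openswan code. In a traceroute, <tt>!X</tt> marks an ICMP "communication administratively prohibited" reply from that hop, so the probes to 10.205.0.148 reached the ISP's second router in the clear rather than entering the tunnel. With NETKEY the kernel consults the xfrm policy database before routing: if no <tt>dir out</tt> selector covers the packet's source and destination, the packet is routed unencrypted, whether or not an IPsec SA is up. The script below parses <tt>ip xfrm policy</tt> output and asks which policy, if any, covers a given flow. The policy text is a constructed sample in that format; the selectors 192.168.112.0/24 and 10.205.0.0/24 and the tunnel endpoints are assumptions, not taken from Sven's box.</p>

```python
"""Check whether an outbound flow is covered by an IPsec (xfrm) policy or will be
routed in the clear.

Added example, not code from the thread or from Openswan. It parses the text
format of `ip xfrm policy` (selector line, `dir`, `tmpl`) and nothing else.
"""
import ipaddress
import re

# Constructed `ip xfrm policy` output; selectors and endpoints are hypothetical.
SAMPLE_XFRM_POLICY = """\
src 192.168.112.0/24 dst 10.205.0.0/24
\tdir out priority 2344
\ttmpl src 12.54.126.106 dst 204.179.192.22
\t\tproto esp reqid 16385 mode tunnel
src 10.205.0.0/24 dst 192.168.112.0/24
\tdir fwd priority 2344
\ttmpl src 204.179.192.22 dst 12.54.126.106
\t\tproto esp reqid 16385 mode tunnel
src 10.205.0.0/24 dst 192.168.112.0/24
\tdir in priority 2344
\ttmpl src 204.179.192.22 dst 12.54.126.106
\t\tproto esp reqid 16385 mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\w+)")
TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")


def parse_policies(text):
    """Return one dict per policy: selector networks, direction and tunnel template."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SEL_RE.match(line)
        if m:  # a new policy block starts with its (unindented) selector line
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(2), strict=False),
                   "dir": None, "tmpl": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl"] = (m.group(1), m.group(2))
    return policies


def outbound_policy(policies, src, dst):
    """The `dir out` policy whose selector covers src -> dst, or None.

    None means the kernel holds no IPsec policy for this flow and will route it in
    the clear; an established tunnel does not change that.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == "out" and src in p["src"] and dst in p["dst"]:
            return p
    return None


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    # Sourced from the LAN: covered by the LAN-to-LAN selector.
    print(outbound_policy(pols, "192.168.112.50", "10.205.0.148"))
    # Sourced from the gateway's own public address: no selector, clear-text routing.
    print(outbound_policy(pols, "12.54.126.106", "10.205.0.148"))
```

<p class=MsoNormal>The second lookup is the case to test on the gateway itself: a LAN-to-LAN policy does not cover packets sourced from the gateway's public address, so a traceroute or ping run from the box without a source address falls outside every selector and leaves via the default route. This is also the mechanism behind forcing the source address with <tt>ping -I &lt;LAN address&gt;</tt> on the gateway: the source address, not the destination alone, selects the policy. Run <tt>ip xfrm policy</tt> on the firewall and feed its output to <tt>parse_policies</tt> to see what is actually covered.</p>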
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Nick Howitt
[mailto:n1ck.h0w1tt@gmail.com] <br>
<b>Sent:</b> Tuesday, May 19, 2009 2:47 PM<br>
<b>To:</b> Sven J. van Rooij<br>
<b>Cc:</b> users@openswan.org<br>
<b>Subject:</b> Re: [Openswan Users] upgrade openswan on CC 4.3 box<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Sven<br>
<br>
You may find Openswan-2.2.0 (as in CC) is using different defaults from 2.4.x. I
would look at encryption algorithms and things like AH and PFS.<br>
<br>
I have seen that options occasionally work differently from what the man pages
say; for example, salifetime and lifetime do not work as aliases for keylife. Also,
some units of time work, but you cannot use m as the unit for ikelifetime. Perhaps
it works in 2.6.x.<br>
<br>
I think you now need someone else to help here.<br>
<br>
Sorry to all if I have been multiple posting. Google keeps changing my outbound
sender's address to googlemail.com rather than gmail.com, so I have been
reposting to correct it. I've now switched to an alternative smtp server!<br>
<br>
Nick<br>
<br>
Sven J. van Rooij wrote: <o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Nick,</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Yes, the 2.4.11 is due to the
post… I tried the .14 as well as a 2.6.18, I believe, and that led to the exact same
issue…</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>No traffic over the VPN tunnel.</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>The cisco issue is not pressing…
had that already working and then they tried something else… </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>MAJOR issue at this moment is
that the VPN worked this morning with the original Openswan shipped with
the CC box, but when upgrading I run into the issue that no data can go via the VPN…</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Sven</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color -moz-use-text-color'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Nick Howitt [<a
href="mailto:n1ck.h0w1tt@gmail.com">mailto:n1ck.h0w1tt@gmail.com</a>] <br>
<b>Sent:</b> Tuesday, May 19, 2009 2:23 PM<br>
<b>To:</b> Sven J. van Rooij<br>
<b>Cc:</b> <a href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] upgrade openswan on CC 4.3 box</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal>Sven,<br>
<br>
Any obvious reason for using 2.4.11 and not the latest 2.4 series (2.4.14) - (except
that is probably what the CC forum post says)?<br>
Also I cannot help you with the next bit as I know nothing about setting up to
connect to a CISCO device and I've seen in some posts that they can be tricky
and use an odd (XAUTH?) setup. I suggest you post your ipsec.conf file and hope
someone else jumps in. There are instructions for a PIX at <a
href="http://wiki.openswan.org/index.php/Openswan/CiscoPIX">http://wiki.openswan.org/index.php/Openswan/CiscoPIX</a>
but they probably do not apply to you. You may also want to check out the
strongswan (sorry everyone) website as well in case they have some pointers,
but some of their config options are slightly different.<br>
<br>
Nick<br>
<br>
Sven J. van Rooij wrote: <o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Nick,</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Did as you said and here’s my
log…</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall ipsec__plutorun: Unknown default RSA
hostkey scheme, not generating a default hostkey</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall ipsec__plutorun: Starting Pluto
subsystem...</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Starting Pluto (Openswan
Version 2.4.11 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE{dD^fJcUvk)</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Setting NAT-Traversal
port-4500 floating to on</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: port floating activation
criteria nat_t=1/port_fload=1</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: including NAT-Traversal
patch (Version 0.6c)</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: starting up 1
cryptographic helpers</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: started helper pid=17124
(fd:6)</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Using NETKEY IPsec
interface code on 2.6.18-93.cc4</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Changing to directory
'/etc/ipsec.d/cacerts'</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Changing to directory
'/etc/ipsec.d/aacerts'</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Changing to directory
'/etc/ipsec.d/ocspcerts'</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Changing to directory
'/etc/ipsec.d/crls'</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: Warning: empty directory</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: loading secrets from
"/etc/ipsec.secrets"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: loading secrets from
"/etc/ipsec.CCC.secrets"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: loading secrets from
"/etc/ipsec.CHOMP.secrets"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: added connection
description "hqgateCHOMP-satnetCHOMP"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:06 firewall pluto[17118]: added connection
description "CCC"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: added connection
description "hqnetCHOMP-satgateCHOMP"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: added connection
description "hqgateCHOMP-satgateCHOMP"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: added connection
description "hqnetCHOMP-satnetCHOMP"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: listening for IKE messages</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth3/eth3 12.54.126.107:500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth3/eth3 12.54.126.107:4500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth2/eth2 10.0.0.1:500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth2/eth2 10.0.0.1:4500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth1/eth1 192.168.112.1:500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth1/eth1 192.168.112.1:4500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth0/eth0 12.54.126.106:500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface
eth0/eth0 12.54.126.106:4500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface lo/lo
127.0.0.1:500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface lo/lo
127.0.0.1:4500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: adding interface lo/lo
::1:500</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: forgetting secrets</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: loading secrets from
"/etc/ipsec.secrets"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: loading secrets from
"/etc/ipsec.CCC.secrets"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: loading secrets from
"/etc/ipsec.CHOMP.secrets"</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: initiating Main Mode</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
initiating Main Mode</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP"
#1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
to=106</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: ignoring Vendor ID payload
[FRAGMENTATION c0000000]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: enabling possible NAT-traversal with
method draft-ietf-ipsec-nat-t-ike-02/03</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
ignoring unknown Vendor ID payload
[166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
received Vendor ID payload [Dead Peer Detection]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
ignoring Vendor ID payload [HeartBeat Notify 386b0100]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP"
#1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: STATE_MAIN_I2: sent MI2, expecting MR2</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
STATE_MAIN_I2: sent MI2, expecting MR2</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2: I did
not send a certificate because I do not have one.</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
STATE_MAIN_I3: sent MI3, expecting MR3</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2: Main
mode peer ID is ID_IPV4_ADDR: '206.71.166.194'</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #2:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #3:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: received Vendor ID payload [Cisco-Unity]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: received Vendor ID payload [XAUTH]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: ignoring unknown Vendor ID payload
[206827036be3230041d197ac232e3099]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: ignoring Vendor ID payload [Cisco VPN
3000 Series]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: I did not send a certificate because I
do not have one.</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: transition from state STATE_MAIN_I2 to
state STATE_MAIN_I3</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: STATE_MAIN_I3: sent MI3, expecting MR3</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #3:
ignoring informational payload, type IPSEC_RESPONDER_LIFETIME</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #3:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:07 firewall pluto[17118]: "CCC" #3:
STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5074876f
<0xe6a4d1b3 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: received Vendor ID payload [Dead Peer
Detection]</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]: | protocol/port in Phase
1 ID Payload is 17/0. accepted with port_floating NAT-T</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: Main mode peer ID is ID_IPV4_ADDR:
'204.179.192.22'</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: transition from state STATE_MAIN_I3 to
state STATE_MAIN_I4</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqnetCHOMP-satnetCHOMP" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
{using isakmp#1}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqgateCHOMP-satgateCHOMP" #5: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqnetCHOMP-satgateCHOMP" #6: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqnetCHOMP-satgateCHOMP" #6: can not start crypto helper: failed to
find any available worker</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP"
#7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #7: can not start crypto helper: failed to
find any available worker</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqnetCHOMP-satnetCHOMP" #4: transition from state STATE_QUICK_I1 to
state STATE_QUICK_I2</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:08 firewall pluto[17118]:
"hqnetCHOMP-satnetCHOMP" #4: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0x2500faab <0x9f6adb8c xfrm=3DES_0-HMAC_MD5 NATD=none
DPD=none}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:24 firewall pluto[17118]: initiate on demand from
12.54.126.106:0 to 204.179.196.30:0 proto=0 state: fos_start because: acquire</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;font-family:Consolas;
color:#1F497D'>May 19 13:12:24 firewall pluto[17118]:
"hqgateCHOMP-satnetCHOMP" #8: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:8.0pt;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>So I’m not sure how it went from
working in the version shipped on the CC box and now I can’t get even a ping!</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Sven</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
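<p class=MsoNormal>An added example, not part of Sven's mail and not Openswan code: a small triage of the pluto log above, per connection, showing which Phase 1 (ISAKMP) SA each Quick Mode rides on, which connections actually reached "IPsec SA established", and which Quick Mode attempts died with "can not start crypto helper". In the posted log only "CCC" (#3) and "hqnetCHOMP-satnetCHOMP" (#4) got an IPsec SA; #6 and #7 failed to start, and the log reports only one cryptographic helper. Whether that explains the missing traffic is not something the thread settles, but it is the first thing the log lets you rule in or out. The sample lines are copied from the log in this message with the mail client's line wrapping undone; the parser only knows the message formats visible there.</p>

```python
"""Triage an Openswan 2.4 pluto log: which connections got an IPsec SA, which did not.

Added example; not Openswan code. It pattern-matches only the message formats
visible in the posted log, so any other pluto message is ignored, not interpreted.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the log posted in the thread (wrapping undone).
SAMPLE_LOG = """\
May 19 13:12:06 firewall pluto[17118]: starting up 1 cryptographic helpers
May 19 13:12:07 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: initiating Main Mode
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: initiating Main Mode
May 19 13:12:07 firewall pluto[17118]: "CCC" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 19 13:12:07 firewall pluto[17118]: "CCC" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
May 19 13:12:07 firewall pluto[17118]: "CCC" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5074876f <0xe6a4d1b3 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satnetCHOMP" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satgateCHOMP" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satgateCHOMP" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satgateCHOMP" #6: can not start crypto helper: failed to find any available worker
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
May 19 13:12:08 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #7: can not start crypto helper: failed to find any available worker
May 19 13:12:08 firewall pluto[17118]: "hqnetCHOMP-satnetCHOMP" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2500faab <0x9f6adb8c xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
May 19 13:12:24 firewall pluto[17118]: "hqgateCHOMP-satnetCHOMP" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
"""

HELPERS_RE = re.compile(r"starting up (\d+) cryptographic helpers")
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARENT_RE = re.compile(r"\{using isakmp#(\d+)\}")


def triage(log_text):
    """Return (helper_count, {conn: {phase1_ok, ipsec_sa, failed}})."""
    helpers = None
    isakmp_up = set()  # Phase 1 SA numbers that reached STATE_MAIN_I4
    conns = defaultdict(lambda: {"isakmp": set(), "ipsec_sa": [], "failed": []})
    for line in log_text.splitlines():
        m = HELPERS_RE.search(line)
        if m:
            helpers = int(m.group(1))
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        conn, sa, msg = m["conn"], int(m["sa"]), m["msg"]
        c = conns[conn]
        if "ISAKMP SA established" in msg:
            isakmp_up.add(sa)
            c["isakmp"].add(sa)
        elif "initiating Quick Mode" in msg:
            p = PARENT_RE.search(msg)
            if p:  # Phase 2 rides on this Phase 1 SA, possibly one owned by another conn
                c["isakmp"].add(int(p.group(1)))
        elif "IPsec SA established" in msg:
            c["ipsec_sa"].append(sa)
        elif "can not start crypto helper" in msg:
            c["failed"].append(sa)
    report = {conn: {"phase1_ok": bool(c["isakmp"] & isakmp_up),
                     "ipsec_sa": c["ipsec_sa"], "failed": c["failed"]}
              for conn, c in conns.items()}
    return helpers, report


def status(entry):
    """Short verdict for one connection."""
    if entry["ipsec_sa"]:
        return "UP"
    if entry["failed"]:
        return "QUICK MODE FAILED"
    return "PHASE 1 ONLY" if entry["phase1_ok"] else "NO PHASE 1"


if __name__ == "__main__":
    helpers, report = triage(SAMPLE_LOG)
    print(f"crypto helpers: {helpers}")
    for conn, e in sorted(report.items()):
        print(f"{conn:28} {status(e):18} ipsec_sa={e['ipsec_sa']} failed={e['failed']}")
```

<p class=MsoNormal>Feed it the full <tt>/var/log/secure</tt> (or wherever pluto logs on the box) instead of the sample to see every connection's verdict. A connection that never reaches "IPsec SA established" has no Phase 2 SA, so no kernel policy or SA for its subnets exists and its traffic cannot be carried, regardless of how the Phase 1 lines look.</p>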
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Nick Howitt [<a
href="mailto:n1ck.h0w1tt@googlemail.com">mailto:n1ck.h0w1tt@googlemail.com</a>]
<br>
<b>Sent:</b> Tuesday, May 19, 2009 12:57 PM<br>
<b>To:</b> Sven J. van Rooij<br>
<b>Cc:</b> <a href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] upgrade openswan on CC 4.3 box</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal>Sven,<br>
<br>
Those errors are not key to setting up Openswan. I had my tunnels working
despite the errors. However, to fix them you need to edit /etc/sysctl.conf.<br>
Change:<br>
net.ipv4.ip_forward = 0 -> 1<br>
net.ipv4.conf.default.rp_filter = 1 -> 0<br>
<br>
Add:<br>
net.ipv4.conf.all.accept_redirects = 0<br>
net.ipv4.conf.default.accept_redirects = 0<br>
net.ipv4.conf.all.send_redirects = 0<br>
net.ipv4.conf.default.send_redirects = 0<br>
(there may be a better way to do it)<br>
<br>
Save the file and reload it using:<br>
sysctl -p<br>
sysctl -w net.ipv4.route.flush=1<br>
<br>
As I said before, VPN traffic goes through the tunnel LAN-LAN, but I have
problems with anything to the gateway.<br>
Sometimes I can ping the far router from the gateway, sometimes I cannot. If I
cannot, if I set up a continuous ping it will generally start working within a
minute or two. I also have a problem getting the far router to ping the LAN
address of the CC box (unpredictably unreliable), but it can ping everything
behind the CC box.<br>
<br>
If I set up a virtual LAN interface on the CC box (eth1:0, 192.168.2.10) I can
always ping the far router with the command "ping -I 192.168.2.10
192.168.20.1" even if pinging 192.168.20.1 directly fails. I am trying to
find out if my brother can browse the Samba shares using \\192.168.2.10\xyz
instead of \\192.168.2.1\xyz (after adding the interface eth1:0 to smb.conf).<br>
<br>
If anyone can help me (us?) with this one, I'd love to hear. If not, I'll wait
for CC5 before asking again.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
Sven J. van Rooij wrote: <o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Nick,</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Thanks for the quick response.</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>So I did do the upgrade and same
issue…</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>I get my tunnels up, but now no
traffic seems to go across the tunnel.</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>Pings time out.</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'>And the ipsec verify gives
me this</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
<pre><span style='color:#1F497D'>Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.18-93.cc4 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
cat: ipsec.*.conf: No such file or directory
Opportunistic Encryption Support                                [DISABLED]
  Cannot execute command "which iptables": No such file or directory
  cat: ipsec.*.conf: No such file or directory</span></pre>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'>Even though
I have disabled the send and accept redirects….</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'>Any ideas??</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'> </span><o:p></o:p></p>
<p class=MsoNormal><span style='font-family:Consolas;color:#1F497D'>Sven</span><o:p></o:p></p>
<p class=MsoNormal><span style='color:#1F497D'> </span><o:p></o:p></p>
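<p class=MsoNormal>The two [FAILED] lines in the verify output come from ipsec verify reading every file matched by /proc/sys/net/ipv4/conf/*/send_redirects and /proc/sys/net/ipv4/conf/*/accept_redirects, so a value left at 1 on any single per-interface entry (default, eth0, ...) is enough to fail the check even after conf/all was changed. The script below is an added example; it is not from this thread, from Openswan or from ClarkConnect. It runs the same wildcard check but names each entry that is still non-zero, then sets every entry to 0. The sysctl root directory is a parameter so it can be exercised against a constructed copy of the tree (the default sample tree, with all=0 but default and eth0 still at 1, is an assumed scenario built purely for illustration).</p>

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or Openswan): reproduce the
# two ICMP-redirect checks that 'ipsec verify' performs under NETKEY, but
# report which interface entries are still enabled and then disable them.
# ROOT is the sysctl tree (e.g. /proc/sys/net/ipv4/conf) and is a parameter
# so the logic can run against a constructed tree without root privileges.

# check_redirects ROOT KEY
# Print "<entry> <value>" for every ROOT/*/KEY whose value is not 0.
# Returns 0 when all entries are 0 (the [OK] case), 1 otherwise ([FAILED]).
check_redirects() {
    root=$1; key=$2; bad=0
    for f in "$root"/*/"$key"; do
        [ -r "$f" ] || continue          # glob matched nothing / unreadable
        v=$(cat "$f")
        if [ "$v" != "0" ]; then
            entry=$(basename "$(dirname "$f")")
            echo "$entry $v"
            bad=1
        fi
    done
    return $bad
}

# disable_redirects ROOT KEY
# Write 0 to every ROOT/*/KEY, which is what the verify message asks for.
# On a live system this needs root; the change does not survive a reboot
# unless the matching net.ipv4.conf.*.KEY lines are also put in sysctl.conf.
disable_redirects() {
    root=$1; key=$2
    for f in "$root"/*/"$key"; do
        [ -w "$f" ] && echo 0 > "$f"
    done
    return 0
}

# make_sample_tree
# Build a constructed tree (assumed scenario, not real data) where the
# admin cleared the 'all' entries but 'default' and eth0 still carry 1.
make_sample_tree() {
    dir=$(mktemp -d)
    for i in all default lo eth0 eth1; do
        mkdir -p "$dir/$i"
        echo 0 > "$dir/$i/send_redirects"
        echo 0 > "$dir/$i/accept_redirects"
    done
    echo 1 > "$dir/default/send_redirects"
    echo 1 > "$dir/eth0/accept_redirects"
    echo "$dir"
}

# report ROOT KEY: print a verify-style line plus the offending entries.
report() {
    root=$1; key=$2
    if out=$(check_redirects "$root" "$key"); then
        echo "NETKEY: $key disabled on all interfaces            [OK]"
    else
        echo "NETKEY: $key still enabled on the entries below    [FAILED]"
        echo "$out" | sed 's/^/    /'
    fi
}

# Stand-alone run: pass /proc/sys/net/ipv4/conf as $1 to inspect a live box;
# with no argument the constructed sample tree is used.
ROOT=${1:-$(make_sample_tree)}
report "$ROOT" send_redirects
report "$ROOT" accept_redirects
```

<p class=MsoNormal>Run it as <code>sh check_redirects.sh /proc/sys/net/ipv4/conf</code> (as root if you want the disable step to take effect) to see exactly which entry is keeping ipsec verify at [FAILED]. To make the setting persistent across reboots, add <code>net.ipv4.conf.all.send_redirects = 0</code>, <code>net.ipv4.conf.default.send_redirects = 0</code>, <code>net.ipv4.conf.all.accept_redirects = 0</code> and <code>net.ipv4.conf.default.accept_redirects = 0</code> to /etc/sysctl.conf; the reason verify treats accept_redirects as a failure is that an accepted redirect lets any on-link host rewrite the gateway's routing decisions for the tunnel traffic.</p>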
<div>
<div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in;
border-color:-moz-use-text-color'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";
color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:
"Tahoma","sans-serif";color:windowtext'> Nick Howitt [<a
href="mailto:n1ck.h0w1tt@googlemail.com">mailto:n1ck.h0w1tt@googlemail.com</a>]
<br>
<b>Sent:</b> Tuesday, May 19, 2009 10:51 AM<br>
<b>To:</b> Sven J. van Rooij<br>
<b>Cc:</b> <a href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] upgrade openswan on CC 4.3 box</span><o:p></o:p></p>
</div>
</div>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal>Sven,<br>
<br>
The instructions in <a
href="http://forums.clarkconnect.com/showthreaded.php?Cat=0&Number=103109&page=0&vc=1">this</a>
thread in the CC forums work fine for Openswan-2.4.14. I could not make it work
with 2.6.18 or 2.6.21. 2.6.18 may compile but won't run. 2.6.21 will not
compile.<br>
<br>
I have Openswan working fine as a VPN gateway/router. I just cannot get the
file server to work properly through the VPN, nor can I get pings to and from
the gateway work reliably through the tunnel. LAN-LAN traffic through the
gateway is OK.<br>
<br>
I was going to wait until CC5 (Openswan-2.6.14) is released before
troubleshooting this any further.<br>
<br>
Nick<br>
<br>
Sven J. van Rooij wrote: <o:p></o:p></p>
<p class=MsoNormal>Can anyone direct me towards a good set of instructions on
how to upgrade openswan on a clark connect box.<o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal>Regardless which version (besides the original) I
choose, I end up with a tunnel, but no traffic on it.<o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal>PLEASE HELP!<o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal>Thanks,<o:p></o:p></p>
<p class=MsoNormal>Sven<o:p></o:p></p>
<pre style='text-align:center'>
<hr size=4 width="90%" align=center>
</pre><pre>_______________________________________________<o:p></o:p></pre><pre><a
href="mailto:Users@openswan.org">Users@openswan.org</a><o:p></o:p></pre><pre><a
href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a><o:p></o:p></pre><pre>Building and Integrating Virtual Private Networks with Openswan: <o:p></o:p></pre><pre><a
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><o:p></o:p></pre><pre> <o:p></o:p></pre></div>
</body>
</html>