<font face="arial,helvetica,sans-serif">Hi,</font><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">A good sign is that we have a connection and that seems to be working, but... am I right that there is a routing problem preventing the tunnel from working properly...?</font></div>
<div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">I have a dedicated server with eth0 set <b>to my-gateway-ip. </b>There is also another subinterface: eth0:1 with ip 192.168.5.1. There is a virtual machine with 192.168.5.2 on this dedicated server which is supposed to be contacting "</font><b style="font-family:arial,helvetica,sans-serif">remote-ip-inside-vpn</b><span style="font-family:arial,helvetica,sans-serif">". Do you think it might be somehow related to the problem (output below)?</span></div>
<div><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div><span style="font-family:arial,helvetica,sans-serif">I cannot ping "<b>remote-ip-inside-vpn</b>".</span></div><div><font face="arial, helvetica, sans-serif"><br>
</font></div><div><font face="arial, helvetica, sans-serif"><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Aug 29 11:35:46 : "conn" #2075: sending encrypted notification INVALID_ID_INFORMATION to <b>remote-gateway-ip:500<br></b>Aug 29 11:35:47 : packet from <b>remote-gateway-ip:500</b>: received Vendor ID payload [Dead Peer Detection]<br>
Aug 29 11:35:47 : packet from <b>remote-gateway-ip:500</b>: ignoring unknown Vendor ID payload [xxx]<br>Aug 29 11:35:47 : "conn" #2076: responding to Main Mode<br>Aug 29 11:35:47 : "conn" #2076: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Aug 29 11:35:47 : "conn" #2076: STATE_MAIN_R1: sent MR1, expecting MI2<br>Aug 29 11:35:47 : "conn" #2076: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Aug 29 11:35:47 : "conn" #2076: STATE_MAIN_R2: sent MR2, expecting MI3<br>
Aug 29 11:35:47 : "conn" #2076: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000<br>Aug 29 11:35:47 : "conn" #2076: Main mode peer ID is ID_IPV4_ADDR: <b>'remote-gateway-ip'<br>
</b>Aug 29 11:35:47 : "conn" #2076: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>Aug 29 11:35:47 : "conn" #2076: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}<br>
Aug 29 11:35:48 : "conn" #2076: the peer proposed: 192.168.5.2/32:0/0 -> <b>remote-ip-inside-vpn</b>/32:0/0<br>Aug 29 11:35:48 : "conn" #2076: cannot respond to IPsec SA request because no connection is known for 192.168.5.2/32===my-gateway-ip&lt;my-gateway-ip&gt;[+S=C]...remote-gateway-ip&lt;remote-gateway-ip&gt;[+S=C]===<b>remote-ip-inside-vpn</b>/32</blockquote></div><div><br></div></font></div><div><div>Regards,</div><div>Jakub</div><br>
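<div><font face="arial, helvetica, sans-serif">As an added example, not part of this mail thread and not Openswan's own code: a small Python checker that reads the "the peer proposed" line above against a conn block from ipsec.conf and reports which traffic selector the responder cannot match. The log line and the conn fragment are constructed from the thread, with hypothetical gateway addresses (203.0.113.10, 198.51.100.20) and 10.9.9.9 standing in for remote-ip-inside-vpn; it assumes the ipsec.conf default that leftsubnet/rightsubnet fall back to the gateway address itself.</font></div>

```python
import ipaddress
import re
# Constructed sample (not from the mail): the pluto "peer proposed" line from the
# thread, with the remote-ip-inside-vpn placeholder replaced by 10.9.9.9.
PLUTO_LOG = ('Aug 29 11:35:48 : "conn" #2076: the peer proposed: '
             '192.168.5.2/32:0/0 -> 10.9.9.9/32:0/0')
# Constructed conn modelled on the thread: leftsubnet is the eth0:1 alias
# (192.168.5.1), not the VM (192.168.5.2). The gateway addresses are hypothetical.
IPSEC_CONF = """conn abc
    left=203.0.113.10
    leftsubnet=192.168.5.1/32
    right=198.51.100.20
    rightsubnet=10.9.9.9/32
"""

def parse_conn(conf, name):
    """Return the key=value settings of the named conn section as a dict."""
    settings, inside = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            inside = line == f"conn {name}"
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_proposal(line):
    """Return (local, remote) selectors from a 'the peer proposed' line, or None.
    As responder Openswan prints our side first (same order as 'no connection is known for')."""
    m = re.search(r"the peer proposed: (\S+?):\d+/\d+ -> (\S+?):\d+/\d+", line)
    if not m:
        return None
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))

def check_selectors(conf, name, line):
    """Compare the proposal with the conn; return a list of mismatch descriptions."""
    conn = parse_conn(conf, name)
    local, remote = parse_proposal(line)
    problems = []
    for side, proposed in (("left", local), ("right", remote)):
        # leftsubnet/rightsubnet default to the gateway address itself (/32).
        configured = ipaddress.ip_network(conn.get(side + "subnet", conn[side] + "/32"))
        if proposed != configured:
            problems.append(f"{side}subnet={configured} but peer proposed {proposed}")
    return problems
```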
<br><br><div class="gmail_quote">2012/8/29 Roel van Meer <span dir="ltr"><<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">Jakub Sobczak writes:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Each time I changed something I did:<br>
<br>
ipsec auto --delete conn<br>
ipsec auto --add conn<br>
ipsec auto --up conn<br>
</blockquote>
<br></div>
This reloads the connection config, but not the shared secrets.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
But it seems that it has failed to work. After this command:<br>
<br>
ipsec auto --rereadsecrets<br>
<br>
I think it has negotiated the first phase, but there seems to be a problem with the second phase. <br>
</blockquote>
<br></div>
Do you have any logs of openswan? E.g. the output of:<div class="im"><br>
<br>
ipsec auto --delete conn<br>
ipsec auto --add conn<br>
ipsec auto --up conn<br>
<br></div>
or recent content of the log file you posted before..<br>
<br>
Regards,<br>
<br>
Roel<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
<br>
<br>
<br>
11:01:19.533205 IP remote-ip > my-ip.500: isakmp: phase 1 I ident<br>
11:01:19.533365 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident<br>
11:01:20.127518 IP remote-ip > my-ip.500: isakmp: phase 1 I ident<br>
11:01:20.128536 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident<br>
11:01:20.210036 IP remote-ip > my-ip.500: isakmp: phase 1 I ident[E]<br>
11:01:20.210213 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident[E]<br>
11:01:20.303975 IP remote-ip > my-ip.500: isakmp: phase 2/others I oakley-quick[E]<br>
11:01:20.304176 IP my-ip.500 > remote-ip: isakmp: phase 2/others R inf[E]<br>
<br>
<br>
<br></div>
Thanks for the info about UDP port, I was expecting it to rather look like this: 1.2.3.4:500 and not separated with the dot (.). <br>
<br>
<br>
Regards,<br>
Jakub <br>
<br>
<br>
<br><div class="im">
2012/8/29 Roel van Meer &lt;<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>&gt;<br>
<br>
Jakub Sobczak writes:<br></div>
tcpdump shows:<br>
10:37:17.007960 IP remote-ip.500 > my-ip.500 : isakmp: phase 1 I ident<br>
10:37:17.008104 IP my-ip.500 > remote-ip.500 : isakmp: phase 1 R inf<br>
I do not know where this .500 comes from, it looks like this: 1.2.3.4.500, but anyway it seems fine. What worries me however is:<div class="im">
<br>
.500 is the udp port that is used for setting up the connection.<br>
104 "conn" #1806: STATE_MAIN_I1: initiate<br>
003 "conn" #1806: received Vendor ID payload [Dead Peer Detection]<br>
003 "conn" #1806: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]<br>
003 "conn" #1806: Can't authenticate: no preshared key found for `my-ip' and `remote-ip'. Attribute OAKLEY_AUTHENTICATION_METHOD<br>
Ok, you do receive traffic from the remote, so the firewall is not the problem. It can't find a secret for your configured connection, however.<br>
Openswan does not pick up changes in your secrets file automatically.<br>
Have you restarted openswan since you put the secret in ipsec.secrets? You can also run<br>
ipsec auto --rereadsecrets<br>
to make sure Openswan picks up any changes there.<br>
Regards,<br>
Roel<br>
003 "conn" #1806: no acceptable Oakley Transform<br>
214 "conn" #1806: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN<br>
Again, my ipsec.secrets looks like this (copy-paste): my-ip remote-ip : PSK "some-presharedkey"<br>
What is going on? Maybe I have to install something?<br>
Regards,<br>
Jakub <br></div><div class="im">
2012/8/29 Roel van Meer &lt;<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>&gt;<br>
Jakub Sobczak writes:<br></div>
Yes, the shared key line is formatted in the following way: 1.2.3.4 5.6.7.8: PSK "sharedkey". I changed auto=add to auto=start hoping it would help, but it didn't:<div class="im">
<br>
ipsec auto --up conn<br>
104 "conn" #1616: STATE_MAIN_I1: initiate<br>
010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 20s for response<br>
010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 40s for response<br>
031 "conn" #1616: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message<br>
The other side is not responding. Your firewall might not be set up correctly. Can you see anything in the logs that indicate the other side is trying to make a connection? If not, you could try to see if there is traffic coming in from the other side.<br>
With a command like<br>
tcpdump -nli eth0 host 1.2.3.4<br>
(assuming eth0 is the network device of your internet connection, and replacing 1.2.3.4 by the ip address of the remote endpoint) you can see what is happening on the wire.<br>
Can you try to start the connection while running the tcpdump command and post its output?<br>
I'm not sure if that's correct: ike=aes256-sha1-modp1536, but if they say: Key Exchange Encryption: AES256 Data integrity: SHA1 and DH group 5, do you think this line is not correct (ike=aes256-sha1-modp1536)? I cannot influence that, I have to adjust... I am using: Linux Openswan U2.6.23/K2.6.32-31-server (netkey) Maybe the problem is that I am not using certificates but psk?<br>
The config details say the you need to use a shared key, so I assume the problem is not related to certificates.<br>
How do I check if I can use klips (which I believe I should use instead of netkey).<br>You are already using klips, since you have this in your config:<br>
protostack=klips<br>
Regards,<br>
Roel<br>
Kind regards,<br>
Jakub<br></div>
2012/8/29 Roel van Meer &lt;<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>&gt;<div class="im">
<br>
Jakub Sobczak writes:<br>
I have never set up a live openSwan VPN tunnel, so please be understanding =)<br>
I received the following config details to establish connection to the other<br>
company's gateway:<br>
Key Exchange Encryption: AES256 Data integrity: SHA1<br>
IKE SA renegotiation: 8 hrs Aggressive mode: No<br>
Use DH group: 1536 (group 5)<br>
Authentication: PSK<br>
IKE phase 2<br>
Data Encryption: AES256 Data integrity: SHA1<br>
IPSec SA renegotiation: 1 hr Aggressive mode: No<br>
Perfect forward secrecy: Yes<br>
Use DH group (Perfect forward secrecy) : 1536 (group 5)<br>
This is my config from ipsec.conf (below). Apart from that, I also have<br>
ipsec.secret with the following content: left_IP(mine)<br>
right_IP(othercompany) "PSK"<br>
Just to be sure, the format of this needs to be:<br></div>
1.2.3.4 5.6.7.8: PSK "sharedkey"<br>
config setup<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<div class="im">
<br>
oe=off<br>
protostack=klips<br>
conn abc<br>
#General<br>
keyingtries=1<br>
auto=add<br>
If you specify "auto=add" the other end will have to initiate the connection. Can you post the logs that show what happens during this time?<br>
#IKE Params<br>
authby=secret<br>
keyexchange=ike<br>
This parameter does not occur in my manpage. Which version of openswan are you using?<br>
ikelifetime=8h<br>
ike=aes256-sha1-modp1536<br>
#IPSec Params<br>
type=tunnel<br>
auth=esp<br>
pfs=yes<br>
compress=no<br>
keylife=60m<br>
esp=aes256-sha1<br>
#pfsgroup=modp1536<br>
# Left security gateway, subnet behind it, nexthop toward right.<br>
left=my_IP<br></div>
leftsubnet=192.168.5.1/32<br>right=other_comp_IP<div class="im">
<br>
rightsubnet=some_subnet<br>
As far as I can see, this is all correct.<br>
A general remark: in my experience it is often easier to begin with less specific configuration, for example:<br>
ike=aes<br>
instead of<br>
ike=aes256-sha1-modp1536<br>
The second phase does not seem to be established. What is wrong? I believe<br>
something with pfsgroup? How to properly set DH group?<br>
Best regards,<br>
Roel<br>
<br>
<br>
</div></blockquote>
</blockquote></div><br></div>