<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body>I appreciate what you are trying to do here. I feel that it would benefit you if you started off afresh and just configured one VPN tunnel to start with, so at least you know that what you have works on both sides, i.e. one lhs/rhs on both hosts, 1 IP etc., rather than trying to do it all from the start. It would also help you concentrate on understanding the bigger picture.<br><br><br><span style="font-size:87%">Sent from Samsung Mobile</span> </body></html><br><br>
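One concrete way to check the "one tunnel first" advice above against what the daemon actually has, as an added example (Python written for this page, not code from the thread or from Openswan). The `ipsec auto --status` output quoted further down lists a single instance, multi-conn/1x1, with an IPsec SA. Openswan expands leftsubnets=/rightsubnets= into one connection instance per left/right pair, and traffic between a given left /32 and right /32 is only carried once that pair's own Quick Mode has completed; with auto=add the local side only responds, so the other pairs come up only when the peer initiates them. The script parses the quoted status lines (embedded as constructed sample input), expands the two subnet lists from the first message of the thread into the expected instances, and reports which pairs really have an IPsec SA. The instance naming conn/LxR with the left index first is an assumption taken from the ipsec.conf(5) description, and the regular expressions are written for the Openswan 2.6 status format shown here.

```python
import re
from itertools import product

# Constructed sample input: the connection and state lines of `ipsec auto --status`
# as quoted in this thread, cut down to the lines the parser needs.
SAMPLE_STATUS = """\
000 "conn": 103.29.172.40<103.29.172.40>[+S=C]---202.45.103.161...119.225.115.131<119.225.115.131>[+S=C]; unrouted; eroute owner: #0
000 #2: "multi-conn/1x1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28373s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "multi-conn/1x1" esp.a4a1a941@119.225.115.131 esp.8ecfa2a9@103.29.172.40 tun.1001@119.225.115.131 tun.1002@103.29.172.40 ref=3 refhim=1
000 #1: "multi-conn/1x1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3173s; newest ISAKMP; nodpd; idle; import:not set
"""

# The complete subnet lists from the thread's `conn multi-conn` (first message).
LEFTSUBNETS = [f"103.29.173.{h}/32" for h in
               list(range(70, 77)) + list(range(80, 87)) + [60, 61, 64, 65]]
RIGHTSUBNETS = ["144.55.124.122/32", "144.55.123.187/32", "144.55.122.67/32",
                "144.55.123.63/32", "172.27.130.1/32", "172.27.130.2/32",
                "192.168.11.51/32", "144.55.124.206/32"]

# State line:  000 #2: "multi-conn/1x1":500 STATE_QUICK_R2 (IPsec SA established); ...
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')
# Kernel SA line: 000 #2: "multi-conn/1x1" esp.a4a1a941@119.225.115.131 esp.8ecfa2a9@... tun...
SPI_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?=esp\.)')
ESP_RE = re.compile(r'esp\.(?P<spi>[0-9a-f]+)@(?P<peer>[0-9.]+)')


def parse_status(text):
    """Map each connection instance in `ipsec auto --status` output to what is
    actually established for it: an ISAKMP (phase 1) SA, an IPsec (phase 2) SA,
    and the ESP SPIs the kernel holds for it, as (spi, peer) tuples."""
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"isakmp": False, "ipsec": False, "spis": []})
            c["isakmp"] |= "ISAKMP SA established" in m["desc"]
            c["ipsec"] |= "IPsec SA established" in m["desc"]
            continue
        m = SPI_RE.match(line)
        if m:
            c = conns.setdefault(m["conn"], {"isakmp": False, "ipsec": False, "spis": []})
            c["spis"].extend((e["spi"], e["peer"]) for e in ESP_RE.finditer(line))
    return conns


def expand_subnet_pairs(conn, leftsubnets, rightsubnets):
    """Openswan turns leftsubnets=/rightsubnets= into one connection instance per
    (left, right) pair, named conn/LxR with 1-based indices.  The index order
    (left number first) is assumed here from the ipsec.conf(5) description."""
    return {
        f"{conn}/{i}x{j}": (left, right)
        for (i, left), (j, right) in product(enumerate(leftsubnets, 1),
                                             enumerate(rightsubnets, 1))
    }


def tunnel_report(status_text, conn, leftsubnets, rightsubnets):
    """Return (up, down): sorted lists of the expected instances that do and do
    not have an IPsec SA.  Traffic between a left /32 and a right /32 is only
    carried when that particular pair's instance is in `up`."""
    expected = expand_subnet_pairs(conn, leftsubnets, rightsubnets)
    status = parse_status(status_text)
    up = sorted(n for n in expected if status.get(n, {}).get("ipsec"))
    down = sorted(n for n in expected if n not in up)
    return up, down


def covers(status_text, conn, leftsubnets, rightsubnets, src, dst):
    """True if a packet from src (a left /32) to dst (a right /32) has an
    established IPsec SA to travel over; False means the kernel has no SA for
    that pair, regardless of what the firewall rules say."""
    expected = expand_subnet_pairs(conn, leftsubnets, rightsubnets)
    up, _ = tunnel_report(status_text, conn, leftsubnets, rightsubnets)
    return any(expected[n] == (src, dst) for n in up)


if __name__ == "__main__":
    up, down = tunnel_report(SAMPLE_STATUS, "multi-conn", LEFTSUBNETS, RIGHTSUBNETS)
    print(f"{len(up)} of {len(up) + len(down)} instances have an IPsec SA: {up}")
    for inst in down[:5]:
        print("no IPsec SA yet:", inst)
```

On the firewall itself, replace SAMPLE_STATUS with the real text of `ipsec auto --status`. A pair that sits in the `down` list is the first thing to look at when "nothing comes out my end": with 18 left and 8 right /32s there are 144 instances to negotiate, and auto=add leaves all of them to the peer to initiate. A missing instance can be initiated locally with `ipsec auto --up` on its instance name, or all of them with auto=start, before suspecting packet filtering.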
-------- Original message --------
Subject: Re: [Openswan Users] Problem with a simple connection.
From: adstar@genis-x.com
To: paul@nohats.ca
CC: users@lists.openswan.org
<br><br><body><div style="word-break:break-all;">Hi Paul and list,<br><br>OK, thank you for your help, things have moved a little bit better.<br>Removing the rightnexthop allows the VPN to come up now.<br>I now have an established VPN but I'm not seeing any traffic come out of my end of the link.<br>The other end shows traffic being sent over but I get nothing out my end.<br>I'm not showing any packets dropped on the firewall, but there just doesn't seem to be anything coming out my end of the VPN.<br>How do I go about debugging this?<br><br>I still get this error on startup:<br>firewall# /etc/init.d/ipsec restart<br>ipsec_setup: Stopping Openswan IPsec...<br>ipsec_setup: Starting Openswan IPsec 2.6.37...<br>ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0<br><br>but at least I get<br>151: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 10<br> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff<br> inet 103.29.172.1/32 scope global ipsec0<br> inet 172.16.0.100/32 scope global ipsec0<br> inet 103.29.172.40/32 scope global ipsec0<br><br>The IP I want to listen on is listed under ipsec0 now.<br>Also it is now dropping in the default route when the VPN comes up.<br><br>firewall# ip route<br>144.55.124.122 dev ipsec0 scope link<br>202.45.103.160/30 dev eth1 proto kernel scope link src 202.45.103.162<br>172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.100<br>103.29.172.0/24 dev eth0 proto kernel scope link src 103.29.172.40<br>103.29.172.0/22 dev eth0 proto kernel scope link src 103.29.172.1<br>default via 202.45.103.161 dev eth1<br><br>My current config:<br><br># bconn configuration<br>config setup<br> #plutodebug = "all"<br> #klipsdebug = "all"<br> #plutoopts="--perpeerlog"<br> dumpdir=/var/run/pluto/<br> nat_traversal=yes<br> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br> oe=off<br> protostack=auto<br> plutostderrlog=/var/log/pluto.log<br> interfaces="ipsec0=eth0"<br> 
#listen=103.29.172.40<br><br>conn multi-conn<br> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8<br> also=conn<br><br>conn conn<br> type = tunnel<br> authby = secret<br> left = 103.29.172.40<br> leftnexthop = 202.45.103.161<br> right = 119.225.115.131<br> ike = aes256-sha1-modp1536<br> esp = aes256-sha1<br> keyexchange = ike<br> pfs = no<br> auto = add<br><br>firewall# ipsec auto --status<br>000 using kernel interface: klips<br>000 interface ipsec0/eth0 103.29.172.1<br>000 interface ipsec0/eth0 103.29.172.1<br>000 interface ipsec0/eth0:2 172.16.0.100<br>000 interface ipsec0/eth0:2 172.16.0.100<br>000 interface ipsec0/eth0:1 103.29.172.40<br>000 interface ipsec0/eth0:1 103.29.172.40<br>000 %myid = (none)<br>000 debug none<br>000<br>000 virtual_private (%priv):<br>000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10<br>000 - disallowed 0 subnets:<br>000 WARNING: Disallowed subnets in virtual_private= is empty. 
If you have<br>000 private address space in internal use, it should be excluded!<br>000<br>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192<br>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256<br>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128<br>000<br>000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128<br>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128<br>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024<br>000 algorithm 
IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048<br>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048<br>000<br>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}<br>000<br>000 "conn": 103.29.172.40<103.29.172.40>[+S=C]---202.45.103.161...119.225.115.131<119.225.115.131>[+S=C]; unrouted; eroute owner: #0<br>000 "conn": myip=unset; hisip=unset;<br>000 "conn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>000 "conn": policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0:1;<br>000 "conn": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000 "conn": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1536(5); flags=-strict<br>000 "conn": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)<br>000 "conn": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict<br>000 "conn": ESP algorithms loaded: AES(12)_256-SHA1(2)_160<snip><br>000 #2: "multi-conn/1x1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28373s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set<br>000 #2: "multi-conn/1x1" esp.a4a1a941@119.225.115.131 esp.8ecfa2a9@103.29.172.40 tun.1001@119.225.115.131 tun.1002@103.29.172.40 ref=3 refhim=1<br>000 #1: "multi-conn/1x1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3173s; newest ISAKMP; nodpd; idle; import:not set<br><br>-----Original Message-----<br>From: Paul Wouters [mailto:paul@nohats.ca] <br>Sent: Saturday, 8 December 2012 9:10 AM<br>To: adstar@genis-x.com<br>Subject: RE: [Openswan Users] Problem with a simple connection.<br><br>On Sat, 8 Dec 2012, adstar@genis-x.com wrote:<br><br>Try removing the rightnexthop setting?<br><br>> I tried the alias side of things but I get errors on startup<br><br>Is there a reason you are using KLIPS and not NETKEY?<br><br>> ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0<br><br>That should be linked to eth0:1, so there 
might be a bug in openswan.<br><br>><br>> ipsec_setup: Error: either "local" is duplicate, or "eth0" is a garbage.<br><br>This might be the rightnexthop, try removing it<br><br>> conn conn<br>> type = tunnel<br>> authby = secret<br>> left = 103.29.172.40<br>> leftnexthop = 103.29.172.1<br>> right = 119.225.115.131<br>> rightnexthop = %defaultroute<br>> ike = aes256-sha1-modp1536<br>> esp = aes256-sha1<br>> keyexchange = ike<br>> pfs = no<br>> auto = add<br>><br>><br>> -----Original Message-----<br>> From: Paul Wouters [mailto:paul@nohats.ca]<br>> Sent: Saturday, 8 December 2012 2:25 AM<br>> To: adstar@genis-x.com<br>> Subject: Re: [Openswan Users] Problem with a simple connection.<br>><br>> On Fri, 7 Dec 2012, adstar@genis-x.com wrote:<br>><br>>> If I switch to protostack=mast the vpn comes up, but I don't know enough about mast, does it place a route like klips? If so I'm not seeing a route when the connection comes up.</div>><br>> If using mast, then you must configure mast using ifconfig to match your public ip with a /32 mask on it. But don't use mast unless you are using L2TP/IPsec.<br>><br>>> With this config that works if I switch back to klips I get the <br>>> packet from 119.225.115.131:500: initial Main Mode message received <br>>> on<br>>> 103.29.172.40:500 but no connection has been authorized with <br>>> policy=PSK<br>><br>> Looks like your connection just did not load or is misconfigured. 
run "ipsec auto --add connname" to see an error in loading?<br>><br>> You also need to add interfaces for each "alias" device when using KLIPS, so interfaces="ipsec0=eth0, ipsec1=eth0:1" etc etc.<br>><br>> Paul<br>><br>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload <br>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08988...]<br>>><br>>> error?<br>>><br>>> Any advice, guys?<br>>><br>>> Plutorun started on Fri Dec 7 08:17:03 EDT 2012 adjusting ipsec.d to <br>>> /etc/ipsec.d<br>>> bind() will be filtered for 103.29.172.40 Starting Pluto (Openswan <br>>> Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:24066 <br>>> LEAK_DETECTIVE support [disabled] OCF support for IKE [disabled] <br>>> SAref support [disabled]: Protocol not available SAbind support [disabled]:<br>>> Protocol not available NSS support [disabled] HAVE_STATSD <br>>> notification support not compiled in Setting NAT-Traversal port-4500 floating to on<br>>> port floating activation criteria nat_t=1/port_float=1<br>>> NAT-Traversal support [enabled]<br>>> using /dev/urandom as source of random entropy<br>>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<br>>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<br>>> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<br>>> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<br>>> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<br>>> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<br>>> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) <br>>> starting up 1 cryptographic helpers started helper pid=24070 (fd:4) <br>>> Using KLIPSng (mast) IPsec interface code on 2.6.35.14-i686 using <br>>> /dev/urandom as source of random entropy Changed path to directory <br>>> '/etc/ipsec.d/cacerts'<br>>> Changed path to directory '/etc/ipsec.d/aacerts'<br>>> Changed path to directory '/etc/ipsec.d/ocspcerts'<br>>> Changing 
to directory '/etc/ipsec.d/crls'<br>>> Warning: empty directory<br>>> listening for IKE messages<br>>> | useful mast device -1<br>>> skipping interface eth1 with 202.45.103.162<br>>> ERROR: PF_KEY K_SADB_X_PLUMBIF response for configure_mast_device <br>>> included errno 17: File exists adding interface mast0/eth0<br>>> 103.29.172.40:500 (fd=10) adding interface mast0/eth0<br>>> 103.29.172.40:4500 (fd=11) skipping interface eth0:4 with <br>>> 172.16.0.100 skipping interface eth0:2 with 103.29.175.1 skipping <br>>> interface eth0:1 with 103.29.174.1 skipping interface eth0:0 with <br>>> 103.29.173.1 skipping interface eth0 with 103.29.172.1<br>>> | useful mast device 0<br>>> | useful mast device 0<br>>> loading secrets from "/etc/ipsec.secrets"<br>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload <br>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c10b74...]<br>>> "multi-conn/1x1" #1: responding to Main Mode "multi-conn/1x1" #1:<br>>> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 <br>>> "multi-conn/1x1" #1: STATE_MAIN_R1: sent MR1, expecting MI2 <br>>> "multi-conn/1x1" #1: transition from state STATE_MAIN_R1 to state<br>>> STATE_MAIN_R2 "multi-conn/1x1" #1: STATE_MAIN_R2: sent MR2, expecting<br>>> MI3 "multi-conn/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '119.225.115.131'<br>>> "multi-conn/1x1" #1: transition from state STATE_MAIN_R2 to state<br>>> STATE_MAIN_R3 "multi-conn/1x1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA <br>>> established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha <br>>> group=modp1536} "multi-conn/1x1" #1: the peer proposed: 103.29.173.70/32:0/0 -> 144.55.124.122/32:0/0 "multi-conn/1x1" #2: responding to Quick Mode proposal {msgid:ed10f5ab}<br>>> "multi-conn/1x1" #2: us: 103.29.173.70/32===103.29.172.40<103.29.172.40>[+S=C]---202.45.103.161<br>>> "multi-conn/1x1" #2: them: 202.45.103.161---119.225.115.131<119.225.115.131>[+S=C]===144.55.124.122/32<br>>> | mast_raw_eroute called op=4 
said=tun.1002@103.29.172.40<br>>> "multi-conn/1x1" #2: transition from state STATE_QUICK_R0 to state<br>>> STATE_QUICK_R1 "multi-conn/1x1" #2: STATE_QUICK_R1: sent QR1, inbound <br>>> IPsec SA installed, expecting QI2<br>>> | mast_sag_eroute called op=1/add<br>>> | mast_raw_eroute called op=1 said=tun.1001@119.225.115.131<br>>> "multi-conn/1x1" #2: transition from state STATE_QUICK_R1 to state<br>>> STATE_QUICK_R2 "multi-conn/1x1" #2: STATE_QUICK_R2: IPsec SA <br>>> established tunnel mode {ESP=>0x2a7072ec <0x1f27e374<br>>> xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none} "multi-conn/1x1"<br>>> #2: discarding duplicate packet; already STATE_QUICK_R2 <br>>> "multi-conn/1x1" #2: discarding duplicate packet; already<br>>> STATE_QUICK_R2<br>>><br>>><br>>> # bconn configuration<br>>> config setup<br>>> # plutodebug = "all"<br>>> # klipsdebug = "all"<br>>> #plutoopts="--perpeerlog"<br>>> dumpdir=/var/run/pluto/<br>>> nat_traversal=yes<br>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>>> oe=off<br>>> protostack=mast<br>>> plutostderrlog=/var/log/pluto.log<br>>> # interfaces="ipsec0=eth0"<br>>> listen=103.29.172.40<br>>><br>>> conn multi-conn<br>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8<br>>> also=conn<br>>><br>>> conn conn<br>>> type = tunnel<br>>> authby = secret<br>>> left = 103.29.172.40<br>>> leftnexthop = %defaultroute<br>>> right = 119.225.115.131<br>>> rightnexthop = %defaultroute<br>>> ike = aes256-sha1-modp1536<br>>> esp = aes256-sha1<br>>> keyexchange = ike<br>>> pfs = no<br>>> auto = add<br>>><br>>> -----Original Message-----<br>>> From: Elison Niven 
[mailto:elison.niven@elitecore.com]<br>>> Sent: Thursday, 6 December 2012 10:41 PM<br>>> To: adstar@genis-x.com<br>>> Cc: users@lists.openswan.org<br>>> Subject: Re: [Openswan Users] Problem with a simple connection.<br>>><br>>> There's a typo. It should be left=103.29.172.40.<br>>> You have put left = 103.29.173.140<br>>><br>>> On Thursday 06 December 2012 05:09:11 PM IST, adstar@genis-x.com wrote:<br>>>> Hi Elison,<br>>>><br>>>> Sorry I totally forgot to cc the list..<br>>>> I made the changes to my config but still have the issues with PSK<br>>>><br>>>> # /etc/ipsec.conf - Openswan IPsec configuration file<br>>>> version 2.0 # conforms to second version of ipsec.conf specification<br>>>> # bconn configuration<br>>>> config setup<br>>>> dumpdir=/var/run/pluto/<br>>>> nat_traversal=yes<br>>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>>>> oe=off<br>>>> protostack=auto<br>>>> plutostderrlog=/var/log/pluto.log<br>>>> ; interfaces="ipsec0=eth0"<br>>>><br>>>> conn multi-conn<br>>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8<br>>>> also=conn<br>>>><br>>>> conn conn<br>>>> type = tunnel<br>>>> authby = secret<br>>>> left = 103.29.173.140<br>>>> right = 119.225.115.131<br>>>> rightnexthop = %defaultroute<br>>>> ike = aes256-sha1-modp1536<br>>>> esp = aes256-sha1<br>>>> keyexchange = ike<br>>>> pfs = no<br>>>> auto = add<br>>>><br>>>> My Pluto log<br>>>> Plutorun started on Thu Dec 6 22:36:06 EDT 2012 adjusting ipsec.d to <br>>>> /etc/ipsec.d Starting Pluto (Openswan Version 2.6.37; Vendor ID<br>>>> OEu\134d\134jy\134\134ap) pid:9770 LEAK_DETECTIVE support [disabled] 
<br>>>> OCF support for IKE [disabled] SAref support [disabled]: Protocol <br>>>> not available SAbind support [disabled]: Protocol not available NSS <br>>>> support [disabled] HAVE_STATSD notification support not compiled in <br>>>> Setting NAT-Traversal port-4500 floating to on<br>>>> port floating activation criteria nat_t=1/port_float=1<br>>>> NAT-Traversal support [enabled] using /dev/urandom as source of <br>>>> random entropy<br>>>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok <br>>>> (ret=0)<br>>>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<br>>>> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<br>>>> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<br>>>> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<br>>>> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<br>>>> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) <br>>>> starting up 1 cryptographic helpers started helper pid=9773 (fd:4) <br>>>> Kernel interface auto-pick No Kernel NETKEY interface detected Using <br>>>> KLIPS IPsec interface code on 2.6.35.14-i686 using /dev/urandom as <br>>>> source of random entropy Changed path to directory <br>>>> '/etc/ipsec.d/cacerts'<br>>>> Changed path to directory '/etc/ipsec.d/aacerts'<br>>>> Changed path to directory '/etc/ipsec.d/ocspcerts'<br>>>> Changing to directory '/etc/ipsec.d/crls'<br>>>> Warning: empty directory<br>>>> address family inconsistency in this connection=2 host=2/nexthop=0 <br>>>> attempt to load incomplete connection address family inconsistency <br>>>> in this connection=2 host=2/nexthop=0 attempt to load incomplete <br>>>> connection listening for IKE messages adding interface ipsec0/eth0<br>>>> 103.29.172.40:500 adding interface ipsec0/eth0 103.29.172.40:4500 <br>>>> adding interface ipsec0/eth0:4 172.16.0.100:500 adding interface<br>>>> ipsec0/eth0:4 172.16.0.100:4500 adding interface ipsec0/eth0:2<br>>>> 
103.29.175.1:500 adding interface ipsec0/eth0:2 103.29.175.1:4500 <br>>>> adding interface ipsec0/eth0:1 103.29.174.1:500 adding interface<br>>>> ipsec0/eth0:1 103.29.174.1:4500 adding interface ipsec0/eth0:0<br>>>> 103.29.173.1:500 adding interface ipsec0/eth0:0 103.29.173.1:4500 <br>>>> adding interface ipsec0/eth0 103.29.172.1:500 adding interface<br>>>> ipsec0/eth0 103.29.172.1:4500 loading secrets from <br>>>> "/etc/ipsec.secrets"<br>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload <br>>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...<br>>>> ] packet from 119.225.115.131:500: initial Main Mode message <br>>>> received on<br>>>> 103.29.172.40:500 but no connection has been authorized with <br>>>> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor <br>>>> ID payload <br>>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...<br>>>> ] packet from 119.225.115.131:500: initial Main Mode message <br>>>> received on<br>>>> 103.29.172.40:500 but no connection has been authorized with <br>>>> policy=PSK<br>>>><br>>>> Cheers<br>>>> Adam<br>>>><br>>>><br>>>><br>>>> -----Original Message-----<br>>>> From: Elison Niven [mailto:elison.niven@elitecore.com]<br>>>> Sent: Thursday, 6 December 2012 10:08 PM<br>>>> To: adstar@genis-x.com<br>>>> Cc: users@lists.openswan.org<br>>>> Subject: Re: [Openswan Users] Problem with a simple connection.<br>>>><br>>>>> Ok so my external interface is eth1 internal eth0<br>>>> You are receiving the main mode request on eth0.<br>>>><br>>>> You are receiving packets on this interface :<br>>>>> packet from 119.225.115.131:500: initial Main Mode message received <br>>>>> on<br>>>>> 103.29.172.40:500 but no connection has been authorized with <br>>>>> policy=PSK<br>>>> Therefore you should have left=103.29.172.40 in your config. 
You can omit leftnexthop in the config.<br>>>><br>>>> Restart your ipsec service or do ipsec auto --rereadall after doing the changes.<br>>>> Kindly do not take the discussion off-list.<br>>>><br>>>> On Thursday 06 December 2012 04:26:57 PM IST, adstar@genis-x.com wrote:<br>>>>> Hi Elison,<br>>>>><br>>>>> OK, so my external interface is eth1, internal eth0.<br>>>>><br>>>>> I'm not sure what to put as the left/leftnexthop.<br>>>>> I have tried<br>>>>> conn conn<br>>>>> type = tunnel<br>>>>> authby = secret<br>>>>> left = 202.45.103.162<br>>>>> leftnexthop = 202.45.103.161<br>>>>> right = 119.225.115.131<br>>>>> rightnexthop = %defaultroute<br>>>>> ike = aes256-sha1-modp1536<br>>>>> esp = aes256-sha1<br>>>>> keyexchange = ike<br>>>>> pfs = no<br>>>>> auto = add<br>>>>><br>>>>> but still get the error<br>>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload <br>>>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...<br>>>>> ] packet from 119.225.115.131:500: initial Main Mode message <br>>>>> received on<br>>>>> 103.29.172.40:500 but no connection has been authorized with <br>>>>> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor <br>>>>> ID payload <br>>>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...<br>>>>> ] packet from 119.225.115.131:500: initial Main Mode message <br>>>>> received on<br>>>>> 103.29.172.40:500 but no connection has been authorized with <br>>>>> policy=PSK<br>>>>><br>>>>> Also do you mean all IPv6 on all interfaces?<br>>>>><br>>>>> Thanks for your help<br>>>>> Cheers<br>>>>> Adam<br>>>>><br>>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000<br>>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff<br>>>>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0<br>>>>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0<br>>>>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1<br>>>>> inet 103.29.175.1/24 brd 
103.29.175.255 scope global eth0:2<br>>>>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4<br>>>>> inet 103.29.172.40/24 scope global secondary eth0<br>>>>> inet6 fe80::225:90ff:fe35:359e/64 scope link<br>>>>> valid_lft forever preferred_lft forever<br>>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000<br>>>>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff<br>>>>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1<br>>>>> inet6 fe80::225:90ff:fe35:359f/64 scope link<br>>>>> valid_lft forever preferred_lft forever<br>>>>><br>>>>><br>>>>> I would like my external clients to connect to the IP 172.29.172.40<br>>>>><br>>>>> firewall# ip route<br>>>>> 202.45.103.160/30 dev eth1 proto kernel scope link src 202.45.103.162<br>>>>> 172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.100<br>>>>> 103.29.174.0/24 dev eth0 proto kernel scope link src 103.29.174.1<br>>>>> 103.29.175.0/24 dev eth0 proto kernel scope link src 103.29.175.1<br>>>>> 103.29.172.0/24 dev eth0 proto kernel scope link src 103.29.172.1<br>>>>> 103.29.173.0/24 dev eth0 proto kernel scope link src 103.29.173.1<br>>>>> default via 202.45.103.161 dev eth1<br>>>>><br>>>>><br>>>>><br>>>>><br>>>>> -----Original Message-----<br>>>>> From: Elison Niven [mailto:elison.niven@elitecore.com]<br>>>>> Sent: Thursday, 6 December 2012 9:27 PM<br>>>>> To: adstar@genis-x.com<br>>>>> Cc: users@lists.openswan.org<br>>>>> Subject: Re: [Openswan Users] Problem with a simple connection.<br>>>>><br>>>>> The address type of your host address (left) does not match with the address type of your nexthop (leftnexthop).<br>>>>> You can try removing leftnexthop=%defaultroute and put in the <br>>>>> actual<br>>>>> IPv4 gateway, and do the same for rightnexthop.<br>>>>> You can also try disabling IPv6.<br>>>>><br>>>>> On Thursday 06 December 2012 08:48:45 AM IST, adstar@genis-x.com wrote:<br>>>>>> Hi all,<br>>>>>><br>>>>>> I’m 
having an issue setting up a tunnel that I need some help with.<br>>>>>><br>>>>>> I have included the relevant files below<br>>>>>><br>>>>>><br>>>>>> My first issue is when I start ipsec I get the following error:<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family <br>>>>>> inconsistency in this connection=2 host=2/nexthop=0<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load <br>>>>>> incomplete connection<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family <br>>>>>> inconsistency in this connection=2 host=2/nexthop=0<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load <br>>>>>> incomplete connection<br>>>>>><br>>>>>> My second issue is the right side can’t connect.<br>>>>>><br>>>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID <br>>>>>> payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...<br>>>>>> ]<br>>>>>><br>>>>>> packet from 119.225.115.131:500: initial Main Mode message <br>>>>>> received on<br>>>>>> 103.29.172.40:500 but no connection has been authorized with <br>>>>>> policy=PSK<br>>>>>><br>>>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID <br>>>>>> payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...<br>>>>>> ]<br>>>>>><br>>>>>> packet from 119.225.115.131:500: initial Main Mode message <br>>>>>> received on<br>>>>>> 103.29.172.40:500 but no connection has been authorized with <br>>>>>> policy=PSK<br>>>>>><br>>>>>> Can anyone help me on where to go from here?<br>>>>>><br>>>>>> Cheers<br>>>>>> Adam<br>>>>>><br>>>>>> firewall# ipsec --version<br>>>>>><br>>>>>> Linux Openswan 2.6.37 (klips)<br>>>>>><br>>>>>><br>>>>>> firewall# cat ipsec.conf<br>>>>>><br>>>>>> # /etc/ipsec.conf - Openswan IPsec configuration file<br>>>>>><br>>>>>> version 2.0 # conforms to second version of ipsec.conf specification<br>>>>>><br>>>>>> # bconn configuration<br>>>>>><br>>>>>> config 
setup<br>>>>>><br>>>>>> #plutodebug = "all"<br>>>>>><br>>>>>> #klipsdebug = "all"<br>>>>>><br>>>>>> plutoopts="--perpeerlog"<br>>>>>><br>>>>>> dumpdir=/var/run/pluto/<br>>>>>><br>>>>>> nat_traversal=yes<br>>>>>><br>>>>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>>>>>><br>>>>>> oe=off<br>>>>>><br>>>>>> protostack=klips<br>>>>>><br>>>>>> plutostderrlog=/var/log/pluto.log<br>>>>>><br>>>>>> interfaces="ipsec0=eth0"<br>>>>>><br>>>>>> listen=103.29.172.40<br>>>>>><br>>>>>> # Add connections here<br>>>>>><br>>>>>> conn multi-conn1<br>>>>>><br>>>>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}<br>>>>>><br>>>>>> leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.61/32,103.29.173.64/32,103.29.173.65/32}<br>>>>>><br>>>>>> also=conn1<br>>>>>><br>>>>>> conn conn1<br>>>>>><br>>>>>> type = tunnel<br>>>>>><br>>>>>> authby = secret<br>>>>>><br>>>>>> left = 103.29.172.40<br>>>>>><br>>>>>> leftnexthop = %defaultroute<br>>>>>><br>>>>>> right = 119.225.115.131<br>>>>>><br>>>>>> rightnexthop = %defaultroute<br>>>>>><br>>>>>> ike = aes256-sha1-modp1536<br>>>>>><br>>>>>> esp = aes256-sha1<br>>>>>><br>>>>>> keyexchange = ike<br>>>>>><br>>>>>> pfs = no<br>>>>>><br>>>>>> auto = add<br>>>>>><br>>>>>> firewall# cat ipsec.secrets<br>>>>>><br>>>>>> # This file holds shared secrets or RSA private keys for <br>>>>>> inter-Pluto<br>>>>>><br>>>>>> # authentication. 
See ipsec_pluto(8) manpage, and HTML documentation.<br>>>>>><br>>>>>> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"<br>>>>>><br>>>>>> firewall# ip addr<br>>>>>><br>>>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state <br>>>>>> UNKNOWN<br>>>>>><br>>>>>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>>>>>><br>>>>>> inet 127.0.0.1/8 scope host lo<br>>>>>><br>>>>>> inet6 ::1/128 scope host<br>>>>>><br>>>>>> valid_lft forever preferred_lft forever<br>>>>>><br>>>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc <br>>>>>> pfifo_fast state UP qlen 1000<br>>>>>><br>>>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff<br>>>>>><br>>>>>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0<br>>>>>><br>>>>>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0<br>>>>>><br>>>>>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1<br>>>>>><br>>>>>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2<br>>>>>><br>>>>>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4<br>>>>>><br>>>>>> inet 103.29.172.40/24 scope global secondary eth0<br>>>>>><br>>>>>> inet6 fe80::225:90ff:fe35:359e/64 scope link<br>>>>>><br>>>>>> valid_lft forever preferred_lft forever<br>>>>>><br>>>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc <br>>>>>> pfifo_fast state UP qlen 1000<br>>>>>><br>>>>>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff<br>>>>>><br>>>>>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1<br>>>>>><br>>>>>> inet6 fe80::225:90ff:fe35:359f/64 scope link<br>>>>>><br>>>>>> valid_lft forever preferred_lft forever<br>>>>>><br>>>>>> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state <br>>>>>> UNKNOWN qlen 10<br>>>>>><br>>>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff<br>>>>>><br>>>>>> inet 103.29.172.1/32 scope global ipsec0<br>>>>>><br>>>>>> inet 103.29.173.1/32 scope global ipsec0<br>>>>>><br>>>>>> inet 103.29.174.1/32 scope global ipsec0<br>>>>>><br>>>>>> inet 
103.29.175.1/32 scope global ipsec0<br>>>>>><br>>>>>> inet 172.16.0.100/32 scope global ipsec0<br>>>>>><br>>>>>> inet 103.29.172.40/32 scope global ipsec0<br>>>>>><br>>>>>> inet6 fe80::225:90ff:fe35:359e/128 scope link<br>>>>>><br>>>>>> valid_lft forever preferred_lft forever<br>>>>>><br>>>>>> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10<br>>>>>><br>>>>>> link/void<br>>>>>><br>>>>>> firewall# cat daemon.log<br>>>>>><br>>>>>> Dec 6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...<br>>>>>><br>>>>>> Dec 6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS debug `none'<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0 103.29.172.1/24 broadcast mtu 1500<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency in this connection=2 host=2/nexthop=0<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete connection<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family inconsistency in this connection=2 host=2/nexthop=0<br>>>>>><br>>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load incomplete connection<br>>>>>><br>>>>>><br>>>>>><br>>>>>> _______________________________________________<br>>>>>> Users@lists.openswan.org<br>>>>>> https://lists.openswan.org/mailman/listinfo/users<br>>>>>> Micropayments:<br>>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>>>>>> Building and Integrating Virtual Private Networks with Openswan:<br>>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>>>>><br>>>>> --<br>>>>> Best Regards,<br>>>>> Elison 
Niven<br>>>>><br>>>>><br>>>>><br>>>><br>>>> --<br>>>> Best Regards,<br>>>> Elison Niven<br>>>><br>>>><br>>>><br>>><br>>> --<br>>> Best Regards,<br>>> Elison Niven<br>>><br>><br><br></body>