<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.<br><div><br><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>From: </b></span><span style="font-family:'Helvetica';">Ted Victorio &lt;<a href="mailto:tvan5bee@yahoo.com">tvan5bee@yahoo.com</a>&gt;<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>Openswan 2.4.12 fails handshake</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica';">January 15, 2014 at 5:06:24 PM EST<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica';">"<a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>" &lt;<a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a>&gt;<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; color:rgba(127, 127, 127, 1.0);"><b>Reply-To: </b></span><span style="font-family:'Helvetica';">Ted Victorio &lt;<a href="mailto:tvan5bee@yahoo.com">tvan5bee@yahoo.com</a>&gt;<br></span></div><br><br><div><div style="background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', 
sans-serif; font-size: 10pt;"><div><span><br></span></div><div style="display: block;" class="yahoo_quoted">Our existing uClinux-dist-20080808 (kernel 2.6.25-uc0) build includes openswan 2.4.12 (which came with the distro)<br><div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 10pt;"><div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 12pt;"><div class="y_msg_container"><div id="yiv7993591535"><div style="background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt;">Problem: The unit neither initiates nor responds to the remote IPsec Main Mode handshake.<br>Wireshark monitor has shown the remote ubuntu PC initiated
ISAKMP-Identity Protection (Main Mode)<br>but the local unit replied with ICMP-Destination unreachable (Port unreachable).<br>Can someone advise me on how to proceed next?<br>Details shown below. Thank you in advance for your help. <br>Ted<br> <br>The relevant IPsec modules were verified.<br>/> lsmod<br>Module Size Used by<br>af_key 29216 - - Live 0x41490000<br>xfrm_user 15092 - - Live 0x415b8000<br>xfrm4_tunnel 640 - - Live
0x414a2800<br>
tunnel4 852 - - Live 0x414a2c00<br>
ipcomp 2748 - - Live 0x41422000<br>
esp4 3764 - - Live 0x41d20000<br>
ah4 2824 - - Live 0x41c4c000<br><br>
-----------------------------<br>
I executed the following commands (uClinux unit) since the build has no ipsec scripting utilities:<br>
/>pluto --nofork --noklips --use-netkey --secretsfile /mnt/ipsec.secrets --debug-all &amp;<br>
/>whack --listen &amp;<br>
/>whack --name link2 --host 90.0.0.3 --to --host 90.0.0.9 --client 209.0.0.0/24 --psk --encrypt --tunnel --pfs &amp;<br>
/>whack --name link2 --initiate &amp;<br>
/><br>
Pluto initialized<br>
Nov 30 00:01:51 pluto[30]: Starting Pluto (Openswan Version 2.4.12 PLUTO_SENDS_VENDORID; Vendor ID OEzufdtpHjOA)<br>
Nov 30 00:01:51 pluto[30]: | opening /dev/urandom<br>
Nov 30 00:01:51 pluto[30]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds<br>
Nov 30 00:01:51 pluto[30]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds<br>
Nov 30 00:01:51 pluto[30]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok(ret=0)<br>
Nov 30 00:01:51 pluto[30]: starting up 1 cryptographic helpers<br>
Nov 30 00:03:55 pluto[31]: | opening /dev/urandom<br>
Nov 30 00:03:55 pluto[31]: ! helper 0 waiting on fd: 6<br> <br>
Note: Using similar pluto &amp; whack commands above, I was able to have 2 Ubuntu PCs establish IPsec communication.<br><br>
-----------------------------<br>
I executed the following commands (On Ubuntu side):<br>
# ipsec auto --add link2<br>
# ipsec auto --up link2<br><br><br><br>
Additional IPsec build configuration options:<br><br>
Networking options<br>
CONFIG_XFRM_USER=m<br>
CONFIG_NET_KEY=m<br>
CONFIG_INET_AH=m<br>
CONFIG_INET_ESP=m<br>
CONFIG_INET_IPCOMP=m<br>
CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>
CONFIG_INET_XFRM_MODE_TUNNEL=m<br> <br>
Cryptographic API<br>
CONFIG_CRYPTO_NULL=y<br>
CONFIG_CRYPTO_HMAC=y<br>
CONFIG_CRYPTO_MD5=y<br>
CONFIG_CRYPTO_SHA1=y<br>
CONFIG_CRYPTO_AES=y<br>
CONFIG_CRYPTO_DES=y<br>
CONFIG_CRYPTO_DEFLATE=y<br> <br> <br>
uClinux to Ubuntu test configuration<br>
Ubuntu setup:<br>
-------------<br>
ipsec.conf:<br>
 config setup<br>
 plutodebug=all<br>
 klipsdebug=all<br>
 #nat_traversal=yes<br> <br>
 conn link2<br>
 type=tunnel<br>
authby=secret<br> left=90.0.0.3<br> right=90.0.0.9<br> rightsubnet=209.0.0.0/24<br> <br> <br>ipsec.secrets:<br>90.0.0.3 90.0.0.9 : PSK "testing12345"<br> <br>uClinux setup:<br>--------------<br>/mnt/ipsec.secrets:<br>90.0.0.3 90.0.0.9 : PSK "testing12345"<br> <br> <br>(uClinux) 90.0.0.3====================90.0.0.9 (Ubuntu) ---- 209.0.0.9<br><br></div></div><br><br></div> </div> </div> </div> </div></div><br><br></div></div><br></body></html>