[Openswan dev] more info on pfs failure previous message

Paul Wouters paul at xelerance.com
Fri Mar 10 18:59:48 CET 2006



---------- Forwarded message ----------
Date: Fri, 10 Mar 2006 15:35:18 +0000
From: Brian Candler <B.Candler at pobox.com>
To: users at openswan.org
Subject: [Openswan Users]

>                                   dynamic     static
> 10.1.50.0/28          172.151     x.x.x.x     p.p.p.p     10.1.1.0/24
> ------------ Openswan ------- NAT =================== PIX -----------
>              (Linux)          rtr

Supplementary information:

(1) Logs from the PIX side

Once the Openswan box thinks that phase 2 is up, it sends packets to UDP
port 4500, but the PIX is discarding them (without explaining exactly *why*
it's discarding them). The logs show incoming UDP packets from openswan with
two different source ports, x.x.x.x/62859 and x.x.x.x/3593, to port 4500.

Mar 10 14:27:00 pixfw2 %PIX-7-713906: IP = x.x.x.x, processing SA payloadMar 10 14:27:00 pixfw2 %PIX-7-713906: IP = x.x.x.x, processing ke payloadMar 10 14:27:00 pixfw2 %PIX-7-713906: IP = x.x.x.x, processing ISA_KE
Mar 10 14:27:00 pixfw2 %PIX-7-715001: IP = x.x.x.x, processing nonce payload
Mar 10 14:27:00 pixfw2 %PIX-7-715001: IP = x.x.x.x, Processing ID
Mar 10 14:27:00 pixfw2 %PIX-7-715047: IP = x.x.x.x, processing VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715049: IP = x.x.x.x, Received DPD VID
Mar 10 14:27:00 pixfw2 %PIX-7-715047: IP = x.x.x.x, processing VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715047: IP = x.x.x.x, processing VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 03 VID
Mar 10 14:27:00 pixfw2 %PIX-7-715047: IP = x.x.x.x, processing VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715047: IP = x.x.x.x, processing VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715049: IP = x.x.x.x, Received NAT-Traversal ver 02 VID
Mar 10 14:27:00 pixfw2 %PIX-7-715047: IP = x.x.x.x, processing VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-713906: IP = x.x.x.x, Connection landed on tunnel_group gprstesting1
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing IKE SA
Mar 10 14:27:00 pixfw2 %PIX-7-715028: Group = gprstesting1, IP = x.x.x.x, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 4
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing ISA_SA for isakmp
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing ke payload
Mar 10 14:27:00 pixfw2 %PIX-7-715001: Group = gprstesting1, IP = x.x.x.x, constructing nonce payload
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, Generating keys for Responder...
Mar 10 14:27:00 pixfw2 %PIX-7-715001: Group = gprstesting1, IP = x.x.x.x, constructing ID
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, construct hash payload
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, computing hash
Mar 10 14:27:00 pixfw2 %PIX-7-715046: Group = gprstesting1, IP = x.x.x.x, constructing Cisco Unity VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715046: Group = gprstesting1, IP = x.x.x.x, constructing xauth V6 VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715046: Group = gprstesting1, IP = x.x.x.x, constructing dpd vid payload
Mar 10 14:27:00 pixfw2 %PIX-7-715046: Group = gprstesting1, IP = x.x.x.x, constructing NAT-Traversal VID ver 02 payload
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing NAT Discovery payload
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, computing NAT Discovery hash
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing NAT Discovery payload
Mar 10 14:27:00 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, computing NAT Discovery hash
Mar 10 14:27:00 pixfw2 %PIX-7-715046: Group = gprstesting1, IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Mar 10 14:27:00 pixfw2 %PIX-7-715048: Group = gprstesting1, IP = x.x.x.x, Send IOS VID
Mar 10 14:27:00 pixfw2 %PIX-7-715038: Group = gprstesting1, IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Mar 10 14:27:00 pixfw2 %PIX-7-715046: Group = gprstesting1, IP = x.x.x.x, constructing VID payload
Mar 10 14:27:00 pixfw2 %PIX-7-715048: Group = gprstesting1, IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Mar 10 14:27:00 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 444
Mar 10 14:27:01 pixfw2 %PIX-6-302016: Teardown UDP connection 11537746 for outside:x.x.x.x/3672 to NP Identity Ifc:p.p.p.p/4500 duration 0:02:03 bytes 0
Mar 10 14:27:01 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE RECEIVED Message (msgid=0) with payloads : HDR + NAT-D (130) + NAT-D (130) + HASH (8) + NONE (0) total length : 88
Mar 10 14:27:01 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing NAT-Discovery payload
Mar 10 14:27:01 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, computing NAT Discovery hash
Mar 10 14:27:01 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing NAT-Discovery payload
Mar 10 14:27:01 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, computing NAT Discovery hash
Mar 10 14:27:01 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing hash
Mar 10 14:27:01 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, computing hash
Mar 10 14:27:01 pixfw2 %PIX-6-713172: Group = gprstesting1, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Mar 10 14:27:01 pixfw2 %PIX-3-713119: Group = gprstesting1, IP = x.x.x.x, PHASE 1 COMPLETED
Mar 10 14:27:01 pixfw2 %PIX-7-713121: IP = x.x.x.x, Keep-alive type for this connection: DPD
Mar 10 14:27:01 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, Starting phase 1 rekey timer: 2700000 (ms)
Mar 10 14:27:01 pixfw2 %PIX-7-720041: (VPN-Primary) Sending New Phase 1 SA message (type L2L, remote addr x.x.x.x, my cookie DA1A55DF, his cookie 070B82EB) to standby unit
Mar 10 14:27:02 pixfw2 %PIX-7-714003: IP = x.x.x.x, IKE Responder starting QM: msg id = a2e00b9d
Mar 10 14:27:02 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE RECEIVED Message (msgid=a2e00b9d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 368
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing hash
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing SA payload
Mar 10 14:27:02 pixfw2 %PIX-7-715001: Group = gprstesting1, IP = x.x.x.x, processing nonce payload
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing ke payload
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing ISA_KE for PFS in phase 2
Mar 10 14:27:02 pixfw2 %PIX-7-715001: Group = gprstesting1, IP = x.x.x.x, Processing ID
Mar 10 14:27:02 pixfw2 %PIX-7-713035: Group = gprstesting1, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload:   Address 10.1.50.0, Mask 255.255.255.240, Protocol 0, Port 0
Mar 10 14:27:02 pixfw2 %PIX-7-715001: Group = gprstesting1, IP = x.x.x.x, Processing ID
Mar 10 14:27:02 pixfw2 %PIX-7-713034: Group = gprstesting1, IP = x.x.x.x, Received local IP Proxy Subnet data in ID Payload:   Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Mar 10 14:27:02 pixfw2 %PIX-7-713221: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, checking map = vpns_to_internet, seq = 10...
Mar 10 14:27:02 pixfw2 %PIX-7-713222: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, map = vpns_to_internet, seq = 10, ACL does not match proxy IDs src:10.1.50.0 dst:10.1.1.0
Mar 10 14:27:02 pixfw2 %PIX-7-713221: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, checking map = vpns_to_internet, seq = 20...
Mar 10 14:27:02 pixfw2 %PIX-7-713222: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, map = vpns_to_internet, seq = 20, ACL does not match proxy IDs src:10.1.50.0 dst:10.1.1.0
Mar 10 14:27:02 pixfw2 %PIX-7-713221: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, checking map = vpns_to_internet, seq = 30...
Mar 10 14:27:02 pixfw2 %PIX-7-713222: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, map = vpns_to_internet, seq = 30, ACL does not match proxy IDs src:10.1.50.0 dst:10.1.1.0
Mar 10 14:27:02 pixfw2 %PIX-7-713221: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, checking map = vpns_to_internet, seq = 40...
Mar 10 14:27:02 pixfw2 %PIX-7-713223: Group = gprstesting1, IP = x.x.x.x, Static Crypto Map check, map = vpns_to_internet, seq = 40, no ACL configured
Mar 10 14:27:02 pixfw2 %PIX-7-715059: Group = gprstesting1, IP = x.x.x.x, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Mar 10 14:27:02 pixfw2 %PIX-7-713066: Group = gprstesting1, IP = x.x.x.x, IKE Remote Peer configured for SA: vpn_ras
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing IPSEC SA
Mar 10 14:27:02 pixfw2 %PIX-7-715027: Group = gprstesting1, IP = x.x.x.x, IPSec SA Proposal # 0, Transform # 3 acceptable  Matches global IPSec SA entry # 100
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, IKE: requesting SPI!
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, oakley constucting quick mode
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing blank hash
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing ISA_SA for ipsec
Mar 10 14:27:02 pixfw2 %PIX-7-715001: Group = gprstesting1, IP = x.x.x.x, constructing ipsec nonce payload
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing pfs ke payload
Mar 10 14:27:02 pixfw2 %PIX-7-715001: Group = gprstesting1, IP = x.x.x.x, constructing proxy ID
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, Transmitting Proxy Id:   Remote subnet: 10.1.50.0  Mask 255.255.255.240 Protocol 0  Port 0   Local subnet:  10.1.1.0  mask 255.255.255.0 Protocol 0  Port 0
Mar 10 14:27:02 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing qm hash
Mar 10 14:27:02 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE SENDING Message (msgid=a2e00b9d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 288
Mar 10 14:27:03 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:03 pixfw2 %PIX-6-302015: Built inbound UDP connection 11537925 for outside:x.x.x.x/62859 (x.x.x.x/62859) to NP Identity Ifc:p.p.p.p/4500 (p.p.p.p/4500)
Mar 10 14:27:03 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/62859 to outside:p.p.p.p/4500
Mar 10 14:27:04 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:05 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:06 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:07 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:08 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:09 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:10 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:10 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/62859 to outside:p.p.p.p/4500
Mar 10 14:27:11 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:12 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:13 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:14 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:15 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:16 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:17 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:18 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:19 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:19 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/62859 to outside:p.p.p.p/4500
Mar 10 14:27:20 pixfw2 %PIX-7-715036: Group = gprstesting1, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE (seq number 0x67481e17)
Mar 10 14:27:20 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing blank hash
Mar 10 14:27:20 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing qm hash
Mar 10 14:27:20 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE SENDING Message (msgid=28b8f911) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 10 14:27:20 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:20 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE RECEIVED Message (msgid=554cd761) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Mar 10 14:27:20 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing hash
Mar 10 14:27:20 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, Processing Notify payload
Mar 10 14:27:20 pixfw2 %PIX-7-715075: Group = gprstesting1, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x67481e17)
Mar 10 14:27:21 pixfw2 %PIX-4-713903: IP = x.x.x.x, Unsupported message length of 0
Mar 10 14:27:21 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:22 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:23 pixfw2 %PIX-7-710005: UDP request discarded from x.x.x.x/3593 to outside:p.p.p.p/4500
Mar 10 14:27:23 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE RECEIVED Message (msgid=9e845f4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
Mar 10 14:27:23 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing hash
Mar 10 14:27:23 pixfw2 %PIX-5-713050: Group = gprstesting1, IP = x.x.x.x, Connection terminated for peer gprstesting1.  Reason: Peer Terminate  Remote Proxy 10.1.50.0, Local Proxy 10.1.1.0
Mar 10 14:27:23 pixfw2 %PIX-7-715009: Group = gprstesting1, IP = x.x.x.x, IKE Deleting SA: Remote Proxy 10.1.50.0, Local Proxy 10.1.1.0
Mar 10 14:27:23 pixfw2 %PIX-3-713902: Group = gprstesting1, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Mar 10 14:27:23 pixfw2 %PIX-3-713214: Group = gprstesting1, IP = x.x.x.x, Could not delete route for L2L peer that came in on a dynamic map. address: 10.1.50.0, mask: 15.0.0.0
Mar 10 14:27:23 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, IKE SA AM:da1a55df rcv'd Terminate: state AM_ACTIVE  flags 0x00000041, refcnt 1, tuncnt 0
Mar 10 14:27:23 pixfw2 %PIX-7-720041: (VPN-Primary) Sending Phase 1 Terminate message (type L2L, remote addr x.x.x.x, my cookie DA1A55DF, his cookie 070B82EB) to standby unit
Mar 10 14:27:23 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, IKE SA AM:da1a55df terminating:  flags 0x01000001, refcnt 0, tuncnt 0
Mar 10 14:27:23 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing blank hash
Mar 10 14:27:23 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, constructing qm hash
Mar 10 14:27:23 pixfw2 %PIX-7-713906: IP = x.x.x.x, IKE DECODE SENDING Message (msgid=c3efe6ea) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Mar 10 14:27:23 pixfw2 %PIX-4-113019: Group = gprstesting1, Username = gprstesting1, IP = x.x.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:21s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Mar 10 14:27:24 pixfw2 %PIX-5-713904: IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Now, the openswan box is behind NAT (actually two NAT boxes: firstly a GPRS
router, which picks up another private IP from the GPRS operator's network,
and then the GPRS operator's own NAT firewall to get out to the Internet)

If I run tcpdump on the openswan box's own interface, I see some packets
with {src 500, dst 4500} and others with {src 4500, dst 4500}. As far as I
can tell, the 500/4500 ones are IKE, and 4500/4500 are payload (i.e. test
pings)

Is this correct, or is openswan messing up here?? Since there are two
different source ports, of course these get mapped to two different ones via
the intervening NAT.

I see in RFC3947: "In Main Mode ... The initiator MUST set both UDP source
and destination ports to 4500". I'm using aggressive mode, but it does say
later: "The procedure for Aggressive Mode is very similar. After the NAT has
been detected, the initiator sends IP UDP(4500,4500)" and the example shows
UDP(4500,4500) as well.

Hence it seems to me that openswan isn't behaving correctly here by choosing
UDP(500,4500) for some packets, but I stand to be corrected.

Here's a snippet of tcpdump, taken on the openswan box:

00:58:40.517687 IP (tos 0x0, ttl 231, id 18788, offset 0, flags [none], length: 472) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 1 R agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #0 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=0e10))))
    (ke: key len=128)
    (nonce: n len=20)
    (id: idtype=IPv4 protoid=udp port=0 len=4 p.p.p.p)
    (hash: len=16)
    (vid: len=16)
    (vid: len=8)
    (vid: len=16)
    (vid: len=16)
    (#130)
    (#130)
    (vid: len=20)
    (vid: len=16)
    (vid: len=16)
00:58:40.622559 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 120) 172.151.113.52.500 > p.p.p.p.500: [udp sum ok] isakmp 1.0 msgid : phase 1 I agg[E]: [encrypted #130]
00:58:40.707277 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 404) 172.151.113.52.4500 > p.p.p.p.4500: [udp sum ok] UDP, length: 376
00:58:41.951924 IP (tos 0x0, ttl 231, id 18886, offset 0, flags [none], length: 320) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
00:58:43.065078 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 80) 172.151.113.52.500 > p.p.p.p.4500: [udp sum ok] isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
00:58:50.790292 IP (tos 0x0, ttl 231, id 19046, offset 0, flags [none], length: 320) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
00:58:50.792938 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 80) 172.151.113.52.500 > p.p.p.p.4500: [udp sum ok] isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
00:58:58.406616 IP (tos 0x0, ttl 231, id 19224, offset 0, flags [none], length: 320) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
00:58:58.408866 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 80) 172.151.113.52.500 > p.p.p.p.4500: [udp sum ok] isakmp 1.0 msgid : phase 2/others I oakley-quick[E]: [encrypted hash]
00:59:00.345936 IP (tos 0x0, ttl 231, id 19303, offset 0, flags [none], length: 112) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others R inf[E]: [encrypted hash]
00:59:00.350227 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 112) 172.151.113.52.500 > p.p.p.p.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others I inf[E]: [encrypted hash]
00:59:00.352356 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 29) 172.151.113.52.500 > p.p.p.p.500: [udp sum ok] [|isakmp]
00:59:07.032923 IP (tos 0x0, ttl 231, id 19409, offset 0, flags [none], length: 320) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others R oakley-quick[E]: [encrypted hash]
00:59:09.875876 IP (tos 0x0, ttl  64, id 6642, offset 0, flags [none], length: 144) 172.151.113.52.4500 > p.p.p.p.4500: [no cksum] UDP, length: 116
00:59:10.875287 IP (tos 0x0, ttl  64, id 6643, offset 0, flags [none], length: 144) 172.151.113.52.4500 > p.p.p.p.4500: [no cksum] UDP, length: 116
00:59:14.568307 IP (tos 0x0, ttl 231, id 19650, offset 0, flags [none], length: 96) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others R inf[E]: [encrypted hash]
00:59:14.588480 IP (tos 0x0, ttl 231, id 19663, offset 0, flags [none], length: 104) p.p.p.p.500 > 172.151.113.52.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others R inf[E]: [encrypted hash]
00:59:14.606820 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 104) 172.151.113.52.500 > p.p.p.p.500: [udp sum ok] isakmp 1.0 msgid : phase 2/others I inf[E]: [encrypted hash]
00:59:24.680670 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], length: 400) 172.151.113.52.500 > p.p.p.p.500: [udp sum ok] isakmp 1.0 msgid : phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #0 protoid=isakmp transform=1
            (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp1024))))
    (ke: key len=128)
    (nonce: n len=16)
    (id: idtype=FQDN protoid=0 port=0 len=12 gprstesting1)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)
    (vid: len=16)

(2) I tried changing the configs to allow phase 2 with no PFS. At the PIX
side there is now:

crypto dynamic-map vpn_ras 100 set pfs
crypto dynamic-map vpn_ras 100 set transform-set 3des_md5
crypto dynamic-map vpn_ras 100 set reverse-route
crypto dynamic-map vpn_ras 110 set transform-set 3des_md5
crypto dynamic-map vpn_ras 110 set reverse-route

(since I don't want to break other tunnels which may require pfs). Then I
set pfs=no in ipsec.conf. However, now phase 2 fails completely; the PIX
sends an informational message NO_PROPOSAL_CHOSEN

002 "pix" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#7}
117 "pix" #8: STATE_QUICK_I1: initiate
010 "pix" #8: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "pix" #8: STATE_QUICK_I1: retransmission; will wait 40s for response
...
Jan  2 00:52:48 (none) kern.warn pluto[8099]: "pix" #7: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan  2 00:52:48 (none) kern.warn pluto[8099]: "pix" #7: received and ignored informational message

In the PIX logs I see:

...
Mar 10 14:37:07 pixfw2 %PIX-7-715059: Group = gprstesting1, IP = x.x.x.x, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
Mar 10 14:37:07 pixfw2 %PIX-7-713066: Group = gprstesting1, IP = x.x.x.x, IKE Remote Peer configured for SA: vpn_ras
Mar 10 14:37:07 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, processing IPSEC SA
Mar 10 14:37:07 pixfw2 %PIX-5-713904: Group = gprstesting1, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
Mar 10 14:37:07 pixfw2 %PIX-7-713906: Group = gprstesting1, IP = x.x.x.x, sending notify message

So I can't see how to allow pfs=no. That may be a PIX issue of course,
rather than an openswan one.

Regards,

Brian.
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Dev mailing list