[Openswan dev] Regarding IKE implementation in openswan

Paul Wouters paul at nohats.ca
Mon Feb 27 16:23:58 EST 2012


On Mon, 27 Feb 2012, SaRaVanAn wrote:

> Hi Paul,
>     We have developed our own IKE daemon and are testing its interoperability with Openswan. We are facing
> certain issues that are hard to debug.
> You might have faced the same kind of issue in the Openswan IKE implementation, and it would be of great help if
> you could help me out on this.

You need to ensure that unencrypted UDP 500/4500 are always allowed, or
else you can only rekey if you have an IPsec tunnel up. But if one end
crashes, you would never be able to reconnect until the other end
removes the IPsec SA (on openswan that is an 8h timeout).

Paul

> Setup
> +++++++
> Openswan ------------------------   VPN server (our own IKE daemon)
> 
> 
> 172.31.114.233                      172.31.114.239
> 
> 
> The Openswan VPN client is trying to do rekeying with our VPN server, but the IKE packets coming from openswan
> are not reaching our isakmp socket; they get
> dropped somewhere. I suspect the SPD and SAD rules added in the kernel might be causing the problem.
> 
> I just compared the SAD and SPD rules updated on both sides and could not find any difference. I have no
> clue why the IKE packets are not coming to our
> IKE user space daemon.
> 
> 
> Please help if you have ever faced this issue on Openswan IKE implementation.
> 
> SAD and SPD tables for your reference
> +++++++++++++++++++++++++++++++
> 172.31.114.239[any] 172.31.114.233[any] any
>     out prio high + 1073739744 ipsec
>     esp/transport//unique:11
>     created: Feb 27 23:11:19 2012  lastused:
>     lifetime: 0(s) validtime: 0(s)
>     spid=1545 seq=1 pid=6715
>     refcnt=2
> 172.31.114.233[any] 172.31.114.239[any] any
>     in prio high + 1073739744 ipsec
>     esp/transport//unique:11
>     created: Feb 27 23:11:19 2012  lastused:
>     lifetime: 0(s) validtime: 0(s)
>     spid=1536 seq=0 pid=6715
>     refcnt=2
> 
> [root at localhost labuser]# setkey -D
> 
> 172.31.114.239 172.31.114.233
>     esp mode=transport spi=2068115192(0x7b44eef8) reqid=11(0x0000000b)
>     E: aes-cbc  fb5adf8f 11c5c019 bf75d0fc 07a7a8ef
>     A: hmac-sha1  6b1c2219 4535a933 b2b16230 eb144d92 d13dc2ea
>     seq=0x00000000 replay=32 flags=0x00000000 state=mature
>     created: Feb 27 23:11:19 2012   current: Feb 27 23:11:27 2012
>     diff: 8(s)  hard: 0(s)  soft: 0(s)
>     last:                       hard: 0(s)  soft: 0(s)
>     current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
>     allocated: 0    hard: 0 soft: 0
>     sadb_seq=1 pid=6718 refcnt=0
> 172.31.114.233 172.31.114.239
>     esp mode=transport spi=1999636893(0x7730099d) reqid=11(0x0000000b)
>     E: aes-cbc  a17a73d1 cc9976e5 a51fafe6 851b1d51
>     A: hmac-sha1  ab96669f 188bb172 5e6362cb fe7284ad 32af81a9
>     seq=0x00000000 replay=32 flags=0x00000000 state=mature
>     created: Feb 27 23:11:19 2012   current: Feb 27 23:11:27 2012
>     diff: 8(s)  hard: 0(s)  soft: 0(s)
>     last:                       hard: 0(s)  soft: 0(s)
>     current: 0(bytes)   hard: 0(bytes)  soft: 0(bytes)
>     allocated: 0    hard: 0 soft: 0
>     sadb_seq=0 pid=6718 refcnt=0
> 
> Please let me know if you need more logs for this issue.
> 
> Regards,
> Saravanan N
>
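
An added example (not part of the original thread and not Openswan code): a Python check that parses `setkey -DP`-style SPD output such as the dump quoted above and reports where UDP 500/4500 would match an `ipsec` policy with no `none` (bypass) policy in the same direction. It assumes the dump layout shown in the quoted message, ignores address prefixes and policy priority, and cannot see a per-socket bypass policy that an IKE daemon may set on its own socket.

```python
import re

# Constructed sample in `setkey -DP` layout, modelled on the SPD dump in the
# quoted message (timestamps and counters omitted).
SAMPLE_SPD = """\
172.31.114.239[any] 172.31.114.233[any] any
    out prio high + 1073739744 ipsec
    esp/transport//unique:11
172.31.114.233[any] 172.31.114.239[any] any
    in prio high + 1073739744 ipsec
    esp/transport//unique:11
"""

IKE_PORTS = ("500", "4500")
FIELDS = ("src", "sport", "dst", "dport", "proto")
SELECTOR = re.compile(r"^(\S+)\[(\w+)\]\s+(\S+)\[(\w+)\]\s+(\S+)$")

def parse_spd(text):
    """Return one dict per policy: src, sport, dst, dport, proto, dir, action."""
    policies = []
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:  # an unindented selector line starts a new policy
            policies.append(dict(zip(FIELDS, m.groups())))
        elif policies and "dir" not in policies[-1] and line.split():
            words = line.split()  # first indented line: "<dir> [prio ...] <action>"
            policies[-1].update(dir=words[0], action=words[-1])
    return policies

def covers(policy, port):
    """True if the selector matches UDP traffic using this port on both ends."""
    return (policy["proto"] in ("any", "udp", "17")
            and policy["sport"] in ("any", port)
            and policy["dport"] in ("any", port))

def ike_exposure(policies):
    """(dir, port) pairs that an ipsec policy captures and no 'none' policy exempts."""
    findings = []
    for direction in ("in", "out"):
        for port in IKE_PORTS:
            hit = [p for p in policies if p.get("dir") == direction and covers(p, port)]
            actions = {p["action"] for p in hit}
            if "ipsec" in actions and "none" not in actions:
                findings.append((direction, port))
    return findings

if __name__ == "__main__":
    for direction, port in ike_exposure(parse_spd(SAMPLE_SPD)):
        print(f"{direction}: UDP {port} matches an ipsec policy and has no bypass")
```
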
