[Openswan dev] Unable to setup Openswan tunnel on Ubuntu 14.04.1 LTS with Cisco Asa 5520
George Maina
wachugamaina at gmail.com
Mon Feb 23 08:59:02 EST 2015
Hey guys
I've been stuck for days, need yiur help.
I'm trying to setup a tunnel between our Openswan hosted on Amazon on
Ubuntu 14.04 and a remote Cisco ASA 5520 at a clients place
here are the config files
version 2.0
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:172.25.48.39/32,%v4:172.25.48.43/32
oe=off
protostack=netkey
plutostderrlog=/tmp/pluto.log
include /etc/ipsec.d/*.conf
conn our_client
left=10.0.0.183
leftsubnets={10.0.0.183/32,10.0.0.55/32,10.0.0.56/32}
leftid=A.A.A.A
leftsourceip=A.A.A.A
right=B.B.B.B
rightid=B.B.B.B
rightsubnets={172.25.48.39/32,172.25.48.43/32}
authby=secret
ike=3des-sha1;modp1024
phase2=esp
phase2alg=3des-sha1
keyingtries=3
rekey=yes
keyexchange=ike
ikelifetime=28800s
salifetime=3600s
forceencaps=yes
auto=start
pfs=yes
Cisco ASA settings
crypto map 118 set transform-set ESP-3DES-SHA
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 3600
IKE2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map 118 set security-association lifetime seconds 3600
crypto map 118 set security-association lifetime kilobytes 28800
These is the error Im getting from pluto error log
=================================================================
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
initiating all conns with alias='our_client'
"our_client/3x2" #1: initiating Main Mode
"our_client/3x2" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"our_client/3x2" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
"our_client/3x2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"our_client/3x2" #1: ignoring informational payload, type INVALID_COOKIE
msgid=00000000
"our_client/3x2" #1: received and ignored informational message
shutting down
forgetting secrets
"our_client/3x2": deleting connection
"our_client/3x2" #1: deleting state (STATE_MAIN_I2)
"our_client/3x1": deleting connection
"our_client/2x2": deleting connection
"our_client/2x1": deleting connection
"our_client/1x2": deleting connection
"our_client/1x1": deleting connection
shutting down interface lo/lo ::1:500
shutting down interface lo/lo 127.0.0.1:4500
shutting down interface lo/lo 127.0.0.1:500
shutting down interface eth0/eth0 10.0.0.183:4500
shutting down interface eth0/eth0 10.0.0.183:500
pluto_crypto_helper: helper (0) is normal exiting
tail: /tmp/pluto.log: file truncated
Plutorun started on Mon Feb 23 12:41:52 UTC 2015
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s)
pid:12642
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=12644 (fd:4)
Using Linux 2.6 IPsec interface code on 3.13.0-44-generic (experimental
code)
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already
exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already
exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already
exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already
exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already
exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
added connection description "our_client/1x1"
added connection description "our_client/1x2"
added connection description "our_client/2x1"
added connection description "our_client/2x2"
added connection description "our_client/3x1"
added connection description "our_client/3x2"
listening for IKE messages
adding interface eth0/eth0 10.0.0.183:500
adding interface eth0/eth0 10.0.0.183:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
initiating all conns with alias='our_client'
"our_client/3x2" #1: initiating Main Mode
"our_client/3x2" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"our_client/3x2" #1: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
"our_client/3x2" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"our_client/3x2" #1: ignoring informational payload, type INVALID_COOKIE
msgid=00000000
"our_client/3x2" #1: received and ignored informational message
"our_client/3x2" #1: ignoring informational payload, type INVALID_COOKIE
msgid=00000000
"our_client/3x2" #1: received and ignored informational message
initiating all conns with alias='our_client'
"our_client/3x2" #1: max number of retransmissions (2) reached STATE_MAIN_I2
"our_client/3x2" #1: starting keying attempt 2 of at most 3
"our_client/3x2" #2: initiating Main Mode to replace #1
"our_client/3x2" #2: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"our_client/3x2" #2: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
"our_client/3x2" #2: STATE_MAIN_I2: sent MI2, expecting MR2
"our_client/3x2" #2: ignoring informational payload, type INVALID_COOKIE
msgid=00000000
"our_client/3x2" #2: received and ignored informational message
"our_client/3x2" #2: ignoring informational payload, type INVALID_COOKIE
msgid=00000000
"our_client/3x2" #2: received and ignored informational message
and the ipsec whack status
=====================
ubuntu at ip-10-0-0-183:~$ sudo ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.0.0.183
000 interface eth0/eth0 10.0.0.183
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 172.25.48.39/32, 172.25.48.43/32
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,6,64}
trans={0,6,3072} attrs={0,6,2048}
000
000 "our_client/1x1": 10.0.0.183/32===10.0.0.183
<10.0.0.183>[A.A.A.A]...B.B.B.B<B.B.B.B>===172.25.48.39/32; unrouted;
eroute owner: #0
000 "our_client/1x1": myip=A.A.A.A; hisip=unset;
000 "our_client/1x1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "our_client/1x1": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "our_client/1x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "our_client/1x1": aliases: our_client
000 "our_client/1x1": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "our_client/1x1": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "our_client/1x1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=-strict
000 "our_client/1x1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "our_client/1x2": 10.0.0.183/32===10.0.0.183
<10.0.0.183>[A.A.A.A]...B.B.B.B<B.B.B.B>===172.25.48.43/32; unrouted;
eroute owner: #0
000 "our_client/1x2": myip=A.A.A.A; hisip=unset;
000 "our_client/1x2": ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "our_client/1x2": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "our_client/1x2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "our_client/1x2": aliases: our_client
000 "our_client/1x2": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "our_client/1x2": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "our_client/1x2": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=-strict
000 "our_client/1x2": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "our_client/2x1": 10.0.0.55/32===10.0.0.183
<10.0.0.183>[A.A.A.A]...B.B.B.B<B.B.B.B>===172.25.48.39/32; unrouted;
eroute owner: #0
000 "our_client/2x1": myip=A.A.A.A; hisip=unset;
000 "our_client/2x1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "our_client/2x1": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "our_client/2x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "our_client/2x1": aliases: our_client
000 "our_client/2x1": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "our_client/2x1": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "our_client/2x1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=-strict
000 "our_client/2x1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "our_client/2x2": 10.0.0.55/32===10.0.0.183
<10.0.0.183>[A.A.A.A]...B.B.B.B<B.B.B.B>===172.25.48.43/32; unrouted;
eroute owner: #0
000 "our_client/2x2": myip=A.A.A.A; hisip=unset;
000 "our_client/2x2": ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "our_client/2x2": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "our_client/2x2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "our_client/2x2": aliases: our_client
000 "our_client/2x2": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "our_client/2x2": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "our_client/2x2": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=-strict
000 "our_client/2x2": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "our_client/3x1": 10.0.0.56/32===10.0.0.183
<10.0.0.183>[A.A.A.A]...B.B.B.B<B.B.B.B>===172.25.48.39/32; unrouted;
eroute owner: #0
000 "our_client/3x1": myip=A.A.A.A; hisip=unset;
000 "our_client/3x1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "our_client/3x1": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "our_client/3x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "our_client/3x1": aliases: our_client
000 "our_client/3x1": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "our_client/3x1": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "our_client/3x1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=-strict
000 "our_client/3x1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "our_client/3x2": 10.0.0.56/32===10.0.0.183
<10.0.0.183>[A.A.A.A]...B.B.B.B<B.B.B.B>===172.25.48.43/32; unrouted;
eroute owner: #0
000 "our_client/3x2": myip=A.A.A.A; hisip=unset;
000 "our_client/3x2": ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 3
000 "our_client/3x2": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
interface: eth0;
000 "our_client/3x2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "our_client/3x2": aliases: our_client
000 "our_client/3x2": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "our_client/3x2": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "our_client/3x2": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
flags=-strict
000 "our_client/3x2": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000
000 #2: "our_client/3x2":500 STATE_MAIN_I2 (sent MI2, expecting MR2);
EVENT_RETRANSMIT in 20s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "our_client/1x1" replacing #0
000 #2: pending Phase 2 for "our_client/1x2" replacing #0
000 #2: pending Phase 2 for "our_client/2x1" replacing #0
000 #2: pending Phase 2 for "our_client/2x2" replacing #0
000 #2: pending Phase 2 for "our_client/3x1" replacing #0
000 #2: pending Phase 2 for "our_client/3x2" replacing #0
000
And Ipsec Verify
=============
ubuntu at ip-10-0-0-183:~$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-44-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/dev/attachments/20150223/033e3937/attachment-0001.html>
More information about the Dev
mailing list