[Openswan Users] Re: FreeS/WAN and BEFSX41-CA
Jeannot_Langlois
jeannot at cableamos.com
Thu Apr 15 21:38:15 CEST 2004
Jon Earle wrote:
>Hi,
>
>I've been having some major problems with this router too, and I noticed
>your post on the openswan site. I was curious if you'd sorted out your
>difficulties and wouldn't mind sharing your findings?
>
>Many TIA!
>
>Cheers!
>Jon
>
>
>
Hi John,
(Sorry for the delay in my response; I am quite busy these days...)
I'd be glad to provide you with ANY and ALL detailed documentation about
my experiments (and I would have done so to the mailing lists a long
time ago if I could), but...
Unfortunately, I wasn't able to get our FreeSWAN 2.04 box (which runs
Linux 2.4.24) to establish an IPSEC tunnel with the LINKSYS
BEFSX41-FR(CA) router.
[Take note of this exact model number; this is the *FRENCH CANADIAN*
version I have been experimenting with, *NOT* the standard "American"
version which has model number "BEFSX41"].
Not that I didn't try hard. Three weeks of hard work, but it still did
NOT work. I STRONGLY suspect the problem to be with the LinkSys
router's low quality IPSEC implementation.
If you are NOT using the *FRENCH CANADIAN* (BEFSX41-FR(CA)) version but
are using the *AMERICAN* (BEFSX41) version, I guess you can ignore most
parts of my message (which concerns the FRENCH CANADIAN version only,
and rather checkout this link from "ldeviator" which might help you a
lot): http://www.livejournal.com/users/ldeviator/199614.html?mode=reply
... and maybe also request some attached files I had included in my
DETAILED REPORT which didn't make it to the mailing lists (i.e., the
mail server cut them).
If you are rather using the FRENCH CANADIAN VERSION, read on for a
couple more ideas about *ATTEMPTING* to solve this issue.
I haven't tried anything yet with Linux 2.6.X, but I am sure the kernel
version isn't a problem here.
The farthest I could get in my experiments with FreeSWAN and IPSEC on
the BEFSX41-FR(CA) is included in this DETAILED REPORT email I've sent
as a last resort to the FreeSWAN mailing lists in the first days of last
December (it seems to me that some heading parts have disappeared from
my original email so this DETAILED REPORT is missing some context
information. Look at the bottom of this email for a "repost" of this
missing information):
http://lists.openswan.org/pipermail/users/2003-December/000005.html
The *ONLY* thing I haven't tried is to apply a certain Firmware patch
from LinkSys on the BEFSX41-FR(CA) (the latest LinkSys Firmware patch
was designed for the *American* version of the BEFSX41 ONLY; there was
**NO** upgrade available for the French Canadian model (BEFSX41-FR(CA)))
on the LinkSys website when I checked back in December.
As the BEFSX41-FR(CA) we've been playing with is a router which one of
my friends uses in production -- and because he was afraid of breaking
it by applying an inappropriate patch to it -- we didn't try to apply
the patch.
So, applying this patch *COULD POSSIBLY* be the ultimate solution to
this FreeSWAN<-->BEFSX41-FR(CA) issue, but it could also *BREAK* the
BEFSX41-FR(CA) permanently, as this patch is *NOT* designed for the
BEFSX41-FR(CA) (I repeat).
Of course we tried to contact LinkSys about this particular issue, but
they NEVER returned any feedback.
Having heard numerous bad reports and bad experiences from friends
owning and using LinkSys products (which, by the way, really seem
entry-level grade because they are so cheap and popular), I am forced to
infer that LinkSys products aren't of good quality, and that would
explain why their current IPSEC implementation is faulty. LinkSys
advertises the BEFSX41 as being IPSEC-enabled, but from what I've
observed during three weeks of non-stop desperate experiments I guess
that LinkSys probably ONLY tested IPSEC by connecting their OWN products
successfully together, BUT NOT with others. That would explain a lot.
So it's up to you to decide if you want to try the AMERICAN VERSION
Firmware patch on the CANADIAN VERSION. If I was you though, I'd look
for a better-quality router with equivalent IPSEC capabilities (ex:
DLink). That could save you quite some time and headaches rather to
play with low quality products (IMHO).
So this is all I can provide you with for now.... I wish I could have
given you good news (and others on the mailing lists too).
Just in case, here's a repost of the DETAILED REPORT<s header I have
sent to the mailing lists in December. The files attached have been cut
by the mail server, but I can provide them to you privately if needed
(just email me back if necessary and I'll send them to you):
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Seasons's Greetings and hello to all,
I am posting this message as a last resort after three weeks of
(unsuccessful) hard work attempts at getting a FreeSWAN 2.04 gateway and
a LinkSys BEFSX41-CA(FR) router to establish a simple subnet-to-subnet
IPsec tunnel together using Pre-Shared Keys.
I am sending this detailed report so maybe you guys can figure something
out of this that I couldn't, even after TONS of Googlezing :-).
======> My current assumption is that something in the BEFSX41-CA(FR)'s
IPsec implementation is faulty. <======
--------------------------- Setup ----------------------------
- I am using FreeSWAN 2.04 (built from sources as a module; it actually
runs on top of an iptables firewall/router created using Slackware Linux
9.0, kernel 2.4.23 and iptables 1.2.8);
- The other tunnel endpoint is a LinkSys BEFSX41-CA(FR) firewall/router
(that is, the "Canadian" version of the original "American" BEFSX41 - I
honestly don't know the particular differences between the two products).
--------------------------------------------------------------
Our tunnel's configuration was inspired from the directions for setting
up a subnet-to-subnet FreeSWAN<====>BEFVP41 tunnel which are available
at (http://www.freeswan.ca/docs/BEFVP41) and which recommends the
following settings:
- Automatic keying (IKE);
- Pre-Shared Keys (PSKs);
- Perfect Forward Secrecy turned ON;
- Compression turned OFF;
- 3DES encryption;
- MD5 authentication;
- 1024-bit groups.
Mr. Nick Mossie, which I recently contacted, CONFIRMED to me that he had
got a FreeSWAN 2.02 gateway and a LinkSys BEFSX41 (the *AMERICAN*
version, freshly updated with the most recent LinkSys BEFSX41 firmware
patch) to sucessfully establish an IPsec tunnel together using the
LinkSys BEFVP41 settings, as he explains at
(http://www.livejournal.com/users/ldeviator/199614.html?mode=reply).
Unfortunately, ALL of these settings DO NOT WORK FOR ME using FreeSWAN
2.04 and the Linksys BEFSX41-CA(FR): I get the following output on the
FreeSWAN side of the tunnel when attempting to perform "ipsec auto
--verbose --up jeannot_christian_psk_auto" to enable the tunnel:
---------------------------------------------------------------
(...)
104 "jeannot_christian_psk_auto" #1: STATE_MAIN_I1: initiate
106 "jeannot_christian_psk_auto" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "jeannot_christian_psk_auto" #1: ignoring informational payload,
type INVALID_PAYLOAD_TYPE
010 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: retransmission; will
wait 20s for response
003 "jeannot_christian_psk_auto" #1: ignoring informational payload,
type INVALID_PAYLOAD_TYPE
010 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: retransmission; will
wait 40s for response
003 "jeannot_christian_psk_auto" #1: ignoring informational payload,
type INVALID_PAYLOAD_TYPE
031 "jeannot_christian_psk_auto" #1: max number of retransmissions (2)
reached STATE_MAIN_I3. Possible authentication failure: no
acceptable response to our first encrypted message
000 "jeannot_christian_psk_auto" #1: starting keying attempt 2 of an
unlimited number, but releasing whack
---------------------------------------------------------------
...and right after that I get a console prompt but no IPsec tunnel.
So in an attempt to isolate the problem (is my FreeSWAN 2.04's config
incorrect? --OR-- is the BEFSX41-CA(FR)'s config incorrect?) I've
decided to setup a very similar subnet-to-subnet tunnel (using the same
parameters: Automatic Keying using IKE, Pre-Shared Keys, Perfect Forward
Secrecy turned ON, no compression, 3DES/MD5/1024, etc...) with the SAME
previous FreeSWAN gateway machine on one end of the tunnel AND ANOTHER
IDENTICALLY-SETUP FreeSWAN gateway machine on the other side of the
tunnel (which uses: FreeSWAN 2.04 built (as a module) from sources too,
kernel 2.4.23 too, iptables 1.2.8 too, the only difference is that it
runs Mandrake instead of Slackware) -- and it WORKED SUCCESSFULLY
WITHOUT ANY PROBLEMS (pings, traceroutes, tcpdumps of encrypted ESP
packets were shown, etc... were ALL sucessfully routed from one subnet
to another in *BOTH* ways AS EXPECTED).
So NOW I KNOW for SURE that my iptables's routing and absence of NATting
for the VPN subnets is WORKING PERFECTLY.
Again, for this sucessful FreeSWAN to FreeSWAN IPsec tunnel attempt, I
used the same settings (IKE, PSKs, PFS, no compression, 3DES/MD5/1024,
etc...) as I did with the LinkSys BEFSX41-CA(FR).
Using those "WINNING" parameters that work for two FreeSWAN 2.04
gateways, I still can't establish a tunnel between a LinkSys
BEFSX41-CA(FR) and a FreeSWAN 2.04 gateway.
I've triple-checked EVERYTHING, of course. Using regular internet
routes, all machines can ping themselves. However, I know that
somewhere between the FreeSWAN gateway and the LinkSys BEFSX41-CA(FR),
our ISP blocks traceroute requests, but I don't think this should be an
issue at all in this case, as machines can communicate together using
pings or other tcp-based or udp-based applications.
======> SO, most apparently from all these experiments and results, the
LinkSys BEFSX41-CA(FR) HAS TO BE FAULTY. <======
Here's some details about my configuration which might help you figure
something out (HOPEFULLY):
- The FreeSWAN gateway uses public IP W.X.Y.Z, its nexthop is W.X.Y.1,
and it's subnet is 192.168.1.0/24;
- The BEFSX41-CA(FR) gateway uses public IP A.B.C.D, its nexthop is
A.B.C.1 and its subnet is 192.168.0.0/24 (configuration screenshots have
been attached to this message -- if you encounter problems getting them
you can obtain them from me on request...);
- The BEFSX41-CA(FR) firewall/router currently uses the following
firmware version: 1.44.3 - Dec 24 2002.
- NO official firmware upgrade is available from the LinkSys website
(http://www.linksys.com/download/) for the particular BEFSX41-CA(FR)
product.
- HOWEVER a firmware upgrade *IS* available (1.45.3 - September 26 2003)
for the *AMERICAN* BEFSX41
(http://www.linksys.com/download/firmware.asp?fwid=172) but since it
*SEEMS* that the BEFSX41 and BEFSX41-CA(FR) are *DIFFERENT* products,
and that our BEFSX41-CA(FR) is currently in production, we don't want to
take the risk of breaking it by attempting to upgrade it's firmware with
the American firmware -- an operation that will most probably fail (I
have attempted to contact LinkSys technical support about this
possiblity but I did NOT get an answer after two days... I might try
reaching them again soon...) -- we prefer not to do this
apparently-risky-upgrade and prefer to ask proper questions first.
Here's some more details about our setup:
==========================================================================================
=============== RELEVANT SECTIONS OF ipsec.conf FILE (FreeSWAN side)
=====================
==========================================================================================
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification
# ------------------------------------------------------------------
# BASIC CONFIGURATION
# ------------------------------------------------------------------
config setup
interfaces="ipsec0=eth0" # Virtual/physical interfaces
klipsdebug=all # Debug KLIPS (** "all" is TEMPORARY - I
want to debug problems **)
plutodebug=all # Debug PLUTO (** "all" is TEMPORARY - I
want to debug problems **)
manualstart= # Manually-keyed conns to start
automatically
forwardcontrol=no # Force IP forwarding (** ip_forward
option in /proc/... is already ON by DEFAULT **)
rp_filter=0 # DISABLE reverse path filtering
pluto=yes # Start PLUTO
# ------------------------------------------------------------------
# POLICY GROUP settings
# ------------------------------------------------------------------
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
# ------------------------------------------------------------------
# Connections
# ------------------------------------------------------------------
#
# JEANNOT/FRANCK VPN connection (PSK/AUTO) *** THIS IS MY __WORKING__
FREESWAN-FREESWAN TUNNEL'S CONFIG ***
#
conn jeannot_franck_psk
left=W.X.Y.Z
leftsubnet=192.168.1.0/24
leftnexthop=W.X.Y.1
right=E.F.G.H
rightsubnet=10.1.1.0/24
rightnexthop=E.F.G.1
keyexchange=ike
ikelifetime=240m
keylife=60m
pfs=yes
compress=no
authby=secret
auto=ignore
(...)
#
# JEANNOT/CHRISTIAN VPN connection (PSK/AUTO) *** THIS IS THE
__OFFENDING__ FREESWAN-BEFSX41-CA(FR) TUNNEL'S CONFIG ***
#
conn jeannot_christian_psk_auto
left=W.X.Y.Z
leftsubnet=192.168.1.0/24
leftnexthop=W.X.Y.1
right=A.B.C.D
rightsubnet=192.168.0.0/24
rightnexthop=A.B.C.1
keyexchange=ike
ikelifetime=240m
keylife=60m
pfs=yes
compress=no
authby=secret
auto=ignore
(...)
==========================================================================================
==========================================================================================
==========================================================================================
========================================================================================
=========================== ipsec.secrets FILE (FreeSWAN side)
=========================
========================================================================================
W.X.Y.Z A.B.C.D : PSK "0xSOME-CENSORED-JEANNOT-CHRISTIAN-SECRET"
W.W.Y.Z E.F.G.H : PSK "0xSOME-CENSORED-JEANNOT-FRANCK-SECRET"
========================================================================================
========================================================================================
========================================================================================
========================================================================================
======================= COMPLETE ipsec barf output (FreeSWAN side)
=====================
============ obtained RIGHT after INVALID_PAYLOAD_TYPE error message
output ============
========================================================================================
(see attached TXT file - or contact me to obtain it if you can't get
access to it)
========================================================================================
========================================================================================
========================================================================================
So this is it.... I SINCERELY HOPE that ALL of this info might help...
Feel free to contact me at "jeannot12 AT linuxmail DOT org" for any
questions.
Merry Christmas and best wishes for the upcoming new year too all of you,
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Good luck John,
If you ever success in making this work, please send some feedback to me
and/or the FreeSWAN mailing lists; that would be GREATLY appreciated by
everybody.
Regards,
--
Jeannot Langlois
B. Sc. Computer Science / B. Sc. Informatique
Software Developer / Programmeur-Analyste
System/Network Administrator / Administrateur Système/Réseau
LINUX_LOGO
More information about the Users
mailing list