[Openswan Users] Re: FreeS/WAN and BEFSX41-CA

Jeannot_Langlois jeannot at cableamos.com
Thu Apr 15 21:38:15 CEST 2004


Jon Earle wrote:

>Hi,
>
>I've been having some major problems with this router too, and I noticed
>your post on the openswan site.  I was curious if you'd sorted out your
>difficulties and wouldn't mind sharing your findings?
>
>Many TIA!
>
>Cheers!
>Jon
>
Hi John,

(Sorry for the delay in my response; I am quite busy these days...)


I'd be glad to provide you with ANY and ALL detailed documentation about 
my experiments (and I would have done so to the mailing lists a long 
time ago if I could), but...


Unfortunately, I wasn't able to get our FreeSWAN 2.04 box (which runs 
Linux 2.4.24) to establish an IPSEC tunnel with the LINKSYS 
BEFSX41-FR(CA) router.  

[Take note of this exact model number; this is the *FRENCH CANADIAN* 
version I have been experimenting with, *NOT* the standard "American" 
version which has model number "BEFSX41"].  

Not that I didn't try hard.   Three weeks of hard work, but it still did 
NOT work.  I STRONGLY suspect the problem to be with the LinkSys 
router's low quality IPSEC implementation.

If you are NOT using the *FRENCH CANADIAN* (BEFSX41-FR(CA)) version but 
are using the *AMERICAN* (BEFSX41) version, I guess you can ignore most 
parts of my message (which concerns the FRENCH CANADIAN version only), 
and rather check out this link from "ldeviator" which might help you a 
lot: http://www.livejournal.com/users/ldeviator/199614.html?mode=reply 
... and maybe also request some attached files I had included in my 
DETAILED REPORT which didn't make it to the mailing lists (i.e., the 
mail server cut them).


If you are rather using the FRENCH CANADIAN VERSION, read on for a 
couple more ideas about *ATTEMPTING* to solve this issue.

I haven't tried anything yet with Linux 2.6.X, but I am sure the kernel 
version isn't a problem here.


The farthest I could get in my experiments with FreeSWAN and IPSEC on 
the BEFSX41-FR(CA) is included in this DETAILED REPORT email I've sent 
as a last resort to the FreeSWAN mailing lists in the first days of last 
December (it seems to me that some heading parts have disappeared from 
my original email so this DETAILED REPORT is missing some context 
information.   Look at the bottom of this email for a "repost" of this 
missing information):

http://lists.openswan.org/pipermail/users/2003-December/000005.html


The *ONLY* thing I haven't tried is to apply a certain Firmware patch 
from LinkSys on the BEFSX41-FR(CA) (the latest LinkSys Firmware patch 
was designed for the *American* version of the BEFSX41 ONLY; there was 
**NO** upgrade available for the French Canadian model (BEFSX41-FR(CA))) 
on the LinkSys website when I checked back in December.  

As the BEFSX41-FR(CA) we've been playing with is a router which one of 
my friends uses in production -- and because he was afraid of breaking 
it by applying an inappropriate patch to it -- we didn't try to apply 
the patch.  

So, applying this patch *COULD POSSIBLY* be the ultimate solution to 
this FreeSWAN<-->BEFSX41-FR(CA) issue, but it could also *BREAK* the 
BEFSX41-FR(CA) permanently, as this patch is *NOT* designed for the 
BEFSX41-FR(CA) (I repeat).  

Of course we tried to contact LinkSys about this particular issue, but 
they NEVER returned any feedback.

Having heard numerous bad reports and bad experiences from friends 
owning and using LinkSys products (which, by the way, really seem 
entry-level grade because they are so cheap and popular), I am forced to 
infer that LinkSys products aren't of good quality, and that would 
explain why their current IPSEC implementation is faulty.  LinkSys 
advertises the BEFSX41 as being IPSEC-enabled, but from what I've 
observed during three weeks of non-stop desperate experiments I guess 
that LinkSys probably ONLY tested IPSEC by connecting their OWN products 
successfully together, BUT NOT with others.  That would explain a lot.

So it's up to you to decide if you want to try the AMERICAN VERSION 
Firmware patch on the CANADIAN VERSION.  If I were you though, I'd look 
for a better-quality router with equivalent IPSEC capabilities (ex: 
DLink).  That could save you quite some time and headaches rather than 
playing with low quality products (IMHO).


So this is all I can provide you with for now....  I wish I could have 
given you good news (and others on the mailing lists too).  

Just in case, here's a repost of the DETAILED REPORT's header I have 
sent to the mailing lists in December.  The files attached have been cut 
by the mail server, but I can provide them to you privately if needed 
(just email me back if necessary and I'll send them to you):

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
Season's Greetings and hello to all,


I am posting this message as a last resort after three weeks of 
(unsuccessful) hard work attempts at getting a FreeSWAN 2.04 gateway and 
a LinkSys BEFSX41-CA(FR) router to establish a simple subnet-to-subnet 
IPsec tunnel together using Pre-Shared Keys. 

I am sending this detailed report so maybe you guys can figure something 
out of this that I couldn't, even after TONS of Googlezing :-).

======> My current assumption is that something in the BEFSX41-CA(FR)'s 
IPsec implementation is faulty. <======


--------------------------- Setup ----------------------------
- I am using FreeSWAN 2.04 (built from sources as a module; it actually 
runs on top of an iptables firewall/router created using Slackware Linux 
9.0, kernel 2.4.23 and iptables 1.2.8);
- The other tunnel endpoint is a LinkSys BEFSX41-CA(FR) firewall/router 
(that is, the "Canadian" version of the original "American" BEFSX41 - I 
honestly don't know the particular differences between the two products).
--------------------------------------------------------------


Our tunnel's configuration was inspired from the directions for setting 
up a subnet-to-subnet FreeSWAN<====>BEFVP41 tunnel which are available 
at (http://www.freeswan.ca/docs/BEFVP41) and which recommends the 
following settings:

- Automatic keying (IKE);
- Pre-Shared Keys (PSKs);
- Perfect Forward Secrecy turned ON;
- Compression turned OFF;
- 3DES encryption;
- MD5 authentication;
- 1024-bit groups.


Mr. Nick Mossie, whom I recently contacted, CONFIRMED to me that he had 
got a FreeSWAN 2.02 gateway and a LinkSys BEFSX41 (the *AMERICAN* 
version, freshly updated with the most recent LinkSys BEFSX41 firmware 
patch) to successfully establish an IPsec tunnel together using the 
LinkSys BEFVP41 settings, as he explains at 
(http://www.livejournal.com/users/ldeviator/199614.html?mode=reply).

Unfortunately, ALL of these settings DO NOT WORK FOR ME using FreeSWAN 
2.04 and the Linksys BEFSX41-CA(FR): I get the following output on the 
FreeSWAN side of the tunnel when attempting to perform "ipsec auto 
--verbose --up jeannot_christian_psk_auto" to enable the tunnel:

---------------------------------------------------------------
(...)
104 "jeannot_christian_psk_auto" #1: STATE_MAIN_I1: initiate
106 "jeannot_christian_psk_auto" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "jeannot_christian_psk_auto" #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
010 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "jeannot_christian_psk_auto" #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
010 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "jeannot_christian_psk_auto" #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
031 "jeannot_christian_psk_auto" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "jeannot_christian_psk_auto" #1: starting keying attempt 2 of an unlimited number, but releasing whack
---------------------------------------------------------------

...and right after that I get a console prompt but no IPsec tunnel.


So in an attempt to isolate the problem (is my FreeSWAN 2.04's config 
incorrect? --OR-- is the BEFSX41-CA(FR)'s config incorrect?) I've 
decided to setup a very similar subnet-to-subnet tunnel (using the same 
parameters: Automatic Keying using IKE, Pre-Shared Keys, Perfect Forward 
Secrecy turned ON, no compression, 3DES/MD5/1024, etc...) with the SAME 
previous FreeSWAN gateway machine on one end of the tunnel AND ANOTHER 
IDENTICALLY-SETUP FreeSWAN gateway machine on the other side of the 
tunnel (which uses: FreeSWAN 2.04 built (as a module) from sources too, 
kernel 2.4.23 too, iptables 1.2.8 too, the only difference is that it 
runs Mandrake instead of Slackware) -- and it WORKED SUCCESSFULLY 
WITHOUT ANY PROBLEMS (pings, traceroutes, tcpdumps of encrypted ESP 
packets were shown, etc... were ALL successfully routed from one subnet 
to another in *BOTH* ways AS EXPECTED). 

So NOW I KNOW for SURE that my iptables's routing and absence of NATting 
for the VPN subnets is WORKING PERFECTLY.

Again, for this successful FreeSWAN to FreeSWAN IPsec tunnel attempt, I 
used the same settings (IKE, PSKs, PFS, no compression, 3DES/MD5/1024, 
etc...) as I did with the LinkSys BEFSX41-CA(FR). 



Using those "WINNING" parameters that work for two FreeSWAN 2.04 
gateways, I still can't establish a tunnel between a LinkSys 
BEFSX41-CA(FR) and a FreeSWAN 2.04 gateway. 


I've triple-checked EVERYTHING, of course.  Using regular internet 
routes, all machines can ping themselves.  However, I know that 
somewhere between the FreeSWAN gateway and the LinkSys BEFSX41-CA(FR), 
our ISP blocks traceroute requests, but I don't think this should be an 
issue at all in this case, as machines can communicate together using 
pings or other tcp-based or udp-based applications.




======> SO, most apparently from all these experiments and results, the 
LinkSys BEFSX41-CA(FR) HAS TO BE FAULTY. <======




Here's some details about my configuration which might help you figure 
something out (HOPEFULLY):


- The FreeSWAN gateway uses public IP W.X.Y.Z, its nexthop is W.X.Y.1, 
and its subnet is 192.168.1.0/24;
- The BEFSX41-CA(FR) gateway uses public IP A.B.C.D, its nexthop is 
A.B.C.1 and its subnet is 192.168.0.0/24 (configuration screenshots have 
been attached to this message -- if you encounter problems getting them 
you can obtain them from me on request...);

- The BEFSX41-CA(FR) firewall/router currently uses the following 
firmware version: 1.44.3 - Dec 24 2002.
- NO official firmware upgrade is available from the LinkSys website 
(http://www.linksys.com/download/) for the particular BEFSX41-CA(FR) 
product.
- HOWEVER a firmware upgrade *IS* available (1.45.3 - September 26 2003) 
for the *AMERICAN* BEFSX41 
(http://www.linksys.com/download/firmware.asp?fwid=172) but since it 
*SEEMS* that the BEFSX41 and BEFSX41-CA(FR) are *DIFFERENT* products, 
and that our BEFSX41-CA(FR) is currently in production, we don't want to 
take the risk of breaking it by attempting to upgrade its firmware with 
the American firmware -- an operation that will most probably fail (I 
have attempted to contact LinkSys technical support about this 
possibility but I did NOT get an answer after two days...  I might try 
reaching them again soon...) -- we prefer not to do this 
apparently risky upgrade and prefer to ask proper questions first.


Here's some more details about our setup:



==========================================================================================
=============== RELEVANT SECTIONS OF ipsec.conf FILE (FreeSWAN side) =====================
==========================================================================================
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

version 2.0     # conforms to second version of ipsec.conf specification

# ------------------------------------------------------------------
# BASIC CONFIGURATION
# ------------------------------------------------------------------
config setup
  interfaces="ipsec0=eth0"      # Virtual/physical interfaces
  klipsdebug=all                # Debug KLIPS (** "all" is TEMPORARY - I want to debug problems **)
  plutodebug=all                # Debug PLUTO (** "all" is TEMPORARY - I want to debug problems **)
  manualstart=                  # Manually-keyed conns to start automatically
  forwardcontrol=no             # Force IP forwarding (** ip_forward option in /proc/... is already ON by DEFAULT **)
  rp_filter=0                   # DISABLE reverse path filtering
  pluto=yes                     # Start PLUTO

# ------------------------------------------------------------------
# POLICY GROUP settings
# ------------------------------------------------------------------
conn block
  auto=ignore

conn private
  auto=ignore

conn private-or-clear
  auto=ignore

conn clear-or-private
  auto=ignore

conn clear
  auto=ignore

conn packetdefault
  auto=ignore


# ------------------------------------------------------------------
# Connections
# ------------------------------------------------------------------


#
# JEANNOT/FRANCK VPN connection (PSK/AUTO) *** THIS IS MY __WORKING__ FREESWAN-FREESWAN TUNNEL'S CONFIG ***
#
conn jeannot_franck_psk
  left=W.X.Y.Z
  leftsubnet=192.168.1.0/24
  leftnexthop=W.X.Y.1
  right=E.F.G.H
  rightsubnet=10.1.1.0/24
  rightnexthop=E.F.G.1
  keyexchange=ike
  ikelifetime=240m
  keylife=60m
  pfs=yes
  compress=no
  authby=secret
  auto=ignore

(...)

#
# JEANNOT/CHRISTIAN VPN connection (PSK/AUTO) *** THIS IS THE __OFFENDING__ FREESWAN-BEFSX41-CA(FR) TUNNEL'S CONFIG ***
#
conn jeannot_christian_psk_auto
  left=W.X.Y.Z
  leftsubnet=192.168.1.0/24
  leftnexthop=W.X.Y.1
  right=A.B.C.D
  rightsubnet=192.168.0.0/24
  rightnexthop=A.B.C.1
  keyexchange=ike
  ikelifetime=240m
  keylife=60m
  pfs=yes
  compress=no
  authby=secret
  auto=ignore

(...)
==========================================================================================
==========================================================================================
==========================================================================================



========================================================================================
=========================== ipsec.secrets FILE (FreeSWAN side) =========================
========================================================================================
W.X.Y.Z A.B.C.D : PSK "0xSOME-CENSORED-JEANNOT-CHRISTIAN-SECRET"
W.W.Y.Z E.F.G.H : PSK "0xSOME-CENSORED-JEANNOT-FRANCK-SECRET"
========================================================================================
========================================================================================
========================================================================================



========================================================================================
======================= COMPLETE ipsec barf output (FreeSWAN side) =====================
============ obtained RIGHT after INVALID_PAYLOAD_TYPE error message output ============
========================================================================================
(see attached TXT file - or contact me to obtain it if you can't get 
access to it)
========================================================================================
========================================================================================
========================================================================================



So this is it.... I SINCERELY HOPE that ALL of this info might help...
Feel free to contact me at "jeannot12 AT linuxmail DOT org" for any 
questions.


Merry Christmas and best wishes for the upcoming new year to all of you,

____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________


Good luck John,


If you ever succeed in making this work, please send some feedback to me 
and/or the FreeSWAN mailing lists; that would be GREATLY appreciated by 
everybody.


Regards,

-- 
Jeannot Langlois
B. Sc.  Computer Science / B. Sc.  Informatique
Software Developer / Programmeur-Analyste
System/Network Administrator / Administrateur Système/Réseau
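An added Python illustration, not part of Jeannot's report or of FreeS/WAN: it parses Pluto status lines like the ones quoted in the report, records how far Main Mode got before Pluto gave up, and maps that stall point to what a defender would check first. The log sample is constructed from the report's output (wrapped lines re-joined), and the hint table is my own reading of the Main Mode initiator states, not a FreeS/WAN reference.

```python
import re

# Constructed sample of Pluto status output, modelled on the failing exchange
# quoted in the report above (each wrapped message re-joined onto one line).
PLUTO_LOG = """\
104 "jeannot_christian_psk_auto" #1: STATE_MAIN_I1: initiate
106 "jeannot_christian_psk_auto" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "jeannot_christian_psk_auto" #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
010 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "jeannot_christian_psk_auto" #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
031 "jeannot_christian_psk_auto" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')  # code "conn" #sa: message
STATE_RE = re.compile(r'STATE_MAIN_I(\d)')
NOTIFY_RE = re.compile(r'informational payload, type (\w+)')
# Hypothetical hint table (my reading of Main Mode, not a FreeS/WAN table):
# what to check first when the initiator gives up in each state.
STALL_HINTS = {
    1: "no reply to MI1: UDP/500 not reaching the peer, or no matching conn on the peer",
    2: "no reply to MI2: Diffie-Hellman group mismatch or broken key exchange handling",
    3: "no reply to MI3, the first encrypted message: the peer could not decrypt or validate "
       "it; check the pre-shared key and its selectors, peer IDs and the phase 1 proposal",
    4: "ISAKMP SA established; a later failure is in Quick Mode: check subnets and PFS",
}

def diagnose(log_text):
    """Per conn: furthest Main Mode state, notifies received, retransmits, and a hint."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, name, _sa, msg = m.groups()
        info = conns.setdefault(name, {"last_state": 0, "notifies": [], "retransmits": 0, "failed": False})
        s = STATE_RE.search(msg)
        if s:
            info["last_state"] = max(info["last_state"], int(s.group(1)))
        n = NOTIFY_RE.search(msg)
        if n:
            info["notifies"].append(n.group(1))
        if code == "010":        # RC_RETRANSMISSION: no answer yet, resending
            info["retransmits"] += 1
        elif code == "031":      # RC_NORETRANSMISSION: gave up in this state
            info["failed"] = True
    for info in conns.values():
        info["hint"] = (STALL_HINTS.get(info["last_state"], "unknown state") if info["failed"]
                        else "no give-up message seen: established or still negotiating")
    return conns
```

For the report's exchange the result points at MI3, which matches Pluto's own "no acceptable response to our first encrypted message" wording: the peer answered the cleartext messages but rejected the first encrypted one.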
