[Openswan Users] Re: FreeS/WAN and BEFSX41-CA

Nick Mossie ld at initiated.com
Thu Apr 15 22:59:49 CEST 2004


Hi Jon and Jeannot,

	Jeannot's got everything right... I agree it's probably the firmware.
It's a damn shame that LinkSys is being contrary to getting their own products
to work. :(
	
	I just upgraded to version 2.05 on freeswan for the 2.4.20-28.7 kernel
on the same linux box.  Still the same config and it still works the same.  
Only odd thing I'm getting is that I still have to initiate the link from the 
freeSwan side.  Since then I've even added another tunnel to another LinkSys 
router (same model and firmware on the other side), so it's running the two 
tunnels now... one to freeswan and one to the other linksys router.  The other
router is actually doing the same thing... so freeswan has 2 IPsec connections...
it's a 3 way ring really.
	I'm just using the RPMs on a Red Hat 7.2 machine.  I'm gonna 
upgrade that bad boy to Fedora Core 2 whenever it comes out, so that'll be
interesting. :)
	So firmware is as mentioned on the American model: 1.45.3, Sep 26 2003
The original reason I upgraded firmware was for spanning tree problems like
getting to a website hosted by an internal machine behind the LinkSys's NAT.
So I don't know if it didn't work before I upgraded.  I can't remember if I
even had IPSEC running without the newer firmware. :(

	My setup is below... 

Good luck,
Nick

/etc/ipsec.conf:
------------------------
version 2.0
config setup
conn here_to_nick
        right=9.8.7.6 	# (public IP on linksys)
        rightsubnet=192.168.4.0/24 # (private IPs on linksys)
        left=1.2.3.4	# (public IP on freeswan)
        leftsubnet=192.168.2.0/24 # (private IPs on freeswan)
        leftnexthop=1.2.3.5 # (next hop on public IP network)
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        authby=secret
        auto=start
------------------------

/etc/ipsec.secrets:
------------------------
1.2.3.4 9.8.7.6: PSK "somepassword"
------------------------

Linksys:
------------------------
Tunnel Name: Tunnel 1
Local Secure Group ->
	Subnet
	IP: 192.168.4.0
	Netmask: 255.255.255.0
Remote Secure Group ->
	Subnet
	IP: 192.168.2.0
	Netmask: 255.255.255.0
Remote Secure Gateway:
	FQDN
	FQDN: (FQDN of my freeswan box)
Encryption: 3DES
Authentication: MD5
Key Management: IKE
PFS: checked
Pre-Shared: somepassword
Key Lifetime: 3600

Advanced ->
	Phase 1 ->
		Operation Mode ->
			Main Mode: Checked
		Proposal 1 ->
			Encryption: 3DES
			Authentication: SHA
			Group: 1024-bit
			Key Lifetime: 3600
	Phase 2 ->
		Encryption: 3DES
		Authentication: MD5
		PFS: ON
		Group: 1024-bit
		Key Lifetime: 3600

	Other Options ->
		NetBIOS broadcast: checked (doesn't do anything :))

... anything not mentioned is cleared.
------------------------


On Thu, Apr 15, 2004 at 08:38:15PM -0400, Jeannot_Langlois wrote:
> Jon Earle wrote:
> 
> >Hi,
> >
> >I've been having some major problems with this router too, and I noticed
> >your post on the openswan site.  I was curious if you'd sorted out your
> >difficulties and wouldn't mind sharing your findings?
> >
> >Many TIA!
> >
> >Cheers!
> >Jon
> >
> >  
> >
> Hi John,
> 
> (Sorry for the delay in my response; I am quite busy these days...)
> 
> 
> I'd be glad to provide you with ANY and ALL detailed documentation about 
> my experiments (and I would have done so to the mailing lists a long 
> time ago if I could), but...
> 
> 
> Unfortunately, I wasn't able to get our FreeSWAN 2.04 box (which runs 
> Linux 2.4.24) to establish an IPSEC tunnel with the LINKSYS 
> BEFSX41-FR(CA) router.  
> 
> [Take note of this exact model number; this is the *FRENCH CANADIAN* 
> version I have been experimenting with, *NOT* the standard "American" 
> version which has model number "BEFSX41"].  
> 
> Not that I didn't try hard.   Three weeks of hard work, but it still did 
> NOT work.  I STRONGLY suspect the problem to be with the LinkSys 
> router's low quality IPSEC implementation.
> 
> If you are NOT using the *FRENCH CANADIAN* (BEFSX41-FR(CA)) version but 
> are using the *AMERICAN* (BEFSX41) version, I guess you can ignore most 
> parts of my message (which concerns the FRENCH CANADIAN version only, 
> and rather checkout this link from "ldeviator" which might help you a 
> lot): http://www.livejournal.com/users/ldeviator/199614.html?mode=reply 
> ... and maybe also request some attached files I had included in my 
> DETAILED REPORT which didn't make it to the mailing lists (i.e., the 
> mail server cut them).
> 
> 
> If you are rather using the FRENCH CANADIAN VERSION, read on for a 
> couple more ideas about *ATTEMPTING* to solve this issue.
> 
> I haven't tried anything yet with Linux 2.6.X, but I am sure the kernel 
> version isn't a problem here.
> 
> 
> The farthest I could get in my experiments with FreeSWAN and IPSEC on 
> the BEFSX41-FR(CA) is included in this DETAILED REPORT email I've sent 
> as a last resort to the FreeSWAN mailing lists in the first days of last 
> December (it seems to me that some heading parts have disappeared from 
> my original email so this DETAILED REPORT is missing some context 
> information.   Look at the bottom of this email for a "repost" of this 
> missing information):
> 
> http://lists.openswan.org/pipermail/users/2003-December/000005.html
> 
> 
> The *ONLY* thing I haven't tried is to apply a certain Firmware patch 
> from LinkSys on the BEFSX41-FR(CA) (the latest LinkSys Firmware patch 
> was designed for the *American* version of the BEFSX41 ONLY; there was 
> **NO** upgrade available for the French Canadian model (BEFSX41-FR(CA))) 
> on the LinkSys website when I checked back in December.  
> 
> As the BEFSX41-FR(CA) we've been playing with is a router which one of 
> my friends uses in production -- and because he was afraid of breaking 
> it by applying an inappropriate patch to it -- we didn't try to apply 
> the patch.  
> 
> So, applying this patch *COULD POSSIBLY* be the ultimate solution to 
> this FreeSWAN<-->BEFSX41-FR(CA) issue, but it could also *BREAK* the 
> BEFSX41-FR(CA) permanently, as this patch is *NOT* designed for the 
> BEFSX41-FR(CA) (I repeat).  
> 
> Of course we tried to contact LinkSys about this particular issue, but 
> they NEVER returned any feedback.
> 
> Having heard numerous bad reports and bad experiences from friends 
> owning and using LinkSys products (which, by the way, really seem 
> entry-level grade because they are so cheap and popular), I am forced to 
> infer that LinkSys products aren't of good quality, and that would 
> explain why their current IPSEC implementation is faulty.  LinkSys 
> advertises the BEFSX41 as being IPSEC-enabled, but from what I've 
> observed during three weeks of non-stop desperate experiments I guess 
> that LinkSys probably ONLY tested IPSEC by connecting their OWN products 
> successfully together, BUT NOT with others.  That would explain a lot.
> 
> So it's up to you to decide if you want to try the AMERICAN VERSION 
> Firmware patch on the CANADIAN VERSION.  If I was you though, I'd look 
> for a better-quality router with equivalent IPSEC capabilities (ex: 
>  DLink).  That could save you quite some time and headaches rather than
> playing with low quality products (IMHO).
> 
> 
> So this is all I can provide you with for now....  I wish I could have 
> given you good news (and others on the mailing lists too).  
> 
> Just in case, here's a repost of the DETAILED REPORT's header I have 
> sent to the mailing lists in December.  The files attached have been cut 
> by the mail server, but I can provide them to you privately if needed 
> (just email me back if necessary and I'll send them to you):
> 
> ____________________________________________________________________________________
> ____________________________________________________________________________________
> ____________________________________________________________________________________
> ____________________________________________________________________________________
> Season's Greetings and hello to all,
> 
> 
> I am posting this message as a last resort after three weeks of 
> (unsuccessful) hard work attempts at getting a FreeSWAN 2.04 gateway and 
> a LinkSys BEFSX41-CA(FR) router to establish a simple subnet-to-subnet 
> IPsec tunnel together using Pre-Shared Keys. 
> 
> I am sending this detailed report so maybe you guys can figure something 
> out of this that I couldn't, even after TONS of Googlezing :-).
> 
> ======> My current assumption is that something in the BEFSX41-CA(FR)'s 
> IPsec implementation is faulty. <======
> 
> 
> --------------------------- Setup ----------------------------
> - I am using FreeSWAN 2.04 (built from sources as a module; it actually 
> runs on top of an iptables firewall/router created using Slackware Linux 
> 9.0, kernel 2.4.23 and iptables 1.2.8);
> - The other tunnel endpoint is a LinkSys BEFSX41-CA(FR) firewall/router 
> (that is, the "Canadian" version of the original "American" BEFSX41 - I 
> honestly don't know the particular differences between the two products).
> --------------------------------------------------------------
> 
> 
> Our tunnel's configuration was inspired from the directions for setting 
> up a subnet-to-subnet FreeSWAN<====>BEFVP41 tunnel which are available 
> at (http://www.freeswan.ca/docs/BEFVP41) and which recommend the 
> following settings:
> 
> - Automatic keying (IKE);
> - Pre-Shared Keys (PSKs);
> - Perfect Forward Secrecy turned ON;
> - Compression turned OFF;
> - 3DES encryption;
> - MD5 authentication;
> - 1024-bit groups.
> 
> 
> Mr. Nick Mossie, whom I recently contacted, CONFIRMED to me that he had 
> got a FreeSWAN 2.02 gateway and a LinkSys BEFSX41 (the *AMERICAN* 
> version, freshly updated with the most recent LinkSys BEFSX41 firmware 
> patch) to successfully establish an IPsec tunnel together using the 
> LinkSys BEFVP41 settings, as he explains at 
> (http://www.livejournal.com/users/ldeviator/199614.html?mode=reply).
> 
> Unfortunately, ALL of these settings DO NOT WORK FOR ME using FreeSWAN 
> 2.04 and the Linksys BEFSX41-CA(FR): I get the following output on the 
> FreeSWAN side of the tunnel when attempting to perform "ipsec auto 
> --verbose --up jeannot_christian_psk_auto" to enable the tunnel:
> 
> ---------------------------------------------------------------
> (...)
> 104 "jeannot_christian_psk_auto" #1: STATE_MAIN_I1: initiate
> 106 "jeannot_christian_psk_auto" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "jeannot_christian_psk_auto" #1: ignoring informational payload, 
> type INVALID_PAYLOAD_TYPE
> 010 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: retransmission; will 
> wait 20s for response
> 003 "jeannot_christian_psk_auto" #1: ignoring informational payload, 
> type INVALID_PAYLOAD_TYPE
> 010 "jeannot_christian_psk_auto" #1: STATE_MAIN_I3: retransmission; will 
> wait 40s for response
> 003 "jeannot_christian_psk_auto" #1: ignoring informational payload, 
> type INVALID_PAYLOAD_TYPE
> 031 "jeannot_christian_psk_auto" #1: max number of retransmissions (2) 
> reached STATE_MAIN_I3.  Possible authentication failure: no
> acceptable response to our first encrypted message
> 000 "jeannot_christian_psk_auto" #1: starting keying attempt 2 of an 
> unlimited number, but releasing whack
> ---------------------------------------------------------------
> 
> ...and right after that I get a console prompt but no IPsec tunnel.
> 
> 
> So in an attempt to isolate the problem (is my FreeSWAN 2.04's config 
> incorrect? --OR-- is the BEFSX41-CA(FR)'s config incorrect?) I've 
> decided to setup a very similar subnet-to-subnet tunnel (using the same 
> parameters: Automatic Keying using IKE, Pre-Shared Keys, Perfect Forward 
> Secrecy turned ON, no compression, 3DES/MD5/1024, etc...) with the SAME 
> previous FreeSWAN gateway machine on one end of the tunnel AND ANOTHER 
> IDENTICALLY-SETUP FreeSWAN gateway machine on the other side of the 
> tunnel (which uses: FreeSWAN 2.04 built (as a module) from sources too, 
> kernel 2.4.23 too, iptables 1.2.8 too, the only difference is that it 
> runs Mandrake instead of Slackware) -- and it WORKED SUCCESSFULLY 
> WITHOUT ANY PROBLEMS (pings, traceroutes, tcpdumps of encrypted ESP 
> packets were shown, etc... were ALL successfully routed from one subnet 
> to another in *BOTH* ways AS EXPECTED). 
> 
> So NOW I KNOW for SURE that my iptables's routing and absence of NATting 
> for the VPN subnets is WORKING PERFECTLY.
> 
> Again, for this successful FreeSWAN to FreeSWAN IPsec tunnel attempt, I 
> used the same settings (IKE, PSKs, PFS, no compression, 3DES/MD5/1024, 
> etc...) as I did with the LinkSys BEFSX41-CA(FR). 
> 
> 
> 
> Using those "WINNING" parameters that work for two FreeSWAN 2.04 
> gateways, I still can't establish a tunnel between a LinkSys 
> BEFSX41-CA(FR) and a FreeSWAN 2.04 gateway. 
> 
> 
> I've triple-checked EVERYTHING, of course.  Using regular internet 
> routes, all machines can ping themselves.  However, I know that 
> somewhere between the FreeSWAN gateway and the LinkSys BEFSX41-CA(FR), 
> our ISP blocks traceroute requests, but I don't think this should be an 
> issue at all in this case, as machines can communicate together using 
> pings or other tcp-based or udp-based applications.
> 
> 
> 
> 
> ======> SO, most apparently from all these experiments and results, the 
> LinkSys BEFSX41-CA(FR) HAS TO BE FAULTY. <======
> 
> 
> 
> 
> Here's some details about my configuration which might help you figure 
> something out (HOPEFULLY):
> 
> 
> - The FreeSWAN gateway uses public IP W.X.Y.Z, its nexthop is W.X.Y.1, 
> and its subnet is 192.168.1.0/24;
> - The BEFSX41-CA(FR) gateway uses public IP A.B.C.D, its nexthop is 
> A.B.C.1 and its subnet is 192.168.0.0/24 (configuration screenshots have 
> been attached to this message -- if you encounter problems getting them 
> you can obtain them from me on request...);
> 
> - The BEFSX41-CA(FR) firewall/router currently uses the following 
> firmware version: 1.44.3 - Dec 24 2002.
> - NO official firmware upgrade is available from the LinkSys website 
> (http://www.linksys.com/download/) for the particular BEFSX41-CA(FR) 
> product.
> - HOWEVER a firmware upgrade *IS* available (1.45.3 - September 26 2003) 
> for the *AMERICAN* BEFSX41 
> (http://www.linksys.com/download/firmware.asp?fwid=172) but since it 
> *SEEMS* that the BEFSX41 and BEFSX41-CA(FR) are *DIFFERENT* products, 
> and that our BEFSX41-CA(FR) is currently in production, we don't want to 
> take the risk of breaking it by attempting to upgrade its firmware with 
> the American firmware -- an operation that will most probably fail (I 
> have attempted to contact LinkSys technical support about this 
> possibility but I did NOT get an answer after two days...  I might try 
> reaching them again soon...) -- we prefer not to do this 
> apparently-risky-upgrade and prefer to ask proper questions first.
> 
> 
> Here's some more details about our setup:
> 
> 
> 
> ==========================================================================================
> =============== RELEVANT SECTIONS OF ipsec.conf FILE (FreeSWAN side) =====================
> ==========================================================================================
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # ------------------------------------------------------------------
> # BASIC CONFIGURATION
> # ------------------------------------------------------------------
> config setup
>   interfaces="ipsec0=eth0"      # Virtual/physical interfaces
>   klipsdebug=all                # Debug KLIPS (** "all" is TEMPORARY - I want to debug problems **)
>   plutodebug=all                # Debug PLUTO (** "all" is TEMPORARY - I want to debug problems **)
>   manualstart=                  # Manually-keyed conns to start automatically
>   forwardcontrol=no             # Force IP forwarding (** ip_forward option in /proc/... is already ON by DEFAULT **)
>   rp_filter=0                   # DISABLE reverse path filtering
>   pluto=yes                     # Start PLUTO
> 
> # ------------------------------------------------------------------
> # POLICY GROUP settings
> # ------------------------------------------------------------------
> conn block
>   auto=ignore
> 
> conn private
>   auto=ignore
> 
> conn private-or-clear
>   auto=ignore
> 
> conn clear-or-private
>   auto=ignore
> 
> conn clear
>   auto=ignore
> 
> conn packetdefault
>   auto=ignore
> 
> 
> # ------------------------------------------------------------------
> # Connections
> # ------------------------------------------------------------------
> 
> 
> #
> # JEANNOT/FRANCK VPN connection (PSK/AUTO) *** THIS IS MY __WORKING__ FREESWAN-FREESWAN TUNNEL'S CONFIG ***
> #   
> conn jeannot_franck_psk
>   left=W.X.Y.Z
>   leftsubnet=192.168.1.0/24
>   leftnexthop=W.X.Y.1
>   right=E.F.G.H
>   rightsubnet=10.1.1.0/24
>   rightnexthop=E.F.G.1
>   keyexchange=ike
>   ikelifetime=240m
>   keylife=60m
>   pfs=yes
>   compress=no
>   authby=secret
>   auto=ignore
> 
> (...)
> 
> #
> # JEANNOT/CHRISTIAN VPN connection (PSK/AUTO) *** THIS IS THE __OFFENDING__ FREESWAN-BEFSX41-CA(FR) TUNNEL'S CONFIG ***
> #   
> conn jeannot_christian_psk_auto
>   left=W.X.Y.Z
>   leftsubnet=192.168.1.0/24
>   leftnexthop=W.X.Y.1
>   right=A.B.C.D
>   rightsubnet=192.168.0.0/24
>   rightnexthop=A.B.C.1
>   keyexchange=ike
>   ikelifetime=240m
>   keylife=60m
>   pfs=yes
>   compress=no
>   authby=secret
>   auto=ignore
> 
> (...)
> ==========================================================================================
> ==========================================================================================
> ==========================================================================================
> 
> 
> 
> ========================================================================================
> =========================== ipsec.secrets FILE (FreeSWAN side) =========================
> ========================================================================================
> W.X.Y.Z A.B.C.D : PSK "0xSOME-CENSORED-JEANNOT-CHRISTIAN-SECRET"
> W.W.Y.Z E.F.G.H : PSK "0xSOME-CENSORED-JEANNOT-FRANCK-SECRET"
> ========================================================================================
> ========================================================================================
> ========================================================================================
> 
> 
> 
> ========================================================================================
> ======================= COMPLETE ipsec barf output (FreeSWAN side) =====================
> ============ obtained RIGHT after INVALID_PAYLOAD_TYPE error message output ============
> ========================================================================================
> (see attached TXT file - or contact me to obtain it if you can't get 
> access to it)
> ========================================================================================
> ========================================================================================
> ========================================================================================
> 
> 
> 
> So this is it.... I SINCERELY HOPE that ALL of this info might help...
> Feel free to contact me at "jeannot12 AT linuxmail DOT org" for any 
> questions.
> 
> 
> Merry Christmas and best wishes for the upcoming new year to all of you,
> 
> ____________________________________________________________________________________
> ____________________________________________________________________________________
> ____________________________________________________________________________________
> ____________________________________________________________________________________
> 
> 
> Good luck John,
> 
> 
> If you ever succeed in making this work, please send some feedback to me 
> and/or the FreeSWAN mailing lists; that would be GREATLY appreciated by 
> everybody.
> 
> 
> Regards,
> 
> -- 
> Jeannot Langlois
> B. Sc.  Computer Science / B. Sc.  Informatique
> Software Developer / Programmeur-Analyste
> System/Network Administrator / Administrateur Système/Réseau
> 
> 
> 
> 
> 


-- 
--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--
Nick Mossie: ld at initiated.com  ICQ : 801765  AIM : LDeviator
GPG Key ID: 351D415D -=- See http://pgp.mit.edu

"WARNING!  Excessive use of technology may lead to the 
enslavement of mankind." -- SciFi Channel
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
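The thread above ends with a Main Mode exchange that stalls at MI3 and two configurations that were compared by hand. As an added example (my own code, not from Nick, Jeannot or the FreeS/WAN project), here is a small Python checker that parses the conn block from ipsec.conf and the entries in ipsec.secrets, verifies that a PSK is indexed by exactly the conn's left/right addresses (pluto looks the secret up by that pair), converts ikelifetime/keylife to seconds and compares them with the lifetimes typed into the Linksys Phase 1/Phase 2 screens, and reads the numbered pluto status lines to report where phase 1 stopped. The sample config, secret and log are constructed from the ones quoted in the thread (conn name and addresses from Nick's config, the log lines from Jeannot's report, with the conn name swapped); PEER_PHASE1_LIFETIME and PEER_PHASE2_LIFETIME are the 3600-second values shown on the Linksys screen. A lifetime difference is reported as something to align while debugging, not as a proven cause.

```python
"""Cross-check a FreeS/WAN PSK conn, ipsec.secrets and a pluto log (added example)."""
import re

# Constructed sample inputs modelled on the configs and log quoted in the thread.
IPSEC_CONF = """\
version 2.0
config setup
conn here_to_nick
        right=9.8.7.6       # (public IP on linksys)
        rightsubnet=192.168.4.0/24
        left=1.2.3.4        # (public IP on freeswan)
        leftsubnet=192.168.2.0/24
        leftnexthop=1.2.3.5
        ikelifetime=240m
        keylife=60m
        authby=secret
        auto=start
"""
IPSEC_SECRETS = '1.2.3.4 9.8.7.6: PSK "somepassword"\n'
PLUTO_LOG = """\
104 "here_to_nick" #1: STATE_MAIN_I1: initiate
106 "here_to_nick" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "here_to_nick" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "here_to_nick" #1: ignoring informational payload, type INVALID_PAYLOAD_TYPE
010 "here_to_nick" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
031 "here_to_nick" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""
# Key lifetimes (seconds) as entered on the Linksys Phase 1 / Phase 2 screens.
PEER_PHASE1_LIFETIME = 3600
PEER_PHASE2_LIFETIME = 3600


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf text; '#' comments are stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # section header: version / config / conn
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if parts[0] == "conn" else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Return [(frozenset(index_ids), kind)] for each 'ids : KIND ...' line."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]*?)\s*:\s*(\w+)\s", line)
        if m:
            entries.append((frozenset(m.group(1).split()), m.group(2)))
    return entries


def to_seconds(value):
    """Convert an ipsec.conf time such as 60m, 240m, 1h or 3600 to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    unit = value[-1] if value[-1] in units else "s"
    return int(value.rstrip("smhd")) * units[unit]


def last_state(log):
    """Return (last STATE_* token, last 3-digit status code) from pluto output."""
    state = code = None
    for line in log.splitlines():
        m = re.match(r"(\d{3}) ", line)
        if not m:
            continue
        code = m.group(1)
        s = re.search(r"STATE_[A-Z0-9_]+", line)
        if s:
            state = s.group(0)
    return state, code


def check(conf_text, secrets_text, log_text, conn_name):
    """Return a list of findings for one conn; an empty list means nothing looked wrong."""
    findings = []
    conn = parse_conns(conf_text)[conn_name]
    ids = frozenset([conn["left"], conn["right"]])
    # Pluto selects the PSK by the pair of endpoint IDs, so both must appear in the index.
    if conn.get("authby") == "secret" and not any(
            idx == ids and kind == "PSK" for idx, kind in parse_secrets(secrets_text)):
        findings.append("no PSK in ipsec.secrets indexed by both %s and %s"
                        % (conn["left"], conn["right"]))
    for key, peer in (("ikelifetime", PEER_PHASE1_LIFETIME), ("keylife", PEER_PHASE2_LIFETIME)):
        if key in conn and to_seconds(conn[key]) != peer:
            findings.append("%s=%s (%ds) differs from the peer's %ds; worth aligning while debugging"
                            % (key, conn[key], to_seconds(conn[key]), peer))
    state, code = last_state(log_text)
    if code == "031" and state == "STATE_MAIN_I3":
        # With PSK auth in Main Mode the keys protecting MI3 derive from the PSK, so a
        # wrong secret on either side means the peer cannot even decrypt MI3.
        findings.append("phase 1 stalled at STATE_MAIN_I3: peer never accepted MI3 "
                        "(first encrypted message); check PSK and IDs on both ends")
    return findings


if __name__ == "__main__":
    for finding in check(IPSEC_CONF, IPSEC_SECRETS, PLUTO_LOG, "here_to_nick"):
        print("-", finding)
```

Run against the sample it reports two findings: the ikelifetime of 240m (14400 s) differs from the 3600 s on the Linksys Phase 1 screen, and the log stalled at STATE_MAIN_I3. Swapping in a secrets line whose index does not match the conn's left/right addresses adds a third finding, which is the kind of mismatch that is easy to overlook when the secrets file holds several censored entries.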

