[Openswan Users]

giovanni.m@agilemovement.it
Fri Jun 18 09:45:18 CEST 2004

Hello,

I think I managed to do some karma damage to my VPN by bragging that it worked.

This VPN connection has been up for two months. All of a sudden, it stopped
routing packets from A (nat'd gateway and its subnet) to B. From ipsec barf,
everything looks OK:

Gateway A:

Jun 18 10:10:07 milano pluto[3124]: adding interface ipsec0/eth1 192.168.0.1
Jun 18 10:10:07 milano pluto[3124]: adding interface ipsec0/eth1 192.168.0.1:4500
Jun 18 10:10:07 milano pluto[3124]: loading secrets from "/etc/ipsec.secrets"
Jun 18 10:10:07 milano pluto[3124]:   loaded private key file '/etc/ipsec.d/private/swanKey.pem' (1683 bytes)
Jun 18 10:10:07 milano pluto[3124]: "milano-roma" #1: initiating Main Mode
Jun 18 10:10:07 milano pluto[3124]: "milano-roma" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 18 10:10:07 milano pluto[3124]: "milano-roma" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it'
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #1: Issuer CRL not found
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #1: ISAKMP SA established
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #2: sent QI2, IPsec SA established

Everything looks fine on Gateway B too:

Jun 18 10:10:39 roma pluto[11517]: "milano-roma"[2] 81.208.125.56 #3: Issuer CRL not found
Jun 18 10:10:39 roma pluto[11517]: | Public key validated
Jun 18 10:10:39 roma pluto[11517]: | CR
Jun 18 10:10:39 roma pluto[11517]: | requested CA: '%any'
Jun 18 10:10:39 roma pluto[11517]: | offered CA: 'C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it'
Jun 18 10:10:39 roma pluto[11517]: | required CA is '%any'
Jun 18 10:10:39 roma pluto[11517]: | key issuer CA is 'C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax_fox, E=administrator@cofax.it'
Jun 18 10:10:39 roma pluto[11517]: | an RSA Sig check passed with *AwEAAbICq [preloaded key]
Jun 18 10:10:39 roma pluto[11517]: | signing hash with RSA Key *AwEAAdGi+
Jun 18 10:10:39 roma pluto[11517]: | NAT-T: new mapping 81.208.125.56:500/4500)
Jun 18 10:10:39 roma pluto[11517]: | inserting event EVENT_SA_REPLACE, timeout in 14130 seconds for #3
Jun 18 10:10:39 roma pluto[11517]: "milano-roma"[2] 81.208.125.56:4500 #3: sent MR3, ISAKMP SA established
Jun 18 10:10:39 roma pluto[11517]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Jun 18 10:10:39 roma pluto[11517]: |

<...snip...>

Jun 18 10:10:40 roma pluto[11517]: | route owner of "milano-roma" CK_INSTANCE unrouted: NULL; eroute owner: NULL
Jun 18 10:10:40 roma pluto[11517]: | route owner of "milano-roma" CK_INSTANCE unrouted: NULL; eroute owner: NULL
Jun 18 10:10:40 roma pluto[11517]: | add eroute 10.10.15.0/24:0 -> 192.168.0.1/32:0 => tun.1004@81.208.125.56:0
Jun 18 10:10:40 roma pluto[11517]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='milano-roma' PLUTO_NEXT_HOP='83.103.20.249' PLUTO_INTERFACE='ipsec0' PLUTO_ME='83.103.20.250' PLUTO_MY_ID='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it' PLUTO_MY_CLIENT='10.10.15.0/24' PLUTO_MY_CLIENT_NET='10.10.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='81.208.125.56' PLUTO_PEER_ID='C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, E=administrator@cofax.it' PLUTO_PEER_CLIENT='192.168.0.1/32' PLUTO_PEER_CLIENT_NET='192.168.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it' ipsec _updown
Jun 18 10:10:40 roma pluto[11517]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='milano-roma' PLUTO_NEXT_HOP='83.103.20.249' PLUTO_INTERFACE='ipsec0' PLUTO_ME='83.103.20.250' PLUTO_MY_ID='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it' PLUTO_MY_CLIENT='10.10.15.0/24' PLUTO_MY_CLIENT_NET='10.10.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='81.208.125.56' PLUTO_PEER_ID='C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, E=administrator@cofax.it' PLUTO_PEER_CLIENT='192.168.0.1/32' PLUTO_PEER_CLIENT_NET='192.168.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it' ipsec _updown
Jun 18 10:10:40 roma pluto[11517]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='milano-roma' PLUTO_NEXT_HOP='83.103.20.249' PLUTO_INTERFACE='ipsec0' PLUTO_ME='83.103.20.250' PLUTO_MY_ID='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it' PLUTO_MY_CLIENT='10.10.15.0/24' PLUTO_MY_CLIENT_NET='10.10.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='81.208.125.56' PLUTO_PEER_ID='C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, E=administrator@cofax.it' PLUTO_PEER_CLIENT='192.168.0.1/32' PLUTO_PEER_CLIENT_NET='192.168.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it' ipsec _updown
Jun 18 10:10:40 roma pluto[11517]: | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #4
Jun 18 10:10:40 roma pluto[11517]: "milano-roma"[2] 81.208.125.56:4500 #4: IPsec SA established
Jun 18 10:10:40 roma pluto[11517]: | next event EVENT_NAT_T_KEEPALIVE in 19 seconds
Jun 18 10:10:59 roma pluto[11517]: |
Jun 18 10:10:59 roma pluto[11517]: | *time to handle event
Jun 18 10:10:59 roma pluto[11517]: | event after this is EVENT_SHUNT_SCAN in 44 seconds
Jun 18 10:10:59 roma pluto[11517]: | next event EVENT_SHUNT_SCAN in 44 seconds

But pings, traceroutes, etc. from A to B are dead.

The crazy thing is I posted my working ipsec.conf files to the list last
night. Nothing has changed since then except that this morning the VPN isn't
working.

Here are my ipsec.conf files:

Gateway A

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes

conn %default
        #keyingretries=0
        leftid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, Email=administrator@cofax.it"
        left=192.168.0.1
        leftnexthop=192.168.0.254
        disablearrivalcheck=yes
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        rekey=yes
        pfs=yes
        compress=no
        leftcert=certs/swanCert.pem
        auto=start

conn milano-roma
        right=83.103.20.250
        rightsubnet=10.10.15.0/24
        rightid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator@cofax.it"
        authby=rsasig
        rightrsasigkey=%cert
        leftrsasigkey=%cert
        auto=start
        pfs=yes

Gateway B

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug="parsing control"
        plutoload=%search
        plutostart=%search
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:1.1.206.0/24,%v4:10.10.14.0/24

# Global connection defaults

conn %default
        #keyingretries=0
        disablearrivalcheck=yes
        authby=rsasig
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        rekey=yes
        pfs=yes
        compress=no
        left=83.103.20.250
        leftnexthop=83.103.20.249
        leftsubnet=10.10.15.0/24
        leftrsasigkey=%cert
        leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator@cofax.it"
        leftcert=certs/swanCert.pem
        auto=add

conn milano-roma
        type=tunnel
        leftsubnet=10.10.15.0/24
        right=%any
        rightrsasigkey=%cert
        rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, Email=administrator@cofax.it"
        auto=add
        rightsubnet=vhost:%no,%priv

Any ideas? Thank you in advance.
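An added example, not part of the post above and not Openswan code: a small parser for the two Gateway B debug lines quoted in the post (the KLIPS "add eroute" line and the "executing up-client" _updown invocation). It recovers the negotiated traffic selectors (PLUTO_MY_CLIENT / PLUTO_PEER_CLIENT) and reports which local/remote address pairs the established SA actually covers, which is the first thing to check when the SA is up but traffic does not flow. The log text is copied from the post with the mail wrapping removed; the test hosts 10.10.15.10 and 192.168.0.100 are hypothetical.

```python
"""Which source/destination pairs do the traffic selectors in a pluto debug log cover?"""
import ipaddress
import re
import shlex

# Constructed sample: the two Gateway B lines quoted in the post, rejoined to one line each.
SAMPLE_LOG = """\
Jun 18 10:10:40 roma pluto[11517]: | add eroute 10.10.15.0/24:0 -> 192.168.0.1/32:0 => tun.1004@81.208.125.56:0
Jun 18 10:10:40 roma pluto[11517]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='milano-roma' PLUTO_NEXT_HOP='83.103.20.249' PLUTO_INTERFACE='ipsec0' PLUTO_ME='83.103.20.250' PLUTO_MY_ID='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator@cofax.it' PLUTO_MY_CLIENT='10.10.15.0/24' PLUTO_MY_CLIENT_NET='10.10.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='81.208.125.56' PLUTO_PEER_ID='C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, E=administrator@cofax.it' PLUTO_PEER_CLIENT='192.168.0.1/32' PLUTO_PEER_CLIENT_NET='192.168.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' ipsec _updown
"""

# "add eroute <src>/<len>:<port> -> <dst>/<len>:<port> => <SAID>"
EROUTE_RE = re.compile(
    r"add eroute (?P<src>[\d.]+/\d+):(?P<sport>\d+) -> (?P<dst>[\d.]+/\d+):(?P<dport>\d+) => (?P<said>\S+)"
)
# "executing <verb>: 2>&1 KEY='value' KEY='value' ... ipsec _updown"
UPDOWN_RE = re.compile(r"executing (?P<verb>[\w-]+): 2>&1 (?P<env>.*?) ipsec _updown$")


def parse_eroutes(log_text):
    """Return (src_net, dst_net, said) for every KLIPS 'add eroute' line."""
    found = []
    for line in log_text.splitlines():
        m = EROUTE_RE.search(line)
        if m:
            found.append((ipaddress.ip_network(m["src"]), ipaddress.ip_network(m["dst"]), m["said"]))
    return found


def parse_updown_env(log_text, verb="up-client"):
    """Return the PLUTO_* environment pluto passed to _updown for the given verb.

    shlex.split handles the single-quoted DN values, which contain spaces and commas;
    partition on the first '=' keeps the '=' signs inside the DN intact.
    """
    for line in log_text.splitlines():
        m = UPDOWN_RE.search(line)
        if m and m["verb"] == verb:
            env = {}
            for token in shlex.split(m["env"]):
                key, _, value = token.partition("=")
                env[key] = value
            return env
    return {}


def sa_covers(my_client, peer_client, local_ip, remote_ip):
    """True if a packet between local_ip (this gateway's side) and remote_ip (peer side) matches the selectors."""
    return (ipaddress.ip_address(local_ip) in ipaddress.ip_network(my_client)
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(peer_client))


def coverage_report(log_text, pairs):
    """Map each (local, remote) pair to whether the up-client selectors in the log cover it."""
    env = parse_updown_env(log_text)
    return {pair: sa_covers(env["PLUTO_MY_CLIENT"], env["PLUTO_PEER_CLIENT"], *pair) for pair in pairs}


if __name__ == "__main__":
    for src, dst, said in parse_eroutes(SAMPLE_LOG):
        print(f"eroute {src} -> {dst} via {said}")
    # Hypothetical hosts: 10.10.15.10 behind B, A's gateway address, and 192.168.0.100 on A's LAN.
    pairs = [("10.10.15.10", "192.168.0.1"), ("10.10.15.10", "192.168.0.100")]
    for (local, remote), ok in coverage_report(SAMPLE_LOG, pairs).items():
        print(f"{local} <-> {remote}: {'covered' if ok else 'NOT covered'}")
```

Run against the quoted lines, the report shows that only 192.168.0.1/32 is inside the peer selector, so a packet from any other address behind Gateway A would not match this SA's eroute; that is what to compare against the traffic that actually fails before suspecting certificates or NAT-T.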