[Openswan Users]
giovanni.m at agilemovement.it
Fri Jun 18 09:45:18 CEST 2004
Hello,
I think I managed to do some karma damage to my VPN by bragging that it worked.
This VPN connection has been up for two months. All of a sudden, it stopped
routing packets from A (nat'd gateway and its subnet) to B. From ipsec barf,
everything looks OK:
Gateway A:
Jun 18 10:10:07 milano pluto[3124]: adding interface ipsec0/eth1 192.168.0.1
Jun 18 10:10:07 milano pluto[3124]: adding interface ipsec0/eth1 192.168.0.1:4500
Jun 18 10:10:07 milano pluto[3124]: loading secrets from "/etc/ipsec.secrets"
Jun 18 10:10:07 milano pluto[3124]: loaded private key file
'/etc/ipsec.d/private/swanKey.pem' (1683 bytes)
Jun 18 10:10:07 milano pluto[3124]: "milano-roma" #1: initiating Main Mode
Jun 18 10:10:07 milano pluto[3124]: "milano-roma" #1: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03]
Jun 18 10:10:07 milano pluto[3124]: "milano-roma" #1: NAT-Traversal: Result
using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma,
CN=roma_cofax, E=administrator at cofax.it'
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #1: Issuer CRL not found
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #1: ISAKMP SA established
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
Jun 18 10:10:08 milano pluto[3124]: "milano-roma" #2: sent QI2, IPsec SA
established
Everything looks fine on Gateway B too:
Jun 18 10:10:39 roma pluto[11517]: "milano-roma"[2] 81.208.125.56 #3: Issuer
CRL not found
Jun 18 10:10:39 roma pluto[11517]: | Public key validated
Jun 18 10:10:39 roma pluto[11517]: | CR
Jun 18 10:10:39 roma pluto[11517]: | requested CA: '%any'
Jun 18 10:10:39 roma pluto[11517]: | offered CA: 'C=IT, ST=Roma, L=Roma,
O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator at cofax.it'
Jun 18 10:10:39 roma pluto[11517]: | required CA is '%any'
Jun 18 10:10:39 roma pluto[11517]: | key issuer CA is 'C=IT, ST=Roma, L=Roma,
O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax_fox, E=administrator at cofax.it'
Jun 18 10:10:39 roma pluto[11517]: | an RSA Sig check passed with *AwEAAbICq
[preloaded key]
Jun 18 10:10:39 roma pluto[11517]: | signing hash with RSA Key *AwEAAdGi+
Jun 18 10:10:39 roma pluto[11517]: | NAT-T: new mapping 81.208.125.56:500/4500)
Jun 18 10:10:39 roma pluto[11517]: | inserting event EVENT_SA_REPLACE, timeout
in 14130 seconds for #3
Jun 18 10:10:39 roma pluto[11517]: "milano-roma"[2] 81.208.125.56:4500 #3:
sent MR3, ISAKMP SA established
Jun 18 10:10:39 roma pluto[11517]: | next event EVENT_NAT_T_KEEPALIVE in 20
seconds
Jun 18 10:10:39 roma pluto[11517]: |
<...snip...>
Jun 18 10:10:40 roma pluto[11517]: | route owner of "milano-roma" CK_INSTANCE
unrouted: NULL; eroute owner: NULL
Jun 18 10:10:40 roma pluto[11517]: | route owner of "milano-roma" CK_INSTANCE
unrouted: NULL; eroute owner: NULL
Jun 18 10:10:40 roma pluto[11517]: | add eroute 10.10.15.0/24:0 ->
192.168.0.1/32:0 => tun.1004 at 81.208.125.56:0
Jun 18 10:10:40 roma pluto[11517]: | executing up-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='up-client' PLUTO_CONNECTION='milano-roma' PLUTO_NEXT_HOP='83.103.20.249' PLUTO_INTERFACE='ipsec0' PLUTO_ME='83.103.20.250' PLUTO_MY_ID='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator at cofax.it' PLUTO_MY_CLIENT='10.10.15.0/24' PLUTO_MY_CLIENT_NET='10.10.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='81.208.125.56' PLUTO_PEER_ID='C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, E=administrator at cofax.it' PLUTO_PEER_CLIENT='192.168.0.1/32' PLUTO_PEER_CLIENT_NET='192.168.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator at cofax.it' ipsec _updown
Jun 18 10:10:40 roma pluto[11517]: | executing prepare-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client' PLUTO_CONNECTION='milano-roma' PLUTO_NEXT_HOP='83.103.20.249' PLUTO_INTERFACE='ipsec0' PLUTO_ME='83.103.20.250' PLUTO_MY_ID='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator at cofax.it' PLUTO_MY_CLIENT='10.10.15.0/24' PLUTO_MY_CLIENT_NET='10.10.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='81.208.125.56' PLUTO_PEER_ID='C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, E=administrator at cofax.it' PLUTO_PEER_CLIENT='192.168.0.1/32' PLUTO_PEER_CLIENT_NET='192.168.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator at cofax.it' ipsec _updown
Jun 18 10:10:40 roma pluto[11517]: | executing route-client: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-client' PLUTO_CONNECTION='milano-roma' PLUTO_NEXT_HOP='83.103.20.249' PLUTO_INTERFACE='ipsec0' PLUTO_ME='83.103.20.250' PLUTO_MY_ID='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator at cofax.it' PLUTO_MY_CLIENT='10.10.15.0/24' PLUTO_MY_CLIENT_NET='10.10.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='81.208.125.56' PLUTO_PEER_ID='C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, E=administrator at cofax.it' PLUTO_PEER_CLIENT='192.168.0.1/32' PLUTO_PEER_CLIENT_NET='192.168.0.1' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, E=administrator at cofax.it' ipsec _updown
Jun 18 10:10:40 roma pluto[11517]: | inserting event EVENT_SA_REPLACE, timeout
in 3330 seconds for #4
Jun 18 10:10:40 roma pluto[11517]: "milano-roma"[2] 81.208.125.56:4500 #4:
IPsec SA established
Jun 18 10:10:40 roma pluto[11517]: | next event EVENT_NAT_T_KEEPALIVE in 19
seconds
Jun 18 10:10:59 roma pluto[11517]: |
Jun 18 10:10:59 roma pluto[11517]: | *time to handle event
Jun 18 10:10:59 roma pluto[11517]: | event after this is EVENT_SHUNT_SCAN in
44 seconds
Jun 18 10:10:59 roma pluto[11517]: | next event EVENT_SHUNT_SCAN in 44 seconds
But pings, traceroutes, etc. from A to B are dead.
The crazy thing is I posted my working ipsec.conf files to the list last
night. Nothing has changed since then except that this morning the VPN isn't
working.
Here are my ipsec.conf files:
Gateway A
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
conn %default
    #keyingretries=0
    leftid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, Email=administrator at cofax.it"
    left=192.168.0.1
    leftnexthop=192.168.0.254
    disablearrivalcheck=yes
    authby=rsasig
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    rekey=yes
    pfs=yes
    compress=no
    leftcert=certs/swanCert.pem
    auto=start
conn milano-roma
    right=83.103.20.250
    rightsubnet=10.10.15.0/24
    rightid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator at cofax.it"
    authby=rsasig
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    auto=start
    pfs=yes
Gateway B
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug="parsing control"
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/24,%v4:192.168.0.0/24,%v4:1.1.206.0/24,%v4:10.10.14.0/24
# Global connection defaults
conn %default
    #keyingretries=0
    disablearrivalcheck=yes
    authby=rsasig
    keyexchange=ike
    ikelifetime=240m
    keylife=60m
    rekey=yes
    pfs=yes
    compress=no
    left=83.103.20.250
    leftnexthop=83.103.20.249
    leftsubnet=10.10.15.0/24
    leftrsasigkey=%cert
    leftid="C=IT, ST=Roma, L=Roma, O=Cofax Roma, OU=Cofax Roma, CN=roma_cofax, Email=administrator at cofax.it"
    leftcert=certs/swanCert.pem
    auto=add
conn milano-roma
    type=tunnel
    leftsubnet=10.10.15.0/24
    right=%any
    rightrsasigkey=%cert
    rightid="C=IT, ST=MI, L=Milano, O=cofax roaming user, OU=, CN=new_milano_cert, Email=administrator at cofax.it"
    auto=add
    rightsubnet=vhost:%no,%priv
Any ideas? Thank you in advance.
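The post shows the classic "SA established but no traffic" symptom: both Phase 1 and Phase 2 complete, yet pings fail. One thing a debugger wants to separate quickly is "the tunnel is down" from "the tunnel is up but the flow I am testing does not fall inside the negotiated selectors", because KLIPS only hands packets matching an eroute to the tunnel; anything else is routed (or dropped) in the clear even when the SA is fine. The following checker is an added example, not code from the original post or from Openswan; it parses pluto log lines of the shape quoted above (the sample log embedded below is constructed from the post's own lines) and reports, for a list of source/destination pairs, whether an IPsec SA is up and whether the flow is covered by an "add eroute" selector pair. The helper names (`parse_eroutes`, `established_connections`, `flow_is_covered`, `diagnose`) are my own.

```python
import ipaddress
import re

# Constructed sample input, shaped after the Gateway B lines quoted in the post.
SAMPLE_LOG = """\
Jun 18 10:10:39 roma pluto[11517]: "milano-roma"[2] 81.208.125.56:4500 #3: sent MR3, ISAKMP SA established
Jun 18 10:10:40 roma pluto[11517]: | add eroute 10.10.15.0/24:0 -> 192.168.0.1/32:0 => tun.1004 at 81.208.125.56:0
Jun 18 10:10:40 roma pluto[11517]: "milano-roma"[2] 81.208.125.56:4500 #4: IPsec SA established
"""

# "add eroute <local net>:<port> -> <remote net>:<port> => ..." (pluto debug output)
EROUTE_RE = re.compile(
    r"add eroute (?P<src>\d+\.\d+\.\d+\.\d+/\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+/\d+):\d+"
)
# Matches both the initiator form ('"conn" #2: sent QI2, IPsec SA established')
# and the responder form ('"conn"[2] a.b.c.d:4500 #4: IPsec SA established').
IPSEC_SA_RE = re.compile(r'"(?P<conn>[^"]+)".*#\d+: .*IPsec SA established')


def parse_eroutes(log_text):
    """Collect (local_net, remote_net) selector pairs from 'add eroute' lines."""
    pairs = []
    for line in log_text.splitlines():
        m = EROUTE_RE.search(line)
        if m:
            pairs.append((ipaddress.ip_network(m["src"]), ipaddress.ip_network(m["dst"])))
    return pairs


def established_connections(log_text):
    """Names of connections whose Phase 2 (IPsec SA) completed."""
    names = set()
    for line in log_text.splitlines():
        m = IPSEC_SA_RE.search(line)
        if m:
            names.add(m["conn"])
    return names


def flow_is_covered(pairs, src, dst):
    """True if some selector pair covers src -> dst in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in pairs:
        if (s in local and d in remote) or (s in remote and d in local):
            return True
    return False


def diagnose(log_text, flows):
    """Map each (src, dst) flow to 'no-sa', 'covered' or 'outside-selectors'."""
    pairs = parse_eroutes(log_text)
    up = established_connections(log_text)
    verdicts = {}
    for src, dst in flows:
        if not up or not pairs:
            verdicts[(src, dst)] = "no-sa"
        elif flow_is_covered(pairs, src, dst):
            verdicts[(src, dst)] = "covered"
        else:
            verdicts[(src, dst)] = "outside-selectors"
    return verdicts


if __name__ == "__main__":
    # Gateway A itself, and a hypothetical host behind gateway A.
    flows = [("192.168.0.1", "10.10.15.10"), ("192.168.0.20", "10.10.15.10")]
    for (src, dst), verdict in diagnose(SAMPLE_LOG, flows).items():
        print(f"{src} -> {dst}: {verdict}")
```

Run against the post's own eroute line, the peer selector is the single host 192.168.0.1/32, so a flow from the gateway is reported as covered while a flow from any other address behind it is reported as outside the selectors. Whether that is what is happening here is for the poster to confirm with a ping from each side; the point of the check is that an "IPsec SA established" line alone says nothing about which addresses the tunnel will carry.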