[Openswan Users] Openswan on Fedora Core3 won't connect to FreeSwan hardware device....

Donovan J. Edye donovan at edyeweb.com
Tue Nov 23 21:17:42 CET 2004


G'Day,

- Apologies for the long post, but most of it is logs and config information
- Can someone point me in the right direction to get this going please?
- All suggestions welcome, and I can provide more debugging data if required.

I have the following LAN config:

FedoraBox : 192.168.40.3  (GateWay:  192.168.40.1)
GateWayBox : 192.168.40.1 and connected to the Net. It just does a passthrough of IPSEC
RemoteIPSecDeviceRunningFreeSwan: Public Internet Address and on network 192.168.42.0/24

Now in essence I am attempting to set up a tunnel between FedoraBox and
RemoteIPSecDeviceRunningFreeSwan so that I can access the 192.168.42.0/24
network securely from my 192.168.40.0/24 network. However, when I attempt to
start the connection using:

ipsec auto --up Namadgi

On FedoraBox I see:

104 "Namadgi" #1245: STATE_MAIN_I1: initiate
003 "Namadgi" #1245: ignoring Vendor ID payload [Dead Peer Detection]
106 "Namadgi" #1245: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Namadgi" #1245: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Namadgi" #1245: STATE_MAIN_I4: ISAKMP SA established
112 "Namadgi" #1246: STATE_QUICK_I1: initiate
003 "Namadgi" #1246: ERROR: netlink response for Add SA
comp.4608 at 192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 20s for
response
003 "Namadgi" #1246: ERROR: netlink response for Add SA
comp.4608 at 192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 40s for
response
003 "Namadgi" #1246: ERROR: netlink response for Add SA
comp.4608 at 192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
031 "Namadgi" #1246: max number of retransmissions (2) reached
STATE_QUICK_I1.  No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
000 "Namadgi" #1246: starting keying attempt 2 of an unlimited number, but
releasing whack

On RemoteIPSecDeviceRunningFreeSwan I see:

Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: using deflate
compression 
Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: responding to
Quick Mode 
Nov 23 21:03:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding
duplicate packet; already STATE_QUICK_R1 
Nov 23 21:03:33 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5543: max number of
retransmissions (2) reached STATE_QUICK_R1 
Nov 23 21:03:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding
duplicate packet; already STATE_QUICK_R1 
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: using deflate
compression 
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: responding to
Quick Mode 
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: max number of
retransmissions (2) reached STATE_QUICK_R1 
Nov 23 21:04:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: discarding
duplicate packet; already STATE_QUICK_R1 
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: using deflate
compression 
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: responding to
Quick Mode 
Nov 23 21:05:40 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: max number of
retransmissions (2) reached STATE_QUICK_R1 
Nov 23 21:05:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: discarding
duplicate packet; already STATE_QUICK_R1 

So it looks like the phase 1 part succeeds but not phase 2. Here is the
relevant config information from the FedoraBox:

[root at moe ~]# uname -va
Linux moe.home.local 2.6.9-1.678_FC3 #1 Mon Nov 15 18:28:07 EST 2004 i686
i686 i386 GNU/Linux

[root at moe ~]# ipsec --version
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)

[root at moe ~]# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.40.3
000 %myid = (none)
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "Namadgi":
192.168.40.0/24===192.168.40.3[203.21x.xx.xx,S=C]---192.168.40.1...192.168.42.5---203.26.xx.xx[S=C]===192.168.42.0/24
; unrouted; eroute owner: #0
000 "Namadgi":   ike_life: 18000s; ipsec_life: 3600s; rekey_margin: 60s;
rekey_fuzz: 50%; keyingtries: 0
000 "Namadgi":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP; prio:
24,24; interface: eth0;
000 "Namadgi":   newest ISAKMP SA: #1245; newest IPsec SA: #0;
000
000 #1251: "Namadgi" STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 4s
000 #1245: "Namadgi" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE_IF_USED in 17566s; newest ISAKMP
000

[root at moe ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [OK]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: moe.home.local
[MISSING]
   Does the machine have at least one non-private address?
[FAILED]

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all


# Add connections here.
conn Namadgi
       type=tunnel
       left=192.168.40.3
       leftsubnet=192.168.40.0/24
       leftnexthop=192.168.40.1
       right=203.26.16.136
       rightsubnet=192.168.42.0/24
       rightnexthop=192.168.42.5
       keyexchange = ike
       authby = secret
       auth = esp
       keyingtries = 0
       pfs = yes
       esp = 3DES-SHA1
       ikelifetime = 300m
       keylife = 60m
       compress = yes
       rekey = no
       leftid = somehost.somedomain.com
       rightid = 203.26.xx.xx
       rekeyfuzz = 50%
       rekeymargin = 1m

--Donovan
www.edyeweb.com
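A small log triage helper, added here as an example and not part of the original post or of Openswan itself: it parses the `ipsec auto --up` output quoted above (the sample is embedded with the mail's line wraps rejoined, and mailman's " at " spelling of "@" is accepted alongside "@") and separates the phase 1 (ISAKMP) outcome from the phase 2 (Quick Mode) outcome. It isolates the local netlink "Add SA" refusal and which SA protocol the kernel rejected (here `comp`, i.e. IPComp, matching the COMPRESS policy flag in the whack status), so the admin knows which local setting to examine before looking at the peer's proposal. The mapping from SA protocol to ipsec.conf setting is the example's own, and the verdict strings are the example's wording, not Openswan messages.

```python
import re

# Constructed sample input: the initiator-side output quoted in the post
# above, with the mail's line wraps rejoined. Not a live capture.
SAMPLE_OUTPUT = """\
104 "Namadgi" #1245: STATE_MAIN_I1: initiate
003 "Namadgi" #1245: ignoring Vendor ID payload [Dead Peer Detection]
106 "Namadgi" #1245: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Namadgi" #1245: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Namadgi" #1245: STATE_MAIN_I4: ISAKMP SA established
112 "Namadgi" #1246: STATE_QUICK_I1: initiate
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608 at 192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608 at 192.168.40.3 included errno 22: Invalid argument
031 "Namadgi" #1246: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# One pluto/whack status line: numeric code, connection name, state number, message.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Main Mode states belong to phase 1, Quick Mode states to phase 2.
STATE_RE = re.compile(r'\b(STATE_(?:MAIN|QUICK)_[IR]\d)\b')
# Kernel (netlink) refusal to install an SA. Mailman rewrites "@" as " at ",
# so both spellings are accepted.
ADD_SA_RE = re.compile(
    r'netlink response for Add SA (?P<proto>[a-z]+)\.(?P<spi>\d+)(?:@| at )'
    r'(?P<addr>\S+) included errno (?P<errno>\d+)(?:: (?P<strerror>.*))?')

# Example's own mapping: which ipsec.conf setting asks pluto for each SA protocol.
PROTO_TO_SETTING = {
    "comp": "compress=yes (IPComp)",
    "esp": "esp= / auth=esp",
    "ah": "ah= / auth=ah",
}


def diagnose(text):
    """Classify an 'ipsec auto --up' transcript into phase 1 / phase 2 outcome
    and any local kernel SA install errors. Returns a plain dict."""
    result = {
        "conn": None,
        "phase1_state": None,
        "phase1_established": False,
        "phase2_state": None,
        "phase2_established": False,
        "kernel_sa_errors": [],
        "verdict": "",
    }
    seen_errors = set()  # retransmissions repeat the same error; report it once
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        result["conn"] = result["conn"] or m.group("conn")
        msg = m.group("msg")
        st = STATE_RE.search(msg)
        if st:
            state = st.group(1)
            if state.startswith("STATE_MAIN_"):
                result["phase1_state"] = state
            else:
                result["phase2_state"] = state
        if "ISAKMP SA established" in msg:
            result["phase1_established"] = True
        if "IPsec SA established" in msg:
            result["phase2_established"] = True
        err = ADD_SA_RE.search(msg)
        if err:
            key = (err.group("proto"), err.group("spi"), err.group("addr"),
                   int(err.group("errno")))
            if key not in seen_errors:
                seen_errors.add(key)
                result["kernel_sa_errors"].append({
                    "proto": key[0], "spi": key[1], "addr": key[2],
                    "errno": key[3], "strerror": err.group("strerror") or "",
                })
    result["verdict"] = _verdict(result)
    return result


def _verdict(r):
    """Turn the parsed facts into a one-line triage statement (example wording)."""
    if not r["phase1_established"]:
        return "phase 1 (ISAKMP) never completed; last state %s" % r["phase1_state"]
    if r["kernel_sa_errors"]:
        e = r["kernel_sa_errors"][0]
        setting = PROTO_TO_SETTING.get(e["proto"], "unknown setting")
        return ("phase 2 fails on this host: the kernel refused to install the %s SA "
                "for %s (errno %d %s); review %s on the local side before the peer's "
                "proposal" % (e["proto"], e["addr"], e["errno"], e["strerror"], setting))
    if not r["phase2_established"]:
        return ("phase 2 did not complete and no local kernel error was logged; "
                "last state %s" % r["phase2_state"])
    return "ISAKMP and IPsec SAs established"


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_OUTPUT).items():
        print("%-20s %s" % (k, v))
```

Run it against a saved transcript with `python3 triage.py < /dev/null` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; the useful distinction it draws is between a phase 2 failure that originates in the local kernel (an errno in the netlink reply, before any peer involvement) and one where the peer simply never accepts the proposal.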
