[Openswan Users] Problems connecting to office LAN

Ted Kaczmarek tedkaz at optonline.net
Tue Nov 23 21:00:43 CET 2004


On Tue, 2004-11-23 at 11:19 -0700, Cory S wrote:
> Hi all,
> 
> I've been working with this for weeks trying to get it to work but
> I've finally given up and decided to ask the experts. Here is my
> layout:
> 
> home               DSL modem/gateway                 Symantec firewall      work
> 192.168.1.2 -------- 192.168.1.1/xxx.xxx.xxx.xxx ====== xxx.xxx.xxx.xxx ----------- 192.168.169.149
> 
> I can connect just fine from Windows with the Symantec client but I
> would like to connect with Linux using openswan (installed v. 2.2.0).
> And yes, I got my settings from Andreas' mail post.
> 
> Here is the config from Symantec's client:
> 
> Tunnel Summary
> Security gateway: xxx.xxx.xxx.xxx
> Tunnel name:
> IP address:          192.168.169.0
> Network Mask:      255.255.255.0
> Tunnel state:        Connected
> VPN policy:          Custom
> 
> Tunnel Settings
> IPSec protocol:    ESP
> Data integrity:      MD5
> Data privacy:       DES
> Compression:       Any
> Encapsulation:     Tunnel
> Diffie-Hellman:      None
> Data volume limit: 2100000
> Lifetime timeout:    480
> Inactivity timeout:   0
> 
> My ipsec.secrets
> @#ID_IN_HEX <firewall address> : PSK "SECRET_IN_DECIMAL"
> 
> My ipsec.conf
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=all
>         # plutodebug=dns
>         interfaces=%defaultroute
>         klipsdebug=all
>         plutodebug=all
>         nat_traversal=yes
> 
> # Equis connection
> conn conn1
>         type=           tunnel
>         left=           192.168.1.2
>         leftsubnet=     192.168.1.0/0
>         leftnexthop=    192.168.1.1
>         leftid=@#637363686d696474
>         right=          204.246.137.26
>         rightsubnet=    192.168.169.0/0
>         keyexchange=    ike
>         authby=         secret
>         auth=           esp
>         auto=           add
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> I start things up with the following commands:
> ipsec pluto
> ipsec auto --add conn1
> ipsec auto --ready
> ipsec auto --up conn1
> 
> And get this in auth.log:
> 
> Nov 22 18:42:37 kashmir pluto[2939]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
> Nov 22 18:42:37 kashmir pluto[2939]:   including NAT-Traversal patch (Version 0.6c) [disabled]
> Nov 22 18:42:37 kashmir pluto[2939]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Nov 22 18:42:37 kashmir pluto[2939]: Using Linux 2.6 IPsec interface code
> Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/cacerts'
> Nov 22 18:42:37 kashmir pluto[2939]: Could not change to directory '/etc/ipsec.d/aacerts'
> Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/ocspcerts'
> Nov 22 18:42:37 kashmir pluto[2939]: Changing to directory '/etc/ipsec.d/crls'
> Nov 22 18:42:37 kashmir pluto[2939]:   Warning: empty directory
> Nov 22 18:42:50 kashmir pluto[2939]: added connection description "conn1"
> Nov 22 18:42:58 kashmir pluto[2939]: listening for IKE messages
> Nov 22 18:42:58 kashmir pluto[2939]: adding interface lo/lo 127.0.0.1
> Nov 22 18:42:58 kashmir pluto[2939]: adding interface eth0/eth0 192.168.1.2
> Nov 22 18:42:58 kashmir pluto[2939]: adding interface lo/lo ::1
> Nov 22 18:42:58 kashmir pluto[2939]: loading secrets from "/etc/ipsec.secrets"
> Nov 22 18:43:04 kashmir pluto[2939]: "conn1" #1: initiating Main Mode
> Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: ignoring informational payload, type PAYLOAD_MALFORMED
> Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: received and ignored informational message
> 
> Can anyone help?
> 
> Thanks!

Openswan does not support single DES, as it should. Make sure the
Symantec is doing 3DES.

If you do a tcpdump do you see it getting to phase 2?

I don't see any policy in your Symantec config to correlate to
your Openswan as well. How does the Symantec know to match
192.168.1.0/24?

Have never defined leftid, does the Symantec require that?

What do the logs on the Symantec tell you?

What does ipsec barf on the Openswan tell you?

I would ask the Symantec admin to set you up with policies to match your
proposals.


Good Luck,

Ted
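The reply's questions (does the peer accept the proposal, does the subnet policy match, how far did IKE get) can be checked mechanically against what was posted. The script below is an added example, not Openswan code and not from either poster: it parses the quoted conn section and Symantec tunnel summary, flags the `/0` subnet masks (a `/0` prefix covers every address, so `192.168.1.0/0` does not describe the 192.168.1.0/24 LAN the reply asks about; Python's `ipaddress` rejects it as having host bits set), flags the single-DES setting the reply says Openswan will not negotiate, and summarises phase 1 and phase 2 progress from the pluto log. The sample config and log lines are copied from the post; the `ISAKMP SA established` and `IPsec SA established` markers used to detect a completed phase 1 and phase 2 are assumed pluto wording and do not appear in the quoted log, which is the point: it never gets past `initiating Main Mode`.

```python
"""Sanity checks for the ipsec.conf, Symantec tunnel settings and pluto
log quoted in the thread. Added example, not part of Openswan."""
import ipaddress
import re

# Constructed from the post: the conn section as plain text.
IPSEC_CONF = """\
conn conn1
        type=           tunnel
        left=           192.168.1.2
        leftsubnet=     192.168.1.0/0
        leftnexthop=    192.168.1.1
        leftid=@#637363686d696474
        right=          204.246.137.26
        rightsubnet=    192.168.169.0/0
        keyexchange=    ike
        authby=         secret
        auth=           esp
        auto=           add
"""

# Constructed from the post: the Symantec client's Tunnel Settings.
SYMANTEC_TUNNEL = {
    "IPSec protocol": "ESP",
    "Data integrity": "MD5",
    "Data privacy": "DES",
    "Encapsulation": "Tunnel",
    "Diffie-Hellman": "None",
}

# Constructed from the post: the auth.log lines that matter, rejoined.
AUTH_LOG = [
    'Nov 22 18:43:04 kashmir pluto[2939]: "conn1" #1: initiating Main Mode',
    "Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: "
    "ignoring informational payload, type PAYLOAD_MALFORMED",
    "Nov 22 18:43:04 kashmir pluto[2939]: packet from xxx.xxx.xxx.xxx:500: "
    "received and ignored informational message",
]


def parse_conn(text):
    """Return {option: value} for a conn section, tolerating the padding
    after '=' that the posted file uses."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def check_subnets(opts):
    """Return the leftsubnet/rightsubnet values whose prefix length does not
    fit the address given. strict=True makes ipaddress raise for a prefix
    with host bits set, which is what 192.168.1.0/0 is: /0 means every
    address, not the 192.168.1.x LAN the author wants to protect."""
    bad = {}
    for key in ("leftsubnet", "rightsubnet"):
        value = opts.get(key)
        if value is None:
            continue
        try:
            ipaddress.ip_network(value, strict=True)
        except ValueError:
            bad[key] = value
    return bad


def check_peer_proposal(tunnel):
    """Compare the Symantec side's settings with the reply's advice: Openswan
    will not negotiate single DES, so the gateway policy needs 3DES."""
    issues = []
    if tunnel.get("Data privacy", "").upper() == "DES":
        issues.append("Data privacy is single DES; Openswan will not "
                      "negotiate it, ask the firewall admin for 3DES")
    return issues


def ike_progress(lines):
    """Summarise how far IKE got from pluto log lines. The 'established'
    markers are assumed pluto wording for a completed phase 1 / phase 2."""
    summary = {"phase1_initiated": False, "phase1_established": False,
               "phase2_established": False, "peer_informationals": []}
    for line in lines:
        if "initiating Main Mode" in line:
            summary["phase1_initiated"] = True
        if "ISAKMP SA established" in line:
            summary["phase1_established"] = True
        if "IPsec SA established" in line:
            summary["phase2_established"] = True
        m = re.search(r"ignoring informational payload, type (\w+)", line)
        if m:
            summary["peer_informationals"].append(m.group(1))
    return summary


if __name__ == "__main__":
    print("subnet problems:", check_subnets(parse_conn(IPSEC_CONF)))
    print("proposal issues:", check_peer_proposal(SYMANTEC_TUNNEL))
    print("IKE progress:", ike_progress(AUTH_LOG))
```

Run against the posted material it reports both subnets as malformed, the DES mismatch, and an IKE exchange that was initiated but never reached an established ISAKMP SA, with the peer answering only a PAYLOAD_MALFORMED informational, which matches the reply's suspicion that the two sides' proposals and policies do not line up.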