[Openswan Users] Client not accepting proposals openswan receives fine
ljane at xs4all.nl
Tue Sep 14 16:58:11 CEST 2004
Here below is the output of 'ipsec barf'. I tried to play a bit with
setting algorithms manually but it did not help.
I tested it with a couple of clients, which are: thegreenbow 2.50, ssh sentinel
1.3.22 and 1.4 and Safenet/Softremote 9.2.1.
With all those clients I'm getting the same crap: client does not accept
proposal from server, server does accept proposal from client.
You will see below also a log file from softremote -> openswan 2.2.0dr4.
I also tried to set it up with strongswan 2.2.0 but it kept giving me the same
crap :) I also tried switching between algorithms e.g. 3des, aes128, aes256
and several combinations with the hash algorithms, sha1 and md5, and
nothing, the problem still exists.
My kernel is a self-compiled 2.4.27 static kernel on Slackware 10 with no
modules enabled; I used the kernel patch to install
the klips module with both strongswan and openswan.
So that's the story of the setup which would not, could not work.. :) I hope
somebody could point me to a solution.
Safenet/Softremote -> openswan 2.2.0dr4:
Sep 14 15:34:07 hallo pluto[7336]: packet from 192.168.128.21:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 14 15:34:07 hallo pluto[7336]: packet from 192.168.128.21:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 0
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1:
responding to Main Mode from unknown peer 192.168.128.21
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1:
transition from state (null) to state STATE_MAIN_R1
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1:
ignoring Vendor ID payload
[47bbe7c993f1fc13b4e6d0db565c68e501020101020101030f392e322e312028...]
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1:
ignoring Vendor ID payload [da8e937880010000]
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1:
ignoring Vendor ID payload [XAUTH]
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1: Peer
ID is ID_DER_ASN1_DN: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX,
OU=IPSEC Machines, CN=flappy.tux'
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[1] 192.168.128.21 #1: no crl
from issuer "C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL, CN=TUX
Private Primary Certification Authority" found (strict=no)
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
deleting connection "wtux-tux" instance with peer 192.168.128.21
{isakmp=#0/ipsec=#0}
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1: I am
sending my cert
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1: sent
MR3, ISAKMP SA established
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #2:
responding to Quick Mode
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #2:
transition from state (null) to state STATE_QUICK_R1
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #2: IPsec
SA established {ESP=>0x2e29f531 <0x5d14e227}
Sep 14 15:35:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #3:
initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #2
{using isakmp#1}
Sep 14 15:35:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 14 15:35:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
received and ignored informational message
Sep 14 15:35:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 14 15:35:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
received and ignored informational message
Sep 14 15:35:17 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #2: IPsec
SA expired (LATEST!)
Sep 14 15:35:18 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #4:
initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS {using isakmp#1}
Sep 14 15:35:18 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 14 15:35:18 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
received and ignored informational message
Sep 14 15:35:28 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 14 15:35:28 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
received and ignored informational message
Sep 14 15:35:32 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 14 15:35:32 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
received and ignored informational message
Sep 14 15:35:48 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 14 15:35:48 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
received and ignored informational message
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
initiating Main Mode to replace #1
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
ignoring Vendor ID payload
[47bbe7c993f1fc13b4e6d0db565c68e501020101020101030f392e322e312028...]
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
ignoring Vendor ID payload [da8e937880010000]
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
ignoring Vendor ID payload [XAUTH]
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5: I am
sending my cert
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5: I am
sending a certificate request
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5: Peer
ID is ID_DER_ASN1_DN: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX,
OU=IPSEC Machines, CN=flappy.tux'
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5: no crl
from issuer "C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL, CN=TUX
Private Primary Certification Authority" found (strict=no)
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5: ISAKMP
SA established
Sep 14 15:36:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1:
received Delete SA payload: deleting ISAKMP State #1
Sep 14 15:36:02 hallo pluto[7336]: packet from 192.168.128.21:500:
received and ignored informational message
Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #3: max
number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal
Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #3:
starting keying attempt 2 of an unlimited number
Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #6:
initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #3
{using isakmp#5}
Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
received and ignored informational message
Sep 14 15:36:15 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5:
received Delete SA payload: deleting ISAKMP State #5
Sep 14 15:36:15 hallo pluto[7336]: packet from 192.168.128.21:500:
received and ignored informational message
Kernel config options:
CONFIG_IPSEC=y
CONFIG_IPSEC_IPIP=y
CONFIG_IPSEC_AH=y
CONFIG_IPSEC_AUTH_HMAC_MD5=y
CONFIG_IPSEC_AUTH_HMAC_SHA1=y
CONFIG_IPSEC_ESP=y
CONFIG_IPSEC_ENC_3DES=y
CONFIG_IPSEC_ENC_AES=y
CONFIG_IPSEC_ALG=y
CONFIG_IPSEC_ALG_AES=y
# CONFIG_IPSEC_ALG_CRYPTOAPI is not set <- I do not have that module so
it seemed pointless to add it and not useful for what I want to achieve
CONFIG_IPSEC_IPCOMP=y
CONFIG_IPSEC_DEBUG=y
CONFIG_IPSEC_NAT_TRAVERSAL=y
ipsec barf output (changed some ip addresses, because I'm paranoid):
Unable to find Pluto messages, typically found in /var/log/secure or
equivalent. You may need to run Openswan for the first time;
alternatively, your log files have been emptied (ie, logwatch) or we do
not understand your logging configuration.
hallo
Tue Sep 14 15:34:18 CEST 2004
+ _________________________ version
+ ipsec --version
Linux Openswan 2.2.0dr4 (klips)
See `ipsec --copyright' for copyright information.
+ _________________________ proc/version
+ cat /proc/version
Linux version 2.4.27 (root at hallo) (gcc version 3.3.4) #4 Tue Sep 14
02:33:30 CEST 2004
+ _________________________ proc/net/ipsec_eroute
+ test -r /proc/net/ipsec_eroute
+ sort -sg +3 /proc/net/ipsec_eroute
0 0.0.0.0/0 -> 192.168.128.21/32 =>
tun0x1002 at 192.168.128.21
+ _________________________ netstat-rn
+ netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
192.168.128.21 192.168.128.21 255.255.255.255 UGH 0 0 0
ipsec2
192.168.128.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.128.0 0.0.0.0 255.255.255.0 U 0 0 0
ipsec2
xxx.xxx.xxx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.127.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 xxx.xxx.xxx.xxx 0.0.0.0 UG 0 0 0 eth0
+ _________________________ proc/net/ipsec_spi
+ test -r proc/net/ipsec_spi
+ _________________________ proc/net/ipsec_spigrp
+ test -r /proc/net/ipsec_spigrp
+ cat /proc/net/ipsec_spigrp
tun0x1002 at 192.168.128.21 esp0x2e29f531 at 192.168.128.21
tun0x1001 at 192.168.128.1 esp0x5d14e227 at 192.168.128.1
+ _________________________ proc/net/ipsec_tncfg
+ test -r /proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> NULL mtu=0(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> eth2 mtu=16260(1500) -> 1500
ipsec3 -> NULL mtu=0(0) -> 0
+ _________________________ proc/net/pfkey
+ test -r /proc/net/pfkey
+ _________________________ proc/sys/net/ipsec-star
+ test -d /proc/sys/net/ipsec
+ cd /proc/sys/net/ipsec
+ egrep '^' debug_ah debug_eroute debug_esp debug_ipcomp debug_netlink
debug_pfkey debug_radij debug_rcv debug_spi debug_tunnel debug_verbose
debug_xform icmp inbound_policy_check tos
debug_ah:0
debug_eroute:0
debug_esp:0
debug_ipcomp:0
debug_netlink:0
debug_pfkey:0
debug_radij:0
debug_rcv:0
debug_spi:0
debug_tunnel:0
debug_verbose:0
debug_xform:0
icmp:1
inbound_policy_check:1
tos:1
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface ipsec2/eth2 192.168.128.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168,
keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_ID9,
keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "wtux-tux": 0.0.0.0/0===192.168.128.1[C=WL, ST=Wonder-State,
L=Wonder-City, O=TUX, OU=IPSEC Machines, CN=hallo.tux]...%any; unrouted;
eroute owner: #0
000 "wtux-tux": CAs: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX,
OU=SSL, CN=TUX Private Primary Certification Authority'...'C=WL,
ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL, CN=TUX Private Primary
Certification Authority'
000 "wtux-tux": ike_life: 130s; ipsec_life: 70s; rekey_margin: 30s;
rekey_fuzz: 100%; keyingtries: 0
000 "wtux-tux": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 0,32;
interface: eth2;
000 "wtux-tux": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "wtux-tux": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5,
5_000-2-2, flags=-strict
000 "wtux-tux": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
5_192-2_160-5, 5_192-2_160-2,
000 "wtux-tux": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "wtux-tux": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "wtux-tux"[2]: 0.0.0.0/0===192.168.128.1[C=WL, ST=Wonder-State,
L=Wonder-City, O=TUX, OU=IPSEC Machines,
CN=hallo.tux]...192.168.128.21[C=WL, ST=Wonder-State, L=Wonder-City,
O=TUX, OU=IPSEC Machines, CN=flappy.tux]; erouted; eroute owner: #2
000 "wtux-tux"[2]: CAs: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX,
OU=SSL, CN=TUX Private Primary Certification Authority'...'C=WL,
ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL, CN=TUX Private Primary
Certification Authority'
000 "wtux-tux"[2]: ike_life: 130s; ipsec_life: 70s; rekey_margin: 30s;
rekey_fuzz: 100%; keyingtries: 0
000 "wtux-tux"[2]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
0,32; interface: eth2;
000 "wtux-tux"[2]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "wtux-tux"[2]: IKE algorithms wanted: 5_000-1-5, 5_000-1-2,
5_000-2-5, 5_000-2-2, flags=-strict
000 "wtux-tux"[2]: IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2,
5_192-2_160-5, 5_192-2_160-2,
000 "wtux-tux"[2]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "wtux-tux"[2]: ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "wtux-tux"[2]: ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "wtux-tux"[2]: ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "wtux-tux"[2] 192.168.128.21 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 44s; newest IPSEC; eroute owner
000 #2: "wtux-tux"[2] 192.168.128.21 esp.2e29f531 at 192.168.128.21
esp.5d14e227 at 192.168.128.1 tun.1002 at 192.168.128.21 tun.1001 at 192.168.128.1
000 #1: "wtux-tux"[2] 192.168.128.21 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 104s; newest ISAKMP
000
+ _________________________ ifconfig-a
+ ifconfig -a
eth0 Link encap:Ethernet HWaddr FF:FF:FF:FF:FF:FF
inet addr:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxx.255
Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2970 errors:0 dropped:0 overruns:0 frame:0
TX packets:2831 errors:0 dropped:0 overruns:0 carrier:0
collisions:1 txqueuelen:1000
RX bytes:1851850 (1.7 Mb) TX bytes:341552 (333.5 Kb)
Interrupt:11 Base address:0xb000
eth1 Link encap:Ethernet HWaddr 00:50:FC:23:26:A6
inet addr:192.168.127.1 Bcast:192.168.127.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18113 errors:0 dropped:0 overruns:0 frame:0
TX packets:21647 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1752942 (1.6 Mb) TX bytes:2963360 (2.8 Mb)
Interrupt:10 Base address:0xd000
eth2 Link encap:Ethernet HWaddr 00:50:BF:5A:28:27
inet addr:192.168.128.1 Bcast:192.168.128.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3071 errors:0 dropped:0 overruns:0 frame:0
TX packets:3441 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:540185 (527.5 Kb) TX bytes:1779810 (1.6 Mb)
Interrupt:11 Base address:0xf000
ipsec0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:Ethernet HWaddr 00:50:BF:5A:28:27
inet addr:192.168.128.1 Mask:255.255.255.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:1303 errors:0 dropped:0 overruns:0 frame:0
TX packets:2216 errors:0 dropped:17 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:145027 (141.6 Kb) TX bytes:1589168 (1.5 Mb)
ipsec3 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:511 errors:0 dropped:0 overruns:0 frame:0
TX packets:511 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:67132 (65.5 Kb) TX bytes:67132 (65.5 Kb)
tunl0 Link encap:IPIP Tunnel HWaddr
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.2.0dr4 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets)
[FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: hallo
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: xxx.xxx.xxx.xxx.in-addr.arpa.
[MISSING]
+ _________________________ mii-tool
+ '[' -x /sbin/mii-tool ']'
+ /sbin/mii-tool -v
eth0: autonegotiation failed, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
eth2: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/lib/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
hallo.tux
+ _________________________ hostname/ipaddress
+ hostname --ip-address
192.168.127.1
+ _________________________ uptime
+ uptime
15:34:18 up 1:54, 5 users, load average: 0.33, 0.08, 0.02
+ _________________________ ps
+ ps alxwf
+ egrep -i 'ppid|pluto|ipsec|klips'
F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND
0 0 7469 238 17 0 2400 1252 wait4 S+ pts/0 0:00 |
\_ /bin/sh /usr/libexec/ipsec/barf
1 0 7556 7469 17 0 2400 1252 - R+ pts/0 0:00 |
\_ /bin/sh /usr/libexec/ipsec/barf
4 0 6646 1015 9 0 6300 2560 select S+ pts/3 0:00 |
\_ mcedit /etc/ipsec.conf
1 0 7325 1 9 0 2040 996 wait4 S pts/4 0:00 /bin/sh
/usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend
--strictcrlpolicy --nat_traversal no --keep_alive --force_keepalive
--disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri
--dump --opts --stderrlog --wait no --pre --post --log daemon.warn
--pid /var/run/pluto.pid
1 0 7329 7325 9 0 2040 1004 wait4 S pts/4 0:00 \_
/bin/sh /usr/lib/ipsec/_plutorun --debug none --uniqueids yes --nocrsend
--strictcrlpolicy --nat_traversal no --keep_alive --force_keepalive
--disable_port_floating --virtual_private --crlcheckinterval 0 --ocspuri
--dump --opts --stderrlog --wait no --pre --post --log daemon.warn
--pid /var/run/pluto.pid
4 0 7336 7329 9 0 2300 1220 select S pts/4 0:00 | \_
/usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets
--ipsecdir /etc/ipsec.d --debug-none --uniqueids
0 0 7338 7336 9 0 1392 256 select S pts/4 0:00 |
\_ _pluto_adns
0 0 7330 7325 8 0 2016 968 pipe_w S pts/4 0:00 \_
/bin/sh /usr/lib/ipsec/_plutoload --wait no --post
0 0 7326 1 9 0 1328 360 pipe_w S pts/4 0:00 logger
-s -p daemon.warn -t ipsec__plutorun
+ _________________________ ipsec/showdefaults
+ ipsec showdefaults
# no default route
+ _________________________ ipsec/conf
+ ipsec _include /etc/ipsec.conf
+ ipsec _keycensor
#< /etc/ipsec.conf 1
version 2.0
config setup
klipsdebug=none
plutodebug=none
interfaces="ipsec2=eth2"
nat_traversal=no
uniqueids=yes
syslog=daemon.warn
conn %default
authby=rsasig
ikelifetime=130s
keylife=70s
keyingtries=0
rekey=yes
rekeymargin=30s
rekeyfuzz=100%
compress=yes
pfs=yes
conn wtux-tux
auto=add
left=192.168.128.1
leftrsasigkey=%cert
leftcert=public_server.pem
leftsubnet=0.0.0.0/0.0.0.0
right=%any
rightrsasigkey=%cert
rightca="C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL, CN=TUX
Private Primary Certification Authority"
#< /etc/ipsec.d/examples/no_oe.conf 1
# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.1 2004/01/20 19:24:23 sam Exp $
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
#> /etc/ipsec.conf 33
+ _________________________ ipsec/secrets
+ ipsec _include /etc/ipsec.secrets
+ ipsec _secretcensor
#< /etc/ipsec.secrets 1
: RSA key_server.pem "[sums to 4528...]"
+ _________________________ ipsec/listall
+ ipsec auto --listall
000
000 List of Public Keys:
000
000 Sep 14 15:34:07 2004, 1024 RSA Key AwEAAZkKH, until Sep 12 21:02:25
2006 ok
000 ID_DER_ASN1_DN 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX,
OU=IPSEC Machines, CN=flappy.tux'
000 Issuer 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL,
CN=TUX Private Primary Certification Authority'
000 Sep 14 15:33:49 2004, 2048 RSA Key AwEAAc2Jq, until Sep 12 21:01:26
2006 ok
000 ID_DER_ASN1_DN 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX,
OU=IPSEC Machines, CN=hallo.tux'
000 Issuer 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL,
CN=TUX Private Primary Certification Authority'
000
000 List of X.509 End Certificates:
000
000 Sep 14 15:33:49 2004, count: 2
000 subject: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=IPSEC
Machines, CN=hallo.tux'
000 issuer: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL,
CN=TUX Private Primary Certification Authority'
000 serial: 01
000 pubkey: 2048 RSA Key AwEAAc2Jq, has private key
000 validity: not before Sep 12 21:01:26 2004 ok
000 not after Sep 12 21:01:26 2006 ok
000 subjkey:
99:91:85:b5:66:17:e3:76:0e:3c:1c:81:51:dc:37:ea:f2:58:6e:53
000 authkey:
2a:f9:5e:62:b5:76:2b:4a:7c:d5:aa:83:d3:e3:cb:f8:fb:51:59:df
000 aserial: 00
000
000 List of X.509 CA Certificates:
000
000 Sep 14 15:33:49 2004, count: 1
000 subject: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL,
CN=TUX Private Primary Certification Authority'
000 issuer: 'C=WL, ST=Wonder-State, L=Wonder-City, O=TUX, OU=SSL,
CN=TUX Private Primary Certification Authority'
000 serial: 00
000 pubkey: 2048 RSA Key AwEAAeiww
000 validity: not before Sep 12 20:57:53 2004 ok
000 not after Sep 07 20:57:53 2024 ok
000 subjkey:
2a:f9:5e:62:b5:76:2b:4a:7c:d5:aa:83:d3:e3:cb:f8:fb:51:59:df
000 authkey:
2a:f9:5e:62:b5:76:2b:4a:7c:d5:aa:83:d3:e3:cb:f8:fb:51:59:df
000 aserial: 00
+ '[' /etc/ipsec.d/policies ']'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of CIDRs (network/mask-length) to which
# communication should never be allowed.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: block.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption. This behaviour is also called "Opportunistic Responder".
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: clear-or-private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# communication should always be private (i.e. encrypted).
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private.in,v 1.4 2003/02/17 02:22:15 mcr Exp $
#
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be private, if possible, but in the clear otherwise.
#
# If the target has a TXT (later IPSECKEY) record that specifies
# authentication material, we will require private (i.e. encrypted)
# communications. If no such record is found, communications will be
# in the clear.
#
# See /usr/share/doc/openswan/policygroups.html for details.
#
# $Id: private-or-clear.in,v 1.5 2003/02/17 02:22:15 mcr Exp $
#
0.0.0.0/0
+ _________________________ ipsec/ls-libdir
+ ls -l /usr/lib/ipsec
total 140
-rwxr-xr-x 1 root root 15403 Sep 14 13:34 _confread
-rwxr-xr-x 1 root root 48261 Sep 14 13:34 _copyright
-rwxr-xr-x 1 root root 2379 Sep 14 13:34 _include
-rwxr-xr-x 1 root root 1475 Sep 14 13:34 _keycensor
-rwxr-xr-x 1 root root 3586 Sep 14 13:34 _plutoload
-rwxr-xr-x 1 root root 7167 Sep 14 13:34 _plutorun
-rwxr-xr-x 1 root root 10493 Sep 14 13:34 _realsetup
-rwxr-xr-x 1 root root 1975 Sep 14 13:34 _secretcensor
-rwxr-xr-x 1 root root 9016 Sep 14 13:34 _startklips
-rwxr-xr-x 1 root root 12313 Sep 14 13:34 _updown
-rwxr-xr-x 1 root root 7572 Sep 14 13:34 _updown_x509
-rwxr-xr-x 1 root root 1942 Sep 14 13:34 ipsec_pr.template
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
total 4760
-rwxr-xr-x 1 root root 72051 Sep 14 13:34 _pluto_adns
-rwxr-xr-x 1 root root 19220 Sep 14 13:34 auto
-rwxr-xr-x 1 root root 10248 Sep 14 13:34 barf
-rwxr-xr-x 1 root root 816 Sep 14 13:34 calcgoo
-rwxr-xr-x 1 root root 321605 Sep 14 13:34 eroute
-rwxr-xr-x 1 root root 189650 Sep 14 13:34 klipsdebug
-rwxr-xr-x 1 root root 2461 Sep 14 13:34 look
-rwxr-xr-x 1 root root 7124 Sep 14 13:34 mailkey
-rwxr-xr-x 1 root root 16188 Sep 14 13:34 manual
-rwxr-xr-x 1 root root 1874 Sep 14 13:34 newhostkey
-rwxr-xr-x 1 root root 173505 Sep 14 13:34 pf_key
-rwxr-xr-x 1 root root 2666353 Sep 14 13:34 pluto
-rwxr-xr-x 1 root root 52105 Sep 14 13:34 ranbits
-rwxr-xr-x 1 root root 84479 Sep 14 13:34 rsasigkey
-rwxr-xr-x 1 root root 766 Sep 14 13:34 secrets
-rwxr-xr-x 1 root root 17578 Sep 14 13:34 send-pr
lrwxrwxrwx 1 root root 15 Sep 14 13:34 setup -> /etc/rc.d/ipsec
-rwxr-xr-x 1 root root 1048 Sep 14 13:34 showdefaults
-rwxr-xr-x 1 root root 4364 Sep 14 13:34 showhostkey
-rwxr-xr-x 1 root root 510546 Sep 14 13:34 spi
-rwxr-xr-x 1 root root 260494 Sep 14 13:34 spigrp
-rwxr-xr-x 1 root root 51665 Sep 14 13:34 tncfg
-rwxr-xr-x 1 root root 10195 Sep 14 13:34 verify
-rwxr-xr-x 1 root root 231900 Sep 14 13:34 whack
+ _________________________ ipsec/updowns
++ ls /usr/libexec/ipsec
++ egrep updown
+ _________________________ proc/net/dev
+ cat /proc/net/dev
Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes
packets errs drop fifo colls carrier compressed
lo: 68094 523 0 0 0 0 0 0 68094
523 0 0 0 0 0 0
eth0: 1852018 2971 0 0 0 0 0 0 341649
2832 0 0 0 1 0 0
eth1: 1753032 18114 0 0 0 0 0 0 2963526
21649 0 0 0 0 0 0
eth2: 540245 3072 0 0 0 0 0 0 1779810
3441 0 0 0 0 0 0
tunl0: 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
ipsec0: 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
ipsec1: 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
ipsec2: 145027 1303 0 0 0 0 0 0 1589168
2216 0 17 0 0 0 0
ipsec3: 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0
+ _________________________ proc/net/route
+ cat /proc/net/route
Iface Destination Gateway Flags RefCnt Use Metric
Mask MTU Window IRTT
ipsec2 1580A8C0 1580A8C0 0007 0 0 0
FFFFFFFF 0 0 0
eth2 0080A8C0 00000000 0001 0 0 0
00FFFFFF 0 0 0
ipsec2 0080A8C0 00000000 0001 0 0 0
00FFFFFF 0 0 0
eth0 00B2A152 00000000 0001 0 0 0
00FFFFFF 0 0 0
eth1 007FA8C0 00000000 0001 0 0 0
00FFFFFF 0 0 0
lo 0000007F 00000000 0001 0 0 0
000000FF 0 0 0
eth0 00000000 FEB2A152 0003 0 0 0
00000000 0 0 0
+ _________________________ proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ egrep '^' all/rp_filter default/rp_filter eth0/rp_filter eth1/rp_filter
eth2/rp_filter ipsec2/rp_filter lo/rp_filter
all/rp_filter:0
default/rp_filter:0
eth0/rp_filter:0
eth1/rp_filter:0
eth2/rp_filter:0
ipsec2/rp_filter:0
lo/rp_filter:0
+ _________________________ uname-a
+ uname -a
Linux hallo 2.4.27 #4 Tue Sep 14 02:33:30 CEST 2004 i686 unknown unknown
GNU/Linux
+ _________________________ config-built-with
+ test -r /proc/config_built_with
+ _________________________ redhat-release
+ test -r /etc/redhat-release
+ test -r /etc/fedora-release
+ _________________________ proc/net/ipsec_version
+ test -r /proc/net/ipsec_version
+ cat /proc/net/ipsec_version
Openswan version: 2.2.0dr4
+ _________________________ ipfwadm
+ test -r /sbin/ipfwadm
+ 'no old-style linux 1.x/2.0 ipfwadm firewall support'
/usr/libexec/ipsec/barf: line 288: no old-style linux 1.x/2.0 ipfwadm
firewall support: No such file or directory
+ _________________________ ipchains
+ test -r /sbin/ipchains
+ echo 'no old-style linux 2.0 ipchains firewall support'
no old-style linux 2.0 ipchains firewall support
+ _________________________ iptables
+ test -r /sbin/iptables
+ test -r /sbin/ipchains
+ _________________________ proc/modules
+ test -f /proc/modules
+ echo 'kernel without module support'
kernel without module support
+ _________________________ proc/meminfo
+ cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 527364096 187424768 339939328 0 24600576 124002304
Swap: 1916448768 0 1916448768
MemTotal: 515004 kB
MemFree: 331972 kB
MemShared: 0 kB
Buffers: 24024 kB
Cached: 121096 kB
SwapCached: 0 kB
Active: 23096 kB
Inactive: 147392 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 515004 kB
LowFree: 331972 kB
SwapTotal: 1871532 kB
SwapFree: 1871532 kB
+ _________________________ proc/net/ipsec-ls
+ test -f /proc/net/ipsec_version
+ ls -l /proc/net/ipsec_eroute /proc/net/ipsec_klipsdebug
/proc/net/ipsec_spi /proc/net/ipsec_spigrp /proc/net/ipsec_tncfg
/proc/net/ipsec_version
lrwxrwxrwx 1 root root 16 Sep 14 15:34 /proc/net/ipsec_eroute ->
ipsec/eroute/all
lrwxrwxrwx 1 root root 16 Sep 14 15:34 /proc/net/ipsec_klipsdebug ->
ipsec/klipsdebug
lrwxrwxrwx 1 root root 13 Sep 14 15:34 /proc/net/ipsec_spi -> ipsec/spi/all
lrwxrwxrwx 1 root root 16 Sep 14 15:34 /proc/net/ipsec_spigrp ->
ipsec/spigrp/all
lrwxrwxrwx 1 root root 11 Sep 14 15:34 /proc/net/ipsec_tncfg -> ipsec/tncfg
lrwxrwxrwx 1 root root 13 Sep 14 15:34 /proc/net/ipsec_version ->
ipsec/version
+ _________________________ usr/src/linux/.config
+ test -f /proc/config.gz
++ uname -r
+ test -f /lib/modules/2.4.27/build/.config
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ _________________________ etc/syslog.conf
+ cat /etc/syslog.conf
cat: /etc/syslog.conf: No such file or directory
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
nameserver 192.168.127.1
search tux
+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
ls: /lib/modules: No such file or directory
+ _________________________ proc/ksyms-netif_rx
+ test -r /proc/ksyms
+ test -r /proc/kallsyms
+ echo 'broken (redhat/fedora) 2.6 kernel without kallsyms'
broken (redhat/fedora) 2.6 kernel without kallsyms
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
ls: /lib/modules: No such file or directory
+ _________________________ kern.debug
+ test -f /var/log/kern.debug
+ _________________________ klog
+ sed -n '120,$p' /var/log/dmesg
+ egrep -i 'ipsec|klips|pluto'
+ cat
klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version:
2.2.0dr4
klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
+ _________________________ plog
+ sed -n '1,$p' /dev/null
+ egrep -i pluto
+ cat
+ _________________________ date
+ date
Tue Sep 14 15:34:19 CEST 2004
> On Mon, 13 Sep 2004 ljane at xs4all.nl wrote:
>
>> the client is setup to use aes256 with sha hash algorithm. when the SA
>> expires on the server and openswan proposes to the client the client
>> does not accept one.
>> buttt when the SA expires on the client and it proposes to the server
>> the server accepts the proposal.
>>
>> Very funny and weird, maybe someone could lighten up a bit about this,
>> maybe I oversee something?
>
> It will be easier to say what happens if you provide us with some debug
> information you can obtain running 'ipsec barf'.
>
> Probably what is happening is that the proposals are not symmetrical.
> The offer of the client is accepted by openswan, but the proposal from
> openswan, which one would expect to be the same as the one it got
> earlier, is rejected by the client. But when the client's SA expires,
> it becomes the same as a 'new' connection.
> Another possibility is that Openswan might be accepting an aggressive
> mode (instead of main mode) exchange, but Openswan itself will not
> start with aggressive mode.
>
> This could be a bug in either openswan or the client. But an ipsec barf
> output could show this.
>
> Paul
>
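The asymmetry Paul describes can be read straight off the pluto log. Below is an added example (not from the original post and not Openswan code) that classifies each Quick Mode exchange by role, counts the NO_PROPOSAL_CHOSEN notifications pluto received while it was the initiator, and collects the policy flags pluto proposed so they can be compared with what the client is configured to accept; the sample lines are constructed by re-joining the wrapped log lines quoted above.

```python
"""Classify IKE Quick Mode outcomes by role from Openswan pluto log lines."""
import re
from collections import Counter
from dataclasses import dataclass, field

# pluto prefixes connection messages with: "conn"[instance] peer #sa: text
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
INIT_RE = re.compile(r"initiating Quick Mode (?P<policy>[A-Z+]+)")


@dataclass
class QuickModeSummary:
    responder_attempts: int = 0       # peer proposed, we answered
    responder_established: int = 0
    initiator_attempts: int = 0       # we proposed (rekey / replace)
    initiator_established: int = 0
    initiator_rejections: int = 0     # NO_PROPOSAL_CHOSEN notifies received
    initiator_timeouts: int = 0       # retransmit limit hit waiting for QM reply
    proposed_policies: Counter = field(default_factory=Counter)

    def asymmetric(self) -> bool:
        """True when the peer's proposals succeed but ours never do."""
        return (self.responder_established > 0
                and self.initiator_established == 0
                and (self.initiator_rejections + self.initiator_timeouts) > 0)


def summarize(lines):
    s = QuickModeSummary()
    role = {}  # Quick Mode SA number -> "initiator" | "responder"
    for line in lines:
        m = STATE_RE.search(line)
        if not m:
            continue  # e.g. "packet from ...:500: received and ignored ..."
        sa, msg = int(m["sa"]), m["msg"]
        im = INIT_RE.match(msg)
        if msg.startswith("responding to Quick Mode"):
            role[sa] = "responder"
            s.responder_attempts += 1
        elif im:
            role[sa] = "initiator"
            s.initiator_attempts += 1
            s.proposed_policies[im["policy"]] += 1
        elif msg.startswith("IPsec SA established"):
            if role.get(sa) == "initiator":
                s.initiator_established += 1
            elif role.get(sa) == "responder":
                s.responder_established += 1
        elif "type NO_PROPOSAL_CHOSEN" in msg:
            # pluto logs the peer's notify against the ISAKMP SA (#1), not the
            # Quick Mode SA it answers, so it is counted per notification.
            s.initiator_rejections += 1
        elif "No acceptable response to our first Quick Mode message" in msg:
            s.initiator_timeouts += 1
    return s


def diagnose(s: QuickModeSummary) -> str:
    if s.asymmetric():
        pols = ", ".join(sorted(s.proposed_policies))
        return ("asymmetric: peer-initiated Quick Mode succeeded, pluto-initiated "
                "Quick Mode was rejected; compare proposed policy [%s] against the "
                "client's configured proposal" % pols)
    return "no role asymmetry detected"


# Constructed sample: wrapped lines from the quoted pluto log, re-joined.
SAMPLE_LOG = [
    'Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #2: responding to Quick Mode',
    'Sep 14 15:34:07 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #2: IPsec SA established {ESP=>0x2e29f531 <0x5d14e227}',
    'Sep 14 15:35:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #2 {using isakmp#1}',
    'Sep 14 15:35:02 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    'Sep 14 15:35:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    'Sep 14 15:35:18 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS {using isakmp#1}',
    'Sep 14 15:35:18 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    'Sep 14 15:36:02 hallo pluto[7336]: packet from 192.168.128.21:500: received and ignored informational message',
    'Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal',
    'Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #6: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #3 {using isakmp#5}',
    'Sep 14 15:36:12 hallo pluto[7336]: "wtux-tux"[2] 192.168.128.21 #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    print(diagnose(summary))
```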