[Openswan Users]
openswan connection problems with x509 certificates
Marius.Lindberg at hiMolde.no
Wed Aug 3 10:18:00 CEST 2005
Test system is running Debian Sarge, using Openswan with X.509 certificates. Client is Windows XP SP2 using Marcus Müller's ipsec utility.
The problem is that we apparently get a tunnel established, but we can't connect to/contact the openswan server or the other network. When we try to ping any of the interfaces on the openswan box we only get a timeout, but we see the attempt in the auth.log. There is no firewall running on the box, and ip_forwarding and masquerading are turned on.
Our test scenario:
{ROADWARRIOR 192.168.100.25} --> {GW 192.168.100.1 --> 192.168.200.1} --> {OPENSWAN 192.168.200.30} --> {INTERNAL 10.0.0.1}
OpenSwan Config (ipsec.conf; parameter lines must be indented under their section, and the third virtual_private entry was mistyped as "v%4:", corrected here to "%v4:"):
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.200.0/24
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior
conn roadwarrior-net
        leftsubnet=192.168.200.0/24
        also=roadwarrior
conn roadwarrior
        left=%defaultroute
        leftcert=athene.misi.no.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
include /etc/ipsec.d/examples/no_oe.conf
Windows client configuration:
conn roadwarrior
        left=%any
        right=192.168.200.30
        rightca=XXXXXXXXXXX
        network=auto
        auto=start
        pfs=yes
conn roadwarrior-net
        left=%any
        right=192.168.200.30
        rightsubnet=192.168.100.0/255.255.255.0
        rightca=XXXXXXXXXXX
        network=auto
        auto=start
        pfs=yes
The log file (one entry per line):
Aug 2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: responding to Main Mode from unknown peer 192.168.100.25
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: transition from state (null) to state STATE_MAIN_R1
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: Peer ID is ID_DER_ASN1_DN: 'C=NO, L=Molde, O=Minerva, CN=Minerva, E=marius at misi.no'
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: deleting connection "roadwarrior" instance with peer 192.168.100.25 {isakmp=#0/ipsec=#0}
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: I am sending my cert
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: sent MR3, ISAKMP SA established
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: responding to Quick Mode
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: transition from state (null) to state STATE_QUICK_R1
Aug 2 13:46:41 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 2 13:46:41 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: IPsec SA established {ESP=>0xd63ddf02 <0x94c8cdaa}
Aug 2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA(0xd63ddf02) payload: deleting IPSEC State #2
Aug 2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received and ignored informational message
Aug 2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA payload: deleting ISAKMP State #1
Aug 2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25: deleting connection "roadwarrior" instance with peer 192.168.100.25 {isakmp=#0/ipsec=#0}
Aug 2 13:47:14 athene pluto[3856]: packet from 192.168.100.25:500: received and ignored informational message
Aug 2 13:47:28 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 2 13:47:28 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 2 13:47:28 athene pluto[3856]: packet from 192.168.100.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: responding to Main Mode from unknown peer 192.168.100.25
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: transition from state (null) to state STATE_MAIN_R1
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: Peer ID is ID_DER_ASN1_DN: 'C=NO, L=Molde, O=Minerva, CN=Minerva, E=marius at misi.no'
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: deleting connection "roadwarrior" instance with peer 192.168.100.25 {isakmp=#0/ipsec=#0}
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: I am sending my cert
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: sent MR3, ISAKMP SA established
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: responding to Quick Mode
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: transition from state (null) to state STATE_QUICK_R1
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: IPsec SA established {ESP=>0x5c974f13 <0x57ffc1af}
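Added example, not part of the original post or of Openswan: a small parser for pluto log entries in the format quoted above. It pulls out, per peer, the certificate DN the peer authenticated with, the ESP SPIs of each IPsec SA, and how long an SA lived before the peer's Delete payload tore it down; on the posted log this shows both IKE phases completing and the client deleting the SA about half a minute later, so the auth.log alone does not point at a negotiation failure. The sample lines are constructed from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the pluto/auth.log format shown in the post (one entry per line).
SAMPLE_LOG = """\
Aug 2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: Peer ID is ID_DER_ASN1_DN: 'C=NO, L=Molde, O=Minerva, CN=Minerva, E=marius at misi.no'
Aug 2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: sent MR3, ISAKMP SA established
Aug 2 13:46:41 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: IPsec SA established {ESP=>0xd63ddf02 <0x94c8cdaa}
Aug 2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA(0xd63ddf02) payload: deleting IPSEC State #2
Aug 2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA payload: deleting ISAKMP State #1
"""

# syslog prefix, then pluto's '"conn"[instance] peer #sa: message' shape
LINE_RE = re.compile(r'^\w{3} +\d+ (?P<t>\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
ESP_RE = re.compile(r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)\}')
DEL_RE = re.compile(r'received Delete SA(?:\((?P<spi>0x[0-9a-f]+)\))? payload: '
                    r'deleting (?P<kind>IPSEC|ISAKMP) State #(?P<sa>\d+)')
DN_RE = re.compile(r"Peer ID is ID_DER_ASN1_DN: '(?P<dn>[^']*)'")

def _secs(hhmmss):
    h, m, s = map(int, hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def summarize(log):
    """Per peer IP: authenticated cert DN, ESP SPIs per IPsec SA, and
    (sa, seconds alive) for each IPsec SA the peer deleted."""
    peers = defaultdict(lambda: {"dn": None, "ipsec_sa": {}, "deleted": []})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:          # "packet from ..." lines carry no connection/SA context
            continue
        rec, msg, sa = peers[m["peer"]], m["msg"], int(m["sa"])
        if (d := DN_RE.search(msg)):
            rec["dn"] = d["dn"]
        elif (e := ESP_RE.search(msg)):
            rec["ipsec_sa"][sa] = {"out": e["out"], "in": e["in"], "up": _secs(m["t"])}
        elif (x := DEL_RE.search(msg)) and x["kind"] == "IPSEC":
            victim = int(x["sa"])
            up = rec["ipsec_sa"].get(victim, {}).get("up")
            rec["deleted"].append((victim, None if up is None else _secs(m["t"]) - up))
    return dict(peers)

if __name__ == "__main__":
    for peer, rec in summarize(SAMPLE_LOG).items():
        print(peer, rec["dn"])
        for sa, info in rec["ipsec_sa"].items():
            print(f"  SA #{sa}: ESP out {info['out']} in {info['in']}")
        for sa, lifetime in rec["deleted"]:
            print(f"  SA #{sa} deleted by peer after {lifetime}s")
```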