[Openswan Users] openswan connection problems with x509 certificates

Marius.Lindberg at hiMolde.no Marius.Lindberg at hiMolde.no
Wed Aug 3 10:18:00 CEST 2005


Test system is running Debian Sarge. Using Openswan with x.509
certificates. Client is Windows XP SP2 using Marcus Müller's ipsec
utility.

The problem is that we apparently get a tunnel established, but we can't
connect to or contact the openswan server or the other network. When we try
to ping any of the interfaces on the openswan box we only get a timeout, but
we see the attempt in auth.log. There is no firewall running on the box,
and ip_forwarding and masquerading are turned on.

Our test scenario:

{ROADWARRIOR 192.168.100.25} --> {GW 192.168.100.1 --> 192.168.200.1}
--> {OPENSWAN 192.168.200.30} --> {INTERNAL 10.0.0.1}


OpenSwan Config:

version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,v%4:!192.168.200.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-net
        leftsubnet=192.168.200.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=athene.misi.no.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

Windows client configuration:

conn roadwarrior
        left=%any
        right=192.168.200.30
        rightca=XXXXXXXXXXX
        network=auto
        auto=start
        pfs=yes

conn roadwarrior-net
        left=%any
        right=192.168.200.30
        rightsubnet=192.168.100.0/255.255.255.0
        rightca=XXXXXXXXXXX
        network=auto
        auto=start
        pfs=yes

The log file:

Aug  2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug  2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug  2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: responding to Main Mode from unknown peer 192.168.100.25
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: transition from state (null) to state STATE_MAIN_R1
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: Peer ID is ID_DER_ASN1_DN: 'C=NO, L=Molde, O=Minerva, CN=Minerva, E=marius at misi.no'
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: deleting connection "roadwarrior" instance with peer 192.168.100.25 {isakmp=#0/ipsec=#0}
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: I am sending my cert
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: sent MR3, ISAKMP SA established
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: responding to Quick Mode
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: transition from state (null) to state STATE_QUICK_R1
Aug  2 13:46:41 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  2 13:46:41 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: IPsec SA established {ESP=>0xd63ddf02 <0x94c8cdaa}
Aug  2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA(0xd63ddf02) payload: deleting IPSEC State #2
Aug  2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received and ignored informational message
Aug  2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA payload: deleting ISAKMP State #1
Aug  2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25: deleting connection "roadwarrior" instance with peer 192.168.100.25 {isakmp=#0/ipsec=#0}
Aug  2 13:47:14 athene pluto[3856]: packet from 192.168.100.25:500: received and ignored informational message
Aug  2 13:47:28 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug  2 13:47:28 athene pluto[3856]: packet from 192.168.100.25:500: ignoring Vendor ID payload [FRAGMENTATION]
Aug  2 13:47:28 athene pluto[3856]: packet from 192.168.100.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: responding to Main Mode from unknown peer 192.168.100.25
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: transition from state (null) to state STATE_MAIN_R1
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: Peer ID is ID_DER_ASN1_DN: 'C=NO, L=Molde, O=Minerva, CN=Minerva, E=marius at misi.no'
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: deleting connection "roadwarrior" instance with peer 192.168.100.25 {isakmp=#0/ipsec=#0}
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: I am sending my cert
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: sent MR3, ISAKMP SA established
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: responding to Quick Mode
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: transition from state (null) to state STATE_QUICK_R1
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: IPsec SA established {ESP=>0x5c974f13 <0x57ffc1af}
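Added example (not part of the original post, and not Openswan's own code): a small Python script that parses pluto log lines like the ones above, correlates each "IPsec SA established" entry with the later "Delete SA" for the same peer and outbound SPI, and flags tunnels that were torn down within a minute of coming up. On this log it shows what the post describes: the IKE handshake completes twice, while the first IPsec SA lives only 33 seconds before the peer deletes it. The sample log lines are a subset copied from the post; the year 2005 and the 60-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the pluto log lines from the post above,
# re-joined onto single lines (syslog carries no year; 2005 is assumed below).
SAMPLE_LOG = """\
Aug  2 13:46:40 athene pluto[3856]: packet from 192.168.100.25:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[1] 192.168.100.25 #1: responding to Main Mode from unknown peer 192.168.100.25
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: sent MR3, ISAKMP SA established
Aug  2 13:46:40 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: responding to Quick Mode
Aug  2 13:46:41 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #2: IPsec SA established {ESP=>0xd63ddf02 <0x94c8cdaa}
Aug  2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA(0xd63ddf02) payload: deleting IPSEC State #2
Aug  2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25 #1: received Delete SA payload: deleting ISAKMP State #1
Aug  2 13:47:14 athene pluto[3856]: "roadwarrior"[2] 192.168.100.25: deleting connection "roadwarrior" instance with peer 192.168.100.25 {isakmp=#0/ipsec=#0}
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[3] 192.168.100.25 #3: responding to Main Mode from unknown peer 192.168.100.25
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #3: sent MR3, ISAKMP SA established
Aug  2 13:47:28 athene pluto[3856]: "roadwarrior"[4] 192.168.100.25 #4: IPsec SA established {ESP=>0x5c974f13 <0x57ffc1af}
"""

# A pluto line that belongs to a connection instance and carries an IKE state (#N).
# "packet from ..." lines and lines without a state number do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)
SA_EST_RE = re.compile(r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)\}')
SA_DEL_RE = re.compile(r'received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<state>\d+)')


def parse_line(line, year=2005):
    """Return a dict for a state-bearing pluto line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Collapse the double space in "Aug  2" before handing it to strptime.
    ts = datetime.strptime(" ".join(m.group('ts').split()), "%b %d %H:%M:%S").replace(year=year)
    return {'ts': ts, 'conn': m.group('conn'), 'peer': m.group('peer'),
            'state': int(m.group('state')), 'msg': m.group('msg')}


def analyze(log_text, year=2005, short_lived_seconds=60):
    """Track IPsec SAs per peer and flag ones torn down shortly after establishment."""
    sas = {}      # (peer, IPsec state number) -> record
    order = []    # establishment order, for reporting
    main_mode_attempts = 0
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        if ev['msg'].startswith('responding to Main Mode'):
            main_mode_attempts += 1
            continue
        m = SA_EST_RE.search(ev['msg'])
        if m:
            key = (ev['peer'], ev['state'])
            sas[key] = {'peer': ev['peer'], 'state': ev['state'],
                        'spi_out': m.group('out'), 'spi_in': m.group('in'),
                        'established': ev['ts'], 'deleted': None,
                        'lifetime': None, 'short_lived': False}
            order.append(key)
            continue
        m = SA_DEL_RE.search(ev['msg'])
        if m:
            # The delete is logged on the ISAKMP state (#1); the message names the IPsec state (#2).
            rec = sas.get((ev['peer'], int(m.group('state'))))
            if rec is not None and rec['deleted'] is None and rec['spi_out'] == m.group('spi'):
                rec['deleted'] = ev['ts']
                rec['lifetime'] = (ev['ts'] - rec['established']).total_seconds()
                rec['short_lived'] = rec['lifetime'] < short_lived_seconds
    return {'main_mode_attempts': main_mode_attempts, 'ipsec_sas': [sas[k] for k in order]}


def report(result):
    """Human-readable summary; short-lived SAs are the ones worth chasing."""
    lines = [f"Main Mode attempts from peers: {result['main_mode_attempts']}"]
    for sa in result['ipsec_sas']:
        if sa['deleted'] is None:
            lines.append(f"peer {sa['peer']} IPsec #{sa['state']} SPI {sa['spi_out']}: still up at end of log")
        else:
            flag = " (SHORT-LIVED: IKE succeeded, but the peer tore the tunnel down soon after)" if sa['short_lived'] else ""
            lines.append(f"peer {sa['peer']} IPsec #{sa['state']} SPI {sa['spi_out']}: lived {sa['lifetime']:.0f}s{flag}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run it against a real auth.log by reading the file into `analyze()` in place of SAMPLE_LOG; a short-lived SA with a successful handshake points at what happens after the tunnel is up (routing, policy, the subnets negotiated in Quick Mode) rather than at certificates or IKE.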