[Openswan Users] OpenSwan 2.2 vs XP roadwarrior didn't work
Guenter.Sprakties at team4.de
Thu Aug 11 16:44:40 CEST 2005
Hi,
I've got some trouble to get OpenSwan to work in an XP Roadwarrior
environment.
Server: latest debian Sarge Network installation, 2.6.8 Kernel, Client XP
SP2 fully patched, no XP Firewall, Markus Müllers ipsec.exe, X509
Certificates made by openssl/CA.pl. The server has its own external
interface with static internet connection and fixed address bound as
default route.
ipsec.conf Server:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=%defaultroute
        leftcert=vpngatecert.pem
        leftid="C=DE/ST=NRW/L=HERZOGENRATH/O=xxxxx/CN=VPNxxxxx"
        right=%any
        keyingtries=1

conn x509-roadwarrior
        auto=add

conn x509-net-roadwarrior
        leftsubnet=192.168.2.0/24
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
ipsec.conf Client:

conn VPN
        right=%any
        left=212.xxx.xxx.xxx
        leftsubnet=192.168.2.0/24
        leftca="C=DE, ST=NRW, L=HERZOGENRATH, O=xxxxx, CN=VPNxxxxx"
        network=auto
        auto=start
        rekey=1800S/30000K
        authmode=MD5
        pfs=yes
Start Server:
Aug 11 09:46:29 t4ac00 pluto[6651]: Starting Pluto (Openswan Version 2.2.0
X.509-1.5.4 PLUTO_USES_KEYRR)
Aug 11 09:46:29 t4ac00 pluto[6651]: including NAT-Traversal patch (Version
0.6c) [disabled]
Aug 11 09:46:29 t4ac00 pluto[6651]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Aug 11 09:46:29 t4ac00 pluto[6651]: Using Linux 2.6 IPsec interface code
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory
'/etc/ipsec.d/cacerts'
Aug 11 09:46:30 t4ac00 pluto[6651]: loaded CA cert file 'cacert.pem' (1054
bytes)
Aug 11 09:46:30 t4ac00 pluto[6651]: Could not change to directory
'/etc/ipsec.d/aacerts'
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory
'/etc/ipsec.d/crls'
Aug 11 09:46:30 t4ac00 pluto[6651]: loaded crl file 'crl.pem' (434 bytes)
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded host cert file
'/etc/ipsec.d/certs/vpngatecert.pem' (3329 bytes)
Aug 11 09:46:31 t4ac00 pluto[6651]: added connection description
"x509-net-roadwarrior"
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded host cert file
'/etc/ipsec.d/certs/vpngatecert.pem' (3329 bytes)
Aug 11 09:46:31 t4ac00 pluto[6651]: added connection description
"x509-roadwarrior"
Aug 11 09:46:31 t4ac00 pluto[6651]: listening for IKE messages
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth2/eth2 192.168.2.1
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth1/eth1
172.xxx.xxx.xxx
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth0/eth0
212.xxx.xxx.xxx
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface lo/lo 127.0.0.1
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface lo/lo ::1
Aug 11 09:46:31 t4ac00 pluto[6651]: loading secrets from
"/etc/ipsec.secrets"
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded private key file
'/etc/ipsec.d/private/vpnxxxxreq.pem' (1586 bytes)
When we start ipsec on the XP client, with a direct connection to the
internet, and ping:
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500:
ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 0
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500:
ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: responding to Main Mode from unknown peer 62.246.73.238
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: transition from state (null) to state STATE_MAIN_R1
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1]
62.246.73.238 #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW,
L=HERZOGENRATH, O=xxxxx, CN=VPNyy'
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: deleting connection "x509-net-roadwarrior" instance with
peer 62.246.73.238 {isakmp=#0/ipsec=#0}
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: I am sending my cert
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #1: sent MR3, ISAKMP SA established
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: responding to Quick Mode
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: transition from state (null) to state STATE_QUICK_R1
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2]
62.246.73.238 #2: IPsec SA established {ESP=>0x8fda5747 <0x7c91c54b}
Everything looks fine, SA established, so I try to ping a machine behind
the gateway. Here's the icmp logging of the INPUT, OUTPUT and FORWARD
chains; eth0 is 212.., eth2 is 192.168.2.1:
Aug 11 09:52:24 t4ac00 kernel: INPUT LOG: IN=eth0 OUT= MAC=00....
SRC=62.246.73.238 DST=212.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=117
ID=5225 PROTO=ESP SPI=0x7c91c54b
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth0 OUT=eth2
SRC=62.246.73.238 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=26899 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth2 OUT=eth0
SRC=192.168.2.10 DST=62.246.73.238 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=734
PROTO=ICMP TYPE=0 CODE=0 ID=1024 SEQ=768
As you see, the packet arrives via the ESP protocol, is converted to icmp
pong, and goes out. An icmp ping response comes from 192.168.2.10 with the
destination 62.246.73.238, which is the actual transient client IP address.
And then nothing. Result: on the client we see some request timeouts;
additionally there is NO incoming traffic from the network.
Besides this, there is later some UDP/500 interaction between client and
server and nothing more. If anyone argues about the firewall as the reason:
it's the same without it. And the functioning UDP/500 communication between
client and server shows that both can reach each other. The Oakley log on XP
looks too long for posting but ok (or maybe I just can't read it the
appropriate way...).
Anyone any idea? I use this test equipment for several tests in fw and ipsec,
everything else is totally ok...
Greetings,
Guenter
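The post shows the two places where the session can be checked: pluto reports the SPIs of the established SA ("ESP=>0x8fda5747 <0x7c91c54b", outbound then inbound from the gateway's point of view), and the iptables LOG lines show which ESP packets and which cleartext packets actually passed the chains. Correlating the two by hand is error-prone, so here is an added example (not part of the original post or of Openswan) that parses both kinds of line and reports whether the inbound ESP SPI matches the SA, whether a cleartext reply toward the peer was forwarded, and whether an ESP packet with the outbound SPI was ever logged. The sample log is constructed from the excerpts above; the `MAC=00....` and `212.xxx.xxx.xxx` values are kept exactly as they appear in the post.

```python
"""Correlate Openswan pluto messages with iptables LOG lines to check that an
established IPsec SA carries traffic in both directions.

Added example, not code from the original post or from Openswan.  The sample
lines are constructed from the post's log excerpts."""
import re
from collections import defaultdict

# Constructed sample input, assembled from the lines quoted in the post.
SAMPLE_LOG = """\
Aug 11 09:46:29 t4ac00 pluto[6651]: including NAT-Traversal patch (Version 0.6c) [disabled]
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 0
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 62.246.73.238 #2: IPsec SA established {ESP=>0x8fda5747 <0x7c91c54b}
Aug 11 09:52:24 t4ac00 kernel: INPUT LOG: IN=eth0 OUT= MAC=00.... SRC=62.246.73.238 DST=212.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=117 ID=5225 PROTO=ESP SPI=0x7c91c54b
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth0 OUT=eth2 SRC=62.246.73.238 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=26899 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth2 OUT=eth0 SRC=192.168.2.10 DST=62.246.73.238 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=734 PROTO=ICMP TYPE=0 CODE=0 ID=1024 SEQ=768
"""

# pluto: "<conn>"[n] <peer> #m: IPsec SA established {ESP=><outbound SPI> <<inbound SPI>}
SA_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\d+\.\d+\.\d+\.\d+) #\d+: IPsec SA established '
    r'\{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)\}')

# iptables LOG target: chain prefix, interfaces, addresses, protocol and (for ESP) the SPI
NF_RE = re.compile(
    r'kernel: (?P<chain>\w+) LOG: IN=(?P<iif>\S*) OUT=(?P<oif>\S*) .*?'
    r'SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)'
    r'(?: SPI=(?P<spi>0x[0-9a-f]+))?')


def parse_sas(log):
    """Map each peer address to the conn name and SPI pair of its last established SA."""
    sas = {}
    for m in SA_RE.finditer(log):
        sas[m['peer']] = {'conn': m['conn'], 'spi_out': m['spi_out'], 'spi_in': m['spi_in']}
    return sas


def parse_packets(log):
    """Return one dict per iptables LOG line (chain, iif, oif, src, dst, proto, spi)."""
    return [m.groupdict() for m in NF_RE.finditer(log)]


def audit(log):
    """Cross-check every established SA against the packets the firewall logged."""
    findings = defaultdict(list)
    nat_t_disabled = 'NAT-Traversal patch' in log and '[disabled]' in log
    peer_offered_nat_t = 'nat-t-ike' in log
    packets = parse_packets(log)
    for peer, sa in parse_sas(log).items():
        esp_in = [p for p in packets if p['proto'] == 'ESP' and p['src'] == peer]
        esp_out = [p for p in packets if p['proto'] == 'ESP' and p['dst'] == peer]
        clear_to_peer = [p for p in packets if p['proto'] != 'ESP' and p['dst'] == peer]
        wrong_spi = [p['spi'] for p in esp_in if p['spi'] != sa['spi_in']]
        if not esp_in:
            findings[peer].append('no ESP packets from the peer were logged')
        if wrong_spi:
            findings[peer].append(f'inbound ESP with unexpected SPI {wrong_spi}')
        if clear_to_peer and not any(p['spi'] == sa['spi_out'] for p in esp_out):
            findings[peer].append(
                f"cleartext reply to peer forwarded but no ESP with outbound SPI "
                f"{sa['spi_out']} logged: confirm on the wire with 'tcpdump -ni eth0 esp' "
                f"and check 'ip xfrm policy' / 'ip xfrm state' for the outbound entry")
        if peer_offered_nat_t and nat_t_disabled:
            findings[peer].append(
                'peer offered NAT-T but NAT-T is disabled on the gateway: ESP will not '
                'pass if the peer is behind NAT')
    return dict(findings)


if __name__ == '__main__':
    for peer, notes in audit(SAMPLE_LOG).items():
        for note in notes:
            print(f'{peer}: {note}')
```

Run against the post's own lines, the script confirms that the inbound SPI on the wire (0x7c91c54b) is the one pluto negotiated, that the echo reply to 62.246.73.238 was forwarded in the clear from eth2 to eth0, and that no packet carrying the outbound SPI 0x8fda5747 appears in any logged chain. That narrows the question to the gateway's outbound xfrm policy and what actually leaves eth0, which is where `tcpdump -ni eth0 esp` on the gateway and a capture on the client side would be the next step.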