[Openswan Users] OpenSwan 2.2 vs XP roadwarrior didn't work

Guenter.Sprakties at team4.de Guenter.Sprakties at team4.de
Thu Aug 11 16:44:40 CEST 2005


Hi,

I've got some trouble getting OpenSwan to work in an XP roadwarrior 
environment.


Server: latest Debian Sarge network installation, 2.6.8 kernel. Client: XP 
SP2 fully patched, no XP firewall, Markus Müller's ipsec.exe, X509 
certificates made by openssl/CA.pl. The server has its own external 
interface with a static internet connection and a fixed address bound as 
default route.

ipsec.conf Server:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
  interfaces=%defaultroute
  klipsdebug=none
  plutodebug=none
conn %default
  authby=rsasig
  leftrsasigkey=%cert
  rightrsasigkey=%cert
  left=%defaultroute
  leftcert=vpngatecert.pem
  leftid="C=DE/ST=NRW/L=HERZOGENRATH/O=xxxxx/CN=VPNxxxxx"
  right=%any
  keyingtries=1
conn x509-roadwarrior
  auto=add
conn x509-net-roadwarrior
  leftsubnet=192.168.2.0/24
  auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

ipsec.conf Client:
conn VPN
right=%any
left=212.xxx.xxx.xxx
leftsubnet=192.168.2.0/24
leftca="C=DE, ST=NRW, L=HERZOGENRATH, O=xxxxx, CN=VPNxxxxx"
network=auto
auto=start
rekey=1800S/30000K
authmode=MD5
pfs=yes

Start Server:
Aug 11 09:46:29 t4ac00 pluto[6651]: Starting Pluto (Openswan Version 2.2.0 
X.509-1.5.4 PLUTO_USES_KEYRR)
Aug 11 09:46:29 t4ac00 pluto[6651]: including NAT-Traversal patch (Version 
0.6c) [disabled]
Aug 11 09:46:29 t4ac00 pluto[6651]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Aug 11 09:46:29 t4ac00 pluto[6651]: Using Linux 2.6 IPsec interface code
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory 
'/etc/ipsec.d/cacerts'
Aug 11 09:46:30 t4ac00 pluto[6651]: loaded CA cert file 'cacert.pem' (1054 
bytes)
Aug 11 09:46:30 t4ac00 pluto[6651]: Could not change to directory 
'/etc/ipsec.d/aacerts'
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory 
'/etc/ipsec.d/ocspcerts'
Aug 11 09:46:30 t4ac00 pluto[6651]: Changing to directory 
'/etc/ipsec.d/crls'
Aug 11 09:46:30 t4ac00 pluto[6651]: loaded crl file 'crl.pem' (434 bytes)
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded host cert file 
'/etc/ipsec.d/certs/vpngatecert.pem' (3329 bytes)
Aug 11 09:46:31 t4ac00 pluto[6651]: added connection description 
"x509-net-roadwarrior"
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded host cert file 
'/etc/ipsec.d/certs/vpngatecert.pem' (3329 bytes)
Aug 11 09:46:31 t4ac00 pluto[6651]: added connection description 
"x509-roadwarrior"
Aug 11 09:46:31 t4ac00 pluto[6651]: listening for IKE messages
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth2/eth2 192.168.2.1
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth1/eth1 
172.xxx.xxx.xxx
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface eth0/eth0 
212.xxx.xxx.xxx
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface lo/lo 127.0.0.1
Aug 11 09:46:31 t4ac00 pluto[6651]: adding interface lo/lo ::1
Aug 11 09:46:31 t4ac00 pluto[6651]: loading secrets from 
"/etc/ipsec.secrets"
Aug 11 09:46:31 t4ac00 pluto[6651]: loaded private key file 
'/etc/ipsec.d/private/vpnxxxxreq.pem' (1586 bytes)

When we start ipsec on the XP client with a direct connection to the 
internet and ping:
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: 
ignoring Vendor ID payload [FRAGMENTATION]
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: 
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but 
already using method 0
Aug 11 09:52:22 t4ac00 pluto[6651]: packet from 62.246.73.238:500: 
ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1] 
62.246.73.238 #1: responding to Main Mode from unknown peer 62.246.73.238
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1] 
62.246.73.238 #1: transition from state (null) to state STATE_MAIN_R1
Aug 11 09:52:22 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1] 
62.246.73.238 #1: transition from state STATE_MAIN_R1 to state 
STATE_MAIN_R2
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[1] 
62.246.73.238 #1: Peer ID is ID_DER_ASN1_DN: 'C=DE, ST=NRW, 
L=HERZOGENRATH, O=xxxxx, CN=VPNyy'
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #1: deleting connection "x509-net-roadwarrior" instance with 
peer 62.246.73.238 {isakmp=#0/ipsec=#0}
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #1: I am sending my cert
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #1: transition from state STATE_MAIN_R2 to state 
STATE_MAIN_R3
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #1: sent MR3, ISAKMP SA established
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #2: responding to Quick Mode
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #2: transition from state (null) to state STATE_QUICK_R1
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #2: transition from state STATE_QUICK_R1 to state 
STATE_QUICK_R2
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 
62.246.73.238 #2: IPsec SA established {ESP=>0x8fda5747 <0x7c91c54b}

Everything looks fine, SA established, so I try to ping a machine behind 
the gateway. Here's the ICMP logging of the INPUT, OUTPUT and FORWARD 
chains; eth0 is 212.., eth2 is 192.168.2.1:

Aug 11 09:52:24 t4ac00 kernel: INPUT LOG: IN=eth0 OUT= MAC=00.... 
SRC=62.246.73.238 DST=212.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=117 
ID=5225 PROTO=ESP SPI=0x7c91c54b 
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth0 OUT=eth2 
SRC=62.246.73.238 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 
ID=26899 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768 
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth2 OUT=eth0 
SRC=192.168.2.10 DST=62.246.73.238 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=734 
PROTO=ICMP TYPE=0 CODE=0 ID=1024 SEQ=768 

As you see, the packet arrives via the ESP protocol, is converted to an ICMP 
pong and goes out. An ICMP ping response comes from 192.168.2.10 with the 
destination 62.246.73.238, which is the actual transient client IP address. 
And then nothing. Result: on the client we see some request timeouts; 
additionally there is NO incoming traffic from the network.

Besides this, there is later some UDP/500 interaction between client and 
server and nothing more. If anyone argues that the firewall is the reason: 
it's the same without it. And the functioning UDP/500 communication between 
client and server shows that both can reach each other. The Oakley log on XP 
looks too long for posting but OK (or maybe I can't read it the appropriate 
way...).

Anyone have any idea? I use this test equipment for several tests in fw and 
ipsec; everything else is totally OK...

Greetings,
Guenter
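An added example (not from the post or from Openswan) that correlates pluto's "IPsec SA established" line with the kernel LOG lines quoted above: it checks that inbound ESP arrived on the SPI pluto negotiated, that a plaintext reply was forwarded towards the peer, and whether any ESP packet carrying the peer's outbound SPI shows up in the chains that were logged. The sample log lines are copied from the post (the 212.xxx.xxx.xxx placeholder is kept as written there); no other names or values are assumed.

```python
import re

# Constructed sample input, copied verbatim from the post above.
PLUTO_LOG = """\
Aug 11 09:52:23 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 62.246.73.238 #1: sent MR3, ISAKMP SA established
Aug 11 09:52:24 t4ac00 pluto[6651]: "x509-net-roadwarrior"[2] 62.246.73.238 #2: IPsec SA established {ESP=>0x8fda5747 <0x7c91c54b}
"""
KERNEL_LOG = """\
Aug 11 09:52:24 t4ac00 kernel: INPUT LOG: IN=eth0 OUT= MAC=00.... SRC=62.246.73.238 DST=212.xxx.xxx.xxx LEN=112 TOS=0x00 PREC=0x00 TTL=117 ID=5225 PROTO=ESP SPI=0x7c91c54b
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth0 OUT=eth2 SRC=62.246.73.238 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=26899 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=768
Aug 11 09:52:24 t4ac00 kernel: FORWARD LOG: IN=eth2 OUT=eth0 SRC=192.168.2.10 DST=62.246.73.238 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=734 PROTO=ICMP TYPE=0 CODE=0 ID=1024 SEQ=768
"""

# pluto prints {ESP=>outbound_spi <inbound_spi} from the gateway's point of view
SA_RE = re.compile(r'"[^"]+"\[\d+\] (\S+) #\d+: IPsec SA established '
                   r'\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)\}')
LOG_RE = re.compile(r'kernel: (\w+) LOG: (.*)$')

def parse_sas(pluto_log):
    """Map peer address -> (outbound SPI, inbound SPI) from pluto's SA lines."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in SA_RE.finditer(pluto_log)}

def parse_kernel(kernel_log):
    """One dict of key=value fields per iptables LOG line. ID= appears twice
    on ICMP lines (IP ID, then ICMP ID); the first occurrence is kept."""
    packets = []
    for line in kernel_log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        fields = {"CHAIN": m.group(1)}
        for key, val in re.findall(r'(\w+)=(\S*)', m.group(2)):
            fields.setdefault(key, val)
        packets.append(fields)
    return packets

def correlate(pluto_log, kernel_log):
    """Per peer: inbound ESP on the negotiated SPI? plaintext reply forwarded
    towards the peer? any ESP with the outbound SPI logged towards the peer?"""
    report, packets = {}, parse_kernel(kernel_log)
    for peer, (spi_out, spi_in) in parse_sas(pluto_log).items():
        esp = [p for p in packets if p.get("PROTO") == "ESP"]
        reply = [p for p in packets if p["CHAIN"] == "FORWARD"
                 and p.get("DST") == peer and p.get("PROTO") != "ESP"]
        report[peer] = {
            "esp_in_spi_ok": any(p.get("SRC") == peer and p.get("SPI") == spi_in
                                 for p in esp),
            "plaintext_reply_forwarded": bool(reply),
            "esp_out_seen": any(p.get("DST") == peer and p.get("SPI") == spi_out
                                for p in esp),
        }
    return report
```

Because the ruleset in the post logs only INPUT, OUTPUT and FORWARD, esp_out_seen being False means no encapsulated reply was captured by those rules, not necessarily that none left the box; adding a matching LOG rule in the POSTROUTING chain of the mangle or nat table would show whether the reply to 62.246.73.238 is ever emitted as ESP with SPI 0x8fda5747.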