[Openswan Users] One side stuck...

Freivald, Joseph A, GVSOL jfreivald at att.com
Tue Aug 16 17:39:21 CEST 2005


I'm attempting to establish the following VPN:

192.168.25.0/24 - 192.168.25.1(eth0) -- 69.243.24.3(eth1) --> default routes <-- 69.243.6.198(eth1) - 192.168.26.1(eth0) - 192.168.26.0/24

Each VPN endpoint performs SNAT for the private addressing for outbound
traffic not destined for the other private networks.

The /etc/ipsec.conf entry is:

conn athostofreivald
        left=euclid.cable.nu
        leftsubnet=192.168.25.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=<key inserted here>
        right=freivald.cable.nu
        rightsubnet=192.168.26.0/24
        rightnexthop=%defaultroute
        rightrsasigkey=<key inserted here>
        auto=start

and is identical on both sides.

ipsec whack --status on both sides provides:

hadrian:/etc# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.26.1
000 interface eth1/eth1 69.243.24.3
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "athostofreivald": 192.168.26.0/24===69.243.24.3---69.243.24.1...69.243.24.1---69.243.6.198===192.168.25.0/24; erouted; eroute owner: #6
000 "athostofreivald":     srcip=unset; dstip=unset
000 "athostofreivald":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "athostofreivald":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "athostofreivald":   newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "athostofreivald":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #6: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28511s; newest IPSEC; eroute owner
000 #6: "athostofreivald" esp.730abb8c@69.243.6.198 esp.eb6f2d0a@69.243.24.3 tun.0@69.243.6.198 tun.0@69.243.24.3
000 #5: "athostofreivald":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3309s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #4: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27732s
000 #4: "athostofreivald" esp.1038bc80@69.243.6.198 esp.460d29d0@69.243.24.3 tun.0@69.243.6.198 tun.0@69.243.24.3
000 #3: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27666s
000 #3: "athostofreivald" esp.f7da25fe@69.243.6.198 esp.2ae83429@69.243.24.3 tun.0@69.243.6.198 tun.0@69.243.24.3
000 #2: "athostofreivald":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2870s; lastdpd=-1s(seq in:0 out:0)
000
000 192.168.26.213/32:0 -1-> 192.168.25.201/32:0 => %hold 0 %acquire-netlink
hadrian:/etc#

and

athos:/etc# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.25.1
000 interface eth1/eth1 69.243.6.198
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "aramistoathos": 192.168.25.0/24===69.243.6.198---69.243.0.1...69.243.0.1---216.52.115.66===192.168.27.0/24; prospective erouted; eroute owner: #0
000 "aramistoathos":     srcip=unset; dstip=unset
000 "aramistoathos":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "aramistoathos":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "aramistoathos":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "athostofreivald": 192.168.25.0/24===69.243.6.198---69.243.0.1...69.243.0.1---69.243.24.3===192.168.26.0/24; erouted; eroute owner: #207
000 "athostofreivald":     srcip=unset; dstip=unset
000 "athostofreivald":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "athostofreivald":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "athostofreivald":   newest ISAKMP SA: #206; newest IPsec SA: #207;
000 "athostofreivald":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #201: "aramistoathos":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 36s; nodpd
000 #201: pending Phase 2 for "aramistoathos" replacing #0
000 #205: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28449s
000 #205: "athostofreivald" esp.460d29d0@69.243.24.3 esp.1038bc80@69.243.6.198 tun.0@69.243.24.3 tun.0@69.243.6.198
000 #204: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28447s
000 #204: "athostofreivald" esp.2ae83429@69.243.24.3 esp.f7da25fe@69.243.6.198 tun.0@69.243.24.3 tun.0@69.243.6.198
000 #203: "athostofreivald":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3245s; lastdpd=-1s(seq in:0 out:0)
000 #207: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28080s; newest IPSEC; eroute owner
000 #207: "athostofreivald" esp.eb6f2d0a@69.243.24.3 esp.730abb8c@69.243.6.198 tun.0@69.243.24.3 tun.0@69.243.6.198
000 #206: "athostofreivald":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2755s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
athos:/etc#

Note that the 'hadrian' host (the right side) shows the VPN as up and
the 'athos' host (the left side) is stalled for some reason.  If I
attempt to ping from right to left, ESP packets go outbound but none
return.  Pinging from left to right sees no outbound ESP packets.

I'm trying to figure out why athos will not complete the connection.

Thanks for any help.

--JATF

This message and any attachments to it contain PRIVILEGED AND
PROPRIETARY INFORMATION exclusively for the intended recipients. DO NOT
FORWARD OR DISTRIBUTE to anyone else. If you received this e-mail in
error, please call the sender to report the error and then delete this
message from your system.
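The two status dumps in the post are the kind of thing one ends up reading by eye. As an added example (not code from the original post or from Openswan), here is a small Python parser for the `ipsec whack --status` line format the post shows. It collects, per conn, the newest ISAKMP/IPsec SA numbers and every state line, then flags what a triage looks at first: a state still in EVENT_RETRANSMIT (the peer has not answered), a Phase 2 queued behind a conn with no ISAKMP SA, superseded IPsec SAs still on the books, DPD inactive (`nodpd` / `lastdpd=-1s`), and `%hold` eroutes (packets held in the kernel until a tunnel covers them). The embedded samples are constructed from the athos and hadrian dumps in the post, trimmed to conn and state lines; the regexes are written for the Openswan 2.x pluto format shown there, and treating them as valid for other versions is an assumption.

```python
"""Summarize `ipsec whack --status` output and flag states worth a second look.
Added example, not code from the original post or from Openswan; the regexes
target the pluto status format shown in the post (Openswan 2.x) and treating
them as valid for other versions is an assumption."""
import re
from dataclasses import dataclass, field

CONN_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<route>[^;]*===[^;]*); (?P<erouted>[^;]+); eroute owner: #(?P<owner>\d+)')
NEWEST_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+);')
STATE_RE = re.compile(r'^000 #(?P<sn>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \([^)]*\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s(?P<rest>.*)$')
PENDING_RE = re.compile(r'^000 #\d+: pending Phase 2 for "(?P<conn>[^"]+)"')
HOLD_RE = re.compile(r'^000 (?P<src>\S+) -\d+-> (?P<dst>\S+) => %hold\b')
NO_DPD_RE = re.compile(r'\bnodpd\b|lastdpd=-1s\b')   # DPD not configured / never exchanged


@dataclass
class Conn:
    name: str
    left: str = ""             # leftsubnet (before the first ===)
    right: str = ""            # rightsubnet (after the last ===)
    newest_isakmp: int = 0     # #0 means no ISAKMP SA at all
    newest_ipsec: int = 0
    pending_phase2: bool = False
    dpd_inactive: bool = False
    states: list = field(default_factory=list)   # (sn, STATE_*, EVENT_*, secs)


def parse_status(text):
    """Return ({conn name: Conn}, [(src, dst) of %hold eroutes])."""
    conns, holds = {}, []
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            parts = m["route"].split("===")
            c = conns.setdefault(m["conn"], Conn(m["conn"]))
            c.left, c.right = parts[0], parts[-1]
        elif m := NEWEST_RE.match(line):
            c = conns.setdefault(m["conn"], Conn(m["conn"]))
            c.newest_isakmp, c.newest_ipsec = int(m["isakmp"]), int(m["ipsec"])
        elif m := STATE_RE.match(line):
            c = conns.setdefault(m["conn"], Conn(m["conn"]))
            c.states.append((int(m["sn"]), m["state"], m["event"], int(m["secs"])))
            if NO_DPD_RE.search(m["rest"]):
                c.dpd_inactive = True
        elif m := PENDING_RE.match(line):
            conns.setdefault(m["conn"], Conn(m["conn"])).pending_phase2 = True
        elif m := HOLD_RE.match(line):
            holds.append((m["src"], m["dst"]))
    return conns, holds


def superseded_ipsec(c):
    """IPsec SAs still listed for a conn other than its newest one."""
    return [sn for sn, state, _, _ in c.states
            if state.startswith("STATE_QUICK_") and sn != c.newest_ipsec]


def findings(conns, holds, host):
    """Human-readable flags, in the order a triage would read them."""
    out = []
    for c in conns.values():
        for sn, state, event, secs in c.states:
            if event == "EVENT_RETRANSMIT":   # still waiting on the peer's reply
                out.append(f'{host}: #{sn} "{c.name}" sits in {state}, retransmitting (next in {secs}s): peer not answering')
        if c.pending_phase2 and c.newest_isakmp == 0:
            out.append(f'{host}: "{c.name}" has Phase 2 queued but no ISAKMP SA yet')
        if old := superseded_ipsec(c):
            out.append(f'{host}: "{c.name}" still lists superseded IPsec SA(s) {old} besides newest #{c.newest_ipsec}')
        if c.dpd_inactive:
            out.append(f'{host}: "{c.name}" has no DPD (nodpd/lastdpd=-1s); a dead peer is only noticed at rekey')
    for src, dst in holds:
        out.append(f'{host}: %hold eroute {src} -> {dst}: packets held until a tunnel covers them')
    return out


# Constructed samples: conn and state lines taken from the post's two dumps.
SAMPLE_ATHOS = """\
000 "aramistoathos": 192.168.25.0/24===69.243.6.198---69.243.0.1...69.243.0.1---216.52.115.66===192.168.27.0/24; prospective erouted; eroute owner: #0
000 "aramistoathos":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "athostofreivald": 192.168.25.0/24===69.243.6.198---69.243.0.1...69.243.0.1---69.243.24.3===192.168.26.0/24; erouted; eroute owner: #207
000 "athostofreivald":   newest ISAKMP SA: #206; newest IPsec SA: #207;
000 #201: "aramistoathos":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 36s; nodpd
000 #201: pending Phase 2 for "aramistoathos" replacing #0
000 #205: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28449s
000 #207: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28080s; newest IPSEC; eroute owner
000 #206: "athostofreivald":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2755s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""
SAMPLE_HADRIAN = """\
000 "athostofreivald": 192.168.26.0/24===69.243.24.3---69.243.24.1...69.243.24.1---69.243.6.198===192.168.25.0/24; erouted; eroute owner: #6
000 "athostofreivald":   newest ISAKMP SA: #5; newest IPsec SA: #6;
000 #6: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28511s; newest IPSEC; eroute owner
000 #5: "athostofreivald":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3309s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #4: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27732s
000 192.168.26.213/32:0 -1-> 192.168.25.201/32:0 => %hold 0 %acquire-netlink
"""

if __name__ == "__main__":
    for host, dump in (("athos", SAMPLE_ATHOS), ("hadrian", SAMPLE_HADRIAN)):
        print("\n".join(findings(*parse_status(dump), host)))
```

Run stand-alone it prints the flags for both constructed dumps. On a live gateway, feed the output of `ipsec whack --status` to `parse_status` on each side and compare: the newest IPsec SA on one side should carry the same ESP SPIs as the newest on the other (in the post, hadrian's #6 and athos's #207 both show esp.730abb8c at 69.243.6.198 and esp.eb6f2d0a at 69.243.24.3), and any `%hold` entry names the exact flow the kernel is still waiting to have covered.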

 
