[Openswan Users] One side stuck...
Freivald, Joseph A, GVSOL
jfreivald at att.com
Tue Aug 16 17:39:21 CEST 2005
I'm attempting to establish the following VPN:
192.168.25.0/24 - 192.168.25.1(eth0) -- 69.243.24.3(eth1) --> default
routes <-- 69.243.6.198(eth1) - 192.168.26.1(eth0) - 192.168.26.0/24
Each VPN endpoint performs SNAT for the private addressing for outbound
traffic not destined for the other private networks.
The /etc/ipsec.conf entry is:
conn athostofreivald
left=euclid.cable.nu
leftsubnet=192.168.25.0/24
leftnexthop=%defaultroute
leftrsasigkey=<key inserted here>
right=freivald.cable.nu
rightsubnet=192.168.26.0/24
rightnexthop=%defaultroute
rightrsasigkey=<key inserted here>
auto=start
and is identical on both sides.
ipsec whack --status on both sides provides:
hadrian:/etc# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.26.1
000 interface eth1/eth1 69.243.24.3
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "athostofreivald":
192.168.26.0/24===69.243.24.3---69.243.24.1...69.243.24.1---69.243.6.198
===192.168.25.0/24; erouted; eroute owner: #6
000 "athostofreivald": srcip=unset; dstip=unset
000 "athostofreivald": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "athostofreivald": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
24,24; interface: eth1;
000 "athostofreivald": newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "athostofreivald": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #6: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28511s; newest IPSEC; eroute owner
000 #6: "athostofreivald" esp.730abb8c at 69.243.6.198
esp.eb6f2d0a at 69.243.24.3 tun.0 at 69.243.6.198 tun.0 at 69.243.24.3
000 #5: "athostofreivald":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3309s; newest ISAKMP; lastdpd=-1s(seq
in:0 out:0)
000 #4: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27732s
000 #4: "athostofreivald" esp.1038bc80 at 69.243.6.198
esp.460d29d0 at 69.243.24.3 tun.0 at 69.243.6.198 tun.0 at 69.243.24.3
000 #3: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27666s
000 #3: "athostofreivald" esp.f7da25fe at 69.243.6.198
esp.2ae83429 at 69.243.24.3 tun.0 at 69.243.6.198 tun.0 at 69.243.24.3
000 #2: "athostofreivald":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2870s; lastdpd=-1s(seq in:0 out:0)
000
000 192.168.26.213/32:0 -1-> 192.168.25.201/32:0 => %hold 0
%acquire-netlink
hadrian:/etc#
and
athos:/etc# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.25.1
000 interface eth1/eth1 69.243.6.198
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "aramistoathos":
192.168.25.0/24===69.243.6.198---69.243.0.1...69.243.0.1---216.52.115.66
===192.168.27.0/24; prospective erouted; eroute owner: #0
000 "aramistoathos": srcip=unset; dstip=unset
000 "aramistoathos": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "aramistoathos": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
24,24; interface: eth1;
000 "aramistoathos": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "athostofreivald":
192.168.25.0/24===69.243.6.198---69.243.0.1...69.243.0.1---69.243.24.3==
=192.168.26.0/24; erouted; eroute owner: #207
000 "athostofreivald": srcip=unset; dstip=unset
000 "athostofreivald": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "athostofreivald": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
24,24; interface: eth1;
000 "athostofreivald": newest ISAKMP SA: #206; newest IPsec SA: #207;
000 "athostofreivald": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #201: "aramistoathos":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 36s; nodpd
000 #201: pending Phase 2 for "aramistoathos" replacing #0
000 #205: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28449s
000 #205: "athostofreivald" esp.460d29d0 at 69.243.24.3
esp.1038bc80 at 69.243.6.198 tun.0 at 69.243.24.3 tun.0 at 69.243.6.198
000 #204: "athostofreivald":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28447s
000 #204: "athostofreivald" esp.2ae83429 at 69.243.24.3
esp.f7da25fe at 69.243.6.198 tun.0 at 69.243.24.3 tun.0 at 69.243.6.198
000 #203: "athostofreivald":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3245s; lastdpd=-1s(seq in:0 out:0)
000 #207: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 28080s; newest IPSEC; eroute owner
000 #207: "athostofreivald" esp.eb6f2d0a at 69.243.24.3
esp.730abb8c at 69.243.6.198 tun.0 at 69.243.24.3 tun.0 at 69.243.6.198
000 #206: "athostofreivald":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2755s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
athos:/etc#
Note that the 'hadrian' host (the right side) shows the VPN as up and
the 'athos' host (the left side) is stalled for some reason. If I
attempt to ping from right to left, ESP packets go outbound but none
return. Pinging from left to right sees no outbound ESP packets.
I'm trying to figure out why athos will not complete the connection.
Thanks for any help.
--JATF
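An added example, not from the post or the Openswan project: a small Python helper that parses the `ipsec whack --status` lines shown above and reports the conditions worth checking when one side looks stuck: a connection with no IPsec SA, an SA sitting in an initiator state waiting on the peer, and %hold shunts in the kernel. The sample input is constructed from the athos and hadrian output in the post, with the wrapped %hold line joined back onto one line.

```python
import re

# Constructed sample modelled on the whack --status lines in the post
# (abbreviated): one established conn, one stuck in Phase 1, one %hold.
SAMPLE = """\
000 "aramistoathos": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "athostofreivald": newest ISAKMP SA: #206; newest IPsec SA: #207;
000 #201: "aramistoathos":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 36s; nodpd
000 #207: "athostofreivald":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28080s; newest IPSEC; eroute owner
000 192.168.26.213/32:0 -1-> 192.168.25.201/32:0 => %hold 0 %acquire-netlink
"""

NEWEST_RE = re.compile(r'^000 "([^"]+)": newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+)')
HOLD_RE = re.compile(r'^000 (\S+) -\d+-> (\S+) => %hold')

# Initiator states in which this side has sent a message and is waiting on the peer.
WAITING = {"STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_QUICK_I1"}

def parse_status(text):
    """Return ({conn: {isakmp, ipsec, states{num: STATE}}}, [(src, dst) holds])."""
    conns, holds = {}, []
    for line in text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            c = conns.setdefault(m.group(1), {"states": {}})
            c.update(isakmp=int(m.group(2)), ipsec=int(m.group(3)))
            continue
        m = STATE_RE.match(line)
        if m:
            conns.setdefault(m.group(2), {"states": {}})["states"][int(m.group(1))] = m.group(3)
            continue
        m = HOLD_RE.match(line)
        if m:
            holds.append((m.group(1), m.group(2)))
    return conns, holds

def diagnose(text):
    """List the conditions a stuck tunnel usually shows in whack --status."""
    conns, holds = parse_status(text)
    findings = []
    for name, c in sorted(conns.items()):
        if c.get("ipsec", 0) == 0:
            findings.append(f"{name}: no IPsec SA established")
        for num, st in sorted(c["states"].items()):
            if st in WAITING:
                findings.append(f"{name}: #{num} stuck in {st}, waiting on the peer")
    for src, dst in holds:
        findings.append(f"traffic {src} -> {dst} is in a %hold shunt, no SA covers it yet")
    return findings
```

Run it over the full output of both hosts and compare the two lists; a connection that is established on one side only, or a %hold that never clears, points at where to look next.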