[Openswan Users] Openswan IPsec help please

Michael Jeffries MichaelJ at fastnet.co.za
Wed Dec 28 17:23:38 CET 2005


I am using Linux Openswan U2.3.0/K2.6.9-11.EL on a Centos linux machine.

I guess you have seen this issue quite a few times, and I have had a look on the net but nothing is really giving me the answer.

I have deleted the entry in the /etc/ipsec.secret and put in 10.3.1.9 10.100.10.101: PSK "test" as I want this to be the shared key between the two devices [the devices are a Unix box and a router]. (Although the system is complaining about the /etc/ipsec.secret, I don't know how to put back the old RSA key.)

Any little bit of help will be appreciated for me to get this tunnel up, as the system keeps on complaining when I start it up about "ipsec__plutorun: ...could not start conn "tunnelipsec"".

My /var/log/messages looks as follows when I start up the service:
Dec 28 17:11:31 bb kernel: NET: Unregistered protocol family 15
Dec 28 17:11:31 bb ipsec_setup: ...Openswan IPsec stopped
Dec 28 17:11:31 bb ipsec_setup: Stopping Openswan IPsec...
Dec 28 17:11:32 bb kernel: NET: Registered protocol family 15
Dec 28 17:11:32 bb ipsec_setup: KLIPS ipsec0 on eth0 10.3.1.9/255.255.255.0 broadcast 10.3.1.255
Dec 28 17:11:32 bb ipsec_setup: ...Openswan IPsec started
Dec 28 17:11:32 bb ipsec_setup: Starting Openswan IPsec 2.3.0...
Dec 28 17:11:32 bb ipsec_setup: insmod /lib/modules/2.6.9-11.EL/kernel/net/key/af_key.ko
Dec 28 17:11:32 bb ipsec_setup: insmod /lib/modules/2.6.9-11.EL/kernel/net/ipv4/xfrm4_tunnel.ko
Dec 28 17:11:33 bb ipsec__plutorun: 104 "tunnelipsec" #1: STATE_MAIN_I1: initiate
Dec 28 17:11:33 bb ipsec__plutorun: ...could not start conn "tunnelipsec"

My /etc/ipsec.conf looks like this:
[root at bb policies]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0
include /etc/ipsec.d/examples/no_oe.conf
# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        forwardcontrol=yes
# Add connections here
conn tunnelipsec
        type=tunnel
        left=10.3.1.9                   # Local ip
        leftsubnet=10.1.1.0/24          # Local network
        leftnexthop=10.3.1.1
        right=10.100.10.101             # Remote ip address
        rightsubnet=155.236.47.0/24     # Remote network
        rightnexthop=10.100.10.1
        esp=des-md5-96
        pfs=no
        auto=start


My tcpdump output just shows:
17:14:42.828708 IP 10.100.10.101.isakmp > 10.3.1.9.isakmp: isakmp: phase 1 I ident
17:14:42.829577 IP 10.3.1.9.isakmp > 10.100.10.101.isakmp: isakmp: phase 1 R inf
17:14:43.638849 IP 10.100.10.101.isakmp > 10.3.1.9.isakmp: isakmp: phase 1 I inf
17:14:52.267624 IP 10.100.10.101.isakmp > 10.3.1.9.isakmp: isakmp: phase 1 I ident
17:14:52.268488 IP 10.3.1.9.isakmp > 10.100.10.101.isakmp: isakmp: phase 1 R inf
17:14:53.098304 IP 10.100.10.101.isakmp > 10.3.1.9.isakmp: isakmp: phase 1 I inf
17:14:59.008855 IP 10.3.1.9.3158 > auth2.pacenet.co.za.domain:  36755+ PTR? 101.10.100.10.in-addr.arpa. (44)
17:15:02.827326 IP 10.100.10.101.isakmp > 10.3.1.9.isakmp: isakmp: phase 1 I ident
17:15:02.828250 IP 10.3.1.9.isakmp > 10.100.10.101.isakmp: isakmp: phase 1 R inf
17:15:03.638848 IP 10.100.10.101.isakmp > 10.3.1.9.isakmp: isakmp: phase 1 I inf
17:15:04.008737 IP 10.3.1.9.3160 > auth1.pacenet.co.za.domain:  36755+ PTR? 101.10.100.10.in-addr.arpa. (44)
17:15:09.008976 IP 10.3.1.9.3158 > auth2.pacenet.co.za.domain:  36755+ PTR? 101.10.100.10.in-addr.arpa. (44)
17:15:14.009290 IP 10.3.1.9.3160 > auth1.pacenet.co.za.domain:  36755+ PTR? 101.10.100.10.in-addr.arpa. (44)


[root at bb policies]# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.3.1.9
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "tunnelipsec": 10.1.1.0/24===10.3.1.9---10.3.1.1...10.100.10.1---10.100.10.101===155.236.47.0/24; prospective erouted; eroute owner: #0
000 "tunnelipsec":     srcip=unset; dstip=unset
000 "tunnelipsec":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnelipsec":   policy: RSASIG+ENCRYPT+TUNNEL+UP+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "tunnelipsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "tunnelipsec":   ESP algorithms wanted: 2_000-1, flags=-strict
000 "tunnelipsec":   ESP algorithms loaded: 2_000-1, flags=-strict
000
000 #1: "tunnelipsec" STATE_MAIN_I2 (sent MI2, expecting MR2); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "tunnelipsec" replacing #0

[root at bb policies]# ipsec verify status
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.3.0/K2.6.9-11.EL (netkey)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for NETKEY IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: bb.pacenet.co.za                [MISSING]
   Does the machine have at least one non-private address?              [FAILED]
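
An added example (not part of the message above) that checks for the auth-method mismatch visible in this post: the ipsec.secrets line supplies a PSK, but the conn block has no authby= line, so Openswan falls back to its rsasig default, which is what the "policy: RSASIG+..." line in the status output shows. It assumes Python 3 and uses constructed copies of the conn block and secrets line from the post.

```python
import re

# Constructed copies of the relevant parts of the posted files.
IPSEC_CONF = """\
config setup
        interfaces="ipsec0=eth0"
conn tunnelipsec
        type=tunnel
        left=10.3.1.9                   # Local ip
        right=10.100.10.101             # Remote ip address
        esp=des-md5-96
        pfs=no
        auto=start
"""
IPSEC_SECRETS = '10.3.1.9 10.100.10.101: PSK "test"\n'


def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header sits at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def psk_pairs(secrets):
    """Return the set of (id1, id2) address pairs that have a PSK line in ipsec.secrets."""
    return {m.group(1, 2) for m in
            re.finditer(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"', secrets, re.M)}


def auth_mismatches(conf_text, secrets_text):
    """List (conn, reason) for conns whose effective IKE auth method does not
    match the secrets on file. Openswan defaults authby to rsasig when unset."""
    problems, pairs = [], psk_pairs(secrets_text)
    for name, kv in parse_conns(conf_text).items():
        authby = kv.get("authby", "rsasig")  # Openswan's documented default
        left, right = kv.get("left"), kv.get("right")
        has_psk = (left, right) in pairs or (right, left) in pairs
        if authby == "rsasig" and has_psk:
            problems.append((name, "PSK in ipsec.secrets but authby unset (defaults to rsasig); add authby=secret"))
        elif authby == "secret" and not has_psk:
            problems.append((name, "authby=secret but no PSK line for this left/right pair"))
    return problems
```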
