[Openswan Users] SA established but not ping

sasa sasa at shoponweb.it
Thu Dec 29 17:07:56 CET 2005


Hi, I have a problem with a LAN-to-LAN connection: the IPsec SA is established, but I can't ping from a PC behind the VPN server. Apparently there is no error in the log file. In particular, on one VPN endpoint I have:

ipsec.conf

config setup
   virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/16,%v4:192.168.0.0/24,%v4:!10.0.1.0/24
   interfaces="ipsec0=eth0"

conn %default
 authby=rsasig
 rekey=no
 esp=3des-md5

conn princ-cardito
  auto=start
  pfs=yes
  left=5.6.7.8
  leftsubnet=192.168.0.0/24
  leftnexthop=5.6.7.9
  # RSA 2192 bits   test2   Thu Dec 29 14:09:50 2005
        leftrsasigkey=0s..
  # right site: cardito
  right=1.2.3.4
  rightsubnet=10.0.1.0/24
  rightnexthop=1.2.3.5
  # RSA 2192 bits   fw2   Thu Dec 29 14:00:00 2005
        rightrsasigkey=0sAQ...

...in the log file:

Dec 29 16:34:48 fw2 pluto[7924]: Setting NAT-Traversal port-4500 floating to off
Dec 29 16:34:48 fw2 pluto[7924]:    port floating activation criteria nat_t=0/port_fload=1
Dec 29 16:34:48 fw2 pluto[7924]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 29 16:34:48 fw2 pluto[7924]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 29 16:34:48 fw2 pluto[7924]: starting up 1 cryptographic helpers
Dec 29 16:34:48 fw2 pluto[7924]: started helper pid=7925 (fd:6)
Dec 29 16:34:48 fw2 pluto[7924]: Using KLIPS IPsec interface code on 2.6.9-1.667.root
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/cacerts'
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/aacerts'
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/crls'
Dec 29 16:34:48 fw2 pluto[7924]: added connection description "left-road"
Dec 29 16:34:48 fw2 pluto[7924]: added connection description "princ-cardito"
Dec 29 16:34:48 fw2 pluto[7924]: listening for IKE messages
Dec 29 16:34:48 fw2 pluto[7924]: adding interface ipsec0/eth0 1.2.3.4:500
Dec 29 16:34:48 fw2 pluto[7924]: loading secrets from "/etc/ipsec.secrets"
Dec 29 16:34:48 fw2 pluto[7924]: "princ-cardito" #1: initiating Main Mode
Dec 29 16:34:51 fw2 pluto[7924]: initiate on demand from 10.0.1.2:0 to 192.168.0.2:0 proto=0 state: fos_start because: acquire
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: ignoring unknown Vendor ID payload [4f454f50487f447340705155]
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [Dead Peer Detection]
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: responding to Main Mode
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: Main mode peer ID is ID_IPV4_ADDR: '5.6.7.8'
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: I did not send a certificate because I do not have one.
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: responding to Quick Mode {msgid:056743c8}
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x2f26635a <0xbd01e599 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Dec 29 16:35:06 fw2 pluto[7924]: "princ-cardito" #2: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2f266358) not found (maybe expired)
Dec 29 16:35:06 fw2 pluto[7924]: "princ-cardito" #2: received and ignored informational message

000 "princ-cardito": 10.0.1.0/24===1.2.3.4---1.2.3.5...5.6.7.9---5.6.7.8===192.168.0.0/24; erouted; eroute owner: #3
000 "princ-cardito":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "princ-cardito":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "princ-cardito":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP; prio: 24,24; interface: eth0;
000 "princ-cardito":   newest ISAKMP SA: #2; newest IPsec SA: #3;
000 "princ-cardito":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "princ-cardito":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "princ-cardito":   ESP algorithms loaded: 3_000-1, flags=-strict
000 "princ-cardito":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #1: "princ-cardito":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd
000 #1: pending Phase 2 for "princ-cardito" replacing #0
000 #1: pending Phase 2 for "princ-cardito" replacing #0
000 #3: "princ-cardito":1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28579s; newest IPSEC; eroute owner
000 #3: "princ-cardito" used 110s ago; esp.2f26635a@5.6.7.8 esp.bd01e599@1.2.3.4 tun.1002@5.6.7.8 tun.1001@1.2.3.4
000 #2: "princ-cardito":1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3379s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000

...on the second endpoint I have:

ipsec.conf

config setup
       interfaces="ipsec0=eth0"
       nat_traversal=yes

conn %default
      authby=rsasig
      esp=3des-md5
      rekey=no

conn princ-cardito
  auto=start
  pfs=yes
  # left site: princ
  left=5.6.7.8
  leftsubnet=192.168.0.0/24
  leftnexthop=5.6.7.9
  # RSA 2192 bits   test2   Thu Dec 29 14:09:50 2005
        leftrsasigkey=0s..
  # right site: cardito
  right=1.2.3.4
  rightsubnet=10.0.1.0/24
  rightnexthop=1.2.3.5
  # RSA 2192 bits   fw2   Thu Dec 29 14:00:00 2005
        rightrsasigkey=0sA...

...in the log file:

000 #11: "princ-cardito":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27936s; newest IPSEC; eroute owner
000 #11: "princ-cardito" used 116s ago; esp.bd01e599@1.2.3.4 esp.2f26635a@5.6.7.8 tun.1004@1.2.3.4 tun.1003@5.6.7.9
000 #10: "princ-cardito":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2237s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000

Thanks.

------
Salvatore.
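As an added triage example (not part of Salvatore's post and not an Openswan tool): a small Python parser over the `000` status lines of both gateways that checks whether each end holds an established IPsec SA that owns the eroute, whether the ESP SPI pairs agree between the ends, and which states are still retransmitting. It assumes the status text is passed in as strings; the sample input is retyped from the post with the archive's " at " restored to "@".

```python
import re

# Constructed sample input: the "000" status lines from the two gateways in
# the post, retyped with the archive's " at " restored to "@".
FW2 = """\
000 #1: "princ-cardito":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd
000 #3: "princ-cardito":1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28579s; newest IPSEC; eroute owner
000 #3: "princ-cardito" used 110s ago; esp.2f26635a@5.6.7.8 esp.bd01e599@1.2.3.4 tun.1002@5.6.7.8 tun.1001@1.2.3.4
000 #2: "princ-cardito":1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3379s; newest ISAKMP
"""
PRINC = """\
000 #11: "princ-cardito":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27936s; newest IPSEC; eroute owner
000 #11: "princ-cardito" used 116s ago; esp.bd01e599@1.2.3.4 esp.2f26635a@5.6.7.8 tun.1004@1.2.3.4 tun.1003@5.6.7.9
000 #10: "princ-cardito":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2237s; newest ISAKMP
"""

STATE_RE = re.compile(r'^000 #(\d+): "[^"]+":\d+ (STATE_\w+) \(([^)]*)\);(.*)$')
NUM_RE = re.compile(r'^000 #(\d+):')
SPI_RE = re.compile(r'\besp\.([0-9a-f]+)@(\d+(?:\.\d+){3})')

def parse_status(text):
    """Map state number -> facts pulled from `ipsec auto --status` 000-lines."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, state, desc, rest = m.groups()
            states[int(num)] = {"state": state, "established": "IPsec SA established" in desc,
                                "eroute_owner": "eroute owner" in rest,
                                "retransmitting": "EVENT_RETRANSMIT" in rest, "spis": set()}
        n = NUM_RE.match(line)  # the "used Ns ago" line of a state carries its SPIs
        if n and int(n.group(1)) in states:
            states[int(n.group(1))]["spis"].update(SPI_RE.findall(line))
    return states

def owner(states):  # the state holding an established IPsec SA that owns the eroute
    return next((s for s in states.values() if s["established"] and s["eroute_owner"]), None)

def triage(local, remote):
    """Decide whether the tunnel is really up and consistent on both ends."""
    a, b = parse_status(local), parse_status(remote)
    oa, ob = owner(a), owner(b)
    r = {"both_established": bool(oa and ob), "spis_agree": bool(oa and ob and oa["spis"] == ob["spis"]),
         "stale_local": sorted(n for n, s in a.items() if s["retransmitting"]),
         "stale_remote": sorted(n for n, s in b.items() if s["retransmitting"])}
    # Identical SPI pairs on both ends mean IKE and the kernel SAs agree; what is left to check is routing, forwarding and firewall rules.
    r["verdict"] = ("negotiation OK, check routing/forwarding/firewall"
                    if r["both_established"] and r["spis_agree"] else "IKE/IPsec mismatch")
    return r
```

For the two outputs in the post it reports both ends established with matching SPIs and only fw2's stale #1 still retransmitting, which points the search at routing and filtering rather than IKE.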
