[Openswan Users] SA established but not ping
sasa
sasa at shoponweb.it
Thu Dec 29 17:07:56 CET 2005
Hi, I have a problem with a LAN-to-LAN connection: the IPsec SA is established, but I cannot ping from a PC behind the VPN server. Apparently there is no error at all in the log file. In particular, on one VPN endpoint I have:
ipsec.conf
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/16,%v4:192.168.0.0/24,%v4:!10.0.1.0/24
    interfaces="ipsec0=eth0"
conn %default
    authby=rsasig
    rekey=no
    esp=3des-md5
conn princ-cardito
    auto=start
    pfs=yes
    left=5.6.7.8
    leftsubnet=192.168.0.0/24
    leftnexthop=5.6.7.9
    # RSA 2192 bits test2 Thu Dec 29 14:09:50 2005
    leftrsasigkey=0s..
    # right site: cardito
    right=1.2.3.4
    rightsubnet=10.0.1.0/24
    rightnexthop=1.2.3.5
    # RSA 2192 bits fw2 Thu Dec 29 14:00:00 2005
    rightrsasigkey=0sAQ...
...in the log file:
Dec 29 16:34:48 fw2 pluto[7924]: Setting NAT-Traversal port-4500 floating to off
Dec 29 16:34:48 fw2 pluto[7924]: port floating activation criteria nat_t=0/port_fload=1
Dec 29 16:34:48 fw2 pluto[7924]: including NAT-Traversal patch (Version 0.6c) [disabled]
Dec 29 16:34:48 fw2 pluto[7924]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 29 16:34:48 fw2 pluto[7924]: starting up 1 cryptographic helpers
Dec 29 16:34:48 fw2 pluto[7924]: started helper pid=7925 (fd:6)
Dec 29 16:34:48 fw2 pluto[7924]: Using KLIPS IPsec interface code on 2.6.9-1.667.root
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/cacerts'
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/aacerts'
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/ocspcerts'
Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory '/etc/ipsec.d/crls'
Dec 29 16:34:48 fw2 pluto[7924]: added connection description "left-road"
Dec 29 16:34:48 fw2 pluto[7924]: added connection description "princ-cardito"
Dec 29 16:34:48 fw2 pluto[7924]: listening for IKE messages
Dec 29 16:34:48 fw2 pluto[7924]: adding interface ipsec0/eth0 1.2.3.4:500
Dec 29 16:34:48 fw2 pluto[7924]: loading secrets from "/etc/ipsec.secrets"
Dec 29 16:34:48 fw2 pluto[7924]: "princ-cardito" #1: initiating Main Mode
Dec 29 16:34:51 fw2 pluto[7924]: initiate on demand from 10.0.1.2:0 to 192.168.0.2:0 proto=0 state: fos_start because: acquire
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: ignoring unknown Vendor ID payload [4f454f50487f447340705155]
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [Dead Peer Detection]
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: responding to Main Mode
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: Main mode peer ID is ID_IPV4_ADDR: '5.6.7.8'
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: I did not send a certificate because I do not have one.
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: responding to Quick Mode {msgid:056743c8}
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x2f26635a <0xbd01e599 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Dec 29 16:35:06 fw2 pluto[7924]: "princ-cardito" #2: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2f266358) not found (maybe expired)
Dec 29 16:35:06 fw2 pluto[7924]: "princ-cardito" #2: received and ignored informational message
000 "princ-cardito": 10.0.1.0/24===1.2.3.4---1.2.3.5...5.6.7.9---5.6.7.8===192.168.0.0/24; erouted; eroute owner: #3
000 "princ-cardito": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "princ-cardito": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "princ-cardito": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP; prio: 24,24; interface: eth0;
000 "princ-cardito": newest ISAKMP SA: #2; newest IPsec SA: #3;
000 "princ-cardito": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "princ-cardito": ESP algorithms wanted: 3_000-1, flags=-strict
000 "princ-cardito": ESP algorithms loaded: 3_000-1, flags=-strict
000 "princ-cardito": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #1: "princ-cardito":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd
000 #1: pending Phase 2 for "princ-cardito" replacing #0
000 #1: pending Phase 2 for "princ-cardito" replacing #0
000 #3: "princ-cardito":1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28579s; newest IPSEC; eroute owner
000 #3: "princ-cardito" used 110s ago; esp.2f26635a@5.6.7.8 esp.bd01e599@1.2.3.4 tun.1002@5.6.7.8 tun.1001@1.2.3.4
000 #2: "princ-cardito":1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3379s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
...on the second endpoint I have:
ipsec.conf
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
conn %default
    authby=rsasig
    esp=3des-md5
    rekey=no
conn princ-cardito
    auto=start
    pfs=yes
    # left site: princ
    left=5.6.7.8
    leftsubnet=192.168.0.0/24
    leftnexthop=5.6.7.9
    # RSA 2192 bits test2 Thu Dec 29 14:09:50 2005
    leftrsasigkey=0s..
    # right site: cardito
    right=1.2.3.4
    rightsubnet=10.0.1.0/24
    rightnexthop=1.2.3.5
    # RSA 2192 bits fw2 Thu Dec 29 14:00:00 2005
    rightrsasigkey=0sA...
...in the log file:
000 #11: "princ-cardito":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27936s; newest IPSEC; eroute owner
000 #11: "princ-cardito" used 116s ago; esp.bd01e599@1.2.3.4 esp.2f26635a@5.6.7.8 tun.1004@1.2.3.4 tun.1003@5.6.7.9
000 #10: "princ-cardito":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2237s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
Thanks.
------
Salvatore.
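An added example for readers of this thread (it is not part of Salvatore's post and not Openswan code): a small Python script that reads the `ipsec auto --status` lines and the pluto log lines quoted above (embedded as constructed samples, with the list archive's " at " obfuscation of "@" undone) and checks what that state actually proves. It extracts the ESP SPI pairs held by each gateway and verifies they are mirror images, checks that an established SA owns the eroute on both sides, reads the "used Ns ago" counters, and classifies the "ignoring Delete SA" line by whether it names a live SPI or an old one. All function names are my own. On the quoted data the SPIs agree (0x2f26635a towards 5.6.7.8, 0xbd01e599 towards 1.2.3.4), both eroutes have carried outbound traffic, and the deleted SPI 0x2f266358 is not one of the live ones, so IKE keying is consistent and the missing pings have to be chased outside pluto: forwarding and NAT rules that rewrite the source address before ESP encapsulation, and filtering of ESP (IP protocol 50) or of ipsec0 traffic on either gateway.

```python
import re

# Constructed samples: the `ipsec auto --status` lines and pluto log lines quoted
# in the post, with mailman's " at " obfuscation of "@" undone. Not from a live box.
FW2_STATUS = """\
000 #3: "princ-cardito":1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28579s; newest IPSEC; eroute owner
000 #3: "princ-cardito" used 110s ago; esp.2f26635a@5.6.7.8 esp.bd01e599@1.2.3.4 tun.1002@5.6.7.8 tun.1001@1.2.3.4
"""

TEST2_STATUS = """\
000 #11: "princ-cardito":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27936s; newest IPSEC; eroute owner
000 #11: "princ-cardito" used 116s ago; esp.bd01e599@1.2.3.4 esp.2f26635a@5.6.7.8 tun.1004@1.2.3.4 tun.1003@5.6.7.9
"""

FW2_LOG = """\
Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x2f26635a <0xbd01e599 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Dec 29 16:35:06 fw2 pluto[7924]: "princ-cardito" #2: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2f266358) not found (maybe expired)
"""

SPI_RE = re.compile(r"esp\.([0-9a-f]+)@(\d{1,3}(?:\.\d{1,3}){3})")
USED_RE = re.compile(r'"[^"]+" used (\d+)s ago')
OWNER_RE = re.compile(r"IPsec SA established\).*eroute owner")
DELETE_RE = re.compile(r"Delete SA payload: PROTO_IPSEC_ESP SA\(0x([0-9a-f]+)\)")


def esp_spis(status):
    """Map each ESP SPI in a status dump to the gateway it is addressed to.

    Openswan prints one esp.<spi>@<gw> per direction. The SPI is chosen by the
    receiver, so <gw> is the gateway that expects packets carrying that SPI."""
    return dict(SPI_RE.findall(status))


def outbound_used_ago(status):
    """Seconds since pluto last saw outbound traffic on this SA (it reads the
    kernel's counters), or None if nothing has been encapsulated yet."""
    m = USED_RE.search(status)
    return int(m.group(1)) if m else None


def owns_established_eroute(status):
    """True if an established IPsec SA is the eroute owner (policy installed)."""
    return OWNER_RE.search(status) is not None


def spi_pairs_match(status_a, status_b):
    """Both gateways must hold the same two SPIs addressed to the same peers;
    a mismatch means one side encrypts to an SA the other side no longer has."""
    return esp_spis(status_a) == esp_spis(status_b)


def classify_deletes(log, active_spis):
    """Split Delete SA notifications into ones naming a live SPI (a real
    teardown) and ones naming an SPI we no longer hold (leftover from an
    earlier keying attempt; pluto logs these as 'not found (maybe expired)')."""
    result = {"active": [], "stale": []}
    for spi in DELETE_RE.findall(log):
        result["active" if spi in active_spis else "stale"].append(spi)
    return result


def diagnose(status_a, status_b, log):
    """Summarise what the two status dumps and the responder log prove.

    keying_ok=True means IKE/ESP state is consistent on both ends, so missing
    pings must be looked for outside pluto: forwarding, NAT applied before
    encapsulation, or filtering of ESP / ipsec0 traffic on a gateway."""
    spis_a, spis_b = esp_spis(status_a), esp_spis(status_b)
    deletes = classify_deletes(log, set(spis_a) | set(spis_b))
    report = {
        "spis_match": spis_a == spis_b,
        "both_eroute_owners": owns_established_eroute(status_a)
        and owns_established_eroute(status_b),
        "both_carried_traffic": outbound_used_ago(status_a) is not None
        and outbound_used_ago(status_b) is not None,
        "deletes": deletes,
    }
    report["keying_ok"] = (
        report["spis_match"]
        and report["both_eroute_owners"]
        and not deletes["active"]
    )
    return report


if __name__ == "__main__":
    for key, value in diagnose(FW2_STATUS, TEST2_STATUS, FW2_LOG).items():
        print(f"{key}: {value}")
```

Run it against the real output of `ipsec auto --status` from each gateway plus `/var/log/secure` (or wherever pluto logs) instead of the embedded samples; if `spis_match` is False, one side is rekeying alone and the fix is on the IKE side, whereas a True `keying_ok` with `both_carried_traffic` True says packets are being encapsulated on both ends and the loss is on the wire or in the decapsulating gateway's firewall or NAT rules.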