[Openswan Users] help, Urgent! IPsec SA is established, trouble with pinging and other traffic?
lidongli at ensemble.com.cn
Tue Feb 1 21:29:30 CET 2005
Hi All,
I'm currently in the middle of setting up an IPsec connection which will
have a road warrior (running Windows XP) connecting to a Redhat 9.0 box
(kernel 2.4.20-8, openswan-1.0.8 with the NAT Traversal feature).
Network-wise it looks like this:
Road warrior (Windows XP) -- NAT device (Cisco router) -- internet -- Redhat
box (with iptables, openswan-1.0.8) -- internal network (internal workstation
which is required to be accessed)
What's more, about access control: for the road warrior, on the Cisco router
there is no restriction for internal clients; on the Linux box, UDP 500,
ESP (50) and AH (51) have been allowed from and to the internet, accepted by
the OUTPUT, INPUT and FORWARD chains in iptables.
I've set up the IPsec connection using the snap-in in MMC. When I ping
from the Windows box, it shows
"Negotiating IP Security", followed by "request timed out". It doesn't
matter how long I try, I keep getting request timed out.
To verify that I have rightca set properly, follow these instructions:
- Load the IPSec MMC you created earlier
- Click IP Security Policies; double-click on the FreeSwan tunnel
- Double-click roadwarrior-Host filter
- Click on the 'Authentication Methods' tab
- Click 'Add', then 'Use a certificate from this CA'
- Click Browse, find your CA
- Copy/paste the text in the grayed-out box into your ipsec.conf
It should be right, but I still get the request timed out! :)
I moved on to my Linux gateway (Redhat Linux 9.0) and debugged with the
ipsec barf command; it shows the following information:
Feb 1 00:39:48 localhost pluto[319]: adding interface ipsec0/eth0 218.106.186.84
Feb 1 00:39:48 localhost pluto[319]: adding interface ipsec0/eth0 218.106.186.84:4500
Feb 1 00:39:48 localhost pluto[319]: loading secrets from "/etc/ipsec.secrets"
Feb 1 00:39:48 localhost pluto[319]: loaded private key file '/etc/ipsec.d/private/gateway.ensemble.com.key' (1683 bytes)
Feb 1 00:40:55 localhost pluto[319]: packet from 219.239.37.131:58868: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb 1 00:40:55 localhost pluto[319]: "roadworrior-net"[1] 219.239.37.131:58868 #1: responding to Main Mode from unknown peer 219.239.37.131:58868
Feb 1 00:40:55 localhost pluto[319]: "roadworrior-net"[1] 219.239.37.131:58868 #1: transition from state (null) to state STATE_MAIN_R1
Feb 1 00:40:55 localhost pluto[319]: "roadworrior-net"[1] 219.239.37.131:58868 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[1] 219.239.37.131:58868 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=BJ, L=BJ, O=Ensemble International, OU=System department, CN=WINHOST, E=coffeeboy7411 at ensemble.com.cn'
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #1: deleting connection "roadworrior-net" instance with peer 219.239.37.131
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #1: sent MR3, ISAKMP SA established
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #2: responding to Quick Mode
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #2: transition from state (null) to state STATE_QUICK_R1
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #2: IPsec SA established
Feb 1 01:36:26 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #2
Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in quick_outI1. Errno 1: Operation not permitted
Feb 1 01:36:26 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #4: initiating Main Mode to replace #1
Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in main_outI1. Errno 1: Operation not permitted
Feb 1 01:36:36 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb 1 01:36:36 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb 1 01:36:56 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb 1 01:36:56 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb 1 01:37:36 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #4: max number of retransmissions (2) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Feb 1 01:37:36 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #3: max number of retransmissions (2) reached STATE_QUICK_I1
Feb 1 01:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #1: ISAKMP SA expired (LATEST!)
Feb 1 01:40:56 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #1: sendto on eth0 to 219.239.37.131:58868 failed in delete notify. Errno 1: Operation not permitted
Feb 1 01:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #2: IPsec SA expired (LATEST!)
Feb 1 01:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868: deleting connection "roadworrior-net" instance with peer 219.239.37.131
+ _________________________ date
+ date
Tue Feb 1 04:56:48 CST 2005
The IPsec SA is indeed established, but I couldn't ping the
internal box behind the Redhat gateway from the road warrior; pings in both
directions do not work properly.
I hope someone out there will have suggestions on solving this, as I'm
beginning to tear my hair out. I just paste the ipsec.conf on the Linux side and
the ipsec.conf on the Windows XP side here for solving the problem.
Linux side ipsec.conf:
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
conn roadworrior-net
        left=68.106.186.85
        leftnexthop=68.106.186.81
        leftsubnet=192.168.0.0/16
        leftcert=gateway.semble.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes
Windows side ipsec.conf:
conn roadwarrior
        left=68.106.186.85
        leftsubnet=192.168.0.0/16
        right=%any
        rightca="C=CN, S=BJ, L=BJ, O=semble International, OU=System department, CN=FIREWALL, E=lidong.li at ensemble.com.cn"
        network=auto
        auto=start
        pfs=yes
Best Regards,
Tony
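Added here as an illustration, not code from the post or from Openswan: a small Python parser for pluto log lines in the format quoted above. It summarises which SAs reached "established" and which outbound IKE sends failed, and flags Errno 1 (EPERM) on sendto, which on a Linux gateway usually means the gateway's own netfilter OUTPUT rules (or a local policy) dropped the packet before it left the interface. It assumes each log entry sits on one line (the archive wraps them) and uses constructed sample addresses, not the poster's.

```python
import re
from collections import defaultdict

# Constructed sample in the pluto format quoted in the post; addresses and
# the connection name are placeholders, not the poster's real values.
SAMPLE_LOG = """\
Feb 1 00:40:56 gw pluto[319]: "rw-net"[2] 203.0.113.5:58868 #1: sent MR3, ISAKMP SA established
Feb 1 00:40:56 gw pluto[319]: "rw-net"[2] 203.0.113.5:58868 #2: IPsec SA established
Feb 1 01:36:26 gw pluto[319]: "rw-net"[2] 203.0.113.5:58868 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #2
Feb 1 01:36:26 gw pluto[319]: ERROR: "rw-net"[2] 203.0.113.5:58868 #3: sendto on eth0 to 203.0.113.5:58868 failed in quick_outI1. Errno 1: Operation not permitted
Feb 1 01:36:36 gw pluto[319]: ERROR: "rw-net"[2] 203.0.113.5:58868 #3: sendto on eth0 to 203.0.113.5:58868 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb 1 01:37:36 gw pluto[319]: "rw-net"[2] 203.0.113.5:58868 #3: max number of retransmissions (2) reached STATE_QUICK_I1
"""

# conn name, peer address:port, SA number and the free-text message
LINE_RE = re.compile(
    r'pluto\[\d+\]: (?:ERROR: )?"(?P<conn>[^"]+)"\[\d+\] '
    r'(?P<peer>[\d.]+:\d+) #(?P<sa>\d+): (?P<msg>.*)$'
)
SENDTO_RE = re.compile(
    r'sendto on (?P<iface>\S+) to (?P<dst>\S+) failed in (?P<where>\S+)\. Errno (?P<errno>\d+)'
)

def parse_pluto_log(text):
    """Return ({sa: 'ISAKMP'|'IPsec'}, {sa: [(where, errno), ...]})."""
    established = {}
    send_failures = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sa, msg = int(m.group("sa")), m.group("msg")
        if msg.endswith("ISAKMP SA established"):
            established[sa] = "ISAKMP"
        elif msg.endswith("IPsec SA established"):
            established[sa] = "IPsec"
        f = SENDTO_RE.search(msg)
        if f:
            send_failures[sa].append((f.group("where"), int(f.group("errno"))))
    return established, dict(send_failures)

def diagnose(text):
    """Classify the pattern: SAs up but the kernel refuses our own IKE packets."""
    established, failures = parse_pluto_log(text)
    errnos = {e for fails in failures.values() for _, e in fails}
    if established and 1 in errnos:   # errno 1 = EPERM: local firewall/policy drop
        return "local-eperm"
    if established and not failures:
        return "sa-up-no-send-errors"
    return "no-sa"
```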