[Openswan Users] help, Urgent! IPsec SA is established, trouble with pinging and other traffic?

lidongli at ensemble.com.cn
Tue Feb 1 21:29:30 CET 2005


Hi All,

I'm currently in the middle of setting up an IPsec connection which will 
have a road warrior (running Windows XP) connecting to a Redhat 9.0 box 
(kernel 2.4.20-8, openswan-1.0.8 with the NAT Traversal feature).

Network wise it looks like this:


Road warrior (Windows XP) -- NAT device (Cisco router) -- internet -- Redhat 
box (with iptables, openswan-1.0.8) -- internal network (internal workstation 
which is required to be accessed)

As for access control: for the road warrior, there is no restriction on the 
Cisco router for internal clients; on the Linux box, UDP 500, ESP (50) and 
AH (51) have been allowed from and to the internet, accepted by the OUTPUT, 
INPUT and FORWARD chains in iptables.


I've set up the IPsec connection using the snap-in in MMC. When I ping 
from the Windows box, it shows "Negotiating IP Security", followed by 
"request timed out". It doesn't matter how long I try, I keep getting 
"request timed out".

To verify that I have rightca set properly, follow these instructions:



- Load the IPSec MMC you created earlier
- Click IP Security Policies; double-click on the FreeSwan tunnel
- Double-click roadwarrior-Host filter
- Click on the 'Authentication Methods' tab
- Click 'Add', then 'Use a certificate from this CA'
- Click Browse, find your CA
- Copy/paste the text in the grayed-out box into your ipsec.conf

It should be right, but I still get "request timed out"! :)

I move on to my Linux gateway (Redhat Linux 9.0) and debug with the 
ipsec barf command; it shows the following information:
Feb  1 00:39:48 localhost pluto[319]: adding interface ipsec0/eth0 
218.106.186.84
Feb  1 00:39:48 localhost pluto[319]: adding interface ipsec0/eth0 
218.106.186.84:4500
Feb  1 00:39:48 localhost pluto[319]: loading secrets from 
"/etc/ipsec.secrets"
Feb  1 00:39:48 localhost pluto[319]:   loaded private key file 
'/etc/ipsec.d/private/gateway.ensemble.com.key' (1683 bytes)
Feb  1 00:40:55 localhost pluto[319]: packet from 219.239.37.131:58868: 
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Feb  1 00:40:55 localhost pluto[319]: "roadworrior-net"[1] 
219.239.37.131:58868 #1: responding to Main Mode from unknown peer 
219.239.37.131:58868
Feb  1 00:40:55 localhost pluto[319]: "roadworrior-net"[1] 
219.239.37.131:58868 #1: transition from state (null) to state 
STATE_MAIN_R1
Feb  1 00:40:55 localhost pluto[319]: "roadworrior-net"[1] 
219.239.37.131:58868 #1: transition from state STATE_MAIN_R1 to state 
STATE_MAIN_R2
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[1] 
219.239.37.131:58868 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, 
ST=BJ, L=BJ, O=Ensemble International, OU=System department, CN=WINHOST, 
E=coffeeboy7411 at ensemble.com.cn'
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #1: deleting connection "roadworrior-net" instance 
with peer 219.239.37.131
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #1: transition from state STATE_MAIN_R2 to state 
STATE_MAIN_R3
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #1: sent MR3, ISAKMP SA established
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #2: responding to Quick Mode
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #2: transition from state (null) to state 
STATE_QUICK_R1
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #2: transition from state STATE_QUICK_R1 to state 
STATE_QUICK_R2
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #2: IPsec SA established
Feb  1 01:36:26 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #3: initiating Quick Mode 
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #2
Feb  1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 
219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in 
quick_outI1. Errno 1: Operation not permitted
Feb  1 01:36:26 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #4: initiating Main Mode to replace #1
Feb  1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 
219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in 
main_outI1. Errno 1: Operation not permitted
Feb  1 01:36:36 localhost pluto[319]: ERROR: "roadworrior-net"[2] 
219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in 
EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb  1 01:36:36 localhost pluto[319]: ERROR: "roadworrior-net"[2] 
219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in 
EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb  1 01:36:56 localhost pluto[319]: ERROR: "roadworrior-net"[2] 
219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in 
EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb  1 01:36:56 localhost pluto[319]: ERROR: "roadworrior-net"[2] 
219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in 
EVENT_RETRANSMIT. Errno 1: Operation not permitted
Feb  1 01:37:36 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #4: max number of retransmissions (2) reached 
STATE_MAIN_I1.  No acceptable response to our first IKE message
Feb  1 01:37:36 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #3: max number of retransmissions (2) reached 
STATE_QUICK_I1
Feb  1 01:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #1: ISAKMP SA expired (LATEST!)
Feb  1 01:40:56 localhost pluto[319]: ERROR: "roadworrior-net"[2] 
219.239.37.131:58868 #1: sendto on eth0 to 219.239.37.131:58868 failed in 
delete notify. Errno 1: Operation not permitted
Feb  1 01:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868 #2: IPsec SA expired (LATEST!)
Feb  1 01:40:56 localhost pluto[319]: "roadworrior-net"[2] 
219.239.37.131:58868: deleting connection "roadworrior-net" instance with 
peer 219.239.37.131
+ _________________________ date
+ date
Tue Feb  1 04:56:48 CST 2005

The IPsec SA is indeed established, but I couldn't ping the internal box 
behind the Redhat gateway from the road warrior. Pings in both directions 
do not work properly.

I hope someone out there will have suggestions on solving this, as I'm 
beginning to tear my hair out. I paste the ipsec.conf from the Linux side 
and the ipsec.conf from the Windows XP side here to help solve the problem.

Linux side ipsec.conf:

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadworrior-net
        left=68.106.186.85
        leftnexthop=68.106.186.81
        leftsubnet=192.168.0.0/16
        leftcert=gateway.semble.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes


Windows side ipsec.conf:

conn roadwarrior
  left=68.106.186.85
  leftsubnet=192.168.0.0/16
  right=%any
  rightca="C=CN, S=BJ, L=BJ, O=semble International, OU=System department, CN=FIREWALL, E=lidong.li at ensemble.com.cn"
  network=auto
  auto=start
  pfs=yes

Tony

Best Regards,
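Added by the editor, not part of the original post or of Openswan: a small triage script for pluto log lines of the shape quoted above. The sample log is constructed from the lines in the post (same connection name, peer address, ports and errno; no lines copied from a live system). It records which SAs were established, whether pluto opened its NAT-T port 4500 listener, and which outbound IKE sends the kernel refused. Two facts it relies on: on Linux, a UDP sendto() that returns EPERM (errno 1) means the local kernel refused to transmit, which is the classic signature of a netfilter rule in the OUTPUT chain rejecting the packet rather than anything on the network path; and a peer port other than 500 or 4500 means the peer is behind NAT and its source port was rewritten, so a firewall rule that only matches UDP port 500 will not cover the rekey traffic to that port. The function names and the result dictionary keys are this example's own.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the post above.
SAMPLE_LOG = """\
Feb  1 00:39:48 localhost pluto[319]: adding interface ipsec0/eth0 218.106.186.84
Feb  1 00:39:48 localhost pluto[319]: adding interface ipsec0/eth0 218.106.186.84:4500
Feb  1 00:40:55 localhost pluto[319]: "roadworrior-net"[1] 219.239.37.131:58868 #1: responding to Main Mode from unknown peer 219.239.37.131:58868
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #1: sent MR3, ISAKMP SA established
Feb  1 00:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #2: IPsec SA established
Feb  1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in quick_outI1. Errno 1: Operation not permitted
Feb  1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #4: sendto on eth0 to 219.239.37.131:58868 failed in main_outI1. Errno 1: Operation not permitted
Feb  1 01:40:56 localhost pluto[319]: "roadworrior-net"[2] 219.239.37.131:58868 #1: ISAKMP SA expired (LATEST!)
"""

# The '"conn"[instance] peer:port #sa:' prefix pluto puts on per-state messages.
STATE_PREFIX = r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+):(?P<peer_port>\d+) #(?P<sa>\d+): '
ESTABLISHED_RE = re.compile(STATE_PREFIX + r'.*?(?P<kind>ISAKMP|IPsec) SA established')
NATT_IFACE_RE = re.compile(r'adding interface \S+ [\d.]+:4500$')
SENDTO_RE = re.compile(
    r'ERROR: ' + STATE_PREFIX
    + r'sendto on (?P<iface>\S+) to (?P<dst>[\d.]+):(?P<dport>\d+) failed in '
    r'(?P<where>[^.]+)\. Errno (?P<errno>\d+): (?P<msg>.+)$'
)
IKE_PORTS = {500, 4500}  # IKE and NAT-T; anything else is a NAT-rewritten peer port


def parse_pluto(text):
    """Return (natt_enabled, established_sas, sendto_failures) from raw pluto log text."""
    natt_enabled = False
    established = []   # (kind, sa number, peer ip, peer port)
    failures = []      # one dict per refused send
    for line in text.splitlines():
        if NATT_IFACE_RE.search(line):
            natt_enabled = True
            continue
        m = ESTABLISHED_RE.search(line)
        if m:
            established.append((m['kind'], int(m['sa']), m['peer'], int(m['peer_port'])))
            continue
        m = SENDTO_RE.search(line)
        if m:
            failures.append({
                'sa': int(m['sa']), 'iface': m['iface'], 'dst': m['dst'],
                'dport': int(m['dport']), 'where': m['where'].strip(),
                'errno': int(m['errno']), 'msg': m['msg'],
            })
    return natt_enabled, established, failures


def triage(text):
    """Summarise the log into a few checks a gateway admin would act on."""
    natt_enabled, established, failures = parse_pluto(text)
    ipsec_up = any(kind == 'IPsec' for kind, *_ in established)
    eperm = [f for f in failures if f['errno'] == 1]
    odd_ports = sorted({f['dport'] for f in eperm if f['dport'] not in IKE_PORTS})
    notes = []
    if ipsec_up:
        notes.append('IPsec SA established: IKE phase 1 and 2 completed, so certificates '
                     'and proposals are fine; look at the packet path next.')
    if eperm:
        ifaces = ','.join(sorted({f['iface'] for f in eperm}))
        notes.append(f'{len(eperm)} outbound IKE send(s) on {ifaces} failed with EPERM '
                     '(errno 1): the local kernel refused to transmit, typically a '
                     'netfilter OUTPUT rule, not a network fault.')
    for port in odd_ports:
        notes.append(f'peer port {port} is neither 500 nor 4500: the peer is behind NAT '
                     'and its source port was rewritten, so a rule that only matches '
                     'UDP port 500 does not cover this rekey traffic.')
    return {
        'natt_enabled': natt_enabled,
        'ipsec_sa_established': ipsec_up,
        'eperm_sends': len(eperm),
        'odd_peer_ports': odd_ports,
        'notes': notes,
    }


if __name__ == '__main__':
    for note in triage(SAMPLE_LOG)['notes']:
        print('-', note)
```

To run it over a real capture, pass the pluto section of the ipsec barf output as the text, for example triage(open('barf.txt').read()); the regular expressions only match the message shapes shown above, so other pluto output is ignored rather than misreported.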