[Openswan Users] help, still getting trouble (IPsec SA is established, trouble with pinging and other traffic)

lidongli at ensemble.com.cn lidongli at ensemble.com.cn
Tue Feb 22 00:37:43 CET 2005


Hi,

I followed your suggestions to upgrade my XP box to SP2 and open 
4500/udp (I even allow all traffic), but this doesn't work! The ISAKMP 
SA is also established, but I still couldn't talk with the remote host behind 
my VPN gateway (kernel 2.4.20-8, openswan-1.0.8 with NAT Traversal feature).
www.openswan.org recommended openswan-1.0.8 to me; they say it 
is the most stable one, and our environment is a production system.
Because my road-warrior (Windows XP box) is behind a Cisco router (which 
has NAT set properly), that is why I enabled NAT Traversal on my Linux gateway. 
My topology is:

xpbox---cisco router-------internet -----------redhat linux gateway( with iptables and openswan)--------remote host


Communication between the xpbox and the remote box over a secure tunnel is my 
purpose, for example: run some client program to access an application server on 
the remote host.

Like before, I always get "Negotiating IP Security" and then "Request timed 
out", or maybe first "Request timed out" and then "Negotiating IP Security". I don't 
know why. I really worry about this. For your review I paste some 
information; hope it can give you some hints!

[root@localhost rc.d]# ipsec barf 

Feb  2 02:22:19 localhost pluto[11566]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Feb  2 02:22:19 localhost pluto[11566]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Feb  2 02:22:19 localhost pluto[11566]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Feb  2 02:22:19 localhost pluto[11566]: Changing to directory '/etc/ipsec.d/cacerts'
Feb  2 02:22:19 localhost pluto[11566]:   loaded cacert file 'cacert.pem' (1359 bytes)
Feb  2 02:22:19 localhost pluto[11566]: Changing to directory '/etc/ipsec.d/crls'
Feb  2 02:22:19 localhost pluto[11566]:   loaded crl file 'crl.pem' (540 bytes)
Feb  2 02:22:19 localhost pluto[11566]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Feb  2 02:22:19 localhost pluto[11566]: | from whack: got --esp=3des
Feb  2 02:22:19 localhost pluto[11566]: | from whack: got --ike=3des
Feb  2 02:22:19 localhost pluto[11566]:   loaded host cert file '/etc/ipsec.d/gateway.ensemble.com.pem' (3745 bytes)
Feb  2 02:22:19 localhost pluto[11566]: added connection description "roadworrior-net"
Feb  2 02:22:19 localhost pluto[11566]: listening for IKE messages
Feb  2 02:22:19 localhost pluto[11566]: adding interface ipsec0/eth0 218.106.186.84
Feb  2 02:22:19 localhost pluto[11566]: adding interface ipsec0/eth0 218.106.186.84:4500
Feb  2 02:22:19 localhost pluto[11566]: loading secrets from "/etc/ipsec.secrets"
Feb  2 02:22:19 localhost pluto[11566]:   loaded private key file '/etc/ipsec.d/private/gateway.ensemble.com.key' (1683 bytes)
Feb  2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb  2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: ignoring Vendor ID payload [FRAGMENTATION]
Feb  2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb  2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: responding to Main Mode from unknown peer 219.239.37.132:18641
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: transition from state (null) to state STATE_MAIN_R1
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=BJ, L=BJ, O=Ensemble International, OU=System department, CN=WINHOST, E=coffeeboy7411@ensemble.com.cn'
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18641 #1: deleting connection "roadworrior-net" instance with peer 219.239.37.132
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18641 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb  2 02:26:44 localhost pluto[11566]: | NAT-T: new mapping 219.239.37.132:18641/18642)
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #1: sent MR3, ISAKMP SA established
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: responding to Quick Mode
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: transition from state (null) to state STATE_QUICK_R1
Feb  2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb  2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: IPsec SA established
Feb  2 02:27:12 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: nat_traversal_new_mapping: address change currently not supported [219.239.37.132:18642,219.239.37.131:45193]
+ _________________________ date
+ date
Wed Feb  2 02:27:34 CST 2005
[root@localhost rc.d]# 


Can you also check the ipsec.conf for me? Thanks a million!


linux side ipsec.conf:

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadworrior-net
        left=68.106.186.85
        leftnexthop=68.106.186.81
        leftsubnet=192.168.0.0/16
        leftcert=gateway.semble.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

windows side ipsec.conf:

conn roadwarrior
  left=68.106.186.85
  leftsubnet=192.168.0.0/16
  right=%any
  rightca="C=CN, S=BJ, L=BJ, O=semble International, OU=System department, CN=FIREWALL, E=lidong.li@ensemble.com.cn"
  network=auto
  auto=start
  pfs=yes

tony

Best Regards,


Nate Carlson <natecars at natecarlson.com> 
2005-02-01 23:35

To: lidongli at ensemble.com.cn
cc: 
Subject: Re: help, Urgent! IPsec SA is established, trouble with pinging and other traffic

On Tue, 1 Feb 2005 lidongli at ensemble.com.cn wrote:
> I'm currently in the middle of setting up an IPSec connection which will 
> have a road warrior (running Windows XP) connecting to a Redhat 9.0 box 
> (kernel 2.4.20-8, openswan-1.0.8 with NAT Traversal feature)

Just curious, any reason you're not using a more recent version (2.2.x) of 
Openswan? The 1.x versions work fine, they are just old.  :)

> What's more, about access control for the road warrior: on the Cisco router 
> there is no restriction for internal clients; on the Linux box, UDP 
> 500, ESP (50) and AH (51) have been allowed from and to the internet, accepted 
> by the output, input, and forward chains in iptables.

Have you allowed 4500/udp? If you are using NAT Traversal, that port is 
also required.

> I've set up the IPSec connection using the snap-in in MMC. When I ping 
> from the Windows box, it shows "Negotiating IP Security", followed by 
> request timed out. It doesn't matter how long I try, I keep getting 
> request timed out.

Check the logs in event viewer - they will often indicate what the problem 
is (in a lot nicer format than the oakley logs, too!)

> To verify that I have rightca set properly, follow these instructions:
<...>
> It should be right, but I still get the request timed out! :)

OK, that's good!

> 219.239.37.131:58868 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #2
> Feb  1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in quick_outI1. Errno 1: Operation not permitted
>
> IPsec SA is indeed established, but I couldn't ping the internal box 
> behind the Redhat gateway from the road warrior. Pings in both directions 
> do not work properly.

It's failing to get to Main Mode, which is where you can actually exchange 
packets.

A few suggestions:

- Make sure the XP box is at SP2
- Run tcpdump on eth0 of the Linux box, and see what type of packets flow
   across when it's trying to initialize main mode
- Try opening 4500/udp or disabling NAT Traversal.

> I hope someone out there will have suggestions on solving this, as I'm 
> beginning to tear my hair out. I just paste the ipsec.conf on the Linux side and 
> the ipsec.conf on the Windows XP side here for solving the problem.

Let me know if this doesn't help!

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------


lilidong
Ensemble International Ltd..
Tel: 8610-82782892 ext. 319
Fax: 8610-82783467
http://www.ensembleintl.com
Best Regards,
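As an added example (not from the post, and not Openswan code), a small Python checker that parses pluto log lines like the ones quoted in this thread and pulls out the two events that explain "SA established but no traffic": the NAT-T mapping change that pluto 1.x cannot follow, and a sendto failure with errno 1 (EPERM), which on Linux usually means a local netfilter rule rejected pluto's own outgoing IKE packet. The sample lines are copied from the post; the function and finding names are my own.

```python
import re

# Sample lines copied from the thread's pluto log (NAT-T mapping change and the
# sendto error Nate quoted), used here as constructed test input.
SAMPLE_LOG = """\
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb  2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #1: sent MR3, ISAKMP SA established
Feb  2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: IPsec SA established
Feb  2 02:27:12 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: nat_traversal_new_mapping: address change currently not supported [219.239.37.132:18642,219.239.37.131:45193]
Feb  1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in quick_outI1. Errno 1: Operation not permitted
"""

# A pluto line that names a connection, a peer endpoint and an SA number.
LINE_RE = re.compile(
    r'^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?:ERROR: )?'
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+:\d+) #(?P<sa>\d+): (?P<msg>.*)$'
)
MAPPING_RE = re.compile(r'address change currently not supported \[(?P<old>[^,]+),(?P<new>[^\]]+)\]')
SENDTO_RE = re.compile(r'sendto on (?P<iface>\S+) to (?P<dst>\S+) failed .*Errno (?P<errno>\d+)')


def analyze(log_text):
    """Return (kind, sa_number, detail) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup lines, "| NAT-T:" debug lines, barf banners
        sa, msg = int(m.group('sa')), m.group('msg')
        if msg.endswith('peer is NATed'):
            findings.append(('nat_detected', sa, m.group('peer')))
        elif msg.endswith('ISAKMP SA established'):
            findings.append(('isakmp_sa', sa, m.group('peer')))
        elif msg.endswith('IPsec SA established'):
            findings.append(('ipsec_sa', sa, m.group('peer')))
        elif (mm := MAPPING_RE.search(msg)):
            # The NAT device began sending from a different address/port. pluto 1.x
            # does not update the SA's peer mapping, so ESP-in-UDP packets arriving
            # on the new mapping no longer match the established SA.
            findings.append(('nat_mapping_changed', sa, (mm.group('old'), mm.group('new'))))
        elif (ms := SENDTO_RE.search(msg)):
            # errno 1 (EPERM) on sendto is what pluto sees when a local iptables
            # rule rejects its outgoing UDP packet; it is not a peer-side fault.
            findings.append(('sendto_failed', sa, (ms.group('iface'), ms.group('dst'), int(ms.group('errno')))))
    return findings


def tunnel_up_but_broken(findings):
    """True when an IPsec SA came up but a later event shows packets cannot flow."""
    kinds = [k for k, _, _ in findings]
    return 'ipsec_sa' in kinds and any(k in ('nat_mapping_changed', 'sendto_failed') for k in kinds)
```

Run it over `ipsec barf` output; a `nat_mapping_changed` finding after `ipsec_sa` is the signature of the symptom described in this thread.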
