[Openswan Users]
help, still getting trouble (IPsec SA is established, trouble with pinging and other traffic)
lidongli at ensemble.com.cn
Tue Feb 22 00:37:43 CET 2005
Hi,
I had followed your suggestions to upgrade my XP box to SP2 and open 4500/udp (I even allow all traffic), but this doesn't work! The ISAKMP SA is also established, but I still couldn't talk with the remote host behind my VPN gateway (kernel 2.4.20-8, openswan-1.0.8 with NAT Traversal feature).
www.openswan.org recommended me to use openswan-1.0.8; they say it is the most stable one, as our environment is a production system.
Because my road warrior (Windows XP box) is behind a Cisco router (which has NAT set properly), that is why I enable NAT Traversal on my Linux gateway.
My topology is:
xpbox---cisco router-------internet-----------redhat linux gateway (with iptables and openswan)--------remote host
Communication between the XP box and the remote box over a secure tunnel is my purpose, for example: run some client program to access an application server on the remote host.
Like before, I always get "Negotiating IP Security" and then "Request timed out", or maybe first "Request timed out" and then "Negotiating IP Security". I don't know why. I really worry about this. For your review I paste some information; hope it can give you some hints!
[root at localhost rc.d]# ipsec barf
Feb 2 02:22:19 localhost pluto[11566]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Feb 2 02:22:19 localhost pluto[11566]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Feb 2 02:22:19 localhost pluto[11566]: ike_alg_register_enc(): Activating OAKLEY_SSH_PRIVATE_65289: Ok (ret=0)
Feb 2 02:22:19 localhost pluto[11566]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 2 02:22:19 localhost pluto[11566]: loaded cacert file 'cacert.pem' (1359 bytes)
Feb 2 02:22:19 localhost pluto[11566]: Changing to directory '/etc/ipsec.d/crls'
Feb 2 02:22:19 localhost pluto[11566]: loaded crl file 'crl.pem' (540 bytes)
Feb 2 02:22:19 localhost pluto[11566]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Feb 2 02:22:19 localhost pluto[11566]: | from whack: got --esp=3des
Feb 2 02:22:19 localhost pluto[11566]: | from whack: got --ike=3des
Feb 2 02:22:19 localhost pluto[11566]: loaded host cert file '/etc/ipsec.d/gateway.ensemble.com.pem' (3745 bytes)
Feb 2 02:22:19 localhost pluto[11566]: added connection description "roadworrior-net"
Feb 2 02:22:19 localhost pluto[11566]: listening for IKE messages
Feb 2 02:22:19 localhost pluto[11566]: adding interface ipsec0/eth0 218.106.186.84
Feb 2 02:22:19 localhost pluto[11566]: adding interface ipsec0/eth0 218.106.186.84:4500
Feb 2 02:22:19 localhost pluto[11566]: loading secrets from "/etc/ipsec.secrets"
Feb 2 02:22:19 localhost pluto[11566]: loaded private key file '/etc/ipsec.d/private/gateway.ensemble.com.key' (1683 bytes)
Feb 2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: ignoring Vendor ID payload [FRAGMENTATION]
Feb 2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Feb 2 02:26:44 localhost pluto[11566]: packet from 219.239.37.132:18641: ignoring Vendor ID payload [26244d38eddb61b3172a36e3d0cfb819]
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: responding to Main Mode from unknown peer 219.239.37.132:18641
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: transition from state (null) to state STATE_MAIN_R1
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CN, ST=BJ, L=BJ, O=Ensemble International, OU=System department, CN=WINHOST, E=coffeeboy7411 at ensemble.com.cn'
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18641 #1: deleting connection "roadworrior-net" instance with peer 219.239.37.132
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18641 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 2 02:26:44 localhost pluto[11566]: | NAT-T: new mapping 219.239.37.132:18641/18642)
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #1: sent MR3, ISAKMP SA established
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: responding to Quick Mode
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: transition from state (null) to state STATE_QUICK_R1
Feb 2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: IPsec SA established
Feb 2 02:27:12 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: nat_traversal_new_mapping: address change currently not supported [219.239.37.132:18642,219.239.37.131:45193]
+ _________________________ date
+ date
Wed Feb 2 02:27:34 CST 2005
[root at localhost rc.d]#
Can you also check the ipsec.conf for me? Thanks a million!
Linux side ipsec.conf:

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadworrior-net
        left=68.106.186.85
        leftnexthop=68.106.186.81
        leftsubnet=192.168.0.0/16
        leftcert=gateway.semble.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes
Windows side ipsec.conf:

conn roadwarrior
        left=68.106.186.85
        leftsubnet=192.168.0.0/16
        right=%any
        rightca="C=CN, S=BJ, L=BJ, O=semble International, OU=System department, CN=FIREWALL, E=lidong.li at ensemble.com.cn"
        network=auto
        auto=start
        pfs=yes
tony
Best Regards,
Nate Carlson <natecars at natecarlson.com>
2005-02-01 23:35
To: lidongli at ensemble.com.cn
cc:
Subject: Re: help, Urgent! IPsec SA is established, trouble with pinging and other traffic
On Tue, 1 Feb 2005 lidongli at ensemble.com.cn wrote:
> I'm currently in the middle of setting up an IPSec connection which will
> have a road warrior (running Windows XP) connecting to a Redhat 9.0 box
> (kernel 2.4.20-8, openswan-1.0.8 with NATTraversal feature )
Just curious, any reason you're not using a more recent version (2.2.x) of
Openswan? The 1.x versions work fine, they are just old. :)
> What's more, about access control: for the road warrior, on the Cisco
> router there is no restriction for internal clients; on the Linux box,
> UDP 500, ESP (50) and AH (51) have been allowed from and to the internet,
> accepted by the OUTPUT, INPUT and FORWARD chains in iptables.
Have you allowed 4500/udp? If you are using NAT Traversal, that port is
also required.
> I've set up the IPSec connection using the snap-in in MMC. When I ping
> from the Windows box, it shows "Negotiating IP Security", followed by
> "Request timed out". It doesn't matter how long I try, I keep getting
> "Request timed out".
Check the logs in event viewer - they will often indicate what the problem
is (in a lot nicer format than the oakley logs, too!)
> To verify that I have rightca set properly, follow these instructions:
<...>
> It should be right , but I still get the request timed out ! :)
OK, that's good!
> 219.239.37.131:58868 #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS to replace #2
> Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in quick_outI1. Errno 1: Operation not permitted
>
> IPsec SA is indeed established, but I couldn't ping the internal box
> behind the Redhat gateway from the road warrior. Pings in both directions
> do not work properly.
It's failing to get to Main Mode, which is where you can actually exchange
packets.
A few suggestions:
- Make sure the XP box is at SP2
- Run tcpdump on eth0 of the Linux box, and see what type of packets flow
across when it's trying to initialize main mode
- Try opening 4500/udp or disabling NAT Traversal.
> I hope someone out there will have suggestions on solving this, as I'm
> beginning to tear my hair out. I just paste the ipsec.conf on the Linux side
> and the ipsec.conf on the Windows XP side here for solving the problem.
Let me know if this doesn't help!
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
lilidong
Ensemble International Ltd.
Tel: 8610-82782892 ext. 319
Fax: 8610-82783467
http://www.ensembleintl.com
Best Regards,
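Added example (editor's note; this is not code from the thread or from Openswan): the pluto lines posted above carry enough to triage the problem mechanically. The script below parses a log in the posted format, records the peer endpoints seen, whether the peer was detected as NATed, which SAs came up, any nat_traversal_new_mapping address change and any sendto error, and turns those facts into findings. The regular expressions follow the message formats exactly as they appear in the posted output; SAMPLE_LOG is constructed from those posted lines (re-joined onto one line each), and the wording of the findings is this script's own, not anything pluto prints.

```python
"""Triage of Openswan pluto log lines from a NAT-T road-warrior setup.

Added example for this thread; not Openswan code.  The regexes follow the
message formats visible in the posted log.  SAMPLE_LOG is constructed from
those posted lines (re-joined onto one line each); the finding texts are
this script's own wording.
"""
import re

SAMPLE_LOG = """\
Feb 2 02:22:19 localhost pluto[11566]: adding interface ipsec0/eth0 218.106.186.84
Feb 2 02:22:19 localhost pluto[11566]: adding interface ipsec0/eth0 218.106.186.84:4500
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: responding to Main Mode from unknown peer 219.239.37.132:18641
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[1] 219.239.37.132:18641 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 2 02:26:44 localhost pluto[11566]: | NAT-T: new mapping 219.239.37.132:18641/18642)
Feb 2 02:26:44 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #1: sent MR3, ISAKMP SA established
Feb 2 02:26:45 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: IPsec SA established
Feb 2 02:27:12 localhost pluto[11566]: "roadworrior-net"[2] 219.239.37.132:18642 #2: nat_traversal_new_mapping: address change currently not supported [219.239.37.132:18642,219.239.37.131:45193]
Feb 1 01:36:26 localhost pluto[319]: ERROR: "roadworrior-net"[2] 219.239.37.131:58868 #3: sendto on eth0 to 219.239.37.131:58868 failed in quick_outI1. Errno 1: Operation not permitted
"""

# "adding interface ipsec0/eth0 A.B.C.D[:4500]" -- the :4500 one means NAT-T is on
_IFACE = re.compile(r"adding interface \S+/(?P<iface>\S+) (?P<addr>[\d.]+)(?::(?P<port>\d+))?\s*$")
# '"conn"[n] peer:port #sa: message' -- prefix of every per-connection line
_PEER = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+:\d+) #(?P<sa>\d+): (?P<msg>.*)')
_MAPPING = re.compile(r"nat_traversal_new_mapping: address change currently not supported "
                      r"\[(?P<old>[\d.]+:\d+),(?P<new>[\d.]+:\d+)\]")
_SENDTO = re.compile(r"sendto on (?P<iface>\S+) to (?P<dst>[\d.]+:\d+) failed in \S+\. Errno (?P<errno>\d+)")

EPERM = 1  # errno 1, "Operation not permitted"


def analyze(log_text):
    """Return a dict of facts extracted from the log plus derived findings."""
    r = {"iface": None, "listens_4500": False, "peer_nated": False,
         "isakmp_sa": False, "ipsec_sa": False, "peer_endpoints": set(),
         "address_changes": [], "sendto_errors": []}
    for line in log_text.splitlines():
        m = _IFACE.search(line)
        if m:
            r["iface"] = m.group("iface")
            r["listens_4500"] |= m.group("port") == "4500"
            continue
        m = _SENDTO.search(line)
        if m:  # checked before _PEER: the ERROR line also carries the peer prefix
            r["sendto_errors"].append((m.group("dst"), int(m.group("errno"))))
            r["peer_endpoints"].add(m.group("dst"))
            continue
        m = _PEER.search(line)
        if not m:
            continue
        r["peer_endpoints"].add(m.group("peer"))
        msg = m.group("msg")
        if "peer is NATed" in msg:
            r["peer_nated"] = True
        elif msg.endswith("ISAKMP SA established"):
            r["isakmp_sa"] = True
        elif msg.endswith("IPsec SA established"):
            r["ipsec_sa"] = True
        else:
            mm = _MAPPING.search(msg)
            if mm:
                r["address_changes"].append((mm.group("old"), mm.group("new")))
                r["peer_endpoints"].add(mm.group("new"))
    r["findings"] = findings(r)
    return r


def findings(r):
    """Turn the extracted facts into plain-language triage notes (own wording)."""
    out = []
    if r["peer_nated"] and not r["listens_4500"]:
        out.append("peer is NATed but pluto is not listening on UDP 4500 (nat_traversal=yes missing?)")
    translated = sorted(ep for ep in r["peer_endpoints"] if not ep.endswith(":4500"))
    if r["peer_nated"] and translated:
        out.append("NAT-T packets use the peer's translated ports %s, not 4500: the firewall must "
                   "match the gateway side (UDP dport 4500 inbound, sport 4500 outbound), not the "
                   "peer's port" % ", ".join(translated))
    for old, new in r["address_changes"]:
        out.append("NAT mapping moved from %s to %s after the SA came up; this pluto version logs "
                   "the change as unsupported, so traffic from the new mapping is not matched to "
                   "the SA" % (old, new))
    for dst, err in r["sendto_errors"]:
        if err == EPERM:
            out.append("sendto to %s failed with EPERM: on Linux this is usually a local packet "
                       "filter (iptables OUTPUT) rejecting the packet" % dst)
    if r["ipsec_sa"] and (r["address_changes"] or r["sendto_errors"]):
        out.append("IPsec SA is established but delivery is broken: capture with "
                   "'tcpdump -ni %s udp port 4500' while pinging" % (r["iface"] or "<outside iface>"))
    return out


if __name__ == "__main__":
    for note in analyze(SAMPLE_LOG)["findings"]:
        print("-", note)
```

Run against the sample it reports four things worth checking in this thread's setup: the peer's NAT-translated ports (18641, 18642, 45193, 58868) are never 4500, so a rule that only matches --dport 4500 in the gateway's OUTPUT chain will not match outgoing NAT-T packets (they leave from the gateway's UDP 4500 towards the peer's translated port, so the outbound match has to be --sport 4500); the mapping moved from 219.239.37.132:18642 to 219.239.37.131:45193 after the IPsec SA was established, which this pluto version logs as unsupported (note the peer's public address changed as well as the port); the EPERM on sendto, which on Linux usually comes from a local packet filter; and the tcpdump capture on eth0 for UDP 4500 that shows whether ESP-in-UDP packets are actually arriving and leaving.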
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20050222/fcd20367/attachment-0001.htm