[Openswan Users]
help about IPSEC tunnel between OpenSwan(pluto) and Kame(racoon)
xin
jqxin at iastate.edu
Fri Mar 18 17:38:51 CET 2005
Hi, as a new learner of IPsec, I have been trying to set up a tunnel
between two machines for testing. There is no problem when both
use Kame or OpenSwan. However, I can never make one machine using OpenSwan
and one machine using Kame work. At this stage, I am just using a simple
PSK for testing.
I did Google and search the email archives of the list. Unluckily,
nothing very useful turned up.
There is one post talking about some things to pay attention to when
connecting them together, such as OpenSwan only supporting 3DES,
OpenSwan not supporting aggressive mode, etc.
http://mail-index.netbsd.org/tech-net/2001/11/10/0001.html
I did follow the steps. However, it still does not work. Any help is
really appreciated.
The following is the output of the machine using OpenSwan:
104 "myTest" #1: STATE_MAIN_I1: initiate
003 "myTest" #1: ignoring Vendor ID payload [KAME/racoon]
106 "myTest" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "myTest" #1: ignoring Vendor ID payload [KAME/racoon]
108 "myTest" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myTest" #1: STATE_MAIN_I4: ISAKMP SA established
117 "myTest" #2: STATE_QUICK_I1: initiate
010 "myTest" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "myTest" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "myTest" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "myTest" #2: starting keying attempt 2 of an unlimited number, but releasing whack
The following is the output of Kame:
Foreground mode.
2005-03-17 17:37:18: INFO: main.c:174:main(): @(#)racoon - IPsec-tools 0.2.3
2005-03-17 17:37:18: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
2005-03-17 17:37:19: ERROR: isakmp.c:1366:isakmp_open(): failed to bind to address fe80::2e0:29ff:fe85:f8fd%253[500] (No such device).
2005-03-17 17:37:19: INFO: isakmp.c:1375:isakmp_open(): ::1[500] used as isakmp port (fd=6)
2005-03-17 17:37:19: INFO: isakmp.c:1375:isakmp_open(): 192.168.2.8[500] used as isakmp port (fd=7)
2005-03-17 17:37:19: INFO: isakmp.c:1375:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=8)
2005-03-17 17:37:26: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.2.8[500]<=>192.168.2.2[500]
2005-03-17 17:37:26: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2005-03-17 17:37:26: INFO: isakmp.c:2431:log_ph1established(): ISAKMP-SA established 192.168.2.8[500]-192.168.2.2[500] spi:fc673004466f2d38:03fe9fcdfc2fad1a
2005-03-17 17:37:26: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.2.8[0]<=>192.168.2.2[0]
2005-03-17 17:37:26: ERROR: isakmp_quick.c:2029:get_proposal_r(): no policy found: 192.168.2.2/32[0] 192.168.2.8/32[0] proto=any dir=in
2005-03-17 17:37:26: ERROR: isakmp_quick.c:1070:quick_r1recv(): failed to get proposal for responder.
2005-03-17 17:37:26: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
2005-03-17 17:37:34: INFO: isakmp_inf.c:885:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=fc673004466f2d38:03fe9fcdfc2fad1a.
2005-03-17 17:37:35: INFO: isakmp.c:1581:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.2.8[500]-192.168.2.2[500] spi:fc673004466f2d38:03fe9fcdfc2fad1a
2005-03-17 17:37:41: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 192.168.2.8[500]<=>192.168.2.2[500]
2005-03-17 17:37:41: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2005-03-17 17:37:41: INFO: isakmp.c:2431:log_ph1established(): ISAKMP-SA established 192.168.2.8[500]-192.168.2.2[500] spi:d56b2c30abf88657:cb8d98911feceb97
2005-03-17 17:37:41: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.2.8[0]<=>192.168.2.2[0]
2005-03-17 17:37:41: ERROR: isakmp_quick.c:2029:get_proposal_r(): no policy found: 192.168.2.2/32[0] 192.168.2.8/32[0] proto=any dir=in
2005-03-17 17:37:41: ERROR: isakmp_quick.c:1070:quick_r1recv(): failed to get proposal for responder.
2005-03-17 17:37:41: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
2005-03-17 17:37:51: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.2.8[0]<=>192.168.2.2[0]
2005-03-17 17:37:51: ERROR: isakmp_quick.c:2029:get_proposal_r(): no policy found: 192.168.2.2/32[0] 192.168.2.8/32[0] proto=any dir=in
2005-03-17 17:37:51: ERROR: isakmp_quick.c:1070:quick_r1recv(): failed to get proposal for responder.
2005-03-17 17:37:51: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
2005-03-17 17:38:11: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.2.8[0]<=>192.168.2.2[0]
2005-03-17 17:38:11: ERROR: isakmp_quick.c:2029:get_proposal_r(): no policy found: 192.168.2.2/32[0] 192.168.2.8/32[0] proto=any dir=in
2005-03-17 17:38:11: ERROR: isakmp_quick.c:1070:quick_r1recv(): failed to get proposal for responder.
2005-03-17 17:38:11: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet.
2005-03-17 17:38:13: INFO: isakmp_inf.c:885:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=d56b2c30abf88657:cb8d98911feceb97.
2005-03-17 17:38:14: INFO: isakmp.c:1581:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.2.8[500]-192.168.2.2[500]
The configuration file ipsec.conf:
conn myTest
        authby=secret
        left=192.168.2.2
        right=192.168.2.8
        auto=add
The configuration file racoon.conf:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 192.168.2.2 {
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        nonce_size 16;
        lifetime time 30 min;
        initial_contact on;
        support_mip6 on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}
sainfo address 192.168.2.2/32 any address 192.168.2.8/32 any {
        pfs_group 1;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
sainfo address 192.168.2.8/32 any address 192.168.2.2/32 any {
        pfs_group 1;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
The configuration file setkey.conf:
#!/usr/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 192.168.2.8/32 192.168.2.2/32 any -P in ipsec
       esp/tunnel/192.168.2.8-192.168.2.2/require;
spdadd 192.16.2.2/32 192.168.2.8/32 any -P out ipsec
       esp/tunnel/192.168.2.2-192.168.2.8/require;
Thanks again for any insight.
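Editor's note, added after the post (this is not part of the original message, and the code is not from IPsec-tools or Openswan): the racoon log line "no policy found: 192.168.2.2/32[0] 192.168.2.8/32[0] proto=any dir=in" already names the failing lookup. As the responder, racoon takes the initiator's ID payloads as the selector (src 192.168.2.2/32, dst 192.168.2.8/32) and looks for an SPD entry with direction in. The posted setkey.conf on the racoon host has its in policy written as 192.168.2.8 -> 192.168.2.2 (that is the direction of an outbound packet from 192.168.2.8) and its out policy carries the typo 192.16.2.2. The script below replays that lookup against the posted SPD and against a corrected one (the corrected file is written here under the assumption that racoon runs on 192.168.2.8, as the post's logs show, and that the tunnel is host-to-host); it also flags in/out policies that are not mirror images, which is the generic check for this class of mistake. It parses only the spdadd/esp/tunnel form used in the post.

```python
"""Added example (not from the original post or from IPsec-tools/Openswan):
replay racoon's responder-side SPD lookup against a setkey policy file and
flag in/out policies that are not mirror images of each other.

POSTED_SPD is the setkey.conf from the post; CORRECTED_SPD is constructed
here for a host-to-host tunnel with racoon on 192.168.2.8 (assumption)."""
import ipaddress
import re

# Only the 'spdadd SRC DST PROTO -P DIR ipsec esp/tunnel/A-B/LEVEL;' form
# used in the post is parsed; \s+ joins the continuation line.
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/(\S+)-(\S+)/(\w+)\s*;")

# racoon's "no policy found: SRC[port] DST[port] proto=P dir=D" message
NO_POLICY_RE = re.compile(
    r"no policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\w+) dir=(in|out)")

POSTED_SPD = """
flush;
spdflush;
spdadd 192.168.2.8/32 192.168.2.2/32 any -P in ipsec
       esp/tunnel/192.168.2.8-192.168.2.2/require;
spdadd 192.16.2.2/32 192.168.2.8/32 any -P out ipsec
       esp/tunnel/192.168.2.2-192.168.2.8/require;
"""

# On the racoon host (192.168.2.8) an inbound packet has src=peer, dst=self,
# so the 'in' selector is 192.168.2.2 -> 192.168.2.8 with a peer-to-self
# tunnel; the 'out' policy is its mirror image.  The 192.16.2.2 typo from
# the posted file is corrected as well.
CORRECTED_SPD = """
flush;
spdflush;
spdadd 192.168.2.2/32 192.168.2.8/32 any -P in ipsec
       esp/tunnel/192.168.2.2-192.168.2.8/require;
spdadd 192.168.2.8/32 192.168.2.2/32 any -P out ipsec
       esp/tunnel/192.168.2.8-192.168.2.2/require;
"""

# The selector racoon logged in the post (copied from the log).
LOG_LINE = ("2005-03-17 17:37:26: ERROR: isakmp_quick.c:2029:get_proposal_r(): "
            "no policy found: 192.168.2.2/32[0] 192.168.2.8/32[0] proto=any dir=in")


def parse_spd(text):
    """Return the spdadd entries of a setkey script as dicts (comments skipped)."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    policies = []
    for m in SPDADD_RE.finditer(body):
        src, dst, proto, direction, tsrc, tdst, level = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto, "dir": direction, "level": level,
            "tunnel": (ipaddress.ip_address(tsrc), ipaddress.ip_address(tdst)),
        })
    return policies


def find_policy(policies, src, dst, direction, proto="any"):
    """Responder-side lookup: the initiator's ID payloads give src/dst, and
    the SPD entry must have that direction and cover both selectors."""
    s = ipaddress.ip_network(src, strict=False)
    d = ipaddress.ip_network(dst, strict=False)
    for p in policies:
        if (p["dir"] == direction and p["proto"] in ("any", proto)
                and s.subnet_of(p["src"]) and d.subnet_of(p["dst"])):
            return p
    return None


def unmirrored(policies):
    """Policies whose mirror (swapped selector src/dst, swapped tunnel
    endpoints, opposite direction) is missing; a host-to-host SPD has none."""
    bad = []
    for p in policies:
        want = "out" if p["dir"] == "in" else "in"
        if not any(q["dir"] == want and q["src"] == p["dst"] and q["dst"] == p["src"]
                   and q["tunnel"] == p["tunnel"][::-1] for q in policies):
            bad.append(p)
    return bad


def diagnose(spd_text, log_line):
    """Does this SPD satisfy the lookup racoon logged?
    Returns (matched, number_of_unmirrored_policies)."""
    src, dst, proto, direction = NO_POLICY_RE.search(log_line).groups()
    policies = parse_spd(spd_text)
    hit = find_policy(policies, src, dst, direction, proto)
    return hit is not None, len(unmirrored(policies))


if __name__ == "__main__":
    for name, spd in (("posted", POSTED_SPD), ("corrected", CORRECTED_SPD)):
        matched, n_bad = diagnose(spd, LOG_LINE)
        print(f"{name}: policy found={matched}, unmirrored policies={n_bad}")
```

Run it and the posted SPD reports no match and two unmirrored policies, the corrected SPD a match and none. After loading the corrected file with setkey -f, `setkey -DP` on the racoon host should show the in policy as 192.168.2.2/32 -> 192.168.2.8/32. Other mismatches (PFS group, compression) produce a different racoon error than "no policy found", so fix the SPD first and re-read the log.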