[Openswan Users] can't ping

Max Sauer maxxa at seznam.cz
Wed Mar 30 14:31:31 CEST 2005


I'm trying to get an IPsec tunnel to work in my LAN environment. The
server seems to be properly configured, the logs show connection attempts and
SAs -- but I simply can't connect. Would someone be so kind as to have
a look at my logs?

Thanks.

192.168.0.2 is my Slackware 9.1 (kernel 2.6.11) server; 192.168.0.9 is my
Windows XP SP2 client.

I'm using Linux Openswan 2.3.1dr4 (klips) and vpn.ebootis.de IPSEC.EXE

Output of "ipsec auto --status":
bash-2.05b# ipsec auto --status
000 interface ipsec0/eth0 192.168.0.2
000 interface ipsec0/eth0 192.168.0.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, 
keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, 
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga, 
CN=Sauer]---192.168.0.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior":     srcip=unset; dstip=unset
000 "roadwarrior":   CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max, 
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 
32,32; interface: eth0;
000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior"[2]: 192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga, 
CN=Sauer]---192.168.0.1...192.168.0.9[C=CZ, ST=Praha, L=Praha, O=koga, 
CN=Sauer]; erouted; er
oute owner: #2
000 "roadwarrior"[2]:     srcip=unset; dstip=unset
000 "roadwarrior"[2]:   CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max, 
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior"[2]:   ike_life: 3600s; ipsec_life: 28800s; 
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior"[2]:   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; 
prio: 32,32; interface: eth0;
000 "roadwarrior"[2]:   newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "roadwarrior"[2]:   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "roadwarrior-all": ?===192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga, 
CN=Sauer]---192.168.0.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior-all":     srcip=unset; dstip=unset
000 "roadwarrior-all":   CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max, 
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior-all":   ike_life: 3600s; ipsec_life: 28800s; 
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-all":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; 
prio: 32,32; interface: eth0;
000 "roadwarrior-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": ?===192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga, 
CN=Sauer]---192.168.0.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior-net":     srcip=unset; dstip=unset
000 "roadwarrior-net":   CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max, 
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior-net":   ike_life: 3600s; ipsec_life: 28800s; 
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; 
prio: 32,32; interface: eth0;
000 "roadwarrior-net":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "roadwarrior"[2] 192.168.0.9:500 STATE_QUICK_R2 (IPsec SA 
established); EVENT_SA_REPLACE in 3131s; newest IPSEC; eroute owner
000 #2: "roadwarrior"[2] 192.168.0.9 esp.6f85dcc0 at 192.168.0.9 
esp.54de7a39 at 192.168.0.2 tun.1002 at 192.168.0.9 tun.1001 at 192.168.0.2
000 #3: "roadwarrior"[2] 192.168.0.9:500 STATE_MAIN_R3 (sent MR3, ISAKMP 
SA established); EVENT_SA_REPLACE in 3292s; newest ISAKMP; nodpd
000


--------------------------------

tail of my /var/log/secure:

Mar 29 16:21:41 maxa ipsec__plutorun: Starting Pluto subsystem...
Mar 29 16:21:41 maxa pluto[3814]: Starting Pluto (Openswan Version 
2.3.1dr4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID 
OE~Oe`puTJjq)
Mar 29 16:21:41 maxa pluto[3814]: Setting port floating to on
Mar 29 16:21:41 maxa pluto[3814]: port floating activate 1/1
Mar 29 16:21:41 maxa pluto[3814]:   including NAT-Traversal patch 
(Version 0.6c)
Mar 29 16:21:41 maxa pluto[3814]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Mar 29 16:21:41 maxa pluto[3814]: starting up 1 cryptographic helpers
Mar 29 16:21:41 maxa pluto[3814]: started helper pid=3815 (fd:6)
Mar 29 16:21:41 maxa pluto[3814]: Using KLIPS IPsec interface code
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory 
'/etc/ipsec.d/cacerts'
Mar 29 16:21:41 maxa pluto[3814]:   loaded CA cert file 'cacert.pem' 
(1127 bytes)
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory 
'/etc/ipsec.d/aacerts'
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory 
'/etc/ipsec.d/ocspcerts'
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory '/etc/ipsec.d/crls'
Mar 29 16:21:41 maxa pluto[3814]:   loaded crl file 'crl.pem' (467 bytes)
Mar 29 16:21:41 maxa pluto[3814]:   loaded host cert file 
'/etc/ipsec.d/certs/kogahome.cz.pem' (3314 bytes)
Mar 29 16:21:41 maxa pluto[3814]: added connection description "roadwarrior"
Mar 29 16:21:41 maxa pluto[3814]:   loaded host cert file 
'/etc/ipsec.d/certs/kogahome.cz.pem' (3314 bytes)
Mar 29 16:21:41 maxa pluto[3814]: added connection description 
"roadwarrior-all"
Mar 29 16:21:41 maxa pluto[3814]:   loaded host cert file 
'/etc/ipsec.d/certs/kogahome.cz.pem' (3314 bytes)
Mar 29 16:21:41 maxa pluto[3814]: added connection description 
"roadwarrior-net"
Mar 29 16:21:42 maxa pluto[3814]: listening for IKE messages
Mar 29 16:21:42 maxa pluto[3814]: adding interface ipsec0/eth0 
192.168.0.2:500
Mar 29 16:21:42 maxa pluto[3814]: adding interface ipsec0/eth0 
192.168.0.2:4500
Mar 29 16:21:42 maxa pluto[3814]: loading secrets from "/etc/ipsec.secrets"
Mar 29 16:21:42 maxa pluto[3814]:   loaded private key file 
'/etc/ipsec.d/private/kogahome.cz.key' (1639 bytes)
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: ignoring 
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: ignoring 
Vendor ID payload [FRAGMENTATION]
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: ignoring 
Vendor ID payload [Vid-Initial-Contact]
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1: 
responding to Main Mode from unknown peer 192.168.0.9
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT 
detected
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1: Main 
mode peer ID is ID_DER_ASN1_DN: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Sauer'
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1: 
deleting connection "roadwarrior" instance with peer 192.168.0.9 
{isakmp=#0/ipsec=#0}
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1: I am 
sending my cert
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1: sent 
MR3, ISAKMP SA established
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2: 
responding to Quick Mode {msgid:29f09a3e}
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2: 
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2: 
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2: IPsec 
SA established {ESP=>0x6f85dcc0 <0x54de7a39 xfrm=3DES_0-HMAC_MD5}
Mar 29 16:23:10 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1: 
received Delete SA payload: deleting ISAKMP State #1
Mar 29 16:23:10 maxa pluto[3814]: packet from 192.168.0.9:500: received 
and ignored informational message

----------------------------------

and, lastly, my ipsec.conf file (server side):

version    2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
     interfaces=%defaultroute
     nat_traversal=yes
     # Private ranges a road warrior may claim as its (NATed) subnet; this is
     # what the %priv in rightsubnet= below refers to. The attached log reports
     # "no NAT detected" for 192.168.0.9, so it is not in play for that peer.
     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Add connections here

# Settings inherited by every conn below: certificate (RSA signature)
# authentication on both sides, IPComp on (shows as COMPRESS in the status
# policy line), and a single keying attempt before giving up.
conn %default
     keyingtries=1
     compress=yes
     disablearrivalcheck=no
     authby=rsasig
     leftrsasigkey=%cert
     rightrsasigkey=%cert

# NOTE(review): 0.0.0.0/255.255.255.255 is a single-host (/32) mask, not
# "every destination"; if the intent is to carry all client traffic through
# the server, confirm whether 0.0.0.0/0 is meant. In the status output this
# conn and roadwarrior-all stay "unrouted" with no eroute owner.
conn roadwarrior-net
     leftsubnet=0.0.0.0/255.255.255.255
     also=roadwarrior

# L2TP over IPsec (UDP = protocol 17, L2TP port 1701), PFS off. Neither
# L2TP conn appears in the "added connection description" log lines or in
# the status output, so they do not seem to be loaded at all — worth checking
# if L2TP is actually wanted.
conn roadwarrior-l2tp
     pfs=no
     leftprotoport=17/0
     rightprotoport=17/1701
     also=roadwarrior

# Same as roadwarrior-l2tp but with the server side pinned to port 1701 too.
conn roadwarrior-l2tp-updatedwin
     pfs=no
     leftprotoport=17/1701
     rightprotoport=17/1701
     also=roadwarrior

# Identical to roadwarrior-net (same /32 subnet caveat applies).
conn roadwarrior-all
     leftsubnet=0.0.0.0/255.255.255.255
     also=roadwarrior

# Host-to-host road-warrior conn, and the only one that actually gets an
# eroute in the status (instance [2] with 192.168.0.9). right=%any accepts
# any peer whose certificate chains to the loaded CA; rightsubnet lets the
# peer claim either no subnet (%no) or one from virtual_private (%priv).
# NOTE(review): with right=%any and rightrsasigkey=%cert, every certificate
# issued by that CA is accepted — add rightid= if only specific clients
# should be able to connect.
conn roadwarrior
     left=%defaultroute
     leftcert=kogahome.cz.pem
     right=%any
     rightsubnet=vhost:%no,%priv
     auto=add
     pfs=yes

# The opportunistic-encryption conns shipped with Openswan, all disabled.
conn block
     auto=ignore

conn private
     auto=ignore

conn private-or-clear
     auto=ignore

conn clear-or-private
     auto=ignore

conn clear
     auto=ignore

conn packetdefault
     auto=ignore

----------------------
client side:
----------------------
# Client (ipsec.exe) side. left=%any means "whatever local address the client
# has"; right= pins the server; rightca= requires the server's certificate to
# be issued by this CA. The DN abbreviations here (S=, Email=) differ from
# the ones the server prints (ST=, E=); since the server log shows the
# exchange reaching Quick Mode, this presumably does not block the match —
# confirm against the ipsec.exe documentation.
conn roadwarrior
     left=%any
     right=192.168.0.2
     rightca="C=CZ,S=Praha,L=Praha,O=koga,CN=Max,Email=maxxa at seznam.cz"
     network=auto
     auto=start
     pfs=yes

# Same as above but asking the server for the 0.0.0.0/255.255.255.255 subnet,
# mirroring the server's roadwarrior-net. NOTE(review): that mask is a single
# host (/32), not "all traffic"; confirm whether 0.0.0.0/0 is intended.
conn roadwarrior-net
     left=%any
     right=192.168.0.2
     rightsubnet=0.0.0.0/255.255.255.255
     rightca="C=CZ,S=Praha,L=Praha,O=koga,CN=Max,Email=maxxa at seznam.cz"
     network=auto
     auto=start
     pfs=yes

=====================================
and that's all :( It looks like I'm connected (the client echoes
"Negotiating ..."), but I can't ping the server and I can't ping the
client machine from the server (it just times out).






