[Openswan Users] can't ping
Max Sauer
maxxa at seznam.cz
Wed Mar 30 14:31:31 CEST 2005
I'm trying to get an IPsec tunnel to work in my LAN environment. The
server seems to be properly adjusted, the logs show connection tries and
SAs -- but I simply can't connect. Would someone be so kind and have
a look at my logs?
Thanks.
192.168.0.2 is my Slackware 9.1, kernel 2.6.11 server; 192.168.0.9 is my
Win XP SP2 client.
I'm using Linux Openswan 2.3.1dr4 (KLIPS) and vpn.ebootis.de IPSEC.EXE.
Output of "ipsec auto --status":
bash-2.05b# ipsec auto --status
000 interface ipsec0/eth0 192.168.0.2
000 interface ipsec0/eth0 192.168.0.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "roadwarrior": 192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga,
CN=Sauer]---192.168.0.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior": srcip=unset; dstip=unset
000 "roadwarrior": CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max,
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
32,32; interface: eth0;
000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior"[2]: 192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga,
CN=Sauer]---192.168.0.1...192.168.0.9[C=CZ, ST=Praha, L=Praha, O=koga,
CN=Sauer]; erouted; eroute owner: #2
000 "roadwarrior"[2]: srcip=unset; dstip=unset
000 "roadwarrior"[2]: CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max,
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior"[2]: ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior"[2]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 32,32; interface: eth0;
000 "roadwarrior"[2]: newest ISAKMP SA: #3; newest IPsec SA: #2;
000 "roadwarrior"[2]: IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "roadwarrior-all": ?===192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga,
CN=Sauer]---192.168.0.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior-all": srcip=unset; dstip=unset
000 "roadwarrior-all": CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max,
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior-all": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-all": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 32,32; interface: eth0;
000 "roadwarrior-all": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior-net": ?===192.168.0.2[C=CZ, ST=Praha, L=Praha, O=koga,
CN=Sauer]---192.168.0.1...%virtual===?; unrouted; eroute owner: #0
000 "roadwarrior-net": srcip=unset; dstip=unset
000 "roadwarrior-net": CAs: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Max,
E=maxxa at seznam.cz'...'%any'
000 "roadwarrior-net": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior-net": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS;
prio: 32,32; interface: eth0;
000 "roadwarrior-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "roadwarrior"[2] 192.168.0.9:500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3131s; newest IPSEC; eroute owner
000 #2: "roadwarrior"[2] 192.168.0.9 esp.6f85dcc0 at 192.168.0.9
esp.54de7a39 at 192.168.0.2 tun.1002 at 192.168.0.9 tun.1001 at 192.168.0.2
000 #3: "roadwarrior"[2] 192.168.0.9:500 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_REPLACE in 3292s; newest ISAKMP; nodpd
000
--------------------------------
tail of my /var/log/secure:
Mar 29 16:21:41 maxa ipsec__plutorun: Starting Pluto subsystem...
Mar 29 16:21:41 maxa pluto[3814]: Starting Pluto (Openswan Version
2.3.1dr4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID
OE~Oe`puTJjq)
Mar 29 16:21:41 maxa pluto[3814]: Setting port floating to on
Mar 29 16:21:41 maxa pluto[3814]: port floating activate 1/1
Mar 29 16:21:41 maxa pluto[3814]: including NAT-Traversal patch
(Version 0.6c)
Mar 29 16:21:41 maxa pluto[3814]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Mar 29 16:21:41 maxa pluto[3814]: starting up 1 cryptographic helpers
Mar 29 16:21:41 maxa pluto[3814]: started helper pid=3815 (fd:6)
Mar 29 16:21:41 maxa pluto[3814]: Using KLIPS IPsec interface code
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory
'/etc/ipsec.d/cacerts'
Mar 29 16:21:41 maxa pluto[3814]: loaded CA cert file 'cacert.pem'
(1127 bytes)
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory
'/etc/ipsec.d/aacerts'
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Mar 29 16:21:41 maxa pluto[3814]: Changing to directory '/etc/ipsec.d/crls'
Mar 29 16:21:41 maxa pluto[3814]: loaded crl file 'crl.pem' (467 bytes)
Mar 29 16:21:41 maxa pluto[3814]: loaded host cert file
'/etc/ipsec.d/certs/kogahome.cz.pem' (3314 bytes)
Mar 29 16:21:41 maxa pluto[3814]: added connection description "roadwarrior"
Mar 29 16:21:41 maxa pluto[3814]: loaded host cert file
'/etc/ipsec.d/certs/kogahome.cz.pem' (3314 bytes)
Mar 29 16:21:41 maxa pluto[3814]: added connection description
"roadwarrior-all"
Mar 29 16:21:41 maxa pluto[3814]: loaded host cert file
'/etc/ipsec.d/certs/kogahome.cz.pem' (3314 bytes)
Mar 29 16:21:41 maxa pluto[3814]: added connection description
"roadwarrior-net"
Mar 29 16:21:42 maxa pluto[3814]: listening for IKE messages
Mar 29 16:21:42 maxa pluto[3814]: adding interface ipsec0/eth0
192.168.0.2:500
Mar 29 16:21:42 maxa pluto[3814]: adding interface ipsec0/eth0
192.168.0.2:4500
Mar 29 16:21:42 maxa pluto[3814]: loading secrets from "/etc/ipsec.secrets"
Mar 29 16:21:42 maxa pluto[3814]: loaded private key file
'/etc/ipsec.d/private/kogahome.cz.key' (1639 bytes)
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: ignoring
Vendor ID payload [FRAGMENTATION]
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Mar 29 16:22:07 maxa pluto[3814]: packet from 192.168.0.9:500: ignoring
Vendor ID payload [Vid-Initial-Contact]
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1:
responding to Main Mode from unknown peer 192.168.0.9
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[1] 192.168.0.9 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=CZ, ST=Praha, L=Praha, O=koga, CN=Sauer'
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1:
deleting connection "roadwarrior" instance with peer 192.168.0.9
{isakmp=#0/ipsec=#0}
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1: I am
sending my cert
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1: sent
MR3, ISAKMP SA established
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2:
responding to Quick Mode {msgid:29f09a3e}
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 29 16:22:07 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #2: IPsec
SA established {ESP=>0x6f85dcc0 <0x54de7a39 xfrm=3DES_0-HMAC_MD5}
Mar 29 16:23:10 maxa pluto[3814]: "roadwarrior"[2] 192.168.0.9 #1:
received Delete SA payload: deleting ISAKMP State #1
Mar 29 16:23:10 maxa pluto[3814]: packet from 192.168.0.9:500: received
and ignored informational message
----------------------------------
and, lastly, my ipsec.conf file (server side):
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

# Add connections here
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    # every destination behind the server is 0.0.0.0/0; with the mask
    # 255.255.255.255 the value means the single host 0.0.0.0 (a /32)
    leftsubnet=0.0.0.0/0
    also=roadwarrior

conn roadwarrior-l2tp
    pfs=no
    leftprotoport=17/0
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-l2tp-updatedwin
    pfs=no
    leftprotoport=17/1701
    rightprotoport=17/1701
    also=roadwarrior

conn roadwarrior-all
    leftsubnet=0.0.0.0/0
    also=roadwarrior

# referenced via also= above; a section named in also= must follow the one using it
conn roadwarrior
    left=%defaultroute
    leftcert=kogahome.cz.pem
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
    pfs=yes

# opportunistic-encryption conns shipped with Openswan, disabled here
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
----------------------
client side:
----------------------
conn roadwarrior
    left=%any
    right=192.168.0.2
    rightca="C=CZ,S=Praha,L=Praha,O=koga,CN=Max,Email=maxxa at seznam.cz"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=192.168.0.2
    # all destinations: netmask 0.0.0.0; a 255.255.255.255 mask selects only the host 0.0.0.0
    rightsubnet=0.0.0.0/0.0.0.0
    rightca="C=CZ,S=Praha,L=Praha,O=koga,CN=Max,Email=maxxa at seznam.cz"
    network=auto
    auto=start
    pfs=yes
=====================================
and that's all :( It looks like I'm connected (the client echoes
Negotiating ...), but I can't ping the server and I can't ping the
machine from the server (it just times out).
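An added example, not part of the post and not Openswan's own code: a Python script that cross-checks a server-side ipsec.conf against the output of `ipsec auto --status`. It resolves `also=` and `conn %default` with ipsec.conf precedence (own values over also= sections over %default), runs every leftsubnet/rightsubnet value through the ipaddress module so that a dotted 255.255.255.255 mask is shown for what it is (a /32), and extracts which conn instance actually owns the established IPsec SA. The embedded CONF and STATUS strings are abridged copies of the post's own config and status lines (DNs shortened, wrapped lines rejoined); the finding texts and the helper names are this example's, not anything Openswan prints.

```python
import ipaddress
import re

# Server-side ipsec.conf from the post, abridged to the sections the checks need.
CONF = """\
conn %default
    authby=rsasig
conn roadwarrior-net
    leftsubnet=0.0.0.0/255.255.255.255
    also=roadwarrior
conn roadwarrior
    right=%any
    rightsubnet=vhost:%no,%priv
"""

# `ipsec auto --status` lines from the post (DNs shortened, wrapped lines rejoined).
STATUS = """\
000 "roadwarrior"[2]: 192.168.0.2[C=CZ, O=koga, CN=Sauer]---192.168.0.1...192.168.0.9[C=CZ, O=koga, CN=Sauer]; erouted; eroute owner: #2
000 "roadwarrior-net": ?===192.168.0.2[C=CZ, O=koga, CN=Sauer]---192.168.0.1...%virtual===?; unrouted; eroute owner: #0
000 #2: "roadwarrior"[2] 192.168.0.9:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3131s; newest IPSEC; eroute owner
"""

SECTION_RE = re.compile(r'^(conn|config)\s+(\S+)$')
CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)"(?P<inst>\[\d+\])?: (?P<desc>.*); '
                     r'(?P<routing>\w+(?: \w+)?); eroute owner: #\d+$')
SA_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<name>[^"]+)"(?:\[\d+\])? \S+:\d+ '
                   r'(?P<state>STATE_\w+) \((?P<what>[^)]*)\)')
LEFT_RE = re.compile(r'^(?:(?P<client>[^=\s]+)===)?\d+(?:\.\d+){3}')  # "<subnet>===" before left host

def parse_ipsec_conf(text):
    """{conn name: {key: value}}; also= targets are collected in a list under 'also'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2) if m.group(1) == 'conn' else None  # ignore "config setup"
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None and '=' in line:
            key, _, value = (s.strip() for s in line.partition('='))
            if key == 'also':
                sections[current].setdefault('also', []).append(value)
            else:
                sections[current][key] = value
    return sections

def effective_conn(sections, name, _seen=None):
    """Values a conn ends up with: its own > also= sections (first listed wins) > conn %default."""
    seen = set() if _seen is None else _seen
    if name not in sections or name in seen:
        return {}
    seen.add(name)
    own = sections[name]
    merged = {} if name == '%default' else dict(sections.get('%default', {}))
    for also in reversed(own.get('also', [])):
        merged.update(effective_conn(sections, also, seen))
    merged.update((k, v) for k, v in own.items() if k != 'also')
    merged.pop('also', None)
    return merged

def parse_subnet(value):
    """ipsec.conf subnet (CIDR or dotted mask) as an ip_network; None for vhost:/% keywords."""
    if not value or value.startswith(('vhost:', '%')):
        return None
    return ipaddress.ip_network(value, strict=False)

def parse_status(text):
    """Routing state per conn (or instance) plus the established IPsec SAs."""
    conns, ipsec_sas = {}, []
    for line in text.splitlines():
        if m := CONN_RE.match(line):
            left = LEFT_RE.match(m['desc'])
            conns[m['name'] + (m['inst'] or '')] = {
                'routing': m['routing'],
                'left_client': left['client'] if left else None}  # '?' is Openswan's "none" subnet
        elif (m := SA_RE.match(line)) and 'IPsec SA established' in m['what']:
            ipsec_sas.append((int(m['num']), m['name'], m['state']))
    return {'conns': conns, 'ipsec_sas': ipsec_sas}

def diagnose(conf_text, status_text):
    """Human-readable findings; an empty list means nothing looked wrong."""
    sections, status, out = parse_ipsec_conf(conf_text), parse_status(status_text), []
    for name in (n for n in sections if n != '%default'):
        eff = effective_conn(sections, name)
        for key in ('leftsubnet', 'rightsubnet'):
            if parse_subnet(eff.get(key)) == ipaddress.ip_network('0.0.0.0/32'):
                out.append(f'{name}: {key}={eff[key]} selects only the host 0.0.0.0/32 '
                           f'(status shows it as "?"); for all traffic use {key}=0.0.0.0/0')
    for label, info in status['conns'].items():
        if info['left_client'] == '?' and info['routing'] == 'unrouted':
            out.append(f'{label}: unrouted with left subnet "?", so no packet can select it')
    for num, name, state in status['ipsec_sas']:
        out.append(f'IPsec SA #{num} belongs to conn {name} ({state}); only its traffic is protected')
    return out

if __name__ == '__main__':
    print('\n'.join(diagnose(CONF, STATUS)))
```

On the post's own data this yields three findings: the leftsubnet of roadwarrior-net parses to 0.0.0.0/32, that conn is unrouted with a "?" left subnet, and the only IPsec SA (#2) belongs to the host-to-host roadwarrior instance, so it protects traffic between 192.168.0.2 and 192.168.0.9 and nothing behind the server. To use it on a live box, pass the contents of /etc/ipsec.conf and the output of `ipsec auto --status` to diagnose().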