[Openswan Users] #1: STATE_MAIN_I1: initiate - tunnel never reached
lee huughes
toxicnaan at gmail.com
Tue May 3 21:20:40 CEST 2005
Hi,
I'm trying to establish a network-to-network tunnel between a Linux box
(uname -r: 2.6.11-gentoo-r6) and a Cisco.
ipsec version
Linux Openswan U2.2.0/K2.6.11-gentoo-r6 (native)
I'm using KLIPS for IPsec, and Pluto to do IKE.
Pluto seems to authenticate, but I'm having trouble establishing
the tunnel; I don't seem to get an ipsec0 interface.
Can someone look at my config to see if it's sane/insane?
I've been tearing my hair out with this, but I've learned lots about
IKE/IPsec tunnels and protocols! Is it advisable to use the Openswan IPsec
features, rather than KLIPS, when connecting to Cisco equipment?
I've double-checked my firewall, and I'm getting bi-directional
packet flows on port 500 and IP protocols 50 and 51!
hope you guys/gals can help!
Cheers,
cat /etc/ipsec/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
	interfaces= %defaultroute
	klipsdebug=all
	plutodebug=all
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"

# Add connections here
conn pix
	type= tunnel
	left= 82.13.30.120
	leftsubnet= 192.168.168.0/24
	leftnexthop= %defaultroute
	right= 194.72.147.114
	rightsubnet= 10.0.10.0/24
	#rightnexthop= %defaultroute
	esp= 3des-md5-96
	keyexchange= ike
	pfs= no
	auto= start
	authby= secret

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
*syslog*
May 3 18:47:29 vpntest ipsec_setup: Stopping Openswan IPsec...
May 3 18:47:30 vpntest ipsec_setup: ...Openswan IPsec stopped
May 3 18:47:34 vpntest ipsec_setup: Starting Openswan IPsec U2.2.0/K2.6.11-gentoo-r6...
May 3 18:47:34 vpntest ipsec_setup: KLIPS ipsec0 on ppp0 82.13.30.120/255.255.255.255 pointopoint 194.145.148.5
May 3 18:47:34 vpntest ipsec_setup: ...Openswan IPsec started
May 3 18:47:34 vpntest ipsec__plutorun: 104 "pix" #1: STATE_MAIN_I1: initiate
May 3 18:47:34 vpntest ipsec__plutorun: ...could not start conn "pix"
*messages*
May 3 18:47:34 vpntest pluto[10353]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
May 3 18:47:34 vpntest pluto[10353]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 3 18:47:34 vpntest pluto[10353]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 3 18:47:34 vpntest pluto[10353]: Using Linux 2.6 IPsec interface code
May 3 18:47:34 vpntest pluto[10353]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
May 3 18:47:34 vpntest pluto[10353]: Could not change to directory '/etc/ipsec/ipsec.d/aacerts'
May 3 18:47:34 vpntest pluto[10353]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
May 3 18:47:34 vpntest pluto[10353]: Changing to directory '/etc/ipsec/ipsec.d/crls'
May 3 18:47:34 vpntest pluto[10353]: Warning: empty directory
May 3 18:47:34 vpntest pluto[10353]: added connection description "pix"
May 3 18:47:34 vpntest pluto[10353]: listening for IKE messages
May 3 18:47:34 vpntest pluto[10353]: adding interface ppp0/ppp0 82.13.30.120
May 3 18:47:34 vpntest pluto[10353]: adding interface eth0/eth0 192.168.168.230
May 3 18:47:34 vpntest pluto[10353]: adding interface lo/lo 127.0.0.1
May 3 18:47:34 vpntest pluto[10353]: loading secrets from "/etc/ipsec/ipsec.secrets"
May 3 18:47:34 vpntest pluto[10353]: "pix" #1: initiating Main Mode
May 3 18:47:34 vpntest pluto[10353]: "pix" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring Vendor ID payload [XAUTH]
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: received Vendor ID payload [Dead Peer Detection]
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring Vendor ID payload [Cisco-Unity]
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring Vendor ID payload [08bf991e9aedfde5351acad0b6b3a22a]
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: I did not send a certificate because I do not have one.
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: Peer ID is ID_IPV4_ADDR: '194.72.147.114'
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: ISAKMP SA established
May 3 18:47:35 vpntest pluto[10353]: "pix" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: received and ignored informational message
May 3 18:47:35 vpntest pluto[10353]: "pix" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
May 3 18:47:35 vpntest pluto[10353]: "pix" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 3 18:47:35 vpntest pluto[10353]: "pix" #2: sent QI2, IPsec SA established {ESP=>0x6200797b <0x71fddfcb}
May 3 18:54:23 vpntest pluto[10353]: "pix" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 3 18:54:23 vpntest pluto[10353]: "pix" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
May 3 18:54:23 vpntest pluto[10353]: "pix" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 3 18:54:23 vpntest pluto[10353]: "pix" #3: sent QI2, IPsec SA established {ESP=>0x2056d9a1 <0xfb34cca8}
May 3 18:54:51 vpntest pluto[10353]: "pix" #1: received Delete SA(0x6200797b) payload: deleting IPSEC State #2
May 3 18:54:51 vpntest pluto[10353]: "pix" #1: received and ignored informational message
ipsec look
vpntest.lan Tue May 3 19:14:09 BST 2005
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
egrep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 194.145.148.5 0.0.0.0 UG 0 0 0 ppp0
10.0.10.0 194.145.148.5 255.255.255.0 UG 0 0 0 ppp0
194.145.148.5 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.11-gentoo-r6 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [FAILED]
hostname: Unknown host
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: vpntest.lan
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 120.30.13.82.in-addr.arpa.
[MISSING]
ipsec auto --up pix
112 "pix" #3: STATE_QUICK_I1: initiate
003 "pix" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "pix" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9c3a3f8d <0xf6a61c99}
ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.168.230
000 interface ppp0/ppp0 82.13.30.120
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,96} attrs={0,4,160}
000
000 "pix": 192.168.168.0/24===82.13.30.120---194.145.148.5...194.72.147.114===10.0.10.0/24; erouted; eroute owner: #2
000 "pix": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "pix": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0;
000 "pix": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "pix": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "pix": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "pix": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "pix": ESP algorithms wanted: 3_000-1, flags=-strict
000 "pix": ESP algorithms loaded: 3_000-1, flags=-strict
000 "pix": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
000
000 #2: "pix" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27680s; newest IPSEC; eroute owner
000 #2: "pix" esp.753b2aef at 194.72.147.114 esp.b9f7db74 at 82.13.30.120 tun.0 at 194.72.147.114 tun.0 at 82.13.30.120
000 #1: "pix" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2937s; newest ISAKMP
000
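Added example (not part of the original post, and not Openswan code): a small Python tracker that reads the pluto messages shown above and reports, per connection, whether phase 1 (ISAKMP SA) and phase 2 (IPsec SA) completed, which ESP SPIs each IPsec SA carries, which SA a peer's Delete payload tore down, and which kernel stack pluto is driving. The only assumptions are the log line shapes visible in this post (Openswan 2.2.0 pluto via syslog). Two facts it relies on: pluto logs "Using Linux 2.6 IPsec interface code" when it is using the native (NETKEY) stack rather than KLIPS, and the /proc/net/ipsec_* files that `ipsec look` reads exist only under KLIPS, so under NETKEY the SAs are inspected with `ip xfrm state` or `setkey -D` and no ipsec0 interface is created.

```python
"""Added example: track IKE phase 1 / phase 2 SA lifecycle from pluto syslog lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the relevant pluto lines from the post, e-mail wrapping undone.
SAMPLE_LOG = """\
May 3 18:47:34 vpntest pluto[10353]: Using Linux 2.6 IPsec interface code
May 3 18:47:34 vpntest pluto[10353]: "pix" #1: initiating Main Mode
May 3 18:47:35 vpntest pluto[10353]: "pix" #1: ISAKMP SA established
May 3 18:47:35 vpntest pluto[10353]: "pix" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 3 18:47:35 vpntest pluto[10353]: "pix" #2: sent QI2, IPsec SA established {ESP=>0x6200797b <0x71fddfcb}
May 3 18:54:23 vpntest pluto[10353]: "pix" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 3 18:54:23 vpntest pluto[10353]: "pix" #3: sent QI2, IPsec SA established {ESP=>0x2056d9a1 <0xfb34cca8}
May 3 18:54:51 vpntest pluto[10353]: "pix" #1: received Delete SA(0x6200797b) payload: deleting IPSEC State #2
"""

# Line shapes as they appear in the post; nothing else is assumed about the log.
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
ESTAB_RE = re.compile(r'IPsec SA established \{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)\}')
DELETE_RE = re.compile(r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload: deleting IPSEC State #(?P<num>\d+)')


@dataclass
class IPsecSA:
    num: int
    conn: str
    spi_out: int            # "ESP=>": SPI on packets we send to the peer
    spi_in: int             # "<": SPI on packets the peer sends to us
    alive: bool = True
    deleted_by_peer: bool = False


@dataclass
class TunnelState:
    stack: Optional[str] = None                              # "KLIPS" or "NETKEY"
    isakmp: Dict[int, str] = field(default_factory=dict)     # phase 1 SA number -> conn
    ipsec: Dict[int, IPsecSA] = field(default_factory=dict)  # phase 2 SA number -> SA

    def live_ipsec(self) -> List[int]:
        return sorted(n for n, sa in self.ipsec.items() if sa.alive)


def parse_pluto_log(text: str) -> TunnelState:
    st = TunnelState()
    for line in text.splitlines():
        if "Using KLIPS IPsec interface code" in line:
            st.stack = "KLIPS"
        elif "Using Linux 2.6 IPsec interface code" in line:
            st.stack = "NETKEY"
        m = STATE_RE.search(line)
        if not m:
            continue
        conn, num, msg = m["conn"], int(m["num"]), m["msg"]
        if msg.startswith("ISAKMP SA established"):
            st.isakmp[num] = conn                     # phase 1 done
            continue
        e = ESTAB_RE.search(msg)
        if e:                                         # phase 2 done: a usable tunnel exists
            st.ipsec[num] = IPsecSA(num, conn, int(e["out"], 16), int(e["in"], 16))
            continue
        d = DELETE_RE.search(msg)
        if d:                                         # the peer tore down one of our IPsec SAs
            sa = st.ipsec.get(int(d["num"]))
            if sa is not None:
                sa.alive = False
                # The SPI the peer names is its inbound SA, i.e. our outbound SPI.
                sa.deleted_by_peer = (int(d["spi"], 16) == sa.spi_out)
    return st


def diagnose(st: TunnelState) -> List[str]:
    notes = []
    if st.stack == "NETKEY":
        notes.append("NETKEY: pluto drives the native 2.6 stack, so there is no ipsec0 and "
                     "/proc/net/ipsec_* does not exist; inspect SAs with 'ip xfrm state'")
    elif st.stack == "KLIPS":
        notes.append("KLIPS: expect ipsec0 and /proc/net/ipsec_*; 'ipsec look' applies")
    if not st.isakmp:
        notes.append("phase 1 never completed: no ISAKMP SA established")
    elif not st.live_ipsec():
        notes.append("phase 2 never completed or every IPsec SA was deleted")
    for n in st.live_ipsec():
        sa = st.ipsec[n]
        notes.append(f"tunnel up on {sa.conn} #{n}: out SPI 0x{sa.spi_out:08x}, in SPI 0x{sa.spi_in:08x}")
    return notes


if __name__ == "__main__":
    for note in diagnose(parse_pluto_log(SAMPLE_LOG)):
        print(note)
```

Run it against a real /var/log/messages by passing the file contents to `parse_pluto_log`. On the sample it reports the NETKEY stack, phase 1 complete, IPsec SA #2 deleted by the peer's Delete payload (whose SPI 0x6200797b is #2's outbound SPI) and #3 still live, which is what the `ipsec auto --status` output above also shows.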