[Openswan Users] Re: #1: STATE_MAIN_I1: initiate - tunnel never reached

lee huughes toxicnaan at gmail.com
Fri May 6 05:48:32 CEST 2005


I've managed to fix this myself. Guess what, nothing was wrong;
everything was working.
Having not worked with the 2.6 kernel IPsec stack, I was expecting to see
an ipsecX interface being created, but you don't have that.

So, everything is fine, and it works great! :-))

One thing is that if I try and ping the remote end subnet from the
gateway, they are still taking the default route to the internet,
and not being IPsec'ed...

I think I need an extra routing policy; packets going through the
gateway are fine however!

Cheers,
 

On 5/3/05, lee huughes <toxicnaan at gmail.com> wrote:
> Hi,
> 
> I'm trying to establish a network to network tunnel between
> 
> uname -r
> 2.6.11-gentoo-r6 box
> 
> and a cisco.
> 
> ipsec version
> Linux Openswan U2.2.0/K2.6.11-gentoo-r6 (native)
> 
> I'm using KLIPS for IPSEC, and pluto to do IKE.
> 
> Pluto seems to authenticate, but I'm having trouble establishing
> the tunnel, I don't seem to get an ipsec0 interface.
> 
> can someone look at my config to see if it's sane/insane?
> 
> I've been tearing my hair out with this, but I've learnt lots about
> IKE/IPsec tunnels and protocols! Is it advisable to use the Openswan IPsec
> features, rather than KLIPS, when connecting to Cisco equipment?
> 
> I've double-checked my firewall, and I'm getting bi-directional
> packet flows on port 500 and IP protocols 50 and 51!
> 
> hope you guys/gals can help!
> 
> Cheers,
> 
> cat /etc/ipsec/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
> 
> # This file:  /usr/share/doc/openswan-2.2.0/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> 
> version 2.0     # conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
>         interfaces= %defaultroute
>         klipsdebug=all
>         plutodebug=all
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
> 
> # Add connections here
> conn pix
>         type=           tunnel
>         left=           82.13.30.120
>         leftsubnet=     192.168.168.0/24
>         leftnexthop=    %defaultroute
>         right=          194.72.147.114
>         rightsubnet=    10.0.10.0/24
>         #rightnexthop=  %defaultroute
>         esp=            3des-md5-96
>         keyexchange=    ike
>         pfs=            no
>         auto=           start
>         authby=         secret
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
> 
> *syslog*
> May  3 18:47:29 vpntest ipsec_setup: Stopping Openswan IPsec...
> May  3 18:47:30 vpntest ipsec_setup: ...Openswan IPsec stopped
> May  3 18:47:34 vpntest ipsec_setup: Starting Openswan IPsec
> U2.2.0/K2.6.11-gentoo-r6...
> May  3 18:47:34 vpntest ipsec_setup: KLIPS ipsec0 on ppp0
> 82.13.30.120/255.255.255.255 pointopoint 194.145.148.5
> May  3 18:47:34 vpntest ipsec_setup: ...Openswan IPsec started
> May  3 18:47:34 vpntest ipsec__plutorun: 104 "pix" #1: STATE_MAIN_I1: initiate
> May  3 18:47:34 vpntest ipsec__plutorun: ...could not start conn "pix"
> 
> *messages*
> May  3 18:47:34 vpntest pluto[10353]: Starting Pluto (Openswan Version
> 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
> May  3 18:47:34 vpntest pluto[10353]:   including NAT-Traversal patch
> (Version 0.6c) [disabled]
> May  3 18:47:34 vpntest pluto[10353]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> May  3 18:47:34 vpntest pluto[10353]: Using Linux 2.6 IPsec interface code
> May  3 18:47:34 vpntest pluto[10353]: Changing to directory
> '/etc/ipsec/ipsec.d/cacerts'
> May  3 18:47:34 vpntest pluto[10353]: Could not change to directory
> '/etc/ipsec/ipsec.d/aacerts'
> May  3 18:47:34 vpntest pluto[10353]: Changing to directory
> '/etc/ipsec/ipsec.d/ocspcerts'
> May  3 18:47:34 vpntest pluto[10353]: Changing to directory
> '/etc/ipsec/ipsec.d/crls'
> May  3 18:47:34 vpntest pluto[10353]:   Warning: empty directory
> May  3 18:47:34 vpntest pluto[10353]: added connection description "pix"
> May  3 18:47:34 vpntest pluto[10353]: listening for IKE messages
> May  3 18:47:34 vpntest pluto[10353]: adding interface ppp0/ppp0 82.13.30.120
> May  3 18:47:34 vpntest pluto[10353]: adding interface eth0/eth0 192.168.168.230
> May  3 18:47:34 vpntest pluto[10353]: adding interface lo/lo 127.0.0.1
> May  3 18:47:34 vpntest pluto[10353]: loading secrets from
> "/etc/ipsec/ipsec.secrets"
> May  3 18:47:34 vpntest pluto[10353]: "pix" #1: initiating Main Mode
> May  3 18:47:34 vpntest pluto[10353]: "pix" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring Vendor ID
> payload [XAUTH]
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: received Vendor ID
> payload [Dead Peer Detection]
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring Vendor ID
> payload [Cisco-Unity]
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring Vendor ID
> payload [08bf991e9aedfde5351acad0b6b3a22a]
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: I did not send a
> certificate because I do not have one.
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: Peer ID is
> ID_IPV4_ADDR: '194.72.147.114'
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: ISAKMP SA established
> May  3 18:47:35 vpntest pluto[10353]: "pix" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: ignoring informational
> payload, type IPSEC_INITIAL_CONTACT
> May  3 18:47:35 vpntest pluto[10353]: "pix" #1: received and ignored
> informational message
> May  3 18:47:35 vpntest pluto[10353]: "pix" #2: ignoring informational
> payload, type IPSEC_RESPONDER_LIFETIME
> May  3 18:47:35 vpntest pluto[10353]: "pix" #2: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2
> May  3 18:47:35 vpntest pluto[10353]: "pix" #2: sent QI2, IPsec SA
> established {ESP=>0x6200797b <0x71fddfcb}
> May  3 18:54:23 vpntest pluto[10353]: "pix" #3: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> May  3 18:54:23 vpntest pluto[10353]: "pix" #3: ignoring informational
> payload, type IPSEC_RESPONDER_LIFETIME
> May  3 18:54:23 vpntest pluto[10353]: "pix" #3: transition from state
> STATE_QUICK_I1 to state STATE_QUICK_I2
> May  3 18:54:23 vpntest pluto[10353]: "pix" #3: sent QI2, IPsec SA
> established {ESP=>0x2056d9a1 <0xfb34cca8}
> May  3 18:54:51 vpntest pluto[10353]: "pix" #1: received Delete
> SA(0x6200797b) payload: deleting IPSEC State #2
> May  3 18:54:51 vpntest pluto[10353]: "pix" #1: received and ignored
> informational message
> 
> ipsec look
> vpntest.lan Tue May  3 19:14:09 BST 2005
> cat: /proc/net/ipsec_spigrp: No such file or directory
> cat: /proc/net/ipsec_eroute: No such file or directory
> egrep: /proc/net/ipsec_tncfg: No such file or directory
> sort: open failed: /proc/net/ipsec_spi: No such file or directory
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 0.0.0.0         194.145.148.5   0.0.0.0         UG        0 0          0 ppp0
> 10.0.10.0       194.145.148.5   255.255.255.0   UG        0 0          0 ppp0
> 194.145.148.5   0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> 
> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                         [OK]
> Linux Openswan U2.2.0/K2.6.11-gentoo-r6 (native)
> Checking for IPsec support in kernel                                    [OK]
> Checking for RSA private key (/etc/ipsec/ipsec.secrets)                 [FAILED]
> hostname: Unknown host
> ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
> Checking that pluto is running                                          [OK]
> Two or more interfaces found, checking IP forwarding                    [OK]
> Checking NAT and MASQUERADEing
> Checking for 'ip' command                                               [OK]
> Checking for 'iptables' command                                         [OK]
> Checking for 'setkey' command for native IPsec stack support            [OK]
> 
> Opportunistic Encryption DNS checks:
>    Looking for TXT in forward dns zone: vpntest.lan
>  [MISSING]
>    Does the machine have at least one non-private address?              [OK]
>    Looking for TXT in reverse dns zone: 120.30.13.82.in-addr.arpa.
>  [MISSING]
> 
> ipsec auto --up pix
> 112 "pix" #3: STATE_QUICK_I1: initiate
> 003 "pix" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> 004 "pix" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x9c3a3f8d <0xf6a61c99}
> 
> ipsec auto --status
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.168.230
> 000 interface ppp0/ppp0 82.13.30.120
> 000 %myid = (none)
> 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36}
> trans={0,4,96} attrs={0,4,160}
> 000
> 000 "pix": 192.168.168.0/24===82.13.30.120---194.145.148.5...194.72.147.114===10.0.10.0/24;
> erouted; eroute owner: #2
> 000 "pix":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "pix":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: ppp0;
> 000 "pix":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "pix":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5,
> 5_000-2-2, flags=-strict
> 000 "pix":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2,
> 5_192-2_160-5, 5_192-2_160-2,
> 000 "pix":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 000 "pix":   ESP algorithms wanted: 3_000-1, flags=-strict
> 000 "pix":   ESP algorithms loaded: 3_000-1, flags=-strict
> 000 "pix":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<N/A>
> 000
> 000 #2: "pix" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 27680s; newest IPSEC; eroute owner
> 000 #2: "pix" esp.753b2aef at 194.72.147.114 esp.b9f7db74 at 82.13.30.120
> tun.0 at 194.72.147.114 tun.0 at 82.13.30.120
> 000 #1: "pix" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE
> in 2937s; newest ISAKMP
> 000
>
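The point the thread arrives at is that `ipsec look` complaining about missing `/proc/net/ipsec_*` files says nothing about the tunnel: those files belong to KLIPS, and pluto logged "Using Linux 2.6 IPsec interface code", i.e. the native stack. The definitive record is the pluto log itself. The following is an added example (not code from the thread or from Openswan) that summarises such a log: it records the stack in use, the last state each SA number reached, the ESP SPI pairs of IPsec SAs that completed Quick Mode, and which of those were later deleted. The sample log is constructed from the quoted pluto lines, re-joined where the mail client wrapped them; the regexes are written against exactly those message formats and are an assumption for any other Openswan version.

```python
"""Added example, not from the thread: summarise a pluto log to answer
"is the tunnel up?" on the native (NETKEY) stack, where 'ipsec look'
finds no /proc/net/ipsec_* files because those belong to KLIPS."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the pluto lines quoted in the post, re-joined where the
# mail client wrapped them, syslog prefix kept.
SAMPLE_LOG = """\
May  3 18:47:34 vpntest pluto[10353]: Using Linux 2.6 IPsec interface code
May  3 18:47:34 vpntest pluto[10353]: "pix" #1: initiating Main Mode
May  3 18:47:34 vpntest pluto[10353]: "pix" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  3 18:47:35 vpntest pluto[10353]: "pix" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May  3 18:47:35 vpntest pluto[10353]: "pix" #1: Peer ID is ID_IPV4_ADDR: '194.72.147.114'
May  3 18:47:35 vpntest pluto[10353]: "pix" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May  3 18:47:35 vpntest pluto[10353]: "pix" #1: ISAKMP SA established
May  3 18:47:35 vpntest pluto[10353]: "pix" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May  3 18:47:35 vpntest pluto[10353]: "pix" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May  3 18:47:35 vpntest pluto[10353]: "pix" #2: sent QI2, IPsec SA established {ESP=>0x6200797b <0x71fddfcb}
May  3 18:54:23 vpntest pluto[10353]: "pix" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May  3 18:54:23 vpntest pluto[10353]: "pix" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May  3 18:54:23 vpntest pluto[10353]: "pix" #3: sent QI2, IPsec SA established {ESP=>0x2056d9a1 <0xfb34cca8}
May  3 18:54:51 vpntest pluto[10353]: "pix" #1: received Delete SA(0x6200797b) payload: deleting IPSEC State #2
"""

# Message formats as they appear in the quoted log (assumption for other versions).
PLUTO_RE = re.compile(r'pluto\[\d+\]: (?P<msg>.*)$')
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): transition from state \S+ to state (?P<to>STATE_\w+)')
ESTAB_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): sent QI2, IPsec SA established '
                      r'\{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)\}')
DELETE_RE = re.compile(r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload: deleting IPSEC State #(?P<sa>\d+)')


def summarize(log: str) -> Dict:
    """Walk the log once and keep: which kernel stack pluto chose, the latest
    state per SA number, ESP SPIs (outbound, inbound) per IPsec SA, and the
    IPsec SA numbers the peer has since deleted."""
    out = {"stack": "unknown", "states": {}, "ipsec_sas": {}, "deleted": []}
    for line in log.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue                      # not a pluto line (e.g. ipsec_setup)
        msg = m.group("msg")
        if "Using Linux 2.6 IPsec interface code" in msg:
            out["stack"] = "netkey"       # native stack: no ipsec0, no /proc/net/ipsec_*
        elif (s := STATE_RE.match(msg)):
            out["states"][s.group("sa")] = s.group("to")
        elif (e := ESTAB_RE.match(msg)):
            out["ipsec_sas"][e.group("sa")] = (e.group("out"), e.group("in"))
        elif (d := DELETE_RE.search(msg)):
            out["deleted"].append(d.group("sa"))
    return out


def live_spis(summary: Dict) -> List[Tuple[str, str]]:
    """SPI pairs of IPsec SAs that reached QI2 and were not deleted afterwards."""
    return [spis for sa, spis in summary["ipsec_sas"].items() if sa not in summary["deleted"]]


def tunnel_up(summary: Dict) -> bool:
    """Up means: at least one live IPsec SA (Phase 2), which in turn needs Phase 1."""
    return bool(live_spis(summary))


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("stack:", s["stack"])
    for sa, state in sorted(s["states"].items()):
        print(f"SA #{sa}: {state}")
    print("live ESP SPIs (out, in):", live_spis(s))
    print("tunnel up:", tunnel_up(s))
```

On the native stack the equivalent of the KLIPS eroute table is the kernel SPD, which `setkey -DP` or `ip xfrm policy` will list; `ip xfrm state` shows the SAs whose SPIs the log reports.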


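The remaining problem in the reply, pings from the gateway itself taking the default route in the clear, comes from the IPsec policy selectors: the conn protects 192.168.168.0/24 to 10.0.10.0/24 only, and a locally generated packet to 10.0.10.x gets ppp0's address 82.13.30.120 as its source (every route in the quoted table leaves via ppp0), so it matches no policy and is sent unencrypted to the ISP. The following added example (not code from the thread or from Openswan) models that outbound policy, longest-prefix routing and source-address selection from the quoted tables, and shows which packets are protected. The "src route fix" table and the `ip route change ... src 192.168.168.230` command behind it are an assumption about the remedy, not something the poster reported.

```python
"""Added example, not from the thread: why a ping issued on the Openswan
gateway itself bypasses the tunnel while traffic forwarded from the LAN is
protected. Models the outbound security policy (SP) the native stack installs
for the quoted "pix" conn plus Linux routing and source-address selection."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addresses taken from the quoted ipsec.conf and pluto log.
LEFT_GW = ipaddress.ip_address("82.13.30.120")          # left= (ppp0 address)
LEFT_SUBNET = ipaddress.ip_network("192.168.168.0/24")  # leftsubnet=
LAN_IP = ipaddress.ip_address("192.168.168.230")        # gateway's eth0 address
RIGHT_GW = ipaddress.ip_address("194.72.147.114")       # right=
RIGHT_SUBNET = ipaddress.ip_network("10.0.10.0/24")     # rightsubnet=
NEXTHOP = ipaddress.ip_address("194.145.148.5")         # ppp0 peer / default gateway


@dataclass(frozen=True)
class Policy:
    """Outbound SP: packets whose src/dst fall in the selectors are ESP-tunnelled gw to gw."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel_src: ipaddress.IPv4Address
    tunnel_dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    """FIB entry; 'src' is the preferred source the kernel picks for locally generated traffic."""
    prefix: ipaddress.IPv4Network
    via: Optional[ipaddress.IPv4Address]
    src: ipaddress.IPv4Address


def build_spd() -> List[Policy]:
    """The single outbound SP a net-to-net conn yields: leftsubnet -> rightsubnet."""
    return [Policy(LEFT_SUBNET, RIGHT_SUBNET, LEFT_GW, RIGHT_GW)]


def routes_as_posted() -> List[Route]:
    """Routing table from the quoted 'ipsec look' output. Every route leaves via
    ppp0, so local traffic gets ppp0's public address as its source."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), NEXTHOP, LEFT_GW),
        Route(RIGHT_SUBNET, NEXTHOP, LEFT_GW),
        Route(ipaddress.ip_network("194.145.148.5/32"), None, LEFT_GW),
    ]


def routes_with_src_fix() -> List[Route]:
    """Assumed remedy (not from the thread): give the route to the remote subnet a
    LAN-side preferred source, as
    'ip route change 10.0.10.0/24 via 194.145.148.5 dev ppp0 src 192.168.168.230' would."""
    routes = routes_as_posted()
    routes[1] = Route(RIGHT_SUBNET, NEXTHOP, LAN_IP)
    return routes


def route_lookup(routes: List[Route], dst) -> Route:
    """Longest-prefix match, as the kernel FIB does it."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def spd_lookup(spd: List[Policy], src, dst) -> Optional[Policy]:
    """First SP whose selectors cover the packet wins; None means no IPsec at all."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if src in p.src and dst in p.dst:
            return p
    return None


def classify(spd, routes, dst, src=None) -> Tuple[str, str, bool]:
    """Fate of a packet to dst. src=None mimics a plain 'ping dst' on the gateway
    (kernel takes the preferred source of the matching route); an explicit src
    mimics 'ping -I src dst' or a forwarded packet that already carries a LAN
    source. Returns (src, dst, protected_by_ipsec)."""
    if src is None:
        src = route_lookup(routes, dst).src
    return str(src), str(dst), spd_lookup(spd, src, dst) is not None


if __name__ == "__main__":
    spd = build_spd()
    cases = [
        ("forwarded from LAN host 192.168.168.10", "192.168.168.10", routes_as_posted()),
        ("ping 10.0.10.1 on the gateway", None, routes_as_posted()),
        ("ping -I 192.168.168.230 10.0.10.1", "192.168.168.230", routes_as_posted()),
        ("ping 10.0.10.1 after the src route fix", None, routes_with_src_fix()),
    ]
    for label, src, routes in cases:
        s, d, protected = classify(spd, routes, "10.0.10.1", src)
        verdict = f"ESP to {RIGHT_GW}" if protected else f"CLEARTEXT via {NEXTHOP}"
        print(f"{label:<42} {s} -> {d} : {verdict}")
```

The quickest check on the real box is the third case: `ping -I 192.168.168.230 10.0.10.1` should be encrypted while a plain `ping 10.0.10.1` is not, and `ip xfrm policy` shows the selector that explains the difference. Later Openswan releases expose the same route-with-src trick as `leftsourceip=`; whether 2.2.0 already has that keyword is not something this thread confirms.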