[Openswan Users] Firewall rules for Openswan and Ipsec tool in win xp...

Deepak Naidu deepak_nai at yahoo.com
Tue May 10 05:50:15 CEST 2005


Paul, I have logged the Oakley logs... but can't understand them; can you figure them out? I don't get any errors in my VPN server logs..
 
Logs are below
 
 5-10: 09:11:24:762:554 Initialization OK
 5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 40db2282-11b8-4e85-b940c4f6beee4822 4
 5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 6a0aebec-6b2c-4bd3-bcab9c22da4c46d2 4
 5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: ae561592-1846-4185-98c467319ae5b719 3
 5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 4855472b-c57f-40a8-aff10c3db39e6773 3
 5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: a6f53fb9-a60b-422d-9c099d1e73e355d8 1
 5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 6c29f547-c022-4764-820245d8971bb05b 2
 5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: b204636c-949a-473a-9bb36197ce0225ca 2
 5-10: 09:11:45:632:b08 entered kill_old_policy_sas 4
 5-10: 09:11:45:632:b08 entered kill_old_policy_sas 4
 5-10: 09:11:45:632:b08 entered kill_old_policy_sas 3
 5-10: 09:11:45:632:b08 entered kill_old_policy_sas 3
 5-10: 09:11:45:632:b08 entered kill_old_policy_sas 1
 5-10: 09:11:45:632:b08 entered kill_old_policy_sas 2
 5-10: 09:11:45:632:b08 entered kill_old_policy_sas 2
 5-10: 09:12:03:37:894 Acquire from driver: op=00000008 src=192.168.1.2.0 dst=192.168.2.234.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=202.149.x.x Inbound TunnelEndpt=192.168.1.2
 5-10: 09:12:03:37:b08 Filter to match: Src 202.149.x.x Dst 192.168.1.2
 5-10: 09:12:03:37:b08 MM PolicyName: 2
 5-10: 09:12:03:37:b08 MMPolicy dwFlags 2 SoftSAExpireTime 28800
 5-10: 09:12:03:37:b08 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
 5-10: 09:12:03:37:b08 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
 5-10: 09:12:03:37:b08 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
 5-10: 09:12:03:37:b08 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
 5-10: 09:12:03:37:b08 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
 5-10: 09:12:03:37:b08 MMOffer[2] Encrypt: DES CBC Hash: SHA
 5-10: 09:12:03:37:b08 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
 5-10: 09:12:03:37:b08 MMOffer[3] Encrypt: DES CBC Hash: MD5
 5-10: 09:12:03:37:b08 Auth[0]:RSA Sig C=IN, S=Maharashtra, L=Mumbai, O=Net, OU=IT, CN=Deepak, E=deepak at company.com AuthFlags 0
 5-10: 09:12:03:47:b08 QM PolicyName: Host-roadwarrior filter action dwFlags 1
 5-10: 09:12:03:47:b08 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
 5-10: 09:12:03:47:b08 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
 5-10: 09:12:03:47:b08  Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
 5-10: 09:12:03:47:b08 Starting Negotiation: src = 192.168.1.2.0500, dst = 202.149.x.x.0500, proto = 00, context = 00000008, ProxySrc = 192.168.1.2.0000, ProxyDst = 192.168.2.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
 5-10: 09:12:03:47:b08 constructing ISAKMP Header
 5-10: 09:12:03:47:b08 constructing SA (ISAKMP)
 5-10: 09:12:03:47:b08 Constructing Vendor MS NT5 ISAKMPOAKLEY
 5-10: 09:12:03:47:b08 Constructing Vendor FRAGMENTATION
 5-10: 09:12:03:47:b08 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
 5-10: 09:12:03:47:b08 Constructing Vendor Vid-Initial-Contact
 5-10: 09:12:03:47:b08 
 5-10: 09:12:03:47:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 2.500
 5-10: 09:12:03:47:b08 ISAKMP Header: (V1.0), len = 276
 5-10: 09:12:03:47:b08   I-COOKIE 5415e04dba12c029
 5-10: 09:12:03:47:b08   R-COOKIE 0000000000000000
 5-10: 09:12:03:47:b08   exchange: Oakley Main Mode
 5-10: 09:12:03:47:b08   flags: 0
 5-10: 09:12:03:47:b08   next payload: SA
 5-10: 09:12:03:47:b08   message ID: 00000000
 5-10: 09:12:03:47:b08 Ports S:f401 D:f401
 5-10: 09:12:03:107:b08 
 5-10: 09:12:03:107:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
 5-10: 09:12:03:107:b08 ISAKMP Header: (V1.0), len = 140
 5-10: 09:12:03:107:b08   I-COOKIE 5415e04dba12c029
 5-10: 09:12:03:107:b08   R-COOKIE 23ebe6fb7bc0825f
 5-10: 09:12:03:107:b08   exchange: Oakley Main Mode
 5-10: 09:12:03:107:b08   flags: 0
 5-10: 09:12:03:107:b08   next payload: SA
 5-10: 09:12:03:107:b08   message ID: 00000000
 5-10: 09:12:03:107:b08 processing payload SA
 5-10: 09:12:03:107:b08 Received Phase 1 Transform 1
 5-10: 09:12:03:107:b08      Encryption Alg Triple DES CBC(5)
 5-10: 09:12:03:107:b08      Hash Alg SHA(2)
 5-10: 09:12:03:107:b08      Oakley Group 2
 5-10: 09:12:03:107:b08      Auth Method RSA Signature with Certificates(3)
 5-10: 09:12:03:107:b08      Life type in Seconds
 5-10: 09:12:03:107:b08      Life duration of 28800
 5-10: 09:12:03:107:b08 Phase 1 SA accepted: transform=1
 5-10: 09:12:03:107:b08 SA - Oakley proposal accepted
 5-10: 09:12:03:107:b08 processing payload VENDOR ID
 5-10: 09:12:03:107:b08 processing payload VENDOR ID
 5-10: 09:12:03:107:b08 processing payload VENDOR ID
 5-10: 09:12:03:107:b08 Received VendorId draft-ietf-ipsec-nat-t-ike-02
 5-10: 09:12:03:107:b08 ClearFragList
 5-10: 09:12:03:107:b08 constructing ISAKMP Header
 5-10: 09:12:03:167:b08 constructing KE
 5-10: 09:12:03:167:b08 constructing NONCE (ISAKMP)
 5-10: 09:12:03:167:b08 Constructing NatDisc
 5-10: 09:12:03:167:b08 
 5-10: 09:12:03:167:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 2.500
 5-10: 09:12:03:167:b08 ISAKMP Header: (V1.0), len = 232
 5-10: 09:12:03:167:b08   I-COOKIE 5415e04dba12c029
 5-10: 09:12:03:167:b08   R-COOKIE 23ebe6fb7bc0825f
 5-10: 09:12:03:167:b08   exchange: Oakley Main Mode
 5-10: 09:12:03:167:b08   flags: 0
 5-10: 09:12:03:167:b08   next payload: KE
 5-10: 09:12:03:167:b08   message ID: 00000000
 5-10: 09:12:03:167:b08 Ports S:f401 D:f401
 5-10: 09:12:03:248:b08 
 5-10: 09:12:03:248:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
 5-10: 09:12:03:248:b08 ISAKMP Header: (V1.0), len = 228
 5-10: 09:12:03:248:b08   I-COOKIE 5415e04dba12c029
 5-10: 09:12:03:248:b08   R-COOKIE 23ebe6fb7bc0825f
 5-10: 09:12:03:248:b08   exchange: Oakley Main Mode
 5-10: 09:12:03:248:b08   flags: 0
 5-10: 09:12:03:248:b08   next payload: KE
 5-10: 09:12:03:248:b08   message ID: 00000000
 5-10: 09:12:03:248:b08 processing payload KE
 5-10: 09:12:03:268:b08 processing payload NONCE
 5-10: 09:12:03:268:b08 processing payload NATDISC
 5-10: 09:12:03:268:b08 Processing NatHash
 5-10: 09:12:03:268:b08 Nat hash 923d1b992e53e76e6620d9ab298cfae6
 5-10: 09:12:03:268:b08 9c6f18d7
 5-10: 09:12:03:268:b08 SA StateMask2 1f
 5-10: 09:12:03:268:b08 processing payload NATDISC
 5-10: 09:12:03:268:b08 Processing NatHash
 5-10: 09:12:03:268:b08 Nat hash d8e12d6b3b0f4e3765e5d3c53303204b
 5-10: 09:12:03:268:b08 5780daf8
 5-10: 09:12:03:268:b08 SA StateMask2 5f
 5-10: 09:12:03:268:b08 ClearFragList
 5-10: 09:12:03:268:b08 Peer behind NAT
 5-10: 09:12:03:268:b08 Floated Ports Orig Me:f401 Peer:f401
 5-10: 09:12:03:268:b08 Floated Ports Me:9411 Peer:9411
 5-10: 09:12:03:268:b08 constructing ISAKMP Header
 5-10: 09:12:03:268:b08 constructing ID
 5-10: 09:12:03:268:b08 Received no valid CRPs.  Using all configured
 5-10: 09:12:03:268:b08 Looking for IPSec only cert
 5-10: 09:12:03:268:b08 failed to get chain 80092004
 5-10: 09:12:03:268:b08 Looking for any cert
 5-10: 09:12:03:268:b08 failed to get chain 80092004
 5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee
 5-10: 09:12:03:268:b08 isadb_set_status sa:000F0668 centry:00000000 status 35ee
 5-10: 09:12:03:268:b08 Key Exchange Mode (Main Mode)
 5-10: 09:12:03:268:b08 Source IP Address 192.168.1.2  Source IP Address Mask 255.255.255.255  Destination IP Address 202.149.x.x  Destination IP Address Mask 255.255.255.255  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 192.168.1.2  IKE Peer Addr 202.149.x.x
 5-10: 09:12:03:268:b08 Certificate based Identity.    Peer IP Address: 202.149.x.x
 5-10: 09:12:03:268:b08 Me
 5-10: 09:12:03:268:b08 IKE failed to find valid machine certificate
 5-10: 09:12:03:268:b08 0x80092004 0x0
 5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee
 5-10: 09:12:03:268:b08 constructing ISAKMP Header
 5-10: 09:12:03:268:b08 constructing HASH (null)
 5-10: 09:12:03:268:b08 constructing NOTIFY 28
 5-10: 09:12:03:268:b08 constructing HASH (Notify/Delete)
 5-10: 09:12:03:268:b08 
 5-10: 09:12:03:268:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 1.4500
 5-10: 09:12:03:268:b08 ISAKMP Header: (V1.0), len = 84
 5-10: 09:12:03:268:b08   I-COOKIE 5415e04dba12c029
 5-10: 09:12:03:268:b08   R-COOKIE 23ebe6fb7bc0825f
 5-10: 09:12:03:268:b08   exchange: ISAKMP Informational Exchange
 5-10: 09:12:03:268:b08   flags: 1 ( encrypted )
 5-10: 09:12:03:268:b08   next payload: HASH
 5-10: 09:12:03:268:b08   message ID: 04eea425
 5-10: 09:12:03:268:b08 Ports S:9411 D:9411
 5-10: 09:12:13:322:b08 
 5-10: 09:12:13:332:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
 5-10: 09:12:13:332:b08 ISAKMP Header: (V1.0), len = 228
 5-10: 09:12:13:332:b08   I-COOKIE 5415e04dba12c029
 5-10: 09:12:13:332:b08   R-COOKIE 23ebe6fb7bc0825f
 5-10: 09:12:13:332:b08   exchange: Oakley Main Mode
 5-10: 09:12:13:332:b08   flags: 0
 5-10: 09:12:13:332:b08   next payload: KE
 5-10: 09:12:13:332:b08   message ID: 00000000
 5-10: 09:12:13:332:b08 received an unencrypted packet when crypto active
 5-10: 09:12:13:332:b08 GetPacket failed 35ec
 5-10: 09:12:33:321:b08 
 5-10: 09:12:33:321:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
 5-10: 09:12:33:321:b08 ISAKMP Header: (V1.0), len = 228
 5-10: 09:12:33:321:b08   I-COOKIE 5415e04dba12c029
 5-10: 09:12:33:321:b08   R-COOKIE 23ebe6fb7bc0825f
 5-10: 09:12:33:321:b08   exchange: Oakley Main Mode
 5-10: 09:12:33:321:b08   flags: 0
 5-10: 09:12:33:321:b08   next payload: KE
 5-10: 09:12:33:321:b08   message ID: 00000000
 5-10: 09:12:33:321:b08 received an unencrypted packet when crypto active
 5-10: 09:12:33:321:b08 GetPacket failed 35ec


Paul Wouters <paul at xelerance.com> wrote:
On Mon, 9 May 2005, Deepak Naidu wrote:

> C:\ipsec>ping 192.168.2.234
> Pinging 192.168.2.234 with 32 bytes of data:
> Negotiating IP Security.
> Request timed out.
> Request timed out.
> Request timed out.
> Ping statistics for 192.168.2.234:
> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Check the oakley.log to see what Windows thinks is happening. And
check the openswan logs to see what it is saying. Though likely,
if this is a windows misconfiguration, openswan will just log
"no response to....." entries.

See the wiki on how to enable oakley.log on windows.

Paul

>
> Deepak Naidu wrote:
> Hi,
>
> I am using Openswan 2.3.1 VPN server on FC3
> 2.6.9smp kernel. It is behind a NAT and I have NATted
> ports 4500 and 500. The issue is that when using
> l2tpd+x509cert from WinXP with the VPN dialer it is working
> fine. But when using Muller's ipsec.exe tool, with
> the below configs in the ipsec.conf of the WinXP PC, I
> am unable to ping my network. It doesn't even give a
> negotiating message, but host unreachable....
>
> Should I have to write some more firewall rules to
> open the ports in my NAT?
>
> I have SP2 with support tools and the ipseccmd.exe file.
>
> WinXP is a roadwarrior on dialup...
>
> Please advise me...
>
> Ipsec.conf on Winxp...
>
> conn roadwarrior
> pfs=yes
> left=%any
> right=202.x.x.x
> rightsubnet=192.168.2.0/24
> rightca="C=IN, S=state, L=location, O=company,
> OU=IT, CN=name, E=name at company.com"
> network=auto
> auto=start
>
>
> Regards,
> Deepak.
>
>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
>

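The Oakley log above is dense, but it records exactly where Main Mode stops: the proposal is accepted, NAT-T port floating succeeds, and then the client cannot build a certificate chain and sends a notify before aborting. The following Python script is an added triage helper, not code from the thread or from Openswan; it parses the ` M-D: HH:MM:SS:ms:thread message` line format, decodes the hex port words Oakley prints, and summarises the failure. The SAMPLE_LOG is a subset of the lines Deepak posted (public IP masked as in the post); the status and notify code tables are taken from winerror.h and RFC 2408 as I know them, and the `verdict()` wording is my own reading of the log.

```python
"""Triage helper for a Windows XP Oakley log (added example, not from the thread)."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^\s*(\d+-\d+):\s+(\d+:\d+:\d+:\d+):([0-9a-fA-F]+)\s+(.*)$")

# Win32 IKE status codes from winerror.h (13804 and 13806) and the CryptoAPI HRESULT
# that appears in the posted log. Codes not in these tables are reported as raw hex.
IKE_STATUS = {
    0x35EC: "ERROR_IPSEC_IKE_GENERAL_PROCESSING_ERROR",
    0x35EE: "ERROR_IPSEC_IKE_NO_CERT",
}
CRYPT_HRESULT = {0x80092004: "CRYPT_E_NOT_FOUND"}
# ISAKMP notify message types (RFC 2408, section 3.14.1).
ISAKMP_NOTIFY = {24: "AUTHENTICATION-FAILED", 28: "CERTIFICATE-UNAVAILABLE"}

# Subset of the lines from the post above; 202.149.x.x is masked as in the original.
SAMPLE_LOG = """\
 5-10: 09:12:03:107:b08 Phase 1 SA accepted: transform=1
 5-10: 09:12:03:268:b08 Peer behind NAT
 5-10: 09:12:03:268:b08 Floated Ports Orig Me:f401 Peer:f401
 5-10: 09:12:03:268:b08 Floated Ports Me:9411 Peer:9411
 5-10: 09:12:03:268:b08 Looking for IPSec only cert
 5-10: 09:12:03:268:b08 failed to get chain 80092004
 5-10: 09:12:03:268:b08 Looking for any cert
 5-10: 09:12:03:268:b08 failed to get chain 80092004
 5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee
 5-10: 09:12:03:268:b08 IKE failed to find valid machine certificate
 5-10: 09:12:03:268:b08 constructing NOTIFY 28
 5-10: 09:12:13:332:b08 received an unencrypted packet when crypto active
 5-10: 09:12:13:332:b08 GetPacket failed 35ec
"""


@dataclass
class OakleyEvent:
    date: str
    time: str
    thread: str
    msg: str


def parse_oakley(text: str) -> list:
    """Return one OakleyEvent per well-formed line; lines that do not carry the
    timestamp prefix (e.g. the second half of a wrapped NAT hash) are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append(OakleyEvent(*m.groups()))
    return events


def decode_port(hexword: str) -> int:
    """Oakley prints htons(port) as a native little-endian 16-bit word, so the
    bytes must be swapped: 'f401' -> 0x01f4 = 500 and '9411' -> 0x1194 = 4500."""
    return int.from_bytes(bytes.fromhex(hexword), "little")


def diagnose(events) -> dict:
    """Walk the events and collect the facts a reviewer needs for a verdict."""
    report = {
        "phase1_accepted": False,
        "peer_behind_nat": False,
        "nat_t_port": None,
        "cert_chain_errors": [],
        "ike_status": None,
        "notify_sent": None,
        "unencrypted_after_crypto": 0,
    }
    for ev in events:
        msg = ev.msg
        if msg.startswith("Phase 1 SA accepted"):
            report["phase1_accepted"] = True
        elif msg == "Peer behind NAT":
            report["peer_behind_nat"] = True
        elif msg.startswith("Floated Ports Me:"):
            m = re.search(r"Me:([0-9a-fA-F]{4})", msg)
            report["nat_t_port"] = decode_port(m.group(1))
        elif msg.startswith("failed to get chain"):
            code = int(msg.rsplit(" ", 1)[1], 16)
            report["cert_chain_errors"].append(CRYPT_HRESULT.get(code, f"0x{code:08x}"))
        elif msg.startswith("ProcessFailure:"):
            m = re.search(r"status:([0-9a-fA-F]+)", msg)
            if m:
                code = int(m.group(1), 16)
                report["ike_status"] = IKE_STATUS.get(code, f"0x{code:x}")
        elif msg.startswith("constructing NOTIFY"):
            n = int(msg.rsplit(" ", 1)[1])
            report["notify_sent"] = ISAKMP_NOTIFY.get(n, f"NOTIFY-{n}")
        elif msg.startswith("received an unencrypted packet when crypto active"):
            report["unencrypted_after_crypto"] += 1
    return report


def verdict(report: dict) -> str:
    """One-line reading of the report (my interpretation, not Oakley output)."""
    if report["ike_status"] == "ERROR_IPSEC_IKE_NO_CERT" or report["cert_chain_errors"]:
        return ("Phase 1 proposal and NAT-T were fine; the client found no machine "
                "certificate with a chain to a trusted root, sent "
                f"{report['notify_sent']} and aborted. Check that the certificate and "
                "its private key are in the computer (not user) store and that the "
                "issuing CA is under Trusted Root Certification Authorities.")
    if not report["phase1_accepted"]:
        return "No Phase 1 proposal was accepted; compare the MMOffer lines with the peer."
    return "No certificate failure recorded; look at Quick Mode and the server logs."


if __name__ == "__main__":
    rep = diagnose(parse_oakley(SAMPLE_LOG))
    for key, value in rep.items():
        print(f"{key:25} {value}")
    print(verdict(rep))
```

The port decoding is worth noting when reading these logs by hand: `Ports S:f401 D:f401` is UDP 500 and `Ports S:9411 D:9411` is UDP 4500, which matches the `Type 2.500` and `Type 1.4500` send lines. The later `received an unencrypted packet when crypto active` entries are the server's retransmitted Main Mode message 4 arriving after the client has already torn down the exchange, so they are a symptom of the certificate failure rather than a second problem.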