[Openswan Users] Firewall rules for Openswan and Ipsec tool in win xp...
Deepak Naidu
deepak_nai at yahoo.com
Tue May 10 05:50:15 CEST 2005
Paul, I have logged the Oakley logs... but can't understand them, can you figure them out... I don't get any errors in my VPN server logs..
Logs are below
5-10: 09:11:24:762:554 Initialization OK
5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 40db2282-11b8-4e85-b940c4f6beee4822 4
5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 6a0aebec-6b2c-4bd3-bcab9c22da4c46d2 4
5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: ae561592-1846-4185-98c467319ae5b719 3
5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 4855472b-c57f-40a8-aff10c3db39e6773 3
5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: a6f53fb9-a60b-422d-9c099d1e73e355d8 1
5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: 6c29f547-c022-4764-820245d8971bb05b 2
5-10: 09:11:45:632:554 isadb_schedule_kill_oldPolicy_sas: b204636c-949a-473a-9bb36197ce0225ca 2
5-10: 09:11:45:632:b08 entered kill_old_policy_sas 4
5-10: 09:11:45:632:b08 entered kill_old_policy_sas 4
5-10: 09:11:45:632:b08 entered kill_old_policy_sas 3
5-10: 09:11:45:632:b08 entered kill_old_policy_sas 3
5-10: 09:11:45:632:b08 entered kill_old_policy_sas 1
5-10: 09:11:45:632:b08 entered kill_old_policy_sas 2
5-10: 09:11:45:632:b08 entered kill_old_policy_sas 2
5-10: 09:12:03:37:894 Acquire from driver: op=00000008 src=192.168.1.2.0 dst=192.168.2.234.0 proto = 0, SrcMask=255.255.255.255, DstMask=255.255.255.0, Tunnel 1, TunnelEndpt=202.149.x.x Inbound TunnelEndpt=192.168.1.2
5-10: 09:12:03:37:b08 Filter to match: Src 202.149.x.x Dst 192.168.1.2
5-10: 09:12:03:37:b08 MM PolicyName: 2
5-10: 09:12:03:37:b08 MMPolicy dwFlags 2 SoftSAExpireTime 28800
5-10: 09:12:03:37:b08 MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
5-10: 09:12:03:37:b08 MMOffer[0] Encrypt: Triple DES CBC Hash: SHA
5-10: 09:12:03:37:b08 MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
5-10: 09:12:03:37:b08 MMOffer[1] Encrypt: Triple DES CBC Hash: MD5
5-10: 09:12:03:37:b08 MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
5-10: 09:12:03:37:b08 MMOffer[2] Encrypt: DES CBC Hash: SHA
5-10: 09:12:03:37:b08 MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
5-10: 09:12:03:37:b08 MMOffer[3] Encrypt: DES CBC Hash: MD5
5-10: 09:12:03:37:b08 Auth[0]:RSA Sig C=IN, S=Maharashtra, L=Mumbai, O=Net, OU=IT, CN=Deepak, E=deepak at company.com AuthFlags 0
5-10: 09:12:03:47:b08 QM PolicyName: Host-roadwarrior filter action dwFlags 1
5-10: 09:12:03:47:b08 QMOffer[0] LifetimeKBytes 50000 LifetimeSec 3600
5-10: 09:12:03:47:b08 QMOffer[0] dwFlags 0 dwPFSGroup -2147483648
5-10: 09:12:03:47:b08 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: MD5
5-10: 09:12:03:47:b08 Starting Negotiation: src = 192.168.1.2.0500, dst = 202.149.x.x.0500, proto = 00, context = 00000008, ProxySrc = 192.168.1.2.0000, ProxyDst = 192.168.2.0.0000 SrcMask = 255.255.255.255 DstMask = 255.255.255.0
5-10: 09:12:03:47:b08 constructing ISAKMP Header
5-10: 09:12:03:47:b08 constructing SA (ISAKMP)
5-10: 09:12:03:47:b08 Constructing Vendor MS NT5 ISAKMPOAKLEY
5-10: 09:12:03:47:b08 Constructing Vendor FRAGMENTATION
5-10: 09:12:03:47:b08 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
5-10: 09:12:03:47:b08 Constructing Vendor Vid-Initial-Contact
5-10: 09:12:03:47:b08
5-10: 09:12:03:47:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 2.500
5-10: 09:12:03:47:b08 ISAKMP Header: (V1.0), len = 276
5-10: 09:12:03:47:b08 I-COOKIE 5415e04dba12c029
5-10: 09:12:03:47:b08 R-COOKIE 0000000000000000
5-10: 09:12:03:47:b08 exchange: Oakley Main Mode
5-10: 09:12:03:47:b08 flags: 0
5-10: 09:12:03:47:b08 next payload: SA
5-10: 09:12:03:47:b08 message ID: 00000000
5-10: 09:12:03:47:b08 Ports S:f401 D:f401
5-10: 09:12:03:107:b08
5-10: 09:12:03:107:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
5-10: 09:12:03:107:b08 ISAKMP Header: (V1.0), len = 140
5-10: 09:12:03:107:b08 I-COOKIE 5415e04dba12c029
5-10: 09:12:03:107:b08 R-COOKIE 23ebe6fb7bc0825f
5-10: 09:12:03:107:b08 exchange: Oakley Main Mode
5-10: 09:12:03:107:b08 flags: 0
5-10: 09:12:03:107:b08 next payload: SA
5-10: 09:12:03:107:b08 message ID: 00000000
5-10: 09:12:03:107:b08 processing payload SA
5-10: 09:12:03:107:b08 Received Phase 1 Transform 1
5-10: 09:12:03:107:b08 Encryption Alg Triple DES CBC(5)
5-10: 09:12:03:107:b08 Hash Alg SHA(2)
5-10: 09:12:03:107:b08 Oakley Group 2
5-10: 09:12:03:107:b08 Auth Method RSA Signature with Certificates(3)
5-10: 09:12:03:107:b08 Life type in Seconds
5-10: 09:12:03:107:b08 Life duration of 28800
5-10: 09:12:03:107:b08 Phase 1 SA accepted: transform=1
5-10: 09:12:03:107:b08 SA - Oakley proposal accepted
5-10: 09:12:03:107:b08 processing payload VENDOR ID
5-10: 09:12:03:107:b08 processing payload VENDOR ID
5-10: 09:12:03:107:b08 processing payload VENDOR ID
5-10: 09:12:03:107:b08 Received VendorId draft-ietf-ipsec-nat-t-ike-02
5-10: 09:12:03:107:b08 ClearFragList
5-10: 09:12:03:107:b08 constructing ISAKMP Header
5-10: 09:12:03:167:b08 constructing KE
5-10: 09:12:03:167:b08 constructing NONCE (ISAKMP)
5-10: 09:12:03:167:b08 Constructing NatDisc
5-10: 09:12:03:167:b08
5-10: 09:12:03:167:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 2.500
5-10: 09:12:03:167:b08 ISAKMP Header: (V1.0), len = 232
5-10: 09:12:03:167:b08 I-COOKIE 5415e04dba12c029
5-10: 09:12:03:167:b08 R-COOKIE 23ebe6fb7bc0825f
5-10: 09:12:03:167:b08 exchange: Oakley Main Mode
5-10: 09:12:03:167:b08 flags: 0
5-10: 09:12:03:167:b08 next payload: KE
5-10: 09:12:03:167:b08 message ID: 00000000
5-10: 09:12:03:167:b08 Ports S:f401 D:f401
5-10: 09:12:03:248:b08
5-10: 09:12:03:248:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
5-10: 09:12:03:248:b08 ISAKMP Header: (V1.0), len = 228
5-10: 09:12:03:248:b08 I-COOKIE 5415e04dba12c029
5-10: 09:12:03:248:b08 R-COOKIE 23ebe6fb7bc0825f
5-10: 09:12:03:248:b08 exchange: Oakley Main Mode
5-10: 09:12:03:248:b08 flags: 0
5-10: 09:12:03:248:b08 next payload: KE
5-10: 09:12:03:248:b08 message ID: 00000000
5-10: 09:12:03:248:b08 processing payload KE
5-10: 09:12:03:268:b08 processing payload NONCE
5-10: 09:12:03:268:b08 processing payload NATDISC
5-10: 09:12:03:268:b08 Processing NatHash
5-10: 09:12:03:268:b08 Nat hash 923d1b992e53e76e6620d9ab298cfae6
5-10: 09:12:03:268:b08 9c6f18d7
5-10: 09:12:03:268:b08 SA StateMask2 1f
5-10: 09:12:03:268:b08 processing payload NATDISC
5-10: 09:12:03:268:b08 Processing NatHash
5-10: 09:12:03:268:b08 Nat hash d8e12d6b3b0f4e3765e5d3c53303204b
5-10: 09:12:03:268:b08 5780daf8
5-10: 09:12:03:268:b08 SA StateMask2 5f
5-10: 09:12:03:268:b08 ClearFragList
5-10: 09:12:03:268:b08 Peer behind NAT
5-10: 09:12:03:268:b08 Floated Ports Orig Me:f401 Peer:f401
5-10: 09:12:03:268:b08 Floated Ports Me:9411 Peer:9411
5-10: 09:12:03:268:b08 constructing ISAKMP Header
5-10: 09:12:03:268:b08 constructing ID
5-10: 09:12:03:268:b08 Received no valid CRPs. Using all configured
5-10: 09:12:03:268:b08 Looking for IPSec only cert
5-10: 09:12:03:268:b08 failed to get chain 80092004
5-10: 09:12:03:268:b08 Looking for any cert
5-10: 09:12:03:268:b08 failed to get chain 80092004
5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee
5-10: 09:12:03:268:b08 isadb_set_status sa:000F0668 centry:00000000 status 35ee
5-10: 09:12:03:268:b08 Key Exchange Mode (Main Mode)
5-10: 09:12:03:268:b08 Source IP Address 192.168.1.2 Source IP Address Mask 255.255.255.255 Destination IP Address 202.149.x.x Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr 192.168.1.2 IKE Peer Addr 202.149.x.x
5-10: 09:12:03:268:b08 Certificate based Identity. Peer IP Address: 202.149.x.x
5-10: 09:12:03:268:b08 Me
5-10: 09:12:03:268:b08 IKE failed to find valid machine certificate
5-10: 09:12:03:268:b08 0x80092004 0x0
5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee
5-10: 09:12:03:268:b08 constructing ISAKMP Header
5-10: 09:12:03:268:b08 constructing HASH (null)
5-10: 09:12:03:268:b08 constructing NOTIFY 28
5-10: 09:12:03:268:b08 constructing HASH (Notify/Delete)
5-10: 09:12:03:268:b08
5-10: 09:12:03:268:b08 Sending: SA = 0x000F0668 to 202.149.x.x:Type 1.4500
5-10: 09:12:03:268:b08 ISAKMP Header: (V1.0), len = 84
5-10: 09:12:03:268:b08 I-COOKIE 5415e04dba12c029
5-10: 09:12:03:268:b08 R-COOKIE 23ebe6fb7bc0825f
5-10: 09:12:03:268:b08 exchange: ISAKMP Informational Exchange
5-10: 09:12:03:268:b08 flags: 1 ( encrypted )
5-10: 09:12:03:268:b08 next payload: HASH
5-10: 09:12:03:268:b08 message ID: 04eea425
5-10: 09:12:03:268:b08 Ports S:9411 D:9411
5-10: 09:12:13:322:b08
5-10: 09:12:13:332:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
5-10: 09:12:13:332:b08 ISAKMP Header: (V1.0), len = 228
5-10: 09:12:13:332:b08 I-COOKIE 5415e04dba12c029
5-10: 09:12:13:332:b08 R-COOKIE 23ebe6fb7bc0825f
5-10: 09:12:13:332:b08 exchange: Oakley Main Mode
5-10: 09:12:13:332:b08 flags: 0
5-10: 09:12:13:332:b08 next payload: KE
5-10: 09:12:13:332:b08 message ID: 00000000
5-10: 09:12:13:332:b08 received an unencrypted packet when crypto active
5-10: 09:12:13:332:b08 GetPacket failed 35ec
5-10: 09:12:33:321:b08
5-10: 09:12:33:321:b08 Receive: (get) SA = 0x000f0668 from 202.149.x.x.500
5-10: 09:12:33:321:b08 ISAKMP Header: (V1.0), len = 228
5-10: 09:12:33:321:b08 I-COOKIE 5415e04dba12c029
5-10: 09:12:33:321:b08 R-COOKIE 23ebe6fb7bc0825f
5-10: 09:12:33:321:b08 exchange: Oakley Main Mode
5-10: 09:12:33:321:b08 flags: 0
5-10: 09:12:33:321:b08 next payload: KE
5-10: 09:12:33:321:b08 message ID: 00000000
5-10: 09:12:33:321:b08 received an unencrypted packet when crypto active
5-10: 09:12:33:321:b08 GetPacket failed 35ec
The logs are below
Paul Wouters <paul at xelerance.com> wrote:
On Mon, 9 May 2005, Deepak Naidu wrote:
> C:\ipsec>ping 192.168.2.234
> Pinging 192.168.2.234 with 32 bytes of data:
> Negotiating IP Security.
> Request timed out.
> Request timed out.
> Request timed out.
> Ping statistics for 192.168.2.234:
> Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Check the oakley.log to see what Windows thinks is happening. And
check the openswan logs to see what it is saying. Though likely,
if this is a windows misconfiguration, openswan will just log
"no response to....." entries.
See the wiki on how to enable oakley.log on windows.
Paul
>
> Deepak Naidu wrote:
> Hi,
>
> I am using Openswan 2.3.1 VPN server on FC3
> 2.6.9smp kernel. It is behind a NAT and I have natted
> ports 4500, and 500. The issue is when using
> l2tpd+x509cert from Winxp with VPN dialer is working
> fine. But when using Mullers' ipsec.exe tool, with
> the below configs in the ipsec.conf of Winxp pc.... I
> am unable to ping my network.. It doesn't even give a
> negotiating message, but host unreachable....
>
> Should I have to write some more firewall rules to
> open the ports in my NAT?
>
> I have SP2 with support tools and ipseccmd.exe file..
>
> Winxp is a roadwarrior on dialup...
>
> Please advise me...
>
> Ipsec.conf on Winxp...
>
> conn roadwarrior
> pfs=yes
> left=%any
> right=202.x.x.x
> rightsubnet=192.168.2.0/24
> rightca="C=IN, S=state, L=location, O=company,
> OU=IT, CN=name, E=name at company.com"
> network=auto
> auto=start
>
>
> Regards,
> Deepak.
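An added example, not from the thread or from Openswan: a small Python triage script for the oakley.log format shown above. It assumes the line layout seen in that log (date, time, thread id, message) and the well-known Windows meanings of 0x80092004 and status 35ee; the sample excerpt is constructed, with the peer address replaced by a documentation IP.

```python
import re
# oakley.log line format, as in the log above: "M-D: HH:MM:SS:ms:threadid message"
LINE_RE = re.compile(r"^\d+-\d+: \d+:\d+:\d+:\d+:[0-9a-f]+\s?(?P<msg>.*)$")

# Well-known Windows codes seen in this log (from the Win32/CryptoAPI error lists, not the thread)
IKE_STATUS = {0x35EE: "ERROR_IPSEC_IKE_NO_CERT: no usable machine certificate"}
CRYPT_STATUS = {0x80092004: "CRYPT_E_NOT_FOUND: certificate chain not found"}

def decode_port(hexport):
    """oakley.log prints UDP ports as little-endian hex: f401 -> 500, 9411 -> 4500."""
    return int.from_bytes(bytes.fromhex(hexport), "little")

def triage(log_text):
    """Summarise how far the IKE Main Mode negotiation got and why it stopped."""
    r = {"phase1_accepted": False, "peer_behind_nat": False, "floated_port": None,
         "cert_error": None, "failure_status": None, "reason": None, "stale_replies": 0}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue          # skip anything that is not a trace line
        msg = m["msg"]
        fail = re.match(r"ProcessFailure: .*status:([0-9a-f]+)", msg)
        if msg.startswith("Phase 1 SA accepted"):
            r["phase1_accepted"] = True
        elif msg == "Peer behind NAT":
            r["peer_behind_nat"] = True
        elif msg.startswith("Floated Ports Me:"):       # NAT-T switch 500 -> 4500
            r["floated_port"] = decode_port(msg.split("Me:")[1].split()[0])
        elif msg.startswith("failed to get chain"):
            code = int(msg.rsplit(" ", 1)[1], 16)
            r["cert_error"] = CRYPT_STATUS.get(code, "0x%08x" % code)
        elif fail and r["failure_status"] is None:      # keep the first failure only
            r["failure_status"] = int(fail[1], 16)
            r["reason"] = IKE_STATUS.get(r["failure_status"], "unknown status")
        elif msg.startswith("received an unencrypted packet"):
            r["stale_replies"] += 1                     # peer still retransmitting MM
    return r

# Constructed excerpt in the same format (peer address replaced by a documentation IP).
SAMPLE_LOG = """\
5-10: 09:12:03:47:b08 Sending: SA = 0x000F0668 to 203.0.113.5:Type 2.500
5-10: 09:12:03:107:b08 Phase 1 SA accepted: transform=1
5-10: 09:12:03:268:b08 Peer behind NAT
5-10: 09:12:03:268:b08 Floated Ports Me:9411 Peer:9411
5-10: 09:12:03:268:b08 failed to get chain 80092004
5-10: 09:12:03:268:b08 ProcessFailure: sa:000F0668 centry:00000000 status:35ee
5-10: 09:12:13:332:b08 received an unencrypted packet when crypto active
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

On the log in this thread the summary shows Phase 1 proposal accepted and NAT-T ports floated to 4500, then a stop at certificate lookup on the Windows side, so the firewall rules on the NAT are not where the negotiation breaks.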