[Openswan Users] Small Amounts of Traffic Only STILL
Phillip T. George
phillip at eacsi.com
Tue May 10 11:23:03 CEST 2005
Okay people,
I'm still having a problem with only being able to get small amounts of
traffic through the VPN. I'm going to provide a bit more information and
hope that someone can see the problem, because this is really getting
frustrating.
Internet connection: LEFT is using Cox residential services, RIGHT is
using Cox business services ( http://www.cox.com/Tulsa )
Linux distro: Fedora Core 3
Kernel version: Linux version 2.6.10-1.770_FC3
(bhcompile at bugs.build.redhat.com) (gcc version 3.4.2 20041017 (Red Hat
3.4.2-6.fc3)) #1 Thu Feb 24 14:00:27 EST 2005
Openswan version: 2.3.1
Recently installed RPMs:
openswan-2.3.1-1.i386.rpm
openswan-doc-2.3.1-1.i386.rpm
openswan-klips-2.3.1-2.6.10_1.770_FC3_1.i386.rpm
ipsec-tools-0.5-2.fc3.i386.rpm
kernel-2.6.10-1.770_FC3.i586.rpm
kernel-doc-2.6.10-1.770_FC3.noarch.rpm
(I was up to kernel version 2.6.11-1.14_FC3, but I realized there was an
openswan-klips package specific to 2.6.10-1.770_FC3 that might do the
trick, which is why I downgraded to that version)
ipsec.conf :

version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=0

conn PHILLIPtoEACS
        authby=secret
        left=lanica.dyndns.org
        leftsubnet=192.168.192.0/24
        leftnexthop=%defaultroute
        right=70.182.220.68
        rightsubnet=192.168.0.0/24
        rightnexthop=%defaultroute
        compress=yes
        auto=start

include /etc/ipsec.d/examples/no_oe.conf
LEFT is a semi-dynamic address. I write "semi-dynamic" because the IP
doesn't really change that often. I'm actually wanting to experiment
with the IP changing a bit more for fun. I have tried listing LEFT with
the actual IP, but that didn't improve anything.
LEFT /var/log/messages
May 10 10:16:04 fire2pt5 kernel: NET: Registered protocol family 15
May 10 10:16:04 fire2pt5 ipsec_setup: KLIPS ipsec0 on eth1 68.12.232.86/255.255.248.0 broadcast 68.12.239.255
May 10 10:16:04 fire2pt5 ipsec_setup: ...Openswan IPsec started
May 10 10:16:04 fire2pt5 ipsec_setup: Starting Openswan IPsec 2.3.1...
May 10 10:16:04 fire2pt5 ipsec_setup: insmod /lib/modules/2.6.10-1.770_FC3/kernel/net/key/af_key.ko
May 10 10:16:04 fire2pt5 ipsec_setup: insmod /lib/modules/2.6.10-1.770_FC3/kernel/net/ipv4/xfrm4_tunnel.ko
May 10 10:16:05 fire2pt5 ipsec__plutorun: 104 "PHILLIPtoEACS" #1: STATE_MAIN_I1: initiate
May 10 10:16:05 fire2pt5 ipsec__plutorun: ...could not start conn "PHILLIPtoEACS"
LEFT /var/log/secure
May 10 10:16:51 fire2pt5 ipsec__plutorun: Starting Pluto subsystem...
May 10 10:16:51 fire2pt5 pluto[8101]: Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
May 10 10:16:51 fire2pt5 pluto[8101]: Setting port floating to off
May 10 10:16:51 fire2pt5 pluto[8101]: port floating activate 0/1
May 10 10:16:51 fire2pt5 pluto[8101]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 10 10:16:51 fire2pt5 pluto[8101]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 10 10:16:51 fire2pt5 pluto[8101]: starting up 1 cryptographic helpers
May 10 10:16:51 fire2pt5 pluto[8101]: started helper pid=8102 (fd:6)
May 10 10:16:51 fire2pt5 pluto[8101]: Using Linux 2.6 IPsec interface code
May 10 10:16:51 fire2pt5 pluto[8101]: Could not change to directory '/etc/ipsec.d/cacerts'
May 10 10:16:51 fire2pt5 pluto[8101]: Changing to directory '/etc/ipsec.d/aacerts'
May 10 10:16:51 fire2pt5 pluto[8101]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 10 10:16:51 fire2pt5 pluto[8101]: Could not change to directory '/etc/ipsec.d/crls'
May 10 10:16:52 fire2pt5 pluto[8101]: added connection description "PHILLIPtoEACS"
May 10 10:16:52 fire2pt5 pluto[8101]: listening for IKE messages
May 10 10:16:52 fire2pt5 pluto[8101]: adding interface eth1/eth1 68.12.232.86:500
May 10 10:16:52 fire2pt5 pluto[8101]: adding interface eth0/eth0 192.168.192.1:500
May 10 10:16:52 fire2pt5 pluto[8101]: adding interface lo/lo 127.0.0.1:500
May 10 10:16:52 fire2pt5 pluto[8101]: adding interface lo/lo ::1:500
May 10 10:16:52 fire2pt5 pluto[8101]: loading secrets from "/etc/ipsec.secrets"
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #1: initiating Main Mode
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #1: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #1: received Vendor ID payload [Dead Peer Detection]
May 10 10:16:52 fire2pt5 pluto[8101]: packet from 70.182.220.68:500: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
May 10 10:16:52 fire2pt5 pluto[8101]: packet from 70.182.220.68:500: received Vendor ID payload [Dead Peer Detection]
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: responding to Main Mode
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: packet rejected: should have been encrypted
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: sending notification INVALID_FLAGS to 70.182.220.68:500
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: failed to build notification for spisize=0
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: Main mode peer ID is ID_IPV4_ADDR: '70.182.220.68'
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: I did not send a certificate because I do not have one.
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: sent MR3, ISAKMP SA established
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #3: responding to Quick Mode {msgid:d0abf27e}
May 10 10:16:52 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 10 10:16:53 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 10 10:16:53 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #3: IPsec SA established {ESP=>0xc5e50ae5 <0xf409d6d4 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000959c <0x000029fd}
May 10 10:17:02 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: packet rejected: should have been encrypted
May 10 10:17:02 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: sending notification INVALID_FLAGS to 70.182.220.68:500
May 10 10:17:02 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: failed to build notification for spisize=0
May 10 10:17:02 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xf9677171) not found (maybe expired)
May 10 10:17:02 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: received and ignored informational message
May 10 10:17:22 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: packet rejected: should have been encrypted
May 10 10:17:22 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: sending notification INVALID_FLAGS to 70.182.220.68:500
May 10 10:17:22 fire2pt5 pluto[8101]: "PHILLIPtoEACS" #2: failed to build notification for spisize=0
RIGHT /var/log/messages
May 10 09:19:39 testimax kernel: NET: Registered protocol family 15
May 10 09:19:39 testimax ipsec_setup: KLIPS ipsec0 on eth1 70.182.220.68/255.255.255.224 broadcast 70.182.220.95
May 10 09:19:39 testimax ipsec_setup: ...Openswan IPsec started
May 10 09:19:39 testimax ipsec_setup: Starting Openswan IPsec 2.3.1...
May 10 09:19:39 testimax ipsec_setup: insmod /lib/modules/2.6.10-1.770_FC3/kernel/net/key/af_key.ko
May 10 09:19:39 testimax ipsec_setup: insmod /lib/modules/2.6.10-1.770_FC3/kernel/net/ipv4/xfrm4_tunnel.ko
May 10 09:19:41 testimax ipsec__plutorun: 104 "PHILLIPtoEACS" #1: STATE_MAIN_I1: initiate
May 10 09:19:41 testimax ipsec__plutorun: ...could not start conn "PHILLIPtoEACS"
RIGHT /var/log/secure
May 10 09:20:04 testimax ipsec__plutorun: Starting Pluto subsystem...
May 10 09:20:04 testimax pluto[7669]: Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
May 10 09:20:04 testimax pluto[7669]: Setting port floating to off
May 10 09:20:04 testimax pluto[7669]: port floating activate 0/1
May 10 09:20:04 testimax pluto[7669]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 10 09:20:04 testimax pluto[7669]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 10 09:20:04 testimax pluto[7669]: starting up 1 cryptographic helpers
May 10 09:20:04 testimax pluto[7669]: started helper pid=7670 (fd:6)
May 10 09:20:04 testimax pluto[7669]: Using Linux 2.6 IPsec interface code
May 10 09:20:05 testimax pluto[7669]: Could not change to directory '/etc/ipsec.d/cacerts'
May 10 09:20:05 testimax pluto[7669]: Changing to directory '/etc/ipsec.d/aacerts'
May 10 09:20:05 testimax pluto[7669]: Changing to directory '/etc/ipsec.d/ocspcerts'
May 10 09:20:05 testimax pluto[7669]: Could not change to directory '/etc/ipsec.d/crls'
May 10 09:20:06 testimax pluto[7669]: added connection description "PHILLIPtoEACS"
May 10 09:20:06 testimax pluto[7669]: listening for IKE messages
May 10 09:20:06 testimax pluto[7669]: adding interface eth1/eth1 70.182.220.68:500
May 10 09:20:06 testimax pluto[7669]: adding interface eth0/eth0 192.168.0.110:500
May 10 09:20:06 testimax pluto[7669]: adding interface lo/lo 127.0.0.1:500
May 10 09:20:06 testimax pluto[7669]: adding interface lo/lo ::1:500
May 10 09:20:06 testimax pluto[7669]: loading secrets from "/etc/ipsec.secrets"
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: initiating Main Mode
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: received Vendor ID payload [Dead Peer Detection]
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: I did not send a certificate because I do not have one.
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: Main mode peer ID is ID_IPV4_ADDR: '68.12.232.86'
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #1: ISAKMP SA established
May 10 09:20:06 testimax pluto[7669]: "PHILLIPtoEACS" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
May 10 09:20:08 testimax pluto[7669]: "PHILLIPtoEACS" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 10 09:20:08 testimax pluto[7669]: "PHILLIPtoEACS" #2: sent QI2, IPsec SA established {ESP=>0xcfc6435f <0x46df2a6c xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00007bd2 <0x000065ad}
May 10 09:20:18 testimax pluto[7669]: "PHILLIPtoEACS" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xaefaf390) not found (maybe expired)
May 10 09:20:18 testimax pluto[7669]: "PHILLIPtoEACS" #1: received and ignored informational message
Ping test results (RIGHT client to LEFT client):
>ping 192.168.192.10
Pinging 192.168.192.10 with 32 bytes of data:
Reply from 192.168.192.10: bytes=32 time=22ms TTL=126
Reply from 192.168.192.10: bytes=32 time=22ms TTL=126
Reply from 192.168.192.10: bytes=32 time=22ms TTL=126
Reply from 192.168.192.10: bytes=32 time=20ms TTL=126
Ping statistics for 192.168.192.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 22ms, Average = 21ms
[C:\Documents and Settings\EACSI]
>ping 192.168.192.10 -l 60
Pinging 192.168.192.10 with 60 bytes of data:
Reply from 192.168.192.10: bytes=60 time=17ms TTL=126
Reply from 192.168.192.10: bytes=60 time=20ms TTL=126
Reply from 192.168.192.10: bytes=60 time=30ms TTL=126
Reply from 192.168.192.10: bytes=60 time=18ms TTL=126
Ping statistics for 192.168.192.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 30ms, Average = 21ms
[C:\Documents and Settings\EACSI]
>ping 192.168.192.10 -l 64
Pinging 192.168.192.10 with 64 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.192.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Ping test results (RIGHT firewall to LEFT client):
[root at testimax ~]# ping -I 192.168.0.110 192.168.192.10 -w 4
PING 192.168.192.10 (192.168.192.10) from 192.168.0.110 : 56(84) bytes of data.
64 bytes from 192.168.192.10: icmp_seq=0 ttl=127 time=20.2 ms
64 bytes from 192.168.192.10: icmp_seq=1 ttl=127 time=19.1 ms
64 bytes from 192.168.192.10: icmp_seq=2 ttl=127 time=17.7 ms
64 bytes from 192.168.192.10: icmp_seq=3 ttl=127 time=18.8 ms
--- 192.168.192.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 17.768/19.014/20.258/0.891 ms, pipe 2
[root at testimax ~]# ping -I 192.168.0.110 192.168.192.10 -w 4 -s 64
PING 192.168.192.10 (192.168.192.10) from 192.168.0.110 : 64(92) bytes of data.
72 bytes from 192.168.192.10: icmp_seq=0 ttl=127 time=18.5 ms
72 bytes from 192.168.192.10: icmp_seq=1 ttl=127 time=33.7 ms
72 bytes from 192.168.192.10: icmp_seq=2 ttl=127 time=26.9 ms
72 bytes from 192.168.192.10: icmp_seq=3 ttl=127 time=22.5 ms
--- 192.168.192.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 18.530/25.429/33.776/5.658 ms, pipe 2
[root at testimax ~]# ping -I 192.168.0.110 192.168.192.10 -w 4 -s 128
PING 192.168.192.10 (192.168.192.10) from 192.168.0.110 : 128(156) bytes of data.
136 bytes from 192.168.192.10: icmp_seq=0 ttl=127 time=32.3 ms
136 bytes from 192.168.192.10: icmp_seq=1 ttl=127 time=18.2 ms
136 bytes from 192.168.192.10: icmp_seq=2 ttl=127 time=20.8 ms
136 bytes from 192.168.192.10: icmp_seq=3 ttl=127 time=19.9 ms
--- 192.168.192.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 18.257/22.873/32.378/5.569 ms, pipe 2
[root at testimax ~]# ping -I 192.168.0.110 192.168.192.10 -w 4 -s 256
PING 192.168.192.10 (192.168.192.10) from 192.168.0.110 : 256(284) bytes of data.
264 bytes from 192.168.192.10: icmp_seq=0 ttl=127 time=20.2 ms
264 bytes from 192.168.192.10: icmp_seq=1 ttl=127 time=24.4 ms
264 bytes from 192.168.192.10: icmp_seq=2 ttl=127 time=29.5 ms
264 bytes from 192.168.192.10: icmp_seq=3 ttl=127 time=32.6 ms
--- 192.168.192.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 20.219/26.709/32.662/4.767 ms, pipe 2
[root at testimax ~]# ping -I 192.168.0.110 192.168.192.10 -w 4 -s 1024
PING 192.168.192.10 (192.168.192.10) from 192.168.0.110 : 1024(1052) bytes of data.
--- 192.168.192.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
ANY suggestions would be helpful!
Thanks,
Phillip
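The ping tests in the post step the ICMP payload size by hand (60 works, 64 fails from the Windows client; 256 works, 1024 fails from the firewall), which is the usual way to find the largest packet a tunnel will carry. The script below is an added example written for this page, not code from the post or from the Openswan project: it parses the Windows and Linux ping summary lines quoted above (the sample strings are constructed from them), binary-searches the payload-size boundary instead of probing sizes one at a time, and computes the worst-case wire size of an ESP tunnel-mode packet for the AES-CBC/HMAC-SHA1 SA shown in the logs so the boundary can be compared with a 1500-byte link MTU. The IPCOMP SA that the logs also show is ignored in the size estimate, the `simulated_ping_ok` function and its 1500-byte MTU are hypothetical stand-ins for a real probe, and `system_ping_ok` assumes a Linux `ping` with the same `-s`/`-I` flags the post uses.

```python
import re
import subprocess
from typing import Callable, Optional, Tuple

# Constructed sample output, abbreviated from the ping transcripts quoted in the post.
WINDOWS_OK = """Pinging 192.168.192.10 with 60 bytes of data:
Reply from 192.168.192.10: bytes=60 time=17ms TTL=126
Ping statistics for 192.168.192.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
WINDOWS_FAIL = """Pinging 192.168.192.10 with 64 bytes of data:
Request timed out.
Ping statistics for 192.168.192.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""
LINUX_OK = """--- 192.168.192.10 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
"""
LINUX_FAIL = """--- 192.168.192.10 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
"""

_WIN_SUMMARY = re.compile(r"Sent = (\d+), Received = (\d+)")
_LINUX_SUMMARY = re.compile(r"(\d+) packets transmitted, (\d+) received")


def parse_ping(output: str) -> Optional[Tuple[int, int]]:
    """Return (sent, received) from Windows or Linux ping output, None if neither summary is found."""
    m = _WIN_SUMMARY.search(output) or _LINUX_SUMMARY.search(output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def esp_tunnel_size(inner_len: int) -> int:
    """Worst-case on-the-wire size of an ESP tunnel-mode packet carrying an inner IP packet of
    inner_len bytes with AES-CBC (16-byte IV, 16-byte blocks) and HMAC-SHA1-96 (12-byte ICV).
    IPCOMP, which the post's SA also negotiates, is deliberately left out (assumption)."""
    outer_ip, spi_seq, iv, icv = 20, 8, 16, 12
    # pad-length and next-header bytes, then round up to a whole cipher block
    padded = -(-(inner_len + 2) // 16) * 16
    return outer_ip + spi_seq + iv + padded + icv


def largest_working(ping_ok: Callable[[int], bool], lo: int, hi: int) -> Optional[int]:
    """Binary search for the largest payload size in [lo, hi] that ping_ok accepts, assuming
    that once a size fails every larger size also fails (the pattern seen in the post)."""
    if not ping_ok(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if ping_ok(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_ping_ok(payload: int, link_mtu: int = 1500) -> bool:
    """Hypothetical stand-in for a real ping: the echo gets through only if the ESP-wrapped
    packet (20-byte IP header + 8-byte ICMP header + payload inside) fits the link MTU."""
    return esp_tunnel_size(20 + 8 + payload) <= link_mtu


def system_ping_ok(host: str, payload: int, count: int = 4, source: Optional[str] = None) -> bool:
    """Real Linux probe using the same -s (payload size) and -I (source) flags as the post."""
    cmd = ["ping", "-c", str(count), "-W", "2", "-s", str(payload)]
    if source:
        cmd += ["-I", source]
    cmd.append(host)
    result = parse_ping(subprocess.run(cmd, capture_output=True, text=True).stdout)
    return result is not None and result[0] > 0 and result[1] == result[0]


if __name__ == "__main__":
    for label, text in (("windows 60", WINDOWS_OK), ("windows 64", WINDOWS_FAIL),
                        ("linux 256", LINUX_OK), ("linux 1024", LINUX_FAIL)):
        print(label, parse_ping(text))
    print("ESP size of a 56-byte-payload ping:", esp_tunnel_size(84))
    print("largest payload over the simulated tunnel:", largest_working(simulated_ping_ok, 0, 1500))
```

Against the simulated tunnel the search settles on a 1410-byte payload (1438-byte inner packet, 1496 bytes once wrapped), eleven probes instead of the dozens a linear sweep would take; to run it against a real peer, pass `lambda n: system_ping_ok(host, n, source=addr)` as `ping_ok` and compare the result with the link MTU minus the overhead `esp_tunnel_size` reports.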