[Openswan Users] WLAN IPsec implementation

Zach zach at zerobit.net
Fri May 13 12:27:36 CEST 2005 

Jacco, Paul thanks for the responses. Here's a diagram (a rather bad one, my
ASCII skills are lacking  =D ) of the network.

       /-Eth1(192.168.2.1/24)---Access Point*---Notebook(.2)  
Ubuntu
	 \-Eth0---|
		    |
                |-Wired LAN---Router-----Internet

*Eth1 plugged into LAN side of access point.

I tried implementing some of you all's suggestions, like taking out the
leftsubnet= statement, which was in there cause this config was copied over
from another Openswan setup I've got that would only work with it set like
that, dunno why. I also removed virtual_private=, and nat_traversal=. I've
managed to get a seg fault in 2.3.1 I'll paste it below.

May 13 10:51:08 localhost pluto[13383]: "wireless"[2] 192.168.2.2 #3:
ASSERTION FAILED at crypto.c:219: st->st_new_iv_len >= e->enc_blocksize

So I went back to 2.3.0 - and killed detailed logging. Here's what I've got
now.

May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1:
responding to Main Mode from unknown peer 192.168.2.2
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=TX, L=Dallas, O=Athena, OU=VPN,
CN=zach, E=zach at zerobit.net'
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1: no crl
from issuer "C=US, ST=TX, L=Dallas, O=Athena, OU=CA, CN=root,
E=root at athena.zerobit.net" found (strict=no)
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1:
deleting connection "wireless" instance with peer 192.168.2.2
{isakmp=#0/ipsec=#0}
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1: I am
sending my cert
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1: sent
MR3, ISAKMP SA established
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
responding to Quick Mode
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2: IPsec
SA established {ESP=>0x4d2ac50c <0x3c495da2}
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1:
received Delete SA payload: deleting ISAKMP State #1
May 13 11:11:07 localhost pluto[19937]: packet from 192.168.2.2:500:
received and ignored informational message
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2: next
payload type of ISAKMP Hash Payload has an unknown value: 159
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
malformed payload in packet
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
sending notification PAYLOAD_MALFORMED to 192.168.2.2:500

Seems as though the SA's being established, but something happens to kill
it?

Here's what my config file looks like after the changes.

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
# Add connections here


        # Left security gateway, subnet behind it, next hop toward right.
conn %default
        left=192.168.2.1
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=host.cert.pem


conn wireless
        leftprotoport=17/1701
        rightprotoport=17/1701
        pfs=no
        rekey=no
        right=%any
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Also, I have pfs=no cause I didn't think the XP client did Perfect Forward
Security I'd love to use it But Mr. Gates said no   =D. The rekey=no was
added because of some problems I was having with Openswan re-keying (and
subsequently killing the connection) with XP/2000 connections on my other
Openswan implementation. It looks like with it off the XP client initiates a
rekey every hour or so and stays connected. But this was a while ago and I
can't remember what version of Openswan I was using. 
 
------------------------------------------------
PGP public key:
http://www.zerobit.net/zach.asc
 
KeyID:
0x98DEBD82 
 
-----Original Message-----
From: Jacco de Leeuw [mailto:jacco2 at dds.nl] 
Sent: Friday, May 13, 2005 3:43 AM
To: users at openswan.org
Subject: Re: [Openswan Users] WLAN IPsec implementation

Zach wrote:

> Hello everyone, I'm having a difficult time setting up a VPN connection 
> between my XP2/SP2 notebook and Ubuntu box running Openswan 2.3.1
> config setup
> 
>  # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>  klipsdebug=none
>  plutodebug=all

Normally plutodebug=all is not needed. Most problems are simply due to
a configuration error.

>  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

You need to exclude your internal subnet here. Add this:
... ,%v4:!192.168.2.0/24

Assuming that this is indeed your internal subnet. But I don't think this
is the cause of the problem. You are probably not doing NAT on your WLAN,
right?

> conn %default
>         left=192.168.2.1
>         leftsubnet=192.168.2.1/32

This leftsubnet= probably confuses the conn wireless.
Could you remove it?

> conn wireless
>         leftprotoport=17/1701
>         rightprotoport=17/1701
>         pfs=no
>         rekey=no
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         auto=add

rekey=no? Why is that?

> conn conntointernet
>         leftsubnet=0.0.0.0/0
>         also=wireless

This won't work with L2TP over IPsec. Once the packets are
delivered to the L2TP daemon, Openswan is not involved anymore.
So L2TP/PPP will have to do the forwarding to Internet.

Could you decribe your setup with a diagram or something? Is your
Ubuntu box behind a firewall? Remember, no L2TP daemon should be
accessible from the Internet for obvious security reasons.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl

More information about the Users mailing list