[Openswan Users] WLAN IPsec implementation

Zach zach at zerobit.net
Sat May 14 17:14:21 CEST 2005


Did a little more testing myself and found out that with plutodebug=all in
2.3.1 I get:

cat /var/log/auth.log | grep -i "assertion"
May 13 10:51:08 localhost pluto[13383]: "wireless"[2] 192.168.2.2 #3:
ASSERTION FAILED at crypto.c:219: st->st_new_iv_len >= e->enc_blocksize



In 2.3.0 with plutodebug=none I get similar results to the same in 2.3.1
("established" security association that just gets inexplicably deleted).
Again with 2.3.0 plutodebug=all I get an assertion failed. However in a
different .c file.

cat /var/log/auth.log | grep -i "assertion"
May 14 16:01:53 localhost pluto[2944]: "wireless"[1] 192.168.2.3 #2:
ASSERTION FAILED at demux.c:1799: STATE_IKE_FLOOR <= from_state &&
from_state <= STATE_IKE_ROOF

I've since turned x509 cert auth off, opting for PSK instead to reduce some
complexity in my configuration. Anyone have any ideas what this could be?
I'm assuming it's something on my machine and not the code, but I haven't a
clue beyond that assumption.

------------------------------------------------
PGP public key:
http://www.zerobit.net/zach.asc
 
KeyID:
0x98DEBD82 
 
-----Original Message-----
From: Zach [mailto:zach at zerobit.net] 
Sent: Friday, May 13, 2005 11:28 AM
To: 'Jacco de Leeuw'; users at openswan.org; 'Paul Wouters'
Cc: zach at zerobit.net
Subject: RE: [Openswan Users] WLAN IPsec implementation

Jacco, Paul thanks for the responses. Here's a diagram (a rather bad one, my
ASCII skills are lacking  =D ) of the network.

       /-Eth1(192.168.2.1/24)---Access Point*---Notebook(.2)  
Ubuntu
	 \-Eth0---|
		    |
                |-Wired LAN---Router-----Internet

*Eth1 plugged into LAN side of access point.

I tried implementing some of you all's suggestions, like taking out the
leftsubnet= statement, which was in there cause this config was copied over
from another Openswan setup I've got that would only work with it set like
that, dunno why. I also removed virtual_private=, and nat_traversal=. I've
managed to get a seg fault in 2.3.1 I'll paste it below.

May 13 10:51:08 localhost pluto[13383]: "wireless"[2] 192.168.2.2 #3:
ASSERTION FAILED at crypto.c:219: st->st_new_iv_len >= e->enc_blocksize

So I went back to 2.3.0 - and killed detailed logging. Here's what I've got
now.

May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1:
responding to Main Mode from unknown peer 192.168.2.2
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=US, ST=TX, L=Dallas, O=Athena, OU=VPN,
CN=zach, E=zach at zerobit.net'
May 13 11:11:06 localhost pluto[19937]: "wireless"[1] 192.168.2.2 #1: no crl
from issuer "C=US, ST=TX, L=Dallas, O=Athena, OU=CA, CN=root,
E=root at athena.zerobit.net" found (strict=no)
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1:
deleting connection "wireless" instance with peer 192.168.2.2
{isakmp=#0/ipsec=#0}
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1: I am
sending my cert
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1: sent
MR3, ISAKMP SA established
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
responding to Quick Mode
May 13 11:11:06 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2: IPsec
SA established {ESP=>0x4d2ac50c <0x3c495da2}
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #1:
received Delete SA payload: deleting ISAKMP State #1
May 13 11:11:07 localhost pluto[19937]: packet from 192.168.2.2:500:
received and ignored informational message
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2: next
payload type of ISAKMP Hash Payload has an unknown value: 159
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
malformed payload in packet
May 13 11:11:07 localhost pluto[19937]: "wireless"[2] 192.168.2.2 #2:
sending notification PAYLOAD_MALFORMED to 192.168.2.2:500

Seems as though the SA's being established, but something happens to kill
it?

Here's what my config file looks like after the changes.

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
# Add connections here


        # Left security gateway, subnet behind it, next hop toward right.
conn %default
        left=192.168.2.1
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=host.cert.pem


conn wireless
        leftprotoport=17/1701
        rightprotoport=17/1701
        pfs=no
        rekey=no
        right=%any
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Also, I have pfs=no cause I didn't think the XP client did Perfect Forward
Security I'd love to use it But Mr. Gates said no   =D. The rekey=no was
added because of some problems I was having with Openswan re-keying (and
subsequently killing the connection) with XP/2000 connections on my other
Openswan implementation. It looks like with it off the XP client initiates a
rekey every hour or so and stays connected. But this was a while ago and I
can't remember what version of Openswan I was using. 
 
------------------------------------------------
PGP public key:
http://www.zerobit.net/zach.asc
 
KeyID:
0x98DEBD82 
 
-----Original Message-----
From: Jacco de Leeuw [mailto:jacco2 at dds.nl] 
Sent: Friday, May 13, 2005 3:43 AM
To: users at openswan.org
Subject: Re: [Openswan Users] WLAN IPsec implementation

Zach wrote:

> Hello everyone, I'm having a difficult time setting up a VPN connection 
> between my XP2/SP2 notebook and Ubuntu box running Openswan 2.3.1
> config setup
> 
>  # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>  klipsdebug=none
>  plutodebug=all

Normally plutodebug=all is not needed. Most problems are simply due to
a configuration error.

>  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

You need to exclude your internal subnet here. Add this:
... ,%v4:!192.168.2.0/24

Assuming that this is indeed your internal subnet. But I don't think this
is the cause of the problem. You are probably not doing NAT on your WLAN,
right?

> conn %default
>         left=192.168.2.1
>         leftsubnet=192.168.2.1/32

This leftsubnet= probably confuses the conn wireless.
Could you remove it?

> conn wireless
>         leftprotoport=17/1701
>         rightprotoport=17/1701
>         pfs=no
>         rekey=no
>         right=%any
>         rightsubnet=vhost:%no,%priv
>         auto=add

rekey=no? Why is that?

> conn conntointernet
>         leftsubnet=0.0.0.0/0
>         also=wireless

This won't work with L2TP over IPsec. Once the packets are
delivered to the L2TP daemon, Openswan is not involved anymore.
So L2TP/PPP will have to do the forwarding to Internet.

Could you decribe your setup with a diagram or something? Is your
Ubuntu box behind a firewall? Remember, no L2TP daemon should be
accessible from the Internet for obvious security reasons.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl




More information about the Users mailing list