[Openswan Users] freeswan and openswan
Giovani Moda - MR Informática
giovani at mrinformatica.com.br
Wed Nov 23 16:00:12 CET 2005
Hi again folks.
I need to interoperate a freeswan-1.99 with openswan-2.4.4. Believe me, it was
NOT my choice. Is there any way to do that?
I can successfully establish a tunnel between them, but I can't get any
traffic to go through it. It seems to me that the openswan side won't route
the packets into the KLIPS interface for some reason. At the freeswan side,
it "appears" to go through, considering that at the openswan side, the
firewall complains about blocking packet forwarding from the internal interface
to ipsec0. I mean, it tries to answer the ping, but it gets stuck. The
other way around, I got nothing at all. Not even complaints from the
firewall. Disabling the firewall won't change a thing. Also I get nothing when
tcpdumping the KLIPS interface on both sides.
Here are the logs:
openswan
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: initiating Main Mode
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: I did not send a certificate because I do not have one.
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: Main mode peer ID is ID_FQDN: '@inet2.local'
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5a871da7 <0x1f789391 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x1f789391) not found (our SPI - bogus implementation)
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: received and ignored informational message
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x531efe03) not found (maybe expired)
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: received and ignored informational message
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x531efe02) not found (maybe expired)
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: received and ignored informational message
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: responding to Main Mode
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: Main mode peer ID is ID_FQDN: '@inet2.local'
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: I did not send a certificate because I do not have one.
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #4: responding to Quick Mode {msgid:9cf8dea0}
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xe5c91831 <0x1f789392 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
freeswan
Nov 23 15:51:13 inet2 pluto[5321]: "net-to-net" #1: initiating Main Mode
Nov 23 15:51:13 inet2 pluto[5321]: "net-to-net" #1: ignoring Vendor ID payload
Nov 23 15:51:13 inet2 pluto[5321]: "net-to-net" #1: ignoring Vendor ID payload
Nov 23 15:51:13 inet2 pluto[5321]: "net-to-net" #1: Peer ID is ID_FQDN: '@inet.local'
Nov 23 15:51:13 inet2 pluto[5321]: "net-to-net" #1: ISAKMP SA established
Nov 23 15:51:13 inet2 pluto[5321]: "net-to-net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
Nov 23 15:51:13 inet2 pluto[5321]: "net-to-net" #2: sent QI2, IPsec SA established
And the configs:
openswan
config setup
	klipsdebug=none
	plutodebug=none
	interfaces="ipsec0=eth0"
	uniqueids=yes
conn %default
	keyingtries=0
	compress=no
	disablearrivalcheck=no
	authby=rsasig
	esp=3des
conn net-to-net
	left=A.B.C.D
	leftnexthop=A.B.C.E
	leftsubnet=10.0.0.0/8
	leftid=@inet2.local
	leftrsasigkey=...
	right=F.G.H.I
	rightnexthop=F.G.H.J
	rightsubnet=192.168.0.0/24
	rightid=@inet.local
	rightrsasigkey=...
	auto=start
freeswan
config setup
	interfaces="ipsec0=eth0"
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes
conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	compress=no
	esp=3des
conn net-to-net
	left=A.B.C.D
	leftnexthop=A.B.C.E
	leftsubnet=10.0.0.0/8
	leftid=@inet2.local
	leftrsasigkey=...
	right=F.G.H.I
	rightnexthop=F.G.H.J
	rightsubnet=192.168.0.0/24
	rightid=@inet.local
	rightrsasigkey=...
	auto=start
Has anyone tried such a dumb configuration before? I REALLY don't wanna have
to downgrade one of my servers because of this.
Thanks, and sorry for the long post.
Giovani
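Added example, not part of the post and not Openswan or FreeS/WAN code: a small Python script that reconstructs the IPsec SA timeline from pluto log records like the ones above. It flags a Delete payload naming an SPI this side had just installed (the "bogus implementation" record) and the fact that both ends initiated Quick Mode for the same conn, leaving two IPsec SAs in place. The regular expressions are my own and match only the record shapes seen in this log; the sample records are copied from the post with the mail wrapping removed.

```python
import re

# Constructed sample, shaped like the Openswan (vpn1) log in the post, mail wrapping rejoined.
SAMPLE_LOG = """\
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Nov 23 15:49:31 vpn1 pluto[9756]: "net-to-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x5a871da7 <0x1f789391 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x1f789391) not found (our SPI - bogus implementation)
Nov 23 15:49:33 vpn1 pluto[9756]: "net-to-net" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x531efe03) not found (maybe expired)
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #4: responding to Quick Mode {msgid:9cf8dea0}
Nov 23 15:49:35 vpn1 pluto[9756]: "net-to-net" #4: STATE_QUICK_R2: IPsec SA established {ESP=>0xe5c91831 <0x1f789392 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

# One pluto record: syslog timestamp, host, conn name, state number, message (own regexes).
RE_LINE = re.compile(r'^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
RE_SA = re.compile(r'IPsec SA established \{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<inb>[0-9a-f]+)')
RE_DEL = re.compile(r'ignoring Delete SA payload: PROTO_IPSEC_ESP '
                    r'SA\(0x(?P<spi>[0-9a-f]+)\) not found \((?P<why>[^)]+)\)')

def parse(log):
    """Return (seconds, conn, state#, kind, data) for SA-installed and Delete events."""
    events = []
    for line in log.splitlines():
        m = RE_LINE.match(line)
        if not m: continue
        secs = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3])
        msg, st = m['msg'], int(m['st'])
        if sa := RE_SA.search(msg):
            role = 'initiator' if 'STATE_QUICK_I' in msg else 'responder'
            events.append((secs, m['conn'], st, 'established',
                           {'out': sa['out'], 'in': sa['inb'], 'role': role}))
        elif d := RE_DEL.search(msg):
            events.append((secs, m['conn'], st, 'delete', {'spi': d['spi'], 'why': d['why']}))
    return events

def findings(log):
    """Flag Deletes that name an SPI this side installed, and dual initiation."""
    ours, out, roles = {}, [], set()   # ours: inbound SPI -> (time, state#) we installed
    for t, conn, st, kind, data in parse(log):
        if kind == 'established':
            ours[data['in']] = (t, st)
            roles.add(data['role'])
        elif kind == 'delete' and data['spi'] in ours:
            t0, st0 = ours[data['spi']]
            out.append(f"{conn}: peer deleted our inbound SPI 0x{data['spi']} "
                       f"(state #{st0}) {t - t0}s after it was installed: {data['why']}")
    if roles == {'initiator', 'responder'}:
        out.append('both ends initiated Quick Mode (auto=start on both sides), '
                   'so two IPsec SAs were installed for the same conn')
    return out
```

Run `findings(SAMPLE_LOG)` against the full vpn1 log to see the same two findings; feeding it the inet2 log shows no Delete hits because FreeS/WAN 1.99 does not print the SPIs.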