[Openswan Users] Openswan / SSH Sentinel problems

Philip Pemberton philpem at dsl.pipex.com
Fri Nov 25 23:51:13 CET 2005


Hi,
  I've got an Openswan VPN set up between my firewall/router and a laptop
(via a wireless access point). For some reason, though, if I run SSH
Sentinel's diagnostics, I get this in /var/log/secure:

----------8<----------
root at polaris:~# tail /var/log/secure
Nov 25 23:13:52 polaris pluto[4265]: "roadwarrior"[1] 10.1.0.16 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 25 23:13:52 polaris pluto[4265]: "roadwarrior"[1] 10.1.0.16 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 25 23:13:53 polaris pluto[4265]: "roadwarrior"[1] 10.1.0.16 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 25 23:13:53 polaris pluto[4265]: "roadwarrior"[1] 10.1.0.16 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, ST=West Yorkshire, L=Leeds, O=Philpem VPN, CN=Philip Pemberton, E=philpem at dsl.pipex.com'
Nov 25 23:13:53 polaris pluto[4265]: "roadwarrior"[2] 10.1.0.16 #1: deleting connection "roadwarrior" instance with peer 10.1.0.16 {isakmp=#0/ipsec=#0}
Nov 25 23:13:53 polaris pluto[4265]: "roadwarrior"[2] 10.1.0.16 #1: I am sending my cert
Nov 25 23:13:53 polaris pluto[4265]: "roadwarrior"[2] 10.1.0.16 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 25 23:13:53 polaris pluto[4265]: "roadwarrior"[2] 10.1.0.16 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_md5 group=modp1024}
Nov 25 23:13:54 polaris pluto[4265]: "roadwarrior"[2] 10.1.0.16 #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.1.0.1[C=GB, ST=West Yorkshire, L=Leeds, O=Philpem VPN, CN=Polaris VPN server, E=vpn at philpem.me.uk]...10.1.0.16[C=GB, ST=West Yorkshire, L=Leeds, O=Philpem VPN, CN=Philip Pemberton, E=philpem at dsl.pipex.com]===127.0.0.1/32
Nov 25 23:13:54 polaris pluto[4265]: "roadwarrior"[2] 10.1.0.16 #1: sending encrypted notification INVALID_ID_INFORMATION to 10.1.0.16:500
----------8<----------

... and the diagnostic fails with the error "IKE Phase-2 / Exchanging IPSec
Proposals FAILED". If I connect normally (using "Select VPN"), I get this in
/var/log/secure:

----------8<----------
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior"[2] 10.1.0.16 #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior"[2] 10.1.0.16 #3: Main mode peer ID is ID_DER_ASN1_DN: 'C=GB, ST=West Yorkshire, L=Leeds, O=Philpem VPN, CN=Philip Pemberton, E=philpem at dsl.pipex.com'
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior"[2] 10.1.0.16 #3: I am sending my cert
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior"[2] 10.1.0.16 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior"[2] 10.1.0.16 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior-all"[1] 10.1.0.16 #4: responding to Quick Mode {msgid:db287de1}
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior-all"[1] 10.1.0.16 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 25 23:47:47 polaris pluto[3482]: "roadwarrior-all"[1] 10.1.0.16 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 25 23:47:48 polaris pluto[3482]: "roadwarrior-all"[1] 10.1.0.16 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 25 23:47:48 polaris pluto[3482]: "roadwarrior-all"[1] 10.1.0.16 #4: STATE_QUICK_R2: IPsec SA established {ESP=>0x52b10880 <0x566c1cb2 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
----------8<----------

... and the connection succeeds (?!).

Here's my ipsec.conf:

----------8<----------
## based on http://www.natecarlson.com/linux/ipsec-x509.php

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth1"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior-net
        leftsubnet=10.1.0.0/16
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        pfs=no
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        pfs=no
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        left=10.1.0.1
        leftcert=host.polaris.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
----------8<----------

Does anyone have any idea what might be going on?

Thanks.
-- 
Phil.                              | Acorn RiscPC600 SA220 64MB+6GB 100baseT
philpem at philpem.me.uk              | Athlon64 3200+ A8VDeluxe R2 512MB+100GB
http://www.philpem.me.uk/          | Panasonic CF-25 Mk.2 Toughbook
... Outlaw junk mail, and save the trees!
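The pluto line that matters in the first log is the one reading "cannot respond to IPsec SA request because no connection is known for ...". It prints the Phase 2 selectors the client proposed, and whether any conn matches depends on the rightsubnet=vhost:%no,%priv setting and the virtual_private list in ipsec.conf. The script below is an added example written for this page, not code from the post or from Openswan: it parses that log line, extracts the proposed subnets and peer addresses, and checks the right-hand subnet against the two things vhost allows. It assumes Openswan's vhost semantics (%no permits the peer's own host address, %priv permits anything inside virtual_private), and the conn table and the second sample line are constructed from the posted configuration.

```python
import ipaddress
import re

# virtual_private value as given in the posted ipsec.conf.
VIRTUAL_PRIVATE = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16"

# Constructed from the posted ipsec.conf: the leftsubnet of each conn that
# could be selected for this peer. The bare "roadwarrior" conn has no
# leftsubnet, so it only covers the host address 10.1.0.1/32.
CONN_LEFTSUBNETS = {
    "roadwarrior-net": "10.1.0.0/16",
    "roadwarrior-all": "0.0.0.0/0",
    "roadwarrior": "10.1.0.1/32",
}

# The failing line from the post, used here as sample input.
FAILING_LINE = (
    'Nov 25 23:13:54 polaris pluto[4265]: "roadwarrior"[2] 10.1.0.16 #1: '
    'cannot respond to IPsec SA request because no connection is known for '
    '0.0.0.0/0===10.1.0.1[C=GB, ST=West Yorkshire, L=Leeds, O=Philpem VPN, '
    'CN=Polaris VPN server, E=vpn at philpem.me.uk]...10.1.0.16[C=GB, '
    'ST=West Yorkshire, L=Leeds, O=Philpem VPN, CN=Philip Pemberton, '
    'E=philpem at dsl.pipex.com]===127.0.0.1/32'
)

# Constructed variant: the same proposal, but with the client offering its own
# address as the right-hand selector (what vhost:%no accepts).
OWN_HOST_LINE = FAILING_LINE.replace("===127.0.0.1/32", "===10.1.0.16/32")

# Selector layout printed by pluto: leftsubnet===left[ID]...right[ID]===rightsubnet
NO_CONN_RE = re.compile(
    r"no connection is known for "
    r"(?P<lsub>[\d.]+/\d+)===(?P<left>[\d.]+)\[(?P<lid>[^\]]*)\]"
    r"\.\.\.(?P<right>[\d.]+)\[(?P<rid>[^\]]*)\]===(?P<rsub>[\d.]+/\d+)"
)


def parse_virtual_private(value):
    """Turn the %v4:a/b,%v4:c/d list into ip_network objects (IPv4 only)."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item.startswith("%v4:"):
            nets.append(ipaddress.ip_network(item[len("%v4:"):], strict=False))
    return nets


def parse_no_connection(line):
    """Return the selector fields of a 'no connection is known' line, or None."""
    m = NO_CONN_RE.search(line)
    return m.groupdict() if m else None


def diagnose(line, virtual_private=VIRTUAL_PRIVATE, conn_leftsubnets=CONN_LEFTSUBNETS):
    """Explain why pluto found no conn for the proposed Phase 2 selectors.

    Assumption (Openswan vhost semantics): rightsubnet=vhost:%no,%priv accepts
    either the peer's own /32 or a subnet inside virtual_private.
    """
    sel = parse_no_connection(line)
    if sel is None:
        return None
    lsub = ipaddress.ip_network(sel["lsub"], strict=False)
    rsub = ipaddress.ip_network(sel["rsub"], strict=False)
    right = ipaddress.ip_address(sel["right"])

    left_conns = [name for name, s in conn_leftsubnets.items()
                  if ipaddress.ip_network(s, strict=False) == lsub]
    own_host = rsub.prefixlen == 32 and rsub.network_address == right
    in_priv = any(rsub.subnet_of(n) for n in parse_virtual_private(virtual_private))

    if own_host:
        reason = "right subnet is the peer's own address (allowed by vhost:%no)"
    elif in_priv:
        reason = "right subnet lies inside virtual_private (allowed by %priv)"
    else:
        reason = (f"peer proposed {rsub}, which is neither its own address "
                  f"{right}/32 nor inside virtual_private; no conn can match")
    return {
        "left_subnet": str(lsub),
        "left_conns": left_conns,
        "right_subnet": str(rsub),
        "right_ok": own_host or in_priv,
        "reason": reason,
    }


if __name__ == "__main__":
    for sample in (FAILING_LINE, OWN_HOST_LINE):
        print(diagnose(sample))
```

Run against the failing line, the left side resolves to roadwarrior-all (leftsubnet=0.0.0.0/0), so the rejection comes entirely from the right side: the diagnostic proposes 127.0.0.1/32, which is not the client's address and is not in any virtual_private range. The same line with 10.1.0.16/32 on the right is accepted, which is consistent with the normal "Select VPN" connection landing on roadwarrior-all in the second log.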