[Openswan Users] stop after SA established

sasa sasa at shoponweb.it
Mon Oct 17 13:23:35 CEST 2005


Hi, this problem for me is very strange; on the first machine (fw/vpn with fc3) I have:

#tcpdump -i eth1
11:49:36.078449 IP 10.0.0.10 > 192.168.1.2: icmp 40: echo reply seq 4024
11:49:41.737123 IP 192.168.1.2 > 10.0.0.10: icmp 40: echo request seq 4280

#tcpdump -i eth0 port 500
11:50:12.158138 IP 4.3.2.1.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I ident
11:50:12.159539 IP 1.2.3.4.isakmp > 4.3.2.1.isakmp: isakmp: phase 1 R ident
11:50:12.324934 IP 4.3.2.1.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I ident
11:50:12.694111 IP 1.2.3.4.isakmp > 4.3.2.1.isakmp: isakmp: phase 1 R ident
11:50:12.973139 IP 4.3.2.1.isakmp > 1.2.3.4.isakmp: isakmp: phase 1 I ident[E]
11:50:13.032669 IP 1.2.3.4.isakmp > 4.3.2.1.isakmp: isakmp: phase 1 R ident[E]
11:50:13.136043 IP 4.3.2.1.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:50:13.203794 IP 1.2.3.4.isakmp > 4.3.2.1.isakmp: isakmp: phase 2/others R oakley-quick[E]
11:50:13.340631 IP 4.3.2.1.isakmp > 1.2.3.4.isakmp: isakmp: phase 2/others I oakley-quick[E]
11:50:25.342447 IP 1.2.3.4.isakmp > 4.3.2.1.isakmp: isakmp: phase 2/others R oakley-quick[E]

#ipsec whack --status
000 #11193: "sedeprinsedesecond":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 5170s
000 #11193: "sedeprinsedesecond" esp.10b6d50c at 4.3.2.1 esp.a8824b6b at 1.2.3.4 tun.0 at 4.3.2.1 tun.0 at 1.2.3.4
000 #11071: "sedeprinsedesecond":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2572s
000 #11071: "sedeprinsedesecond" esp.9c5793a2 at 4.3.2.1 esp.7a17dd98 at 1.2.3.4 tun.0 at 4.3.2.1 tun.0 at 1.2.3.4
000 #11009: "sedeprinsedesecond":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1239s

..on the second machine (vpn/fw with fc1) I have:

#ipsec whack --status
000 "sedeprinsedesecond": 192.168.1.0/24===4.3.2.1---4.3.2.2...1.2.3.5---1.2.3.4===10.0.0.0/24; erouted; eroute owner: #2
000 "sedeprinsedesecond":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sedeprinsedesecond":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "sedeprinsedesecond":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "sedeprinsedesecond":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "sedeprinsedesecond":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "sedeprinsedesecond":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "sedeprinsedesecond":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "sedeprinsedesecond":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "sedeprinsedesecond":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "sedeprinsedesecond" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27838s; newest IPSEC; eroute owner
000 #2: "sedeprinsedesecond" esp.5603e697 at 1.2.3.4 esp.477dbcfb at 4.3.2.1 tun.1002 at 1.2.3.4 tun.1001 at 4.3.2.1
000 #1: "sedeprinsedesecond" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2671s; newest ISAKMP
000

[root at fw root]# tcpdump -i ipsec0
tcpdump: listening on ipsec0
11:57:51.058002 server2003.lineaitalia.locale > 10.0.0.10: icmp: echo request
11:57:56.557973 server2003.lineaitalia.locale > 10.0.0.10: icmp: echo request
11:58:02.057878 server2003.lineaitalia.locale > 10.0.0.10: icmp: echo request

..why, on the machine with address 192.168.1.2, don't I get a reply from ping to 10.0.0.10? Where is the problem?
Thanks again.

        Salvatore.
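As an added example (not from the thread or from Openswan itself), a small Python checker that parses the `ipsec whack --status` lines quoted above and reports, per connection, whether phase 1 and phase 2 are established, whether the eroute has an owner, and whether several IPsec SAs coexist for one connection. The sample inputs are constructed from the quoted output; the STATE_MAIN_R3 line in the responder sample is an assumption added so that sample has a phase 1 entry.

```python
import re
from collections import defaultdict

# Line shapes seen in Openswan 2.x `ipsec whack --status` output, as quoted in the thread.
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+) \(([^)]*)\);(.*)$')
EROUTE_RE = re.compile(r'^000 "([^"]+)": .*?; (prospective erouted|erouted|unrouted); eroute owner: #(\d+)')
EVENT_RE = re.compile(r'EVENT_(\w+) in (\d+)s')

def parse_status(text):
    """Group the connection summary line and the per-SA state lines by connection name."""
    conns = defaultdict(lambda: {"eroute": None, "owner": None, "states": []})
    for line in text.splitlines():
        if (m := EROUTE_RE.match(line)):
            conns[m.group(1)].update(eroute=m.group(2), owner=int(m.group(3)))
        elif (m := STATE_RE.match(line)):
            ev = EVENT_RE.search(m.group(5))
            conns[m.group(2)]["states"].append({
                "sa": int(m.group(1)), "state": m.group(3), "desc": m.group(4),
                "event": ev.group(1) if ev else None})
    return dict(conns)

def diagnose(conn):
    """Findings for one connection: phase 1 up? phase 2 up? eroute owned? stale SAs?"""
    findings = []
    p1 = [s for s in conn["states"] if s["state"].startswith("STATE_MAIN")]
    p2 = [s for s in conn["states"] if s["state"].startswith("STATE_QUICK")]
    up = [s for s in p2 if "IPsec SA established" in s["desc"]]
    if not any("ISAKMP SA established" in s["desc"] for s in p1):
        findings.append("no established ISAKMP SA (phase 1)")
    if not up:
        findings.append("no established IPsec SA (phase 2)")
    if any(s["event"] == "RETRANSMIT" for s in p2):
        findings.append("phase 2 still retransmitting: peer not answering quick mode")
    if conn["eroute"] == "prospective erouted" or conn["owner"] == 0:
        findings.append("eroute has no owner: kernel will not send traffic into the tunnel")
    if len(up) > 1:
        findings.append("%d concurrent IPsec SAs: check for stale SAs left over from rekeys" % len(up))
    return findings

# Constructed samples modelled on the thread's quoted output (the STATE_MAIN_R3 line is assumed).
STUCK = """000 "sedeprinsedesecond": 192.168.1.0/24===4.3.2.1:4500---4.3.2.2...1.2.3.5---1.2.3.4:4500===10.0.0.0/24; prospective erouted; eroute owner: #0
000 #20: "sedeprinsedesecond" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s
000 #1: "sedeprinsedesecond" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1850s; newest ISAKMP
"""
RESPONDER = """000 #11193: "sedeprinsedesecond":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 5170s
000 #11071: "sedeprinsedesecond":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2572s
000 #11009: "sedeprinsedesecond":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1239s
000 #11000: "sedeprinsedesecond":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 900s; newest ISAKMP
"""
```

Run `diagnose(parse_status(STUCK)["sedeprinsedesecond"])` to see the three findings for the stuck initiator; the responder sample yields only the concurrent-SA warning, which is the first thing to check when ESP traffic arrives but replies never come back.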

----- Original Message ----- 
From: "sasa" <sasa at shoponweb.it>
To: <users at openswan.org>
Sent: Wednesday, October 12, 2005 8:24 PM
Subject: [Openswan Users] stop after SA established


Hi, I have a problem with a site-to-site VPN between two end-points that have two static public IPs.
The authentication method that I have used is RSA key; on both end-points I have generated the key in this way:

#ipsec newhostkey --output /etc/ipsec.secrets

..and my ipsec.conf is:

config setup
 # eth0 is the fw's public interface
   interfaces="ipsec0=eth0"
   nat_traversal=yes
 
# default configuration

conn %default
      authby=rsasig
 
conn sedeprinsedesecond
    auto=start
    pfs=yes
    left=4.3.2.1
    leftsubnet=192.168.1.0/24
    leftnexthop=4.3.2.2

    leftrsasigkey=blablabla
    right=1.2.3.4
    rightsubnet=10.0.0.0/24
    rightnexthop=1.2.3.5
    rightrsasigkey=cccaaa 
 
000 "sedeprinsedesecond": 192.168.1.0/24===4.3.2.1:4500---4.3.2.2...1.2.3.5---1.2.3.4:4500===10.0.0.0/24; prospective erouted; eroute owner: #0
000 "sedeprinsedesecond":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sedeprinsedesecond":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "sedeprinsedesecond":   newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "sedeprinsedesecond":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "sedeprinsedesecond":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "sedeprinsedesecond":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "sedeprinsedesecond":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "sedeprinsedesecond":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000
000 #20: "sedeprinsedesecond" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s
000 #1: "sedeprinsedesecond" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1850s; newest ISAKMP
000


..where can the problem be?
thanks.

        Salvatore.