[Openswan Users] Multiple connection problems

Oliver Tomkins oliver.tomkins at alliedvehicles.co.uk
Fri Sep 2 15:02:40 CEST 2005


Does anybody think upgrading to the 2.6 from the 2.4 kernel might help 
us solve this problem?

Olly.

Oliver Tomkins wrote:
> Thanks Paul - that worked fine.
> 
> However the new release still does not allow me to have two connections 
> at the same time.
> 
> Either of our two client machines can connect independently without any 
> problems at all.  When one is connected the second is unable to do so.
> 
> The Windows 2000 client machines connect to our ipsec machine in the DMZ 
> - this used DNAT to forward the relevant packets to the L2TP box that is 
> on our internal subnet and allocates the client machines an IP address 
> on our internal subnet.  The process is reversed with SNAT for the 
> packets going back out to the client machines.
> 
> If a machine is connected then we can see the SA being established with 
> the second machine and then the disconnection.  Nothing shows in the 
> logs on the l2tp machine.
> 
> /var/log/secure/
> 
> Aug 23 10:20:31 mini pluto[15513]: "vpn2"[2] XXX.XXX.XXX.XXX #3: 
> received Delete SA(0xc718e48d) payload: deleting IPSEC State #
> 4
> Aug 23 10:20:31 mini pluto[15513]: | deleting state #4
> Aug 23 10:20:31 mini pluto[15513]: | processing connection vpn2[2] 
> XXX.XXX.XXX.XXX
> Aug 23 10:20:31 mini pluto[15513]: | **emit ISAKMP Message:
> Aug 23 10:20:31 mini pluto[15513]: |    initiator cookie:
> Aug 23 10:20:31 mini pluto[15513]: |   ef 4e fc ec  71 00 40 29
> Aug 23 10:20:31 mini pluto[15513]: |    responder cookie:
> Aug 23 10:20:31 mini pluto[15513]: |   b8 e1 2d 19  18 cf 44 08
> Aug 23 10:20:31 mini pluto[15513]: |    next payload type: ISAKMP_NEXT_HASH
> Aug 23 10:20:31 mini pluto[15513]: |    ISAKMP version: ISAKMP Version 1.0
> Aug 23 10:20:31 mini pluto[15513]: |    exchange type: ISAKMP_XCHG_INFO
> Aug 23 10:20:31 mini pluto[15513]: |    flags: ISAKMP_FLAG_ENCRYPTION
> Aug 23 10:20:31 mini pluto[15513]: |    message ID:  ab f5 18 3e
> Aug 23 10:20:31 mini pluto[15513]: | ***emit ISAKMP Hash Payload:
> Aug 23 10:20:31 mini pluto[15513]: |    next payload type: ISAKMP_NEXT_D
> Aug 23 10:20:31 mini pluto[15513]: | emitting 20 zero bytes of HASH(1) 
> into ISAKMP Hash Payload
> Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Hash 
> Payload: 24
> Aug 23 10:20:31 mini pluto[15513]: | ***emit ISAKMP Delete Payload:
> Aug 23 10:20:31 mini pluto[15513]: |    next payload type: ISAKMP_NEXT_NONE
> Aug 23 10:20:31 mini pluto[15513]: |    DOI: ISAKMP_DOI_IPSEC
> Aug 23 10:20:31 mini pluto[15513]: |    protocol ID: 3
> Aug 23 10:20:31 mini pluto[15513]: |    SPI size: 4
> Aug 23 10:20:31 mini pluto[15513]: |    number of SPIs: 1
> Aug 23 10:20:31 mini pluto[15513]: | emitting 4 raw bytes of delete 
> payload into ISAKMP Delete Payload
> Aug 23 10:20:31 mini pluto[15513]: | delete payload  af 7f b6 09
> Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Delete 
> Payload: 16
> Aug 23 10:20:31 mini pluto[15513]: | HASH(1) computed:
> Aug 23 10:20:31 mini pluto[15513]: |   01 b3 d9 01  c3 62 81 c4  a3 08 
> ff 98  b1 0a 95 37
> Aug 23 10:20:31 mini pluto[15513]: |   e9 fa 67 95
> Aug 23 10:20:31 mini pluto[15513]: | last Phase 1 IV:  a3 41 42 f7  9b 
> c4 c4 64
> Aug 23 10:20:31 mini pluto[15513]: | current Phase 1 IV:  a3 41 42 f7 9b 
> c4 c4 64
> Aug 23 10:20:31 mini pluto[15513]: | computed Phase 2 IV:
> Aug 23 10:20:31 mini pluto[15513]: |   b4 16 77 82  91 3e 11 12  dc 38 
> 51 b7  20 ee 09 95
> Aug 23 10:20:31 mini pluto[15513]: |   e4 71 ac a0
> Aug 23 10:20:31 mini pluto[15513]: | encrypting:
> Aug 23 10:20:31 mini pluto[15513]: |   0c 00 00 18  01 b3 d9 01  c3 62 
> 81 c4  a3 08 ff 98
> Aug 23 10:20:31 mini pluto[15513]: |   b1 0a 95 37  e9 fa 67 95  00 00 
> 00 10  00 00 00 01
> Aug 23 10:20:31 mini pluto[15513]: |   03 04 00 01  af 7f b6 09
> Aug 23 10:20:31 mini pluto[15513]: | IV:
> Aug 23 10:20:31 mini pluto[15513]: |   b4 16 77 82  91 3e 11 12  dc 38 
> 51 b7  20 ee 09 95
> Aug 23 10:20:31 mini pluto[15513]: |   e4 71 ac a0
> Aug 23 10:20:31 mini pluto[15513]: | encrypting using OAKLEY_3DES_CBC
> Aug 23 10:20:31 mini pluto[15513]: | next IV:  d2 6c ac 38  80 d7 a2 a4
> Aug 23 10:20:31 mini pluto[15513]: | emitting length of ISAKMP Message: 68
> Aug 23 10:20:31 mini pluto[15513]: | sending 68 bytes for delete notify 
> through eth0:500 to XXX.XXX.XXX.XXX:500:
> Aug 23 10:20:31 mini pluto[15513]: |   ef 4e fc ec  71 00 40 29  b8 e1 
> 2d 19  18 cf 44 08
> Aug 23 10:20:31 mini pluto[15513]: |   08 10 05 01  ab f5 18 3e  00 00 
> 00 44  8a 0a e2 67
> Aug 23 10:20:31 mini pluto[15513]: |   c3 cd 2f 4f  2c 35 6d 28  ca cd 
> 74 c6  c8 3d 0f 62
> Aug 23 10:20:31 mini pluto[15513]: |   36 c8 f4 6c  73 4d 1a 44  da b6 
> 10 fd  d2 6c ac 38
> Aug 23 10:20:31 mini pluto[15513]: |   80 d7 a2 a4
> Aug 23 10:20:31 mini pluto[15513]: | no suspended cryptographic state for 4
> Aug 23 10:20:31 mini pluto[15513]: | ICOOKIE:  ef 4e fc ec  71 00 40 29
> Aug 23 10:20:31 mini pluto[15513]: | RCOOKIE:  b8 e1 2d 19  18 cf 44 08
> Aug 23 10:20:31 mini pluto[15513]: | peer:  51 ab d9 d3
> Aug 23 10:20:31 mini pluto[15513]: | state hash entry 15
> Aug 23 10:20:31 mini pluto[15513]: | command executing down-host
> Aug 23 10:20:31 mini pluto[15513]: |   trusted_ca called with a=C=GB, 
> L=City, O=Company Ltd, OU=Information Technol
> ogy Dept, CN=cert.domain.co.uk, E=name at domain.co.uk b=C=GB, L=City, 
> O=Company Ltd, OU=Information
>  Technology Dept, CN=cert.domain.co.uk, E=name at domain.co.uk
> Aug 23 10:20:31 mini pluto[15513]: | executing down-host: 2>&1 
> PLUTO_VERSION='1.1' PLUTO_VERB='down-host' PLUTO_CONNECTION='vp
> n2' PLUTO_NEXT_HOP='<FIREWALL IP>' PLUTO_INTERFACE='ipsec0' 
> PLUTO_ME='<IPSEC IP>' PLUTO_MY_ID='C=GB, L=City, O=Allied Vehi
> cles Ltd, OU=Information Technology Dept, CN=ipsec.alliedvehicles.co.uk, 
> E=name at domain.co.uk' PLUTO_MY_CLIENT='<IPSEC IP>' 
> PLUTO_MY_CLIENT_NET='<IPSEC IP>' PLUTO_MY_CLIENT_MASK='255.255.255.255' 
> PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='XXX.XXX.XXX.XXX' 
> PLUTO_PEER_ID='C=GB, L=City, O=Company Ltd, OU=Information Technology 
> Dept, CN=machinename at domain.co.uk, E=name at domain.co.uk' 
> PLUTO_PEER_CLIENT='XXX.XXX.XXX.XXX/32' 
> PLUTO_PEER_CLIENT_NET='XXX.XXX.XXX.XXX' PL
> UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' 
> PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=GB, L=City, O=Company Ltd, 
> OU=Information Technology Dept, CN=cert.domain.co.uk, 
> E=name at domain.co.uk' PLUTO_CONN_POLICY
> ='RSASIG+ENCRYP
> Aug 23 10:20:31 mini pluto[15513]: | eroute_connection replace with 
> shunt eroute <IPSEC IP>/32:1701 --17-> XXX.XXX.XXX.XXX/32
> :1701 => %trap (raw_eroute)
> Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_msg_hdr_build:
> Aug 23 10:20:31 mini pluto[15513]: | 
> pfkey_lib_debug:pfkey_msg_hdr_build: on_entry &pfkey_ext=0p0xbfffe500 
> pfkey_ext=0p0xbfffe
> 7f0 *pfkey_ext=0p(nil).
> Aug 23 10:20:31 mini pluto[15513]: | 
> pfkey_lib_debug:pfkey_msg_hdr_build: on_exit &pfkey_ext=0p0xbfffe500 
> pfkey_ext=0p0xbfffe7
> f0 *pfkey_ext=0p0x80f7ad8.
> Aug 23 10:20:31 mini pluto[15513]: | pfkey_lib_debug:pfkey_sa_build: 
> spi=00000104 replay=0 sa_state=0 auth=0 encrypt=0 flags=2
> 
> ipsec.conf
> 
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for 
> lots.
>         # klipsdebug=none
>         # plutodebug="control parsing"
>         #klipsdebug=all
>         plutodebug=all
>         uniqueids=no
> 
> # Add connections here
> 
> conn vpn
>                 type=tunnel
>                 pfs=no
>                 compress=yes
>                 auto=add
>                 left=%defaultroute
>                 leftrsasigkey=%cert
>                 #leftid=@ipsec.domain.co.uk
>                 leftcert=ipsec.domain.co.uk.pem
>                 leftprotoport=17/1701
>                 right=%any
>                 rightid="C=GB,L=City,O=Company Ltd,OU=Information 
> Technology Dept,CN=name1.domain.co.uk,E=it at domain.co.uk"
>                 #right=%any
>                 rightrsasigkey=%cert
>                 rightprotoport=17/1701
>                 rightca=%same
> 
> conn vpn2
>                 type=tunnel
>                 pfs=no
>                 compress=yes
>                 auto=add
>         left=%defaultroute
>                 leftrsasigkey=%cert
>                 #leftid=@ipsec.domain.co.uk
>                 leftcert=ipsec.domain.co.uk.pem
>                 leftprotoport=17/1701
>                 right=%any
>                 rightid="C=GB,L=City,O=Company Ltd,OU=Information 
> Technology Dept,CN=name2.domain.co.uk,E=it at domain.co.uk"
>                 #right=%any
>                 rightrsasigkey=%cert
>                 rightprotoport=17/1701
>                 rightca=%same
>     
> l2tpd.conf
> 
> [global]
> ;listen-addr = XXX.XXX.XXX.XXX
> 
> [lns default]
> exclusive = no
> ip range = <INTERNAL IP RANGE>
> local ip = <L2TP ADDRESS ON LOCAL SUBNET>
> require chap = yes
> refuse pap = yes
> require authentication = yes
> name = l2tp.domain.co.uk
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd
> length bit = yes
> 
> Any ideas?
> 
> Thanks,
> 
> Olly.
> 
> Paul Wouters wrote:
> 
>> On Mon, 22 Aug 2005, Oliver Tomkins wrote:
>>
>>> Yeah that is the code that I have here as well.
>>>
>>> It's redhat 7.3 and gcc-2.96-113
>>>
>>> Thanks,
>>>
>>> Olly.
>>>
>>> Paul Wouters wrote:
>>>
>>>> On Mon, 22 Aug 2005, Oliver Tomkins wrote:
>>>>
>>>>> However, dr8, dr9 and rc1 all give me this problem when I try to 
>>>>> upgrade?
>>>>>
>>>>> ike_alg.c: In function `ike_alg_register_hash':
>>>>> ike_alg.c:642: parse error before `int'
>>>>> ike_alg.c:646: `ret' undeclared (first use in this function)
>>
>>
>>
>> Either wait for 2.4.0rc2 or apply the following fix:
>>
>> Modified Files:
>>         ike_alg.c
>> Log Message:
>>         remove gcc-3/C++-ism.
>>
>>
>> Index: ike_alg.c
>> ===================================================================
>> RCS file: /xelerance/master/openswan-2/programs/pluto/ike_alg.c,v
>> retrieving revision 1.18
>> retrieving revision 1.19
>> diff -u -d -r1.18 -r1.19
>> --- ike_alg.c   5 Aug 2005 19:10:43 -0000       1.18
>> +++ ike_alg.c   22 Aug 2005 17:25:17 -0000      1.19
>> @@ -636,10 +636,9 @@
>>  ike_alg_register_hash(struct hash_desc *hash_desc)
>>  {
>>         const char *alg_name;
>> +       int ret=0;
>>
>>         alg_name = "<none>";
>> -
>> -       int ret=0;
>>         if (hash_desc->common.algo_id > OAKLEY_HASH_MAX) {
>>                 plog ("ike_alg_register_hash(): hash alg=%d < max=%d",
>>                                 hash_desc->common.algo_id, 
>> OAKLEY_HASH_MAX);
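Review bot: moving `int ret=0;` up beside `const char *alg_name;` is the right fix for the reported gcc 2.96 parse error, since C89 does not allow a declaration after a statement (`alg_name = "<none>";`) inside a block; while in this function, note that the unchanged context's message text `"ike_alg_register_hash(): hash alg=%d < max=%d"` reads the wrong way round against the condition it sits under, `hash_desc->common.algo_id > OAKLEY_HASH_MAX`, so `hash alg=%d > max=%d` would describe what actually fired.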
>>
>> Paul
>>
>>
>>
>>
> 
> The information in this e-mail is confidential. The contents may not be 
> disclosed or used by anyone other than the addressee. If you are not the 
> intended recipient, please notify the sender immediately by reply e-mail 
> and delete this message. Allied Vehicles cannot accept any 
> responsibility for the accuracy or completeness of this message as it 
> has been transmitted over a public network.
> For details of our products and services please visit our website at 
> www.alliedvehicles.co.uk
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
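The log excerpt quoted above shows pluto receiving a Delete SA payload from the peer and then running `down-host`. As an added example that is not part of this thread or of Openswan, the parser below groups such pluto lines per connection instance and flags teardowns the peer requested, which is the first thing to check when a second client drops while the first stays up. The sample lines are constructed from the post's excerpt (the two "established" lines are approximate wording), and XXX.XXX.XXX.XXX is the post's own masked address.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto[15513] excerpt in the post; the two
# "established" lines are illustrative, the Delete SA line is the post's own.
SAMPLE_LOG = """\
Aug 23 10:20:29 mini pluto[15513]: "vpn2"[2] XXX.XXX.XXX.XXX #3: ISAKMP SA established
Aug 23 10:20:30 mini pluto[15513]: "vpn2"[2] XXX.XXX.XXX.XXX #4: IPsec SA established
Aug 23 10:20:31 mini pluto[15513]: "vpn2"[2] XXX.XXX.XXX.XXX #3: received Delete SA(0xc718e48d) payload: deleting IPSEC State #4
Aug 23 10:20:31 mini pluto[15513]: | deleting state #4
Aug 23 10:20:31 mini pluto[15513]: | processing connection vpn2[2] XXX.XXX.XXX.XXX
Aug 23 10:20:31 mini pluto[15513]: | command executing down-host
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<body>.*)$")
# Non-debug pluto lines carry the connection name, instance, peer and state number.
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
PEER_DELETE_RE = re.compile(r"received Delete SA\((?P<spi>0x[0-9a-f]+)\) payload: deleting IPSEC State #(?P<victim>\d+)")
PROCESSING_RE = re.compile(r"^\| processing connection (?P<conn>\S+) (?P<peer>\S+)$")
UPDOWN_RE = re.compile(r"^\| command executing (?P<verb>\S+)$")

def instance_key(conn, inst, peer):
    return f"{conn}[{inst or '0'}] {peer}"

def summarize(log_text):
    """Group pluto events per connection instance; record peer-initiated SA deletes."""
    report = defaultdict(lambda: {"states": set(), "peer_deletes": [], "updown": []})
    current = None  # instance that following plutodebug ("| ...") lines belong to
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, body = m.group("ts"), m.group("body")
        s = STATE_RE.match(body)
        if s:
            current = instance_key(s.group("conn"), s.group("inst"), s.group("peer"))
            report[current]["states"].add(int(s.group("state")))
            d = PEER_DELETE_RE.search(s.group("msg"))
            if d:  # the peer sent the Delete, so the teardown was not started locally
                report[current]["peer_deletes"].append((ts, d.group("spi"), int(d.group("victim"))))
            continue
        p = PROCESSING_RE.match(body)
        if p:  # "vpn2[2]" -> connection "vpn2", instance "2"
            conn, _, inst = p.group("conn").partition("[")
            current = instance_key(conn, inst.rstrip("]"), p.group("peer"))
            continue
        u = UPDOWN_RE.match(body)
        if u and current:
            report[current]["updown"].append(u.group("verb"))
    return dict(report)

def peer_initiated_teardowns(log_text):
    """Instances whose IPsec SA was removed at the peer's request (the symptom above)."""
    return sorted(k for k, v in summarize(log_text).items() if v["peer_deletes"])
```

Run it over the full plutodebug output with both clients connecting; an instance listed by peer_initiated_teardowns points at the client (or the L2TP/PPP stage behind it) rather than at pluto as the side that gave up.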
