[Openswan Users] net 2 net connection
William Man
williamman at visualrock.co.uk
Tue Sep 13 09:55:52 CEST 2005
Hi all,
This is the first time I'm posting, so apologies if I make any mistakes.
I am looking to make an ipsec connection between 2 sites, both running
Linux; below are some details:
Site_1. External IP 20.0.0.1. Subnet 192.168.1.0/24
Site_2. External IP 10.0.0.1. Subnet 192.168.3.0/24
Site_1 is running Red Hat 9, using "Linux Openswan Ucvs2002Mar11_19:19:03/K"
Site_2 is running Fedora Core 3, using "Linux Openswan U2.3.1/K"
Below is the ipsec.conf:
----------
version 2.0
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
conn net-to-net
        left=20.0.0.1
        leftsubnet=192.168.1.0/24
        leftid=@site_1.mydomain.co.uk
        leftnexthop=%defaultroute
        leftrsasigkey=XXXXXX
        right=10.0.0.1
        rightsubnet=192.168.3.0/24
        rightid=@site_2.mydomain.co.uk
        rightnexthop=%defaultroute
        rightrsasigkey=XXXX
        auto=add
#include /etc/ipsec.d/examples/no_oe.conf
-------- end of ipsec.conf
When site_2 starts up ipsec, the whole of the site_2 subnet goes down and
Internet access is lost.
Something similar happens to site_1: Internet access is lost.
I think there is some kind of routing error, but I'm not sure.
The firewall is iptables, and it accepts 4500, 500, and the ipsec
protocols.
Below is the secure log of site_2:
----------------------------
Sep 10 22:12:13 site_2 ipsec__plutorun: Starting Pluto subsystem...
Sep 10 22:12:13 site_2 pluto[404]: Starting Pluto (Openswan Version 2.3.1
X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Sep 10 22:12:13 site_2 pluto[404]: Setting port floating to on
Sep 10 22:12:13 site_2 pluto[404]: port floating activate 1/1
Sep 10 22:12:13 site_2 pluto[404]: including NAT-Traversal patch (Version
0.6c)
Sep 10 22:12:13 site_2 pluto[404]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Sep 10 22:12:13 site_2 pluto[404]: starting up 1 cryptographic helpers
Sep 10 22:12:13 site_2 pluto[404]: started helper pid=405 (fd:6)
Sep 10 22:12:13 site_2 pluto[404]: Using Linux 2.6 IPsec interface code
Sep 10 22:12:13 site_2 pluto[404]: Changing to directory
'/etc/ipsec.d/cacerts'
Sep 10 22:12:13 site_2 pluto[404]: loaded CA cert file 'cacert.pem' (1058
bytes)
Sep 10 22:12:13 site_2 pluto[404]: Could not change to directory
'/etc/ipsec.d/aacerts'
Sep 10 22:12:13 site_2 pluto[404]: Could not change to directory
'/etc/ipsec.d/ocspcerts'
Sep 10 22:12:13 site_2 pluto[404]: Changing to directory '/etc/ipsec.d/crls'
Sep 10 22:12:13 site_2 pluto[404]: loaded crl file 'crl.pem' (443 bytes)
Sep 10 22:12:13 site_2 pluto[404]: added connection description
"packetdefault"
Sep 10 22:12:14 site_2 pluto[404]: added connection description "block"
Sep 10 22:12:14 site_2 pluto[404]: added connection description
"clear-or-private"
Sep 10 22:12:14 site_2 pluto[404]: added connection description "clear"
Sep 10 22:12:14 site_2 pluto[404]: added connection description
"private-or-clear"
Sep 10 22:12:14 site_2 pluto[404]: added connection description "private"
Sep 10 22:12:14 site_2 pluto[404]: listening for IKE messages
Sep 10 22:12:14 site_2 pluto[404]: adding interface eth1/eth1
192.168.3.1:500
Sep 10 22:12:14 site_2 pluto[404]: adding interface eth1/eth1
192.168.3.1:4500
Sep 10 22:12:14 site_2 pluto[404]: adding interface eth0/eth0 10.0.0.1:500
Sep 10 22:12:14 site_2 pluto[404]: adding interface eth0/eth0 10.0.0.1:4500
Sep 10 22:12:14 site_2 pluto[404]: adding interface lo/lo 127.0.0.1:500
Sep 10 22:12:14 site_2 pluto[404]: adding interface lo/lo 127.0.0.1:4500
Sep 10 22:12:14 site_2 pluto[404]: adding interface lo/lo ::1:500
Sep 10 22:12:14 site_2 pluto[404]: loading secrets from "/etc/ipsec.secrets"
Sep 10 22:12:14 site_2 pluto[404]: loading group
"/etc/ipsec.d/policies/private"
Sep 10 22:12:14 site_2 pluto[404]: loading group
"/etc/ipsec.d/policies/private-or-clear"
Sep 10 22:12:14 site_2 pluto[404]: loading group
"/etc/ipsec.d/policies/clear"
Sep 10 22:12:14 site_2 pluto[404]: loading group
"/etc/ipsec.d/policies/clear-or-private"
Sep 10 22:12:14 site_2 pluto[404]: loading group
"/etc/ipsec.d/policies/block"
Sep 10 22:12:15 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 192.168.3.4 to 207.46.0.27
Sep 10 22:12:24 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 10.0.0.1 to 192.168.1.3
Sep 10 22:12:30 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 10.0.0.1 to 20.0.0.1
Sep 10 22:12:36 site_2 pluto[404]: packet from 20.0.0.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Sep 10 22:12:36 site_2 pluto[404]: packet from 20.0.0.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 108
Sep 10 22:12:36 site_2 pluto[404]: packet from 20.0.0.1:500: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[1] 0.0.0.0/0===
...20.0.0.1===? #1: responding to Main Mode from unknown peer 20.0.0.1
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[1] 0.0.0.0/0===
...20.0.0.1===? #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[1] 0.0.0.0/0===
...20.0.0.1===? #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[1] 0.0.0.0/0===
...20.0.0.1===? #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[1] 0.0.0.0/0===
...20.0.0.1===? #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: deleting connection "packetdefault" instance with peer
20.0.0.1 {isakmp=#0/ipsec=#0}
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: no RSA public key known for '192.168.1.1'; DNS search
for KEY failed (failure querying DNS for KEY of 1.1.168.192.in-addr.arpa.:
Host name lookup failure)
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: sending encrypted notification INVALID_KEY_INFORMATION
to 20.0.0.1:500
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: failed to build notification for spisize=0
Sep 10 22:12:39 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 10.0.0.1 to 192.168.3.4
Sep 10 22:12:47 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 10 22:12:47 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 10 22:12:47 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: no RSA public key known for '192.168.1.1'; DNS search
for KEY failed (failure querying DNS for KEY of 1.1.168.192.in-addr.arpa.:
Host name lookup failure)
Sep 10 22:12:47 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: sending encrypted notification INVALID_KEY_INFORMATION
to 20.0.0.1:500
Sep 10 22:12:47 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: failed to build notification for spisize=0
Sep 10 22:13:00 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 65.54.142.189 to 192.168.3.4
Sep 10 22:13:06 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 10 22:13:06 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 10 22:13:06 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: no RSA public key known for '192.168.1.1'; DNS search
for KEY failed (failure querying DNS for KEY of 1.1.168.192.in-addr.arpa.:
Host name lookup failure)
Sep 10 22:13:06 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: sending encrypted notification INVALID_KEY_INFORMATION
to 20.0.0.1:500
Sep 10 22:13:06 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: failed to build notification for spisize=0
Sep 10 22:13:08 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 10.0.0.1 to 20.0.0.1
Sep 10 22:13:17 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 192.168.3.4 to 160.36.241.110
Sep 10 22:13:18 site_2 pluto[404]: shutting down
Sep 10 22:13:18 site_2 pluto[404]: forgetting secrets
Sep 10 22:13:18 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===?: deleting connection "packetdefault" instance with peer
20.0.0.1 {isakmp=#0/ipsec=#0}
Sep 10 22:13:18 site_2 pluto[404]: "packetdefault" #1: deleting state
(STATE_MAIN_R2)
Sep 10 22:13:18 site_2 pluto[404]: "private": deleting connection
Sep 10 22:13:18 site_2 pluto[404]: "private-or-clear#0.0.0.0/0": deleting
connection
Sep 10 22:13:18 site_2 pluto[404]: "private-or-clear": deleting connection
Sep 10 22:13:18 site_2 pluto[404]: "clear": deleting connection
Sep 10 22:13:18 site_2 pluto[404]: "clear-or-private": deleting connection
Sep 10 22:13:18 site_2 pluto[404]: "block": deleting connection
Sep 10 22:13:18 site_2 pluto[404]: "packetdefault": deleting connection
Sep 10 22:13:18 site_2 pluto[404]: shutting down interface lo/lo ::1:500
Sep 10 22:13:18 site_2 pluto[404]: shutting down interface lo/lo
127.0.0.1:4500
Sep 10 22:13:18 site_2 pluto[404]: shutting down interface lo/lo
127.0.0.1:500
Sep 10 22:13:18 site_2 pluto[404]: shutting down interface eth0/eth0
10.0.0.1:4500
Sep 10 22:13:18 site_2 pluto[404]: shutting down interface eth0/eth0
10.0.0.1:500
Sep 10 22:13:18 site_2 pluto[404]: shutting down interface eth1/eth1
192.168.3.1:4500
Sep 10 22:13:18 site_2 pluto[404]: shutting down interface eth1/eth1
192.168.3.1:500
-------------
End of the secure log.
I was wondering if anyone can give me a clue what is going wrong.
I am a bit concerned with the lines
"%hold otherwise handled during DNS lookup for Opportunistic Initiation for"
What do these mean?
Thanks in advance for any help.
William
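A small triage script, added here as an example and not part of the original post, that rejoins the mail-wrapped pluto records and flags the two signatures visible in the log above: the "%hold ... Opportunistic Initiation" records (the packetdefault/clear/block policy connections are loaded because the no_oe.conf include is commented out, so Opportunistic Encryption holds outbound traffic while it looks up DNS KEY records), and a peer presenting an ID_IPV4_ADDR identity that matches neither the configured leftid nor rightid, which is why the exchange landed on "packetdefault" instead of "net-to-net". The regex names, the CONFIGURED_IDS set and the sample log text are assumptions constructed for this example.

```python
import re

# Constructed sample in the shape of the pluto log quoted above, including
# records the mail client wrapped (continuation lines lack a syslog timestamp).
SAMPLE_LOG = """\
Sep 10 22:12:15 site_2 pluto[404]: %hold otherwise handled during DNS lookup
for Opportunistic Initiation for 192.168.3.4 to 207.46.0.27
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.1'
Sep 10 22:12:36 site_2 pluto[404]: "packetdefault"[2] 0.0.0.0/0===
...20.0.0.1===? #1: no RSA public key known for '192.168.1.1'; DNS search
"""
# IDs the ipsec.conf above expects the peers to present (leftid / rightid).
CONFIGURED_IDS = {"@site_1.mydomain.co.uk", "@site_2.mydomain.co.uk"}

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
HOLD_RE = re.compile(r"%hold .*Opportunistic Initiation for (\S+) to (\S+)")
PEER_ID_RE = re.compile(r'"([^"]+)"\[\d+\].*Main mode peer ID is (ID_\w+): \'([^\']+)\'')
NO_KEY_RE = re.compile(r"no RSA public key known for '([^']+)'")


def rejoin(text):
    """Glue mail-wrapped continuation lines back onto their syslog record."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def triage(text, configured_ids=CONFIGURED_IDS):
    """Summarise the failure signatures found in pluto log text."""
    holds, id_mismatch, missing_keys = [], [], []
    for rec in rejoin(text):
        m = HOLD_RE.search(rec)
        if m:  # OE is holding traffic until a DNS KEY lookup completes
            holds.append((m.group(1), m.group(2)))
            continue
        m = PEER_ID_RE.search(rec)
        if m and m.group(3) not in configured_ids:
            id_mismatch.append(m.groups())  # (conn, id type, presented id)
            continue
        m = NO_KEY_RE.search(rec)
        if m:  # rsasig auth needs a key under the ID actually presented
            missing_keys.append(m.group(1))
    return {"oe_active": bool(holds), "oe_holds": holds,
            "peer_id_mismatch": id_mismatch, "missing_keys": missing_keys}
```

Run `triage(SAMPLE_LOG)` (or feed it the full secure log) to get the held flows, the unexpected peer IDs and the identities for which no RSA key was found.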