Fw: [Openswan Users]

Gbenga stjames08 at yahoo.co.uk
Sun Apr 23 06:37:56 CEST 2006


Hi All,

Many thanks to everyone that has chipped in to help me understand and compile Openswan.

I have now got to the configuration stage but things aren't working right at the moment.

My Openswan server is behind a firewall, which has a public Internet address. The VPN clients will be Windows XP (and sometimes Windows 2000). The XP clients are all updated with Service Pack 1 and the Windows 2000 clients are on SP4. They will be roadwarriors.

I have configured ipsec.secrets with an RSA key (from the ipsec newkeyhost command) and a PSK; neither works. I have switched the authby parameter between rsasig, secret and rsasig|secret.

Questions:
a.) Do I need to update the windows clients to work with Openswan? I read somewhere in the book that this error msg is from Windows offering 1DES.
b.) I really would like to use the rsasig parameter with openswan authentication. How can I configure it as PSK?
c.) I am using lsipsectool on the windows clients, any configuration tips?

My goal is to use certificate-based authentication but I need to get this working as soon as possible, thus PSK for now.

I will appreciate further assistance.

The following are the error messages from various sources:

<snip from /var/log/auth.log>
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50 #90: Can't authenticate: no preshared key found for `10.10.1.57' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50 #90: no acceptable Oakley Transform
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50 #90: sending notification NO_PROPOSAL_CHOSEN to 194.165.179.50:500
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50: deleting connection "syseng" instance with peer 194.165.179.50 {isakmp=#0/ipsec=#0}
Apr 23 05:48:59 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: responding to Main Mode from unknown peer 194.165.179.50
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: Can't authenticate: no preshared key found for `10.10.1.57' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: no acceptable Oakley Transform
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: sending notification NO_PROPOSAL_CHOSEN to 194.165.179.50:500
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50: deleting connection "syseng" instance with peer 194.165.179.50 {isakmp=#0/ipsec=#0}
Apr 23 05:49:07 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: responding to Main Mode from unknown peer 194.165.179.50
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: Can't authenticate: no preshared key found for `10.10.1.57' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: no acceptable Oakley Transform
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: sending notification NO_PROPOSAL_CHOSEN to 194.165.179.50:500
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50: deleting connection "syseng" instance with peer 194.165.179.50 {isakmp=#0/ipsec=#0}
Apr 23 05:49:13 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Delete SA payload: not encrypted
Apr 23 05:49:13 aparo pluto[3425]: packet from 194.165.179.50:500: received and ignored informational message


<snip from openswan firewall log - iptables>
May 22 06:58:38 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=136 TOS=0x00 PREC=0x00 TTL=121 ID=16704 PROTO=UDP SPT=500 DPT=500 LEN=116
May 22 06:58:42 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=136 TOS=0x00 PREC=0x00 TTL=121 ID=16724 PROTO=UDP SPT=500 DPT=500 LEN=116
May 22 06:58:50 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=136 TOS=0x00 PREC=0x00 TTL=121 ID=16745 PROTO=UDP SPT=500 DPT=500 LEN=116
May 22 06:58:56 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=84 TOS=0x00 PREC=0x00 TTL=121 ID=16765 PROTO=UDP SPT=500 DPT=500 LEN=64

<ipsec.conf>
10.10.1.57 %any : PSK "c1343b3494dde5be58864c32d7a70546"
: RSA   {
        # RSA 2192 bits   aparo   Thu Apr 20 23:58:07 2006
        # for signatures only, UNSAFE FOR ENCRYPTION
        }
# do not change the indenting of that "}"

</etc/ipsec.conf>
## Openswan IPSec version 2

# Specify the version of Openswan we are running

version 2

# Global configuration section:
config setup
        nat_traversal=yes
        # klipdebug=all
        # plutodebug=control
        interfaces="ipsec0=eth1"

# General connection section:
conn %default
        authby=secret
        #authby=secret|rsasig

# Systems Engineering vpn connection definition:
conn syseng
        left=10.10.1.57
        leftnexthop=193.95.xxx.xxx
        type=tunnel
        leftrsasigkey=0sAQOK9i0m3/hLM2IMpr/9OSRexS0xqjXFJz5iGYNcOMKZYGvnaYdYBTJ3HS0LCDYt7Kb19kVDPzHI4Qq+8ye8hO4bm7tBIWLsKXj2KzGANn9IKW3bIynZacl2hymP+Vppvy5T2+HfbnogmjtKajD7dBUF2t4q8Y5eBfIJfqDKwAT6lLInpQlJqfVIFneA5xa18+eHsb5OpGXdIUMxjCRRgmf10LToE4yqfSI71tjBzwKpwVtJpAfNTRUdMEL9/2jQlv5HBYXwnXxVpZg9PX6K9U2c9e2CpUZsVdrB5UaCbuy9Jn8cp1zYHpAIZSCU1mcYQmLuSmk+4a3iuZpHchmTivShwl6UdLGAi+xxUQKMtvd4jQfH
        right=%any
        rightid=@gbenga
        rightrsasigkey=0sAQOK9i0m3/hLM2IMpr/9OSRexS0xqjXFJz5iGYNcOMKZYGvnaYdYBTJ3HS0LCDYt7Kb19kVDPzHI4Qq+8ye8hO4bm7tBIWLsKXj2KzGANn9IKW3bIynZacl2hymP+Vppvy5T2+HfbnogmjtKajD7dBUF2t4q8Y5eBfIJfqDKwAT6lLInpQlJqfVIFneA5xa18+eHsb5OpGXdIUMxjCRRgmf10LToE4yqfSI71tjBzwKpwVtJpAfNTRUdMEL9/2jQlv5HBYXwnXxVpZg9PX6K9U2c9e2CpUZsVdrB5UaCbuy9Jn8cp1zYHpAIZSCU1mcYQmLuSmk+4a3iuZpHchmTivShwl6UdLGAi+xxUQKMtvd4jQfH
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

---end---

Thank you all.
Gbenga
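As an added example (not from the post and not Openswan code), a small triage script for pluto log lines of the shape quoted above: per peer it reports how many Main Mode attempts arrived, which vendor IDs the peer sent, which (local-id, remote-id) pair pluto tried to find a PSK for, and which ISAKMP SAs were rejected with NO_PROPOSAL_CHOSEN. The line layouts are assumptions read off the auth.log excerpt, and the sample lines are copied from it.

```python
import re

# Assumed pluto (Openswan 2.x) syslog layouts, as seen in the auth.log excerpt:
#   <ts> <host> pluto[<pid>]: "<conn>"[<inst>] <peer> #<sa>: <message>
#   <ts> <host> pluto[<pid>]: packet from <peer>:<port>: <message>
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) pluto\[\d+\]: (?P<rest>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
PKT_RE = re.compile(r'^packet from (?P<peer>[\d.]+):\d+: (?P<msg>.*)$')
PSK_RE = re.compile(r"no preshared key found for `(?P<local>[^']+)' and `(?P<remote>[^']+)'")
VID_RE = re.compile(r'ignoring Vendor ID payload \[(?P<vid>[^\]]+)\]')

def parse_line(line):
    """Split one pluto log line into a dict, or return None if it is not pluto output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"), "conn": None, "sa": None}
    c = CONN_RE.match(m.group("rest"))
    p = PKT_RE.match(m.group("rest"))
    if c:
        ev.update(conn=c.group("conn"), peer=c.group("peer"), sa=c.group("sa"), msg=c.group("msg"))
    elif p:
        ev.update(peer=p.group("peer"), msg=p.group("msg"))
    else:
        return None
    return ev

def summarize(lines):
    """Aggregate Main Mode attempts and the reasons they were rejected, keyed by peer address."""
    out = {}
    for ev in filter(None, map(parse_line, lines)):
        rec = out.setdefault(ev["peer"], {"attempts": 0, "vendor_ids": set(),
                                           "psk_lookups": set(), "rejected_sas": set()})
        msg = ev["msg"]
        if "responding to Main Mode" in msg:
            rec["attempts"] += 1
        elif (v := VID_RE.search(msg)):
            rec["vendor_ids"].add(v.group("vid"))
        elif (k := PSK_RE.search(msg)):
            # The pair pluto looked up in ipsec.secrets: (our id, peer id).
            rec["psk_lookups"].add((k.group("local"), k.group("remote")))
        elif "NO_PROPOSAL_CHOSEN" in msg:
            rec["rejected_sas"].add(ev["sa"])
    return out

# Sample input: lines copied from the auth.log excerpt in the post.
SAMPLE = """
Apr 23 05:49:07 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: responding to Main Mode from unknown peer 194.165.179.50
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: Can't authenticate: no preshared key found for `10.10.1.57' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: no acceptable Oakley Transform
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: sending notification NO_PROPOSAL_CHOSEN to 194.165.179.50:500
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50: deleting connection "syseng" instance with peer 194.165.179.50 {isakmp=#0/ipsec=#0}
Apr 23 05:49:13 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Delete SA payload: not encrypted
""".strip().splitlines()

if __name__ == "__main__":
    for peer, rec in summarize(SAMPLE).items():
        print(peer, rec)
```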



On Thu, 20 Apr 2006, Gbenga wrote:

> I recompiled the kernel again, this time with kernel 2.6.16 and enabled CONFIG_IPSEC_NAT_TRAVERSAL=y and CONFIG_KLIPS=m.
>
> This compiled ok and I was able to compile and install user-land: modprobe ipsec  (ok)
>
> However, when I ran ipsec verify, NAT Traversal support failed ??
>
> aparo:/home/osogbetun# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.5 (klips)
> Checking for IPsec support in kernel                            [OK]
> KLIPS detected, checking for NAT Traversal support              [FAILED]

This check is most certainly wrong. The code for creating the proc file
by the nat-t patch seems to be missing from the 2.4 branch. So ignore this
error for now.
