Fw: [Openswan Users]

Gbenga stjames08 at yahoo.co.uk
Mon Apr 24 01:05:20 CEST 2006 

Hi all,

This has got a little bit better. I realised I didn't set the routing properly for the vpn server,  now that is done and the error message has changed to this. I cannot establish connection yet. I also included the virtual_interface parameter in the config setup.

Just a remider, I will still appreciate response to how to properly configure openswan to use RSA key as PSK.


Many thanks,
Gbenga

<error msg>
Apr 24 00:41:07 aparo pluto[5218]: | *received 108 bytes from 194.165.182.162:500 on eth1 (port=500)
Apr 24 00:41:07 aparo pluto[5218]: |  processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
Apr 24 00:41:07 aparo pluto[5218]: packet from 194.165.182.162:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Apr 24 00:41:07 aparo pluto[5218]: | instantiated "syseng" for 194.165.182.162
Apr 24 00:41:07 aparo pluto[5218]: | creating state object #1 at 0x8103900
Apr 24 00:41:07 aparo pluto[5218]: | processing connection syseng[1] 194.165.182.162
Apr 24 00:41:07 aparo pluto[5218]: | ICOOKIE:  83 0a ef 31  cc b2 db d9
Apr 24 00:41:07 aparo pluto[5218]: | RCOOKIE:  37 0f 0a 39  f7 2a 1c af
Apr 24 00:41:07 aparo pluto[5218]: | peer:  c2 a5 b6 a2
Apr 24 00:41:07 aparo pluto[5218]: | state hash entry 25
Apr 24 00:41:07 aparo pluto[5218]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
Apr 24 00:41:07 aparo pluto[5218]: "syseng"[1] 194.165.182.162 #1: responding to Main Mode from unknown peer 194.165.182.162
Apr 24 00:41:07 aparo pluto[5218]: | started looking for secret for 10.10.1.57->@gbenga of kind PPK_PSK
Apr 24 00:41:07 aparo pluto[5218]: | instantiating him to 0.0.0.0
Apr 24 00:41:07 aparo pluto[5218]: | actually looking for secret for 10.10.1.57->0.0.0.0 of kind PPK_PSK
Apr 24 00:41:07 aparo pluto[5218]: | 1: compared PSK 0.0.0.0 to 10.10.1.57 / @gbenga -> 2
Apr 24 00:41:07 aparo pluto[5218]: | 2: compared PSK 10.10.1.57 to 10.10.1.57 / @gbenga -> 6
Apr 24 00:41:07 aparo pluto[5218]: | best_match 0>6 best=0x8102428 (line=1)
Apr 24 00:41:07 aparo pluto[5218]: | concluding with best_match=6 best=0x8102428 (lineno=1)
Apr 24 00:41:07 aparo pluto[5218]: | complete state transition with STF_OK
Apr 24 00:41:07 aparo pluto[5218]: "syseng"[1] 194.165.182.162 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 24 00:41:07 aparo pluto[5218]: | sending reply packet to 194.165.182.162:500 (from port=500)
Apr 24 00:41:07 aparo pluto[5218]: | sending 120 bytes for STATE_MAIN_R0 through eth1:500 to 194.165.182.162:500:
Apr 24 00:41:07 aparo pluto[5218]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
Apr 24 00:41:07 aparo pluto[5218]: "syseng"[1] 194.165.182.162 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 24 00:41:07 aparo pluto[5218]: | modecfg pull: noquirk policy:push not-client
Apr 24 00:41:07 aparo pluto[5218]: | phase 1 is done, looking for phase 1 to unpend
Apr 24 00:41:07 aparo pluto[5218]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Apr 24 00:41:07 aparo pluto[5218]: |
Apr 24 00:41:07 aparo pluto[5218]: | *received 56 bytes from 194.165.182.162:500 on eth1 (port=500)
Apr 24 00:41:07 aparo pluto[5218]: |  processing packet with exchange type=ISAKMP_XCHG_INFO (5)
Apr 24 00:41:07 aparo pluto[5218]: | ICOOKIE:  83 0a ef 31  cc b2 db d9
Apr 24 00:41:07 aparo pluto[5218]: | RCOOKIE:  00 00 00 00  00 00 00 00
Apr 24 00:41:07 aparo pluto[5218]: | peer:  c2 a5 b6 a2
Apr 24 00:41:07 aparo pluto[5218]: | state hash entry 12
Apr 24 00:41:07 aparo pluto[5218]: | p15 state object not found
Apr 24 00:41:07 aparo pluto[5218]: packet from 194.165.182.162:500: ignoring Delete SA payload: not encrypted
Apr 24 00:41:07 aparo pluto[5218]: packet from 194.165.182.162:500: received and ignored informational message
Apr 24 00:41:07 aparo pluto[5218]: | complete state transition with STF_IGNORE
Apr 24 00:41:07 aparo pluto[5218]: | next event EVENT_RETRANSMIT in 10 seconds for #1
Apr 24 00:41:17 aparo pluto[5218]: |
Apr 24 00:41:17 aparo pluto[5218]: | *time to handle event
Apr 24 00:41:17 aparo pluto[5218]: | handling event EVENT_RETRANSMIT
Apr 24 00:41:17 aparo pluto[5218]: | event after this is EVENT_SHUNT_SCAN in 67 seconds
Apr 24 00:41:17 aparo pluto[5218]: | processing connection syseng[1] 194.165.182.162
Apr 24 00:41:17 aparo pluto[5218]: | handling event EVENT_RETRANSMIT for 194.165.182.162 "syseng" #1
Apr 24 00:41:17 aparo pluto[5218]: | sending 120 bytes for EVENT_RETRANSMIT through eth1:500 to 194.165.182.162:500:
Apr 24 00:41:17 aparo pluto[5218]: | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
Apr 24 00:41:17 aparo pluto[5218]: | next event EVENT_RETRANSMIT in 20 seconds for #1
Apr 24 00:41:37 aparo pluto[5218]: |
Apr 24 00:41:37 aparo pluto[5218]: | *time to handle event
Apr 24 00:41:37 aparo pluto[5218]: | handling event EVENT_RETRANSMIT
Apr 24 00:41:37 aparo pluto[5218]: | event after this is EVENT_SHUNT_SCAN in 47 seconds
Apr 24 00:41:37 aparo pluto[5218]: | processing connection syseng[1] 194.165.182.162
Apr 24 00:41:37 aparo pluto[5218]: | handling event EVENT_RETRANSMIT for 194.165.182.162 "syseng" #1
Apr 24 00:41:37 aparo pluto[5218]: | sending 120 bytes for EVENT_RETRANSMIT through eth1:500 to 194.165.182.162:500:
Apr 24 00:41:37 aparo pluto[5218]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
Apr 24 00:41:37 aparo pluto[5218]: | next event EVENT_RETRANSMIT in 40 seconds for #1
Apr 24 00:41:37 aparo pluto[5218]: |
Apr 24 00:41:37 aparo pluto[5218]: | *received 56 bytes from 194.165.182.162:500 on eth1 (port=500)
Apr 24 00:41:37 aparo pluto[5218]: |  processing packet with exchange type=ISAKMP_XCHG_INFO (5)
Apr 24 00:41:37 aparo pluto[5218]: | ICOOKIE:  83 0a ef 31  cc b2 db d9
Apr 24 00:41:37 aparo pluto[5218]: | RCOOKIE:  37 0f 0a 39  f7 2a 1c af
Apr 24 00:41:37 aparo pluto[5218]: | peer:  c2 a5 b6 a2
Apr 24 00:41:37 aparo pluto[5218]: | state hash entry 25
Apr 24 00:41:37 aparo pluto[5218]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000
Apr 24 00:41:37 aparo pluto[5218]: | p15 state object #1 found, in STATE_MAIN_R1
Apr 24 00:41:37 aparo pluto[5218]: | processing connection syseng[1] 194.165.182.162
Apr 24 00:41:37 aparo pluto[5218]: "syseng"[1] 194.165.182.162 #1: ignoring informational payload, type INVALID_COOKIE
Apr 24 00:41:37 aparo pluto[5218]: | processing informational INVALID_COOKIE (4)
Apr 24 00:41:37 aparo pluto[5218]: "syseng"[1] 194.165.182.162 #1: received and ignored informational message
Apr 24 00:41:37 aparo pluto[5218]: | complete state transition with STF_IGNORE
Apr 24 00:41:37 aparo pluto[5218]: | next event EVENT_RETRANSMIT in 40 seconds for #1


Hi All,

Many thanks to everyone that has chipped in to help me understand and compile Openswan.

I have now got to the configuration stage but things aren't working right at the moment.

My Openswan server is behind a firewall, which has public Internet address, the vpn clients will be Windows XP (and sometimes windows 2000). The XP clients are all updated with service pack 1 and the Windows 2000 clients are with SP4. They will be roadwarriors.

I have configured the ipsec.secret with RSA key ( from ipsec newkeyhost command) and PSK, neither work. I have switched the authby parameter between rsasig, secret and rsasig|secret.

Questions:
a.) Do I need to update the windows clients to work with Openswan? I read somewhere in the book that this error msg is from Windows offering 1DES.
b.) I really would like to use the rsasig parameter with openswan authentication. How can I configure it as PSK?
c.) I am using lsipsectool on the windows clients, any configuration tips?

My goal is to use certificate-based authentication but I need to get this working as soon as possible, thus PSK for now.

I will appreciate further assistance.

The following are the errors messages from various sources:

<snip from /var/log/auth.log>
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50 #90: Can't authenticate: no preshared key found for `10.10.1.57' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50 #90: no acceptable Oakley Transform
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50 #90: sending notification NO_PROPOSAL_CHOSEN to 194.165.179.50:500
Apr 23 05:48:55 aparo pluto[3425]: "syseng"[90] 194.165.179.50: deleting connection "syseng" instance with peer 194.165.179.50 {isakmp=#0/ipsec=#0}
Apr 23 05:48:59 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: responding to Main Mode from unknown peer 194.165.179.50
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: Can't authenticate: no preshared key found for `10.10.1.57' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: no acceptable Oakley Transform
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50 #91: sending notification NO_PROPOSAL_CHOSEN to 194.165.179.50:500
Apr 23 05:48:59 aparo pluto[3425]: "syseng"[91] 194.165.179.50: deleting connection "syseng" instance with peer 194.165.179.50 {isakmp=#0/ipsec=#0}
Apr 23 05:49:07 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: responding to Main Mode from unknown peer 194.165.179.50
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: Can't authenticate: no preshared key found for `10.10.1.57' and `%any'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: no acceptable Oakley Transform
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50 #92: sending notification NO_PROPOSAL_CHOSEN to 194.165.179.50:500
Apr 23 05:49:07 aparo pluto[3425]: "syseng"[92] 194.165.179.50: deleting connection "syseng" instance with peer 194.165.179.50 {isakmp=#0/ipsec=#0}
Apr 23 05:49:13 aparo pluto[3425]: packet from 194.165.179.50:500: ignoring Delete SA payload: not encrypted
Apr 23 05:49:13 aparo pluto[3425]: packet from 194.165.179.50:500: received and ignored informational message


<snip from openswan fireall log - iptables>
May 22 06:58:38 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=136 TOS=0x00 PREC=0x00 TTL=121 ID=16704 PROTO=UDP SPT=500 DPT=500 LEN=116
May 22 06:58:42 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=136 TOS=0x00 PREC=0x00 TTL=121 ID=16724 PROTO=UDP SPT=500 DPT=500 LEN=116
May 22 06:58:50 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=136 TOS=0x00 PREC=0x00 TTL=121 ID=16745 PROTO=UDP SPT=500 DPT=500 LEN=116
May 22 06:58:56 robbob kernel: UDP Accept:IN=eth0 OUT=eth1 SRC=194.165.179.50 DST=10.10.1.57 LEN=84 TOS=0x00 PREC=0x00 TTL=121 ID=16765 PROTO=UDP SPT=500 DPT=500 LEN=64

<ipsec.conf>
10.10.1.57 %any : PSK "c1343b3494dde5be58864c32d7a70546"
: RSA   {
        # RSA 2192 bits   aparo   Thu Apr 20 23:58:07 2006
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOK9i0m3/hLM2IMpr/9OSRexS0xqjXFJz5iGYNcOMKZYGvnaYdYBTJ3HS0LCDYt7Kb19kVDPzHI4Qq+8y
e8hO4bm7tBIWLsKXj2KzGANn9IKW3bIynZacl2hymP+Vppvy5T2+HfbnogmjtKajD7dBUF2t4q8Y5eBfIJfqDKwAT6lLInpQlJqf
VIFneA5xa18+eHsb5OpGXdIUMxjCRRgmf10LToE4yqfSI71tjBzwKpwVtJpAfNTRUdMEL9/2jQlv5HBYXwnXxVpZg9PX6K9U2c9e
2CpUZsVdrB5UaCbuy9Jn8cp1zYHpAIZSCU1mcYQmLuSmk+4a3iuZpHchmTivShwl6UdLGAi+xxUQKMtvd4jQfH
        Modulus: 0x8af62d26dff84b33620ca6bffd39245ec52d31aa35c5273e6219835c38c299606be76987580532771
d2d0b08362deca6f5f645433f31c8e10abef327bc84ee1b9bbb412162ec2978f62b3180367f48296ddb2329d969c97687298
ff95a69bf2e53dbe1df6e7a209a3b4a6a30fb741505dade2af18e5e05f2097ea0cac004fa94b227a50949a9f548167780e71
6b5f3e787b1be4ea465dd2143318c24518267f5d0b4e8138caa7d223bd6d8c1cf02a9c15b49a407cd4d151d3042fdff68d09
6fe470585f09d7c55a5983d3d7e8af54d9cf5ed82a5466c55dac1e546826eecbd267f1ca75cd81e9008652094d667184262e
e4a693ee1ade2b99a477219938af4a1c25e9474b1808bec7151028cb6f7788d07c7
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: 0x172907867aa961dde5acc67554dedb6520dcdd9c5e4b868a65aeeb3a0975c43abca691968
eab88692f8781d6b3b2521bd3a90b8b3532f6d02c7528869f6b7d0499f48adae5d206e97e5c8840091536b1924f3086f991a
193c13197fee466f532634f504fe7bf056f09e1bc5d7f3e0380f9cfb1d2ed0faba856ea7021caab7f18c85bf0d6e19c538c0
37d74fd0aac173923c255e4473429735c2ca09e24dd09134ea626dfd74e144011b2ce3272b33db24bb7b709807da054908bf
5e7c7c040bdf227feb5b0853443d386b9183e4d4f8bb487effe2f52d0a2f6b52d0324a98d5d84494375a819911c22a9f6732
39ce8e72069e2cab5bdaa80329a9d7b8a3d27d9c5f69de4f76600e274a5236033e7450f5553
        Prime1: 0xf65dad425506b4fb812476e7730a4d391b3dff795c400dd6b1c2ec7b237e8a1bf5bf24ae830ad662b1
9ef0b7c6f8a49db5b35ddd3722d00beaa58848c7456d859261c1e0b6ad39f367544b04e4b77e76eb27bf23c243960c330700
de60aee8531759247a55419ce16199f9b5e97cc261e91c8b4c60f1fc6ae86d810c7d6c1148c17fb198b138225049
        Prime2: 0x90654b945861dbb5a2967e11b9da1fe10a8a6ffaf7f174221e3be805b28517b5b0446e704c2cbd3249
bade12945a7d2f458732dd17efba8e2ae8263195d6a11d82852b346ec31cc7568e652596ba8a82bb10b06f31295f59320b9a
09247a77420d74ff17158b5b4a6d7e84e95266f608bea4a909bb138ab3ae7395d89f1a8c6cb0ae99e6daa20eb78f
        Exponent1: 0xa43e73818e0478a7ab6da49a4cb188d0bcd3ffa63d800939cbd7485217a9b167f92a1874575c8ee
c7669f5cfd9fb186923cce93e24c1e007f1c3b03084d8f3ae6196814079c8d14cef8d8758987a544f476fd4c281826408220
4ab3eeb1f458cba3b6da6e3811340ebbbfbce9ba881969b685cdd95f6a847459e5608539d60db2baa7665cb7ac18adb
        Exponent2: 0x604387b83aebe7ce6c64540bd13c1540b1b19ffca54ba2c1697d455921ae0fce7582f44add7328c
c31273eb70d91a8ca2e5a21e8ba9fd1b41c9ac4210e8f1613ac58c77849d76884e45eee190f270701d20b204a20c63f90cc0
7bc061851a4d6b3a354ba0e5ce786f3a9adf0e199f95b29c31b5bd20d0722744d0e906a11b2f320746699e716b47a5f
        Coefficient: 0xd30465d4e45df402b81c283ae95274c51b5710ed20ae016a9b64e2dd7b73a8d0647aa7a06bbf4
5dbb1e7598d38210b2290e0580fb4c54d27cca86c097f7041af1e6cf372f2d060f66671d657d65199a5c866cf6f013d368c0
075ef3afee41effe02ee63b4b6dbfeabe8ebca2325a8e66b4e5a4f9a1a8135073cb79198cdd5c7a68958b45fa3a8d71d2
        }
# do not change the indenting of that "}"

</etc/ipsec.conf>
## Openswan IPSec version 2

# Specify the version of Openswan we are running

version 2

# Global configuration section:
config setup
        nat_traversal=yes
        # klipdebug=all
        # plutodebug=control
        interfaces="ipsec0=eth1"

# General connection section:
conn %default
        authby=secret
        #authby=secret|rsasig

# Systems Engineering vpn connection definition:
conn syseng
        left=10.10.1.57
        leftnexthop=193.95.xxx.xxx
        type=tunnel
        leftrsasigkey=0sAQOK9i0m3/hLM2IMpr/9OSRexS0xqjXFJz5iGYNcOMKZYGvnaYdYBTJ3HS0LCDYt7Kb19kVDPzHI
4Qq+8ye8hO4bm7tBIWLsKXj2KzGANn9IKW3bIynZacl2hymP+Vppvy5T2+HfbnogmjtKajD7dBUF2t4q8Y5eBfIJfqDKwAT6lLIn
pQlJqfVIFneA5xa18+eHsb5OpGXdIUMxjCRRgmf10LToE4yqfSI71tjBzwKpwVtJpAfNTRUdMEL9/2jQlv5HBYXwnXxVpZg9PX6K
9U2c9e2CpUZsVdrB5UaCbuy9Jn8cp1zYHpAIZSCU1mcYQmLuSmk+4a3iuZpHchmTivShwl6UdLGAi+xxUQKMtvd4jQfH
        right=%any
        rightid=@gbenga
        rightrsasigkey=0sAQOK9i0m3/hLM2IMpr/9OSRexS0xqjXFJz5iGYNcOMKZYGvnaYdYBTJ3HS0LCDYt7Kb19kVDPzH
I4Qq+8ye8hO4bm7tBIWLsKXj2KzGANn9IKW3bIynZacl2hymP+Vppvy5T2+HfbnogmjtKajD7dBUF2t4q8Y5eBfIJfqDKwAT6lLI
npQlJqfVIFneA5xa18+eHsb5OpGXdIUMxjCRRgmf10LToE4yqfSI71tjBzwKpwVtJpAfNTRUdMEL9/2jQlv5HBYXwnXxVpZg9PX6
K9U2c9e2CpUZsVdrB5UaCbuy9Jn8cp1zYHpAIZSCU1mcYQmLuSmk+4a3iuZpHchmTivShwl6UdLGAi+xxUQKMtvd4jQfH
        auto=add

include /etc/ipsec.d/examples/no_oe.conf

---end---

Thank you all.
Gbenga



On Thu, 20 Apr 2006, Gbenga wrote:

> I recompiled the kernel again, this time with kernel 2.6.16 and enabled CONFIG_IPSEC_NAT_TRAVERSAL=y and CONFIG_KLIPS=m.
>
> This compiled ok and I was able to compile and install user-land: modprobe ipsec  (ok)
>
> However, when I ran ipsec verify, NAT Traversal support failed ??
>
> aparo:/home/osogbetun# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.5 (klips)
> Checking for IPsec support in kernel                            [OK]
> KLIPS detected, checking for NAT Traversal support              [FAILED]

This check is most certainly wrong. The code for creating the proc file
by the nat-t patch seems to be missing from the 2.4 branch. So ignore this
error for now.





_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list