[Openswan Users]
Tomasz Grzelak
tgrzelak at wktpolska.com.pl
Tue Aug 1 00:22:15 CEST 2006
Paul Wouters wrote:
>> ERROR: asynchronous network error report on eth0 (sport=4500) for message to
>> W.X.Y.Z port 13631, complainant A.B.C.D: No route to host [errno 113, origin
>> ICMP type 3 code 1 (not authenticated)]
>
> Openswan is trying to send replies for W.X.Y.Z via A.B.C.D. My guess is that
> NAT was not properly detected. Can you show the full IPsec SA established line?
> It should show whether or not NAT is in use.
>
Here you are, the short version, one line:
Jul 31 13:52:58 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x92103582 <0xb8fbb2f0
xfrm=3DES_0-HMAC_MD5 NATD=W.X.Y.Z:13631 DPD=none}
The longer version, including ISAKMP SA, SA installation, and IPSec SA.
I took it from the pluto log;
the ISAKMP SA first:
-------------------------------------------------------------------------
Jul 31 13:52:57 localhost pluto[19518]: | searching for certificate
PPK_RSA:AwEAAdWfZ vs PPK_RSA:AwEAAdWfZ
Jul 31 13:52:57 localhost pluto[19518]: | signing hash with RSA Key
*AwEAAdWfZ
Jul 31 13:52:57 localhost pluto[19518]: | complete state transition with
STF_OK
Jul 31 13:52:57 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 31 13:52:57 localhost pluto[19518]: | sending reply packet to
W.X.Y.Z:13628 (from port=500)
Jul 31 13:52:57 localhost pluto[19518]: | NAT-T: new mapping
W.X.Y.Z:13628/13631)
Jul 31 13:52:57 localhost pluto[19518]: | processing connection
roadwarrior[2] W.X.Y.Z
Jul 31 13:52:57 localhost pluto[19518]: | sending 932 bytes for
STATE_MAIN_R2 through eth0:4500 to W.X.Y.Z:13631:
Jul 31 13:52:57 localhost pluto[19518]: | inserting event
EVENT_SA_EXPIRE, timeout in 28800 seconds for #1
Jul 31 13:52:57 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
-------------------------------------------------------------------------
Next, the SA is installed:
-------------------------------------------------------------------------
Jul 31 13:52:57 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #2:
responding to Quick Mode {msgid:31f3a79f}
Jul 31 13:52:57 localhost pluto[19518]: |
compute_proto_keymat:needed_len (after ESP enc)=24
Jul 31 13:52:57 localhost pluto[19518]: |
compute_proto_keymat:needed_len (after ESP auth)=40
Jul 31 13:52:57 localhost pluto[19518]: | install_inbound_ipsec_sa()
checking if we can route
Jul 31 13:52:57 localhost pluto[19518]: | route owner of
"roadwarrior"[2] W.X.Y.Z unrouted: NULL; eroute owner: NULL
Jul 31 13:52:57 localhost pluto[19518]: | could_route called for
roadwarrior (kind=CK_INSTANCE)
Jul 31 13:52:57 localhost pluto[19518]: | add inbound eroute
W.X.Y.Z/32:1701 --17-> A.B.C.D/32:1701 => tun.10000 at A.B.C.D (raw_eroute)
Jul 31 13:52:57 localhost pluto[19518]: | complete state transition with
STF_OK
Jul 31 13:52:57 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 31 13:52:57 localhost pluto[19518]: | sending reply packet to
W.X.Y.Z:13631 (from port=4500)
Jul 31 13:52:57 localhost pluto[19518]: | sending 188 bytes for
STATE_QUICK_R0 through eth0:4500 to W.X.Y.Z:13631:
Jul 31 13:52:57 localhost pluto[19518]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
Jul 31 13:52:58 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
-------------------------------------------------------------------------
And finally we have the IPSec SA established:
-------------------------------------------------------------------------
Jul 31 13:52:58 localhost pluto[19518]: | executing up-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='up-host' PLUTO_CONNECTION='roadwarrior'
PLUTO_NEXT_HOP='W.X.Y.Z' PLUTO_INTERFACE='eth0' PLUTO_ME='A.B.C.D'
PLUTO_MY_ID='C=PL, ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o.,
OU=Centrala, CN=Openswan 2.4.6rc3, E=tgrzelak at wktpolska.com.pl'
PLUTO_MY_CLIENT='A.B.C.D/32' PLUTO_MY_CLIENT_NET='A.B.C.D'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701'
PLUTO_MY_PROTOCOL='17' PLUTO_PEER='W.X.Y.Z' PLUTO_PEER_ID='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala,
CN=vpntest, E=tgrzelak at wktpolska.com.pl' PLUTO_PEER_CLIENT='W.X.Y.Z/32'
PLUTO_PEER_CLIENT_NET='W.X.Y.Z' PLUTO_PEER_CLIENT_MASK='255.255.255.255'
PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala, CN=CA,
E=tgrzelak at wktpolska.com.pl'
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Jul 31 13:52:58 localhost pluto[19518]: | route_and_eroute:
firewall_notified: true
Jul 31 13:52:58 localhost pluto[19518]: | command executing prepare-host
Jul 31 13:52:58 localhost pluto[19518]: | executing prepare-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host'
PLUTO_CONNECTION='roadwarrior' PLUTO_NEXT_HOP='W.X.Y.Z'
PLUTO_INTERFACE='eth0' PLUTO_ME='A.B.C.D' PLUTO_MY_ID='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala,
CN=Openswan 2.4.6rc3, E=tgrzelak at wktpolska.com.pl'
PLUTO_MY_CLIENT='A.B.C.D/32' PLUTO_MY_CLIENT_NET='A.B.C.D'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701'
PLUTO_MY_PROTOCOL='17' PLUTO_PEER='W.X.Y.Z' PLUTO_PEER_ID='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala,
CN=vpntest, E=tgrzelak at wktpolska.com.pl' PLUTO_PEER_CLIENT='W.X.Y.Z/32'
PLUTO_PEER_CLIENT_NET='W.X.Y.Z' PLUTO_PEER_CLIENT_MASK='255.255.255.255'
PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala, CN=CA,
E=tgrzelak at wktpolska.com.pl'
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Jul 31 13:52:58 localhost pluto[19518]: | command executing route-host
Jul 31 13:52:58 localhost pluto[19518]: | executing route-host: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-host'
PLUTO_CONNECTION='roadwarrior' PLUTO_NEXT_HOP='W.X.Y.Z'
PLUTO_INTERFACE='eth0' PLUTO_ME='A.B.C.D' PLUTO_MY_ID='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala,
CN=Openswan 2.4.6rc3, E=tgrzelak at wktpolska.com.pl'
PLUTO_MY_CLIENT='A.B.C.D/32' PLUTO_MY_CLIENT_NET='A.B.C.D'
PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701'
PLUTO_MY_PROTOCOL='17' PLUTO_PEER='W.X.Y.Z' PLUTO_PEER_ID='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala,
CN=vpntest, E=tgrzelak at wktpolska.com.pl' PLUTO_PEER_CLIENT='W.X.Y.Z/32'
PLUTO_PEER_CLIENT_NET='W.X.Y.Z' PLUTO_PEER_CLIENT_MASK='255.255.255.255'
PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='C=PL,
ST=Malopolska, L=Krakow, O=WKT-Polska Sp. z o.o., OU=Centrala, CN=CA,
E=tgrzelak at wktpolska.com.pl'
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+COMPRESS+TUNNEL+DONTREKEY' ipsec _updown
Jul 31 13:52:58 localhost pluto[19518]: | route_and_eroute: instance
"roadwarrior"[2] W.X.Y.Z, setting eroute_owner
{spd=0x8107e1c,sr=0x8107e1c} to #2 (was #0) (newest_ipsec_sa=#0)
Jul 31 13:52:58 localhost pluto[19518]: | complete state transition with
STF_OK
Jul 31 13:52:58 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 31 13:52:58 localhost pluto[19518]: | inserting event
EVENT_SA_EXPIRE, timeout in 3600 seconds for #2
Jul 31 13:52:58 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x92103582 <0xb8fbb2f0
xfrm=3DES_0-HMAC_MD5 NATD=W.X.Y.Z:13631 DPD=none}
-------------------------------------------------------------------------
Regards,
Tomasz Grzelak
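Paul's diagnosis rests on reading two pluto lines together: the "IPsec SA established" line, whose NATD= field shows whether NAT-T was negotiated and which peer address:port the mapping points at, and the asynchronous network error report for that same peer port. The example below is added here and is not part of the thread or of Openswan; it parses both line types and correlates them, using sample lines constructed from the anonymised output quoted in this post.

```python
import re
# Constructed sample modelled on the pluto lines quoted in the thread (addresses
# anonymised as in the post, each record joined back onto a single line).
SAMPLE_LOG = [
    'Jul 31 13:52:58 localhost pluto[19518]: "roadwarrior"[2] W.X.Y.Z #2: '
    'STATE_QUICK_R2: IPsec SA established {ESP=>0x92103582 <0xb8fbb2f0 '
    'xfrm=3DES_0-HMAC_MD5 NATD=W.X.Y.Z:13631 DPD=none}',
    'Jul 31 13:52:59 localhost pluto[19518]: ERROR: asynchronous network error '
    'report on eth0 (sport=4500) for message to W.X.Y.Z port 13631, complainant '
    'A.B.C.D: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]',
]
SA_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): \S+: '
                   r'IPsec SA established \{(?P<attrs>[^}]*)\}')
ERR_RE = re.compile(r'asynchronous network error report on (?P<iface>\S+) '
                    r'\(sport=(?P<sport>\d+)\) for message to (?P<peer>\S+) port '
                    r'(?P<dport>\d+), complainant (?P<complainant>\S+): '
                    r'(?P<msg>[^\[]+?) \[errno (?P<errno>\d+)')

def parse_sa(line):
    """Fields of an 'IPsec SA established' line; 'natd' is None when NAT-T is not in use."""
    m = SA_RE.search(line)
    if not m:
        return None
    attrs = dict(t.split('=', 1) for t in m['attrs'].split() if '=' in t)
    info = {'conn': m['conn'], 'peer': m['peer'], 'sa': int(m['sa']),
            'esp_out': attrs.get('ESP', '').lstrip('>'),   # 'ESP=>spi' is the outbound SPI
            'xfrm': attrs.get('xfrm'), 'dpd': attrs.get('DPD'), 'natd': None}
    if 'NATD' in attrs:                                    # peer address:port as seen behind its NAT
        host, port = attrs['NATD'].rsplit(':', 1)
        info['natd'] = (host, int(port))
    return info

def parse_error(line):
    """Fields of an 'asynchronous network error report' line, numeric fields as ints."""
    m = ERR_RE.search(line)
    if not m:
        return None
    return {k: int(v) if v.isdigit() else v.strip() for k, v in m.groupdict().items()}

def diagnose(lines):
    """Flag ICMP error reports whose destination is the NAT-T mapping of an established SA."""
    mappings, findings = {}, []
    for line in lines:
        sa = parse_sa(line)
        if sa and sa['natd']:
            mappings[sa['natd']] = sa
        err = parse_error(line)
        if err and (err['peer'], err['dport']) in mappings:
            sa = mappings[(err['peer'], err['dport'])]
            findings.append(f"{sa['conn']} #{sa['sa']}: {err['complainant']} reports '{err['msg']}' "
                            f"(errno {err['errno']}) for replies from {err['iface']}:{err['sport']} to "
                            f"NAT-T mapping {err['peer']}:{err['dport']}; check the route to the peer")
    return findings
```

Running diagnose() over a full pluto log points at SAs whose NAT-T mapping was learned but whose replies draw an ICMP unreachable, which is exactly the combination Paul is asking to confirm.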