[Openswan Users] Openswan U2.4.4/K2.6.15.7-ubuntu1.1282006 (netkey) - Windows Xp with sp2

Andy Gay andy at andynet.net
Wed Aug 30 09:29:24 EDT 2006


On Wed, 2006-08-30 at 09:26 +0200, Jure wrote:
> I have one server Kubuntu with Linux Openswan
> U2.4.4/K2.6.15.7-ubuntu1.1282006 (netkey)
> 
> on this computer I have two network cards
> 
> one eth0 - direct connection with ppp0 for adsl modem
> IP: 192.168.0.3
> broadcast: 192.168.0.255
> mask: 255.255.255.0
> 
> second eth1 for crossover cable with Windows Xp client
> IP: 192.168.0.4
> broadcast: 192.168.0.255
> mask: 255.255.255.0
> 
eth0 and eth1 are using the same network. So when you send packets to
192.168.0.5 it will probably try to send them out of eth0. You need to
get the 2 interfaces on different network numbers.

What are you trying to do here? It appears you're trying to run ipsec
between 2 directly connected computers. Why?
 
> my ipsec.conf on Linux is
> 
> version 2.0
> 
> config setup
>         interfaces="ipsec0=eth1"
>         klipsdebug=none
>         plutodebug=all

You should set plutodebug="none"

>         uniqueids=yes
>         nat_traversal=yes
> 
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
> 
> conn babylon3-do-babylon1
>         type=tunnel
>         authby=rsasig
>         left=192.168.0.4
>         leftnexthop=%direct
>         right=192.168.0.5
>         rightnexthop=%direct
>         leftrsasigkey=%cert
>         rightrsasigkey=%cert
>         leftcert=babylon3.pem
>         rightcert=babylon4.pem
>         keyingtries=0
>         auto=start
>         pfs=yes
> 
> eth1 network card is directly connected with a crossover cable
> to my Windows Xp client with service pack 2, in which I have
> one network card
> 
> eth0
> IP: 192.168.0.5
> mask: 255.255.255.0
> gateway: 192.168.0.4
> 
> 
> c:\ipsec\ipsec.conf
> 
> conn babylon3-do-babylon1
>     left=%any
>     right=192.168.0.4
>     rightsubnet=192.168.0.0/24
>     rightca="C=S,S=Slovenia,L=Ljubljana,O=g,CN=Jure,E=babylon9 at gmail.com"
>     network=auto
>     auto=start
>     pfs=yes
> 
> c:\ipsec\ipsec.exe
> 
> The problem is when I connect and then ping the Kubuntu server. First it
> negotiates IP security. But then I can't get any packets
> back, always 4 packets lost.
> 
> my log /var/log/auth.log says
> 
> Aug 30 09:20:18 localhost pluto[19001]: "babylon3-do-babylon1" #1:
> initiating Main Mode
> Aug 30 09:20:20 localhost pluto[19001]: initiate on demand from
> 192.168.0.4:0 to 192.168.0.5:0 proto=0 state: fos_start because: acquire
> Aug 30 09:20:47 localhost pluto[19001]: packet from 192.168.0.5:1:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Aug 30 09:20:47 localhost pluto[19001]: packet from 192.168.0.5:1:
> ignoring Vendor ID payload [FRAGMENTATION]
> Aug 30 09:20:49 localhost pluto[19001]: packet from 192.168.0.5:1:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
> Aug 30 09:20:50 localhost pluto[19001]: packet from 192.168.0.5:1:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Aug 30 09:20:51 localhost pluto[19001]: "babylon3-do-babylon1" #2:
> responding to Main Mode
> Aug 30 09:20:51 localhost pluto[19001]: "babylon3-do-babylon1" #2:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Aug 30 09:20:52 localhost pluto[19001]: "babylon3-do-babylon1" #2:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Aug 30 09:20:53 localhost pluto[19001]: packet from 192.168.0.5:1:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Aug 30 09:20:53 localhost pluto[19001]: packet from 192.168.0.5:1:
> ignoring Vendor ID payload [FRAGMENTATION]
> Aug 30 09:20:54 localhost pluto[19001]: packet from 192.168.0.5:1:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
> Aug 30 09:20:54 localhost pluto[19001]: packet from 192.168.0.5:1:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Aug 30 09:20:54 localhost pluto[19001]: "babylon3-do-babylon1" #3:
> responding to Main Mode
> Aug 30 09:20:54 localhost pluto[19001]: "babylon3-do-babylon1" #3:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Aug 30 09:20:54 localhost pluto[19001]: "babylon3-do-babylon1" #3:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Aug 30 09:20:54 localhost pluto[19001]: "babylon3-do-babylon1" #2:
> ERROR: asynchronous network error report on eth1 (sport=500) for message
> to 192.168.0.5 port 1, complainant 192.168.0.4: No route to host [errno
> 113, origin ICMP type 3 code 1 (not authenticated)]

So it lost contact with the other system. Probably it's trying to send
packets out eth0.

> Aug 30 09:20:54 localhost pluto[19001]: "babylon3-do-babylon1" #3:
> ERROR: asynchronous network error report on eth1 (sport=500) for message
> to 192.168.0.5 port 1, complainant 192.168.0.4: No route to host [errno
> 113, origin ICMP type 3 code 1 (not authenticated)]
> 
> Can anybody help me? I would really appreciate any help, guys!

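As an added illustration of the routing point made above (example code, not from the thread or the Openswan project), a small Python check that flags interfaces whose connected networks overlap and reports which interfaces are equally good candidates to carry traffic for the XP host's address. The 192.168.0.x addresses are the ones in the post; the 10.0.0.0/30 renumbering is a constructed example of putting eth1 on its own network.

```python
import ipaddress

# Constructed sample modelled on the two interfaces described in the post:
# eth0 towards the ADSL modem, eth1 on the crossover cable to the XP host.
INTERFACES = {
    "eth0": "192.168.0.3/24",
    "eth1": "192.168.0.4/24",
}

# Same host after moving eth1 onto its own /30 (constructed fix).
RENUMBERED = {
    "eth0": "192.168.0.3/24",
    "eth1": "10.0.0.1/30",
}


def overlapping_networks(ifaces: dict) -> list:
    """Return interface pairs whose directly connected networks overlap."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def candidate_egress(ifaces: dict, dst: str) -> list:
    """Interfaces whose connected route is a longest-prefix match for dst.

    One name means the route table decides unambiguously. Two or more
    means the kernel breaks the tie by route order, so packets for dst
    can leave the NIC that is not cabled to the peer.
    """
    target = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_interface(cidr).network, name)
               for name, cidr in ifaces.items()
               if target in ipaddress.ip_interface(cidr).network]
    if not matches:
        return []
    best = max(net.prefixlen for net, _ in matches)
    return sorted(name for net, name in matches if net.prefixlen == best)


if __name__ == "__main__":
    for label, cfg, peer in (("as posted", INTERFACES, "192.168.0.5"),
                             ("renumbered", RENUMBERED, "10.0.0.2")):
        print(label, "overlaps:", overlapping_networks(cfg),
              "egress for", peer, ":", candidate_egress(cfg, peer))
```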

