[Openswan Users] Ike Mode Config and virtual IP

Marco Berizzi pupilla at hotmail.com
Thu Feb 9 11:50:02 CET 2006


Andreas Steffen wrote:

>strongSwan's configuration setup for an IKE Mode Config server is
>quite different from Openswan's.
>
>Here is an example taken from
>
>   http://www.strongswan.org/uml/testresults/mode-config/
>
>------------------------------------------------------------------------
># /etc/ipsec.conf - strongSwan IPsec configuration file
>
>version	2.0	# conforms to second version of ipsec.conf specification
>
>config setup
>	crlcheckinterval=180
>	strictcrlpolicy=no
>
>conn %default
>	left=192.168.0.1
>	leftsubnet=10.1.0.0/16
>	leftsourceip=10.1.0.1
>	leftnexthop=%direct
>	leftcert=moonCert.pem
>	leftid=@moon.strongswan.org
>	leftupdown=/etc/ipsec.updown
>
>conn rw-carol
>	right=%any
>	rightid=carol at strongswan.org
>	rightsourceip=10.3.0.1         # virtual IP reserved for carol
>	auto=add
>
>conn rw-dave
>	right=%any
>	rightid=dave at strongswan.org
>	rightsourceip=10.3.0.2         # virtual IP reserved for dave
>	auto=add
>

>With strongSwan
>
>    right|leftsourceip=x.x.x.x automatically implies
>    right|leftsubnet=x.x.x.x/32 if subnet is not defined
>
>whereas Openswan requires an explicit subnet definition.

Thanks for the reply Andreas.
I have added leftsubnet=x.x.x.x/32 to ipsec.conf:

conn IMCFG
        left=%any
        leftsourceip=172.31.254.55
        leftsubnet=172.31.254.55/32
        right=10.1.2.10
        rightid=10.1.2.10
        rightsubnet=172.16.1.0/24
        authby=secret
        auto=add
        pfs=yes
        compress=yes
        leftrsasigkey=none
        rightrsasigkey=none
        keyingtries=0
        rightupdown=/usr/local/lib/ipsec/_updown_x509

but openswan and NCP don't talk to each other. Here is the log:

Feb  9 11:39:15 Calimero ipsec__plutorun: Starting Pluto subsystem...
Feb  9 11:39:15 Calimero pluto[12681]: Starting Pluto (Openswan Version 
2.4.5rc4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID 
OEd|k]dnjtCG)
Feb  9 11:39:15 Calimero pluto[12681]: Setting NAT-Traversal port-4500 
floating to off
Feb  9 11:39:15 Calimero pluto[12681]:    port floating activation criteria 
nat_t=0/port_fload=1
Feb  9 11:39:15 Calimero pluto[12681]:   including NAT-Traversal patch 
(Version 0.6c) [disabled]
Feb  9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating 
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Feb  9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating 
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Feb  9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating 
OAKLEY_SERPENT_CBC: Ok (ret=0)
Feb  9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Feb  9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating 
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Feb  9 11:39:15 Calimero pluto[12681]: ike_alg_register_hash(): Activating 
OAKLEY_SHA2_512: Ok (ret=0)
Feb  9 11:39:15 Calimero pluto[12681]: ike_alg_register_hash(): Activating 
OAKLEY_SHA2_256: Ok (ret=0)
Feb  9 11:39:15 Calimero pluto[12681]: starting up 1 cryptographic helpers
Feb  9 11:39:15 Calimero pluto[12681]: started helper pid=12691 (fd:6)
Feb  9 11:39:15 Calimero pluto[12681]: Using Linux 2.6 IPsec interface code 
on 2.6.16-rc2-git5
Feb  9 11:39:15 Calimero pluto[12681]: Changing to directory 
'/etc/ipsec.d/cacerts'
Feb  9 11:39:15 Calimero pluto[12681]: Changing to directory 
'/etc/ipsec.d/aacerts'
Feb  9 11:39:15 Calimero pluto[12681]: Changing to directory 
'/etc/ipsec.d/ocspcerts'
Feb  9 11:39:15 Calimero pluto[12681]: Changing to directory 
'/etc/ipsec.d/crls'
Feb  9 11:39:15 Calimero pluto[12681]:   Warning: empty directory
Feb  9 11:39:15 Calimero pluto[12681]: Changing to directory 
'/etc/ipsec.d/acerts'
Feb  9 11:39:15 Calimero pluto[12681]: added connection description "IMCFG"
Feb  9 11:39:16 Calimero pluto[12681]: listening for IKE messages
Feb  9 11:39:16 Calimero pluto[12681]: adding interface eth1/eth1 
10.1.2.10:500
Feb  9 11:39:16 Calimero pluto[12681]: adding interface eth0/eth0 
172.16.1.247:500
Feb  9 11:39:16 Calimero pluto[12681]: adding interface lo/lo 127.0.0.1:500
Feb  9 11:39:16 Calimero pluto[12681]: loading secrets from 
"/etc/ipsec.secrets"
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: ignoring 
unknown Vendor ID payload [da8e937880010000]
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received 
Vendor ID payload [XAUTH]
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port 
floating is off
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port 
floating is off
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received 
Vendor ID payload [RFC 3947] meth=109, but port floating is off
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received 
Vendor ID payload [Dead Peer Detection]
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: ignoring 
unknown Vendor ID payload [eb4c1b788afd4a9cb7730a68d56d088b]
Feb  9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received 
Vendor ID payload [Cisco-Unity]
Feb  9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: responding to 
Main Mode from unknown peer 10.1.2.1
Feb  9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: transition 
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb  9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: 
STATE_MAIN_R1: sent MR1, expecting MI2
Feb  9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: transition 
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb  9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: 
STATE_MAIN_R2: sent MR2, expecting MI3
Feb  9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: ignoring 
informational payload, type IPSEC_INITIAL_CONTACT
Feb  9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: Main mode 
peer ID is ID_IPV4_ADDR: '10.1.2.1'
Feb  9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: I did not 
send a certificate because I do not have one.
Feb  9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: transition 
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb  9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Feb  9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: received 
MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
Feb  9 11:39:40 Calimero last message repeated 3 times
Feb  9 11:39:43 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: received 
Delete SA payload: deleting ISAKMP State #1
Feb  9 11:39:43 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1: deleting 
connection "IMCFG" instance with peer 10.1.2.1 {isakmp=#0/ipsec=#0}
Feb  9 11:39:43 Calimero pluto[12681]: packet from 10.1.2.1:500: received 
and ignored informational message
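As an added example (not code from this thread, from Openswan or from strongSwan), a small Python checker for the rule Andreas describes: it parses the conn sections of an ipsec.conf (merging conn %default into each conn) and reports every left/rightsourceip that has no matching subnet, which Openswan requires explicitly while strongSwan implies a /32, or whose subnet does not contain the virtual IP. The two sample configs are constructed from the ones quoted in this thread, and the `openswan` flag is an assumption that models the difference between the two daemons.

```python
import ipaddress
import re

# Constructed samples, trimmed from the two configs quoted in this thread.
STRONGSWAN_CONF = """conn %default
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftsourceip=10.1.0.1
conn rw-carol
    rightsourceip=10.3.0.1         # virtual IP reserved for carol
conn rw-dave
    rightsourceip=10.3.0.2         # virtual IP reserved for dave
"""
OPENSWAN_CONF = """conn IMCFG
    leftsourceip=172.31.254.55
    leftsubnet=172.31.254.55/32
    rightsubnet=172.16.1.0/24
"""

def parse_ipsec_conf(text):
    """Return {conn: {key: value}}, with conn %default merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # section header line
            m = re.match(r"conn\s+(\S+)", line)
            current = sections.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:     # key=value inside a conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **kv} for name, kv in sections.items()}

def check_sourceip(conns, openswan=True):
    """List (conn, side, problem) for each sourceip with a missing or wrong subnet."""
    findings = []
    for name, kv in conns.items():
        for side in ("left", "right"):
            src, subnet = kv.get(side + "sourceip"), kv.get(side + "subnet")
            if not src:
                continue
            if subnet is None and openswan:         # strongSwan would imply src/32
                findings.append((name, side, f"add {side}subnet={src}/32"))
            elif subnet and ipaddress.ip_address(src) not in ipaddress.ip_network(subnet, strict=False):
                findings.append((name, side, f"{src} is not inside {side}subnet={subnet}"))
    return findings
```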