[Openswan Users] Ike Mode Config and virtual IP
Marco Berizzi
pupilla at hotmail.com
Thu Feb 9 11:50:02 CET 2006
Andreas Steffen wrote:
>strongSwan's configuration setup for an IKE Mode Config server is
>quite different from Openswan's.
>
>Here is an example taken from
>
> http://www.strongswan.org/uml/testresults/mode-config/
>
>------------------------------------------------------------------------
># /etc/ipsec.conf - strongSwan IPsec configuration file
>
>version 2.0 # conforms to second version of ipsec.conf specification
>
>config setup
>    crlcheckinterval=180
>    strictcrlpolicy=no
>
>conn %default
>    left=192.168.0.1
>    leftsubnet=10.1.0.0/16
>    leftsourceip=10.1.0.1
>    leftnexthop=%direct
>    leftcert=moonCert.pem
>    leftid=@moon.strongswan.org
>    leftupdown=/etc/ipsec.updown
>
>conn rw-carol
>    right=%any
>    rightid=carol@strongswan.org
>    rightsourceip=10.3.0.1 # virtual IP reserved for carol
>    auto=add
>
>conn rw-dave
>    right=%any
>    rightid=dave@strongswan.org
>    rightsourceip=10.3.0.2 # virtual IP reserved for dave
>    auto=add
>
>With strongSwan
>
> right|leftsourceip=x.x.x.x automatically implies
> right|leftsubnet=x.x.x.x/32 if subnet is not defined
>
>whereas Openswan requires an explicit subnet definition.
Thanks for the reply Andreas.
I have added leftsubnet=x.x.x.x/32 to ipsec.conf:

conn IMCFG
    left=%any
    leftsourceip=172.31.254.55
    leftsubnet=172.31.254.55/32
    right=10.1.2.10
    rightid=10.1.2.10
    rightsubnet=172.16.1.0/24
    authby=secret
    auto=add
    pfs=yes
    compress=yes
    leftrsasigkey=none
    rightrsasigkey=none
    keyingtries=0
    rightupdown=/usr/local/lib/ipsec/_updown_x509

but openswan and NCP don't talk to each other. Here is the log:
Feb 9 11:39:15 Calimero ipsec__plutorun: Starting Pluto subsystem...
Feb 9 11:39:15 Calimero pluto[12681]: Starting Pluto (Openswan Version 2.4.5rc4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEd|k]dnjtCG)
Feb 9 11:39:15 Calimero pluto[12681]: Setting NAT-Traversal port-4500 floating to off
Feb 9 11:39:15 Calimero pluto[12681]: port floating activation criteria nat_t=0/port_fload=1
Feb 9 11:39:15 Calimero pluto[12681]: including NAT-Traversal patch (Version 0.6c) [disabled]
Feb 9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Feb 9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Feb 9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Feb 9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 9 11:39:15 Calimero pluto[12681]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Feb 9 11:39:15 Calimero pluto[12681]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Feb 9 11:39:15 Calimero pluto[12681]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Feb 9 11:39:15 Calimero pluto[12681]: starting up 1 cryptographic helpers
Feb 9 11:39:15 Calimero pluto[12681]: started helper pid=12691 (fd:6)
Feb 9 11:39:15 Calimero pluto[12681]: Using Linux 2.6 IPsec interface code on 2.6.16-rc2-git5
Feb 9 11:39:15 Calimero pluto[12681]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 9 11:39:15 Calimero pluto[12681]: Changing to directory '/etc/ipsec.d/aacerts'
Feb 9 11:39:15 Calimero pluto[12681]: Changing to directory '/etc/ipsec.d/ocspcerts'
Feb 9 11:39:15 Calimero pluto[12681]: Changing to directory '/etc/ipsec.d/crls'
Feb 9 11:39:15 Calimero pluto[12681]: Warning: empty directory
Feb 9 11:39:15 Calimero pluto[12681]: Changing to directory '/etc/ipsec.d/acerts'
Feb 9 11:39:15 Calimero pluto[12681]: added connection description "IMCFG"
Feb 9 11:39:16 Calimero pluto[12681]: listening for IKE messages
Feb 9 11:39:16 Calimero pluto[12681]: adding interface eth1/eth1 10.1.2.10:500
Feb 9 11:39:16 Calimero pluto[12681]: adding interface eth0/eth0 172.16.1.247:500
Feb 9 11:39:16 Calimero pluto[12681]: adding interface lo/lo 127.0.0.1:500
Feb 9 11:39:16 Calimero pluto[12681]: loading secrets from "/etc/ipsec.secrets"
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: ignoring unknown Vendor ID payload [da8e937880010000]
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received Vendor ID payload [XAUTH]
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received Vendor ID payload [Dead Peer Detection]
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: ignoring unknown Vendor ID payload [eb4c1b788afd4a9cb7730a68d56d088b]
Feb 9 11:39:29 Calimero pluto[12681]: packet from 10.1.2.1:500: received Vendor ID payload [Cisco-Unity]
Feb 9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: responding to Main Mode from unknown peer 10.1.2.1
Feb 9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 9 11:39:29 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Feb 9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: Main mode peer ID is ID_IPV4_ADDR: '10.1.2.1'
Feb 9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: I did not send a certificate because I do not have one.
Feb 9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Feb 9 11:39:30 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: received MODECFG message when in state STATE_MAIN_R3, and we aren't xauth client
Feb 9 11:39:40 Calimero last message repeated 3 times
Feb 9 11:39:43 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1 #1: received Delete SA payload: deleting ISAKMP State #1
Feb 9 11:39:43 Calimero pluto[12681]: "IMCFG"[1] 10.1.2.1: deleting connection "IMCFG" instance with peer 10.1.2.1 {isakmp=#0/ipsec=#0}
Feb 9 11:39:43 Calimero pluto[12681]: packet from 10.1.2.1:500: received and ignored informational message
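The rule Andreas states above (strongSwan derives right|leftsubnet=x.x.x.x/32 from right|leftsourceip when no subnet is given, Openswan needs the /32 written out) is easy to get wrong by hand when the subnet comes from conn %default. The script below is an added example written for this page; it is not code from either project or from the thread. It parses the two configurations quoted above (embedded as constructed input, with the archive form "carol at strongswan.org" written back as an address) and reports, for each conn and side, whether the effective subnet is explicit, implied by the sourceip, or missing. It handles only the ipsec.conf subset that appears in the thread (no also=, include, or multi-line values); that is an assumption of the example.

```python
"""Effective-subnet linter for ipsec.conf conn sections (added example).

Semantics modelled:
  - strongswan: {left,right}sourceip=x.x.x.x implies {left,right}subnet=x.x.x.x/32
                when no subnet is written (as described in the thread);
  - openswan:   the subnet must be written explicitly.
Assumption: only 'conn' sections with one-line key=value entries, '#' comments
and 'conn %default' inheritance are handled.
"""
import ipaddress

# Constructed input: the strongSwan example quoted in the thread.
STRONGSWAN_CONF = """\
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    crlcheckinterval=180
    strictcrlpolicy=no

conn %default
    left=192.168.0.1
    leftsubnet=10.1.0.0/16
    leftsourceip=10.1.0.1
    leftnexthop=%direct
    leftcert=moonCert.pem
    leftid=@moon.strongswan.org
    leftupdown=/etc/ipsec.updown

conn rw-carol
    right=%any
    rightid=carol@strongswan.org
    rightsourceip=10.3.0.1 # virtual IP reserved for carol
    auto=add

conn rw-dave
    right=%any
    rightid=dave@strongswan.org
    rightsourceip=10.3.0.2 # virtual IP reserved for dave
    auto=add
"""

# Constructed input: the Openswan conn from the reply in the thread.
OPENSWAN_CONF = """\
conn IMCFG
    left=%any
    leftsourceip=172.31.254.55
    leftsubnet=172.31.254.55/32
    right=10.1.2.10
    rightid=10.1.2.10
    rightsubnet=172.16.1.0/24
    authby=secret
    auto=add
    pfs=yes
    compress=yes
    leftrsasigkey=none
    rightrsasigkey=none
    keyingtries=0
    rightupdown=/usr/local/lib/ipsec/_updown_x509
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    A non-indented line starts a section; only 'conn NAME' sections are kept
    ('version ...' and 'config setup' are skipped). '#' starts a comment.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] == "conn" and len(parts) == 2:
                current = sections.setdefault(parts[1], {})
            else:
                current = None
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """Merge 'conn %default' under the named conn; the conn's own keys win."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def effective_subnet(conn, side, implementation):
    """Return (network or None, how) for side 'left' or 'right'.

    how is 'explicit' (subnet written), 'implied' (sourceip/32 under strongSwan
    semantics) or 'missing' (openswan would have no subnet at all).
    """
    subnet = conn.get(f"{side}subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False), "explicit"
    sourceip = conn.get(f"{side}sourceip")
    if sourceip and implementation == "strongswan":
        return ipaddress.ip_network(f"{sourceip}/32"), "implied"
    return None, "missing"


def lint(sections, implementation):
    """Return a list of (conn, side, message) findings for conns with a sourceip."""
    findings = []
    for name in sections:
        if name == "%default":
            continue
        conn = effective_conn(sections, name)
        for side in ("left", "right"):
            sourceip = conn.get(f"{side}sourceip")
            if not sourceip:
                continue
            net, how = effective_subnet(conn, side, implementation)
            if how == "missing":
                findings.append((name, side,
                                 f"{side}sourceip={sourceip} without {side}subnet; "
                                 f"{implementation} needs {side}subnet={sourceip}/32 written out"))
            elif ipaddress.ip_address(sourceip) not in net:
                findings.append((name, side,
                                 f"{side}sourceip={sourceip} lies outside {side}subnet={net}"))
    return findings


if __name__ == "__main__":
    cases = (("strongSwan example", STRONGSWAN_CONF, "strongswan"),
             ("strongSwan example read with openswan rules", STRONGSWAN_CONF, "openswan"),
             ("IMCFG", OPENSWAN_CONF, "openswan"))
    for label, text, impl in cases:
        print(f"== {label} ==")
        for conn, side, msg in lint(parse_ipsec_conf(text), impl) or [("-", "-", "no findings")]:
            print(f"  {conn} {side}: {msg}")
```

Run stand-alone it shows the quoted strongSwan configuration clean under strongSwan rules, the same text flagged on the right side of rw-carol and rw-dave under Openswan rules, and the IMCFG conn (which already carries leftsubnet=172.31.254.55/32) clean.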