[Openswan Users] Vigor2600 & Openswan 2.4.5rc5

Roberto Fichera kernel at tekno-soft.it
Tue Feb 21 12:37:28 CET 2006


At 10.19 21/02/2006, Roberto Fichera wrote:
 >I'm testing another configuration as Paul suggested. Basically I had to set
 >the Openswan as initiator with a short keylife in order to avoid the Vigor
 >being the initiator itself.
 >
 >>> On the Vigor side I changed:
 >>>
 >>> Call direction: both
 >>> Idle timeout: 3600 (secs)
 >>>
 >>> IPSec security method:
 >>> High(ESP): 3DES with Authentication
 >>>
 >>> Advanced Menu:
 >>> IKE phase 1 proposal: 3DES_MD5_G2
 >>> IKE phase 1 key lifetime: 28800 (default)
 >>> IKE phase 2 key lifetime: 3600 (default)
 >>>
 >>> on /etc/ipsec.conf
 >>>
 >>> basically I tried auto=add and auto=start (current config)
 >>> but the tunnel isn't rekeyed correctly.
 >>>
 >>> Is the vigor2600 preferred to be the initiator and Openswan I had to
 >>> set auto=add, or Openswan must be the initiator?
 >>
 >>It should work both ways.  That being said, while you're testing this,
 >>getting the vigor2600 to initiate the connection should make it
 >>immediately obvious whether your settings are correct or not.
 >>
 >>Without knowing the error it is showing in your logs, it never hurts to
 >>match your key lifetimes in your connection definition in ipsec.conf:
 >>
 >>ikelifetime=8h
 >>keylife=1h
 >
 >I'll send the log later today, I would test the configuration where the
 >Vigor is dial-in only. In the meanwhile I'll set those as 2h and 1h on
 >Openswan side, while on the Vigor side those will be the default 8h and
 >1h, just to be sure that Vigor doesn't initiate the rekey :-\!

Now I'm getting this:

ipsec auto --status relevant part:

000 "vigor2600-vpn": 192.168.1.0/24===192.168.1.101...xxx.yyy.zzz.kkk===192.168.11.0/24; prospective erouted; eroute owner: #0
000 "vigor2600-vpn":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vigor2600-vpn":   ike_life: 7200s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "vigor2600-vpn":   policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface: eth0;
000 "vigor2600-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
...
000 #27: "vigor2600-vpn":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 16s; nodpd
000 #20: "vigor2600-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 837s; newest IPSEC; eroute owner
000 #20: "vigor2600-vpn" esp.fefcfa5f at xxx.yyy.zzz.kkk esp.68a5327b at 192.168.1.101 tun.0 at xxx.yyy.zzz.kkk tun.0 at 192.168.1.101
000 #5: "vigor2600-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 796s; newest ISAKMP; nodpd

/var/log/secure shows:

Feb 21 10:45:06 vpn pluto[10117]: "vigor2600-vpn" #5: initiating Main Mode
Feb 21 10:45:07 vpn pluto[10117]: "vigor2600-vpn" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 21 10:45:07 vpn pluto[10117]: "vigor2600-vpn" #5: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: I did not send a certificate because I do not have one.
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: Main mode peer ID is ID_IPV4_ADDR: 'xxx.yyy.zzz.kkk'
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5e <0x3ce6ee61 xfrm=3DES_0 HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #10 {using isakmp#5}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5f <0x68a5327b xfrm=3DES_0 HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #5: received Delete SA(0xfefcfa5e) payload: deleting IPSEC State #10
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #5: received and ignored informational message

Here the tunnel is completely locked. So, I had to 'ipsec auto --down vigor2600-vpn'
to get it working:

Feb 21 12:20:19 vpn pluto[10117]: "vigor2600-vpn" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #20 {using isakmp#5}
Feb 21 12:21:29 vpn pluto[10117]: "vigor2600-vpn" #27: max number of retransmissions (2) reached STATE_QUICK_I1
Feb 21 12:22:11 vpn pluto[10117]: "vigor2600-vpn": terminating SAs using this connection
Feb 21 12:22:11 vpn pluto[10117]: "vigor2600-vpn" #20: deleting state (STATE_QUICK_I2)
Feb 21 12:22:11 vpn pluto[10117]: "vigor2600-vpn" #5: deleting state (STATE_MAIN_I4)
...
Feb 21 12:35:15 vpn pluto[10117]: "vigor2600-vpn" #35: initiating Main Mode
Feb 21 12:35:15 vpn pluto[10117]: "vigor2600-vpn" #35: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 21 12:35:15 vpn pluto[10117]: "vigor2600-vpn" #35: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: I did not send a certificate because I do not have one.
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: Main mode peer ID is ID_IPV4_ADDR: 'xxx.yyy.zzz.kkk'
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #36: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#35}
Feb 21 12:35:17 vpn pluto[10117]: "vigor2600-vpn" #36: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 21 12:35:17 vpn pluto[10117]: "vigor2600-vpn" #36: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa60 <0xafe69bb4 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

ipsec auto --status relevant part:

000 "vigor2600-vpn": 192.168.1.0/24===192.168.1.101...xxx.yyy.zzz.kkk===192.168.11.0/24; erouted; eroute owner: #36
000 "vigor2600-vpn":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vigor2600-vpn":   ike_life: 7200s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "vigor2600-vpn":   policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface: eth0;
000 "vigor2600-vpn":   newest ISAKMP SA: #35; newest IPsec SA: #36;
000 "vigor2600-vpn":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
...
000 #36: "vigor2600-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2255s; newest IPSEC; eroute owner
000 #36: "vigor2600-vpn" esp.fefcfa60 at xxx.yyy.zzz.kkk esp.afe69bb4 at 192.168.1.101 tun.0 at xxx.yyy.zzz.kkk tun.0 at 192.168.1.101
000 #35: "vigor2600-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 5782s; newest ISAKMP; nodpd


Roberto Fichera. 
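The rekey sequence in the log above (the Quick Mode replacement #20 for #10, the peer's Delete SA for the old SPI, then #27 timing out in STATE_QUICK_I1) is the kind of thing worth checking mechanically rather than by eye. The script below is an added example, not part of the original post and not Openswan code: it walks pluto log lines in the format quoted above, tracks which IPsec state replaces which, compares the observed rekey timing against the window that ipsec_life, rekey_margin and rekey_fuzz imply (rekeymargin is randomly inflated by up to rekeyfuzz percent and subtracted from the lifetime, per the ipsec.conf semantics), and flags a rekey that got no reply or a live SA deleted by the peer with no replacement in place. The first sample log is copied from the post's excerpt with the mail wrapping rejoined; the second is constructed for this example to exercise the "live SA deleted" branch. The regexes and state bookkeeping are this example's own assumptions about pluto's message text.

```python
import re
from datetime import datetime

# POST_LOG: lines copied from the pluto excerpt quoted in the post above,
# with the mail wrapping rejoined. CONSTRUCTED_LOG: made up for this example
# (state numbers and SPIs are fictitious) to show a peer deleting the live
# SA while no replacement has been negotiated.
POST_LOG = """\
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5e <0x3ce6ee61 xfrm=3DES_0 HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #10 {using isakmp#5}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5f <0x68a5327b xfrm=3DES_0 HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #5: received Delete SA(0xfefcfa5e) payload: deleting IPSEC State #10
Feb 21 12:20:19 vpn pluto[10117]: "vigor2600-vpn" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #20 {using isakmp#5}
Feb 21 12:21:29 vpn pluto[10117]: "vigor2600-vpn" #27: max number of retransmissions (2) reached STATE_QUICK_I1
"""

CONSTRUCTED_LOG = """\
Feb 21 13:00:00 vpn pluto[10117]: "vigor2600-vpn" #40: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x11111111 <0x22222222 xfrm=3DES_0 HMAC_SHA1 NATD=none DPD=none}
Feb 21 13:05:00 vpn pluto[10117]: "vigor2600-vpn" #39: received Delete SA(0x11111111) payload: deleting IPSEC State #40
"""

# Assumed message shapes, taken from the lines quoted in the post.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
REPLACE_RE = re.compile(r'initiating Quick Mode .* to replace #(\d+)')
ESTAB_RE = re.compile(r'IPsec SA established \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)')
DELETE_RE = re.compile(r'received Delete SA\(0x([0-9a-f]+)\) payload: deleting IPSEC State #(\d+)')
RETRANS_RE = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')


def rekey_window(life, margin, fuzz_pct):
    """Seconds after establishment during which pluto starts a replacement.
    rekeymargin is randomly inflated by up to rekeyfuzz percent and subtracted
    from the SA lifetime, so the rekey begins somewhere in this interval."""
    return (life - margin * (1 + fuzz_pct / 100), life - margin)


def analyse(log, ipsec_life=3600, rekey_margin=540, rekey_fuzz=100):
    """Walk pluto log lines and report on IPsec (Quick Mode) SA rekeying.
    Returns {"findings": [...], "rekey_ages": {new_state: seconds}}.
    Defaults match the ipsec_life / rekey_margin / rekey_fuzz shown by
    'ipsec auto --status' in the post."""
    lo, hi = rekey_window(ipsec_life, rekey_margin, rekey_fuzz)
    established = {}   # IPsec state -> (timestamp, outbound SPI)
    replaces = {}      # new state -> state it is replacing
    ages, findings = {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st, msg = int(m['st']), m['msg']
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
        if (r := REPLACE_RE.search(msg)):
            old = int(r.group(1))
            replaces[st] = old
            if old in established:
                age = (ts - established[old][0]).total_seconds()
                ages[st] = age
                level = 'INFO' if lo <= age <= hi else 'WARN'
                findings.append(f'{level}: #{st} started replacing #{old} after '
                                f'{age:.0f}s (expected window {lo:.0f}-{hi:.0f}s)')
        elif (e := ESTAB_RE.search(msg)):
            established[st] = (ts, e.group(1))
        elif (d := DELETE_RE.search(msg)):
            spi, victim = d.group(1), int(d.group(2))
            if victim in established and established[victim][1] != spi:
                findings.append(f'WARN: Delete SA(0x{spi}) does not match outbound '
                                f'SPI 0x{established[victim][1]} of #{victim}')
            if victim in replaces.values():
                findings.append(f'INFO: peer deleted superseded #{victim} '
                                f'(SPI 0x{spi}); expected after a rekey')
            else:
                findings.append(f'WARN: peer deleted #{victim} (SPI 0x{spi}) with no '
                                f'replacement negotiated; tunnel is down')
        elif (x := RETRANS_RE.search(msg)):
            old = replaces.get(st)
            findings.append(f'WARN: #{st} got no Quick Mode reply ({x.group(1)}); '
                            f'#{old} stays the only IPsec SA until it expires')
    return {'findings': findings, 'rekey_ages': ages}


if __name__ == '__main__':
    for name, log in (('post log', POST_LOG), ('constructed log', CONSTRUCTED_LOG)):
        print(f'== {name}')
        for f in analyse(log)['findings']:
            print(f)
```

Run against the post's own lines, the script shows that both Openswan-initiated rekeys fired on schedule (3002 s and 2709 s after the SA they replace, inside the 2520-3060 s window that ipsec_life 3600 / rekey_margin 540 / rekey_fuzz 100% imply), that the peer's Delete SA for 0xfefcfa5e targeted the already superseded #10, and that the only warning is #27 getting no answer to its Quick Mode proposal. With keyingtries set to 1, as in the status output, pluto will not retry that negotiation on its own, which is why the tunnel sits on #20 until it expires.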


