[Openswan Users] Vigor2600 & Openswan 2.4.5rc5
Roberto Fichera
kernel at tekno-soft.it
Tue Feb 21 12:37:28 CET 2006
At 10.19 21/02/2006, Roberto Fichera wrote:
> I'm testing another configuration as Paul suggested. Basically I had to set
> the Openswan as initiator with a short keylife in order to avoid the Vigor
> being the initiator itself.
>
>>> On the Vigor side I changed:
>>>
>>> Call direction: both
>>> Idle timeout: 3600 (secs)
>>>
>>> IPSec security method:
>>> High(ESP): 3DES with Authentication
>>>
>>> Advanced Menu:
>>> IKE phase 1 proposal: 3DES_MD5_G2
>>> IKE phase 1 key lifetime: 28800 (default)
>>> IKE phase 2 key lifetime: 3600 (default)
>>>
>>> on /etc/ipsec.conf
>>>
>>> basically I tried auto=add and auto=start (current config)
>>> but the tunnel isn't rekeyed correctly.
>>>
>>> Is the vigor2600 preferred to be the initiator and on Openswan I had
>>> to set auto=add, or must Openswan be the initiator?
>>
>> It should work both ways. That being said, while you're testing this,
>> getting the vigor2600 to initiate the connection should make it
>> immediately obvious whether your settings are correct or not.
>>
>> Without knowing the error it is showing in your logs, it never hurts to
>> match your key lifetimes in your connection definition in ipsec.conf:
>>
>> ikelifetime=8h
>> keylife=1h
>
> I'll send the log later today; I would test the configuration where the
> Vigor is dial-in only. In the meanwhile I'll set those as 2h and 1h on the
> Openswan side, while on the Vigor side those will be the default 8h and 1h,
> just to be sure that the Vigor doesn't initiate the rekey :-\!
Now I'm getting this:
ipsec auto --status relevant part:
000 "vigor2600-vpn": 192.168.1.0/24===192.168.1.101...xxx.yyy.zzz.kkk===192.168.11.0/24; prospective erouted; eroute owner: #0
000 "vigor2600-vpn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vigor2600-vpn": ike_life: 7200s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "vigor2600-vpn": policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface: eth0;
000 "vigor2600-vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
...
000 #27: "vigor2600-vpn":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 16s; nodpd
000 #20: "vigor2600-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 837s; newest IPSEC; eroute owner
000 #20: "vigor2600-vpn" esp.fefcfa5f@xxx.yyy.zzz.kkk esp.68a5327b@192.168.1.101 tun.0@xxx.yyy.zzz.kkk tun.0@192.168.1.101
000 #5: "vigor2600-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 796s; newest ISAKMP; nodpd
/var/log/secure shows:
Feb 21 10:45:06 vpn pluto[10117]: "vigor2600-vpn" #5: initiating Main Mode
Feb 21 10:45:07 vpn pluto[10117]: "vigor2600-vpn" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 21 10:45:07 vpn pluto[10117]: "vigor2600-vpn" #5: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: I did not send a certificate because I do not have one.
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: Main mode peer ID is ID_IPV4_ADDR: 'xxx.yyy.zzz.kkk'
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5e <0x3ce6ee61 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #10 {using isakmp#5}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5f <0x68a5327b xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #5: received Delete SA(0xfefcfa5e) payload: deleting IPSEC State #10
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #5: received and ignored informational message
Here the tunnel is completely locked. So, I had to run 'ipsec auto --down vigor2600-vpn'
to get it working again:
Feb 21 12:20:19 vpn pluto[10117]: "vigor2600-vpn" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #20 {using isakmp#5}
Feb 21 12:21:29 vpn pluto[10117]: "vigor2600-vpn" #27: max number of retransmissions (2) reached STATE_QUICK_I1
Feb 21 12:22:11 vpn pluto[10117]: "vigor2600-vpn": terminating SAs using this connection
Feb 21 12:22:11 vpn pluto[10117]: "vigor2600-vpn" #20: deleting state (STATE_QUICK_I2)
Feb 21 12:22:11 vpn pluto[10117]: "vigor2600-vpn" #5: deleting state (STATE_MAIN_I4)
...
Feb 21 12:35:15 vpn pluto[10117]: "vigor2600-vpn" #35: initiating Main Mode
Feb 21 12:35:15 vpn pluto[10117]: "vigor2600-vpn" #35: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 21 12:35:15 vpn pluto[10117]: "vigor2600-vpn" #35: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: I did not send a certificate because I do not have one.
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: Main mode peer ID is ID_IPV4_ADDR: 'xxx.yyy.zzz.kkk'
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #35: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 21 12:35:16 vpn pluto[10117]: "vigor2600-vpn" #36: initiating Quick Mode PSK+ENCRYPT+TUNNEL {using isakmp#35}
Feb 21 12:35:17 vpn pluto[10117]: "vigor2600-vpn" #36: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 21 12:35:17 vpn pluto[10117]: "vigor2600-vpn" #36: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa60 <0xafe69bb4 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
ipsec auto --status relevant part:
000 "vigor2600-vpn": 192.168.1.0/24===192.168.1.101...xxx.yyy.zzz.kkk===192.168.11.0/24; erouted; eroute owner: #36
000 "vigor2600-vpn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vigor2600-vpn": ike_life: 7200s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "vigor2600-vpn": policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface: eth0;
000 "vigor2600-vpn": newest ISAKMP SA: #35; newest IPsec SA: #36;
000 "vigor2600-vpn": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
...
000 #36: "vigor2600-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2255s; newest IPSEC; eroute owner
000 #36: "vigor2600-vpn" esp.fefcfa60@xxx.yyy.zzz.kkk esp.afe69bb4@192.168.1.101 tun.0@xxx.yyy.zzz.kkk tun.0@192.168.1.101
000 #35: "vigor2600-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 5782s; newest ISAKMP; nodpd
Roberto Fichera.
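The post above is trying to establish which side is driving the rekey and why the second Quick Mode replacement hangs. The script below is an added example, not code from Roberto's message or from Openswan. It takes the rekey parameters exactly as `ipsec auto --status` prints them (ike_life, ipsec_life, rekey_margin, rekey_fuzz) and applies the initiator-side scheduling described in the ipsec.conf documentation: rekeymargin is randomly inflated by up to rekeyfuzz percent and subtracted from the SA lifetime, so a 3600 s SA with margin 540 s and fuzz 100% is rekeyed somewhere between 2520 s and 3060 s after it came up. It then walks the pluto log lines from the post, checks each "to replace #N" against that window, and flags a replacement that ends in "max number of retransmissions" in STATE_QUICK_I1. Assumptions: the year 2006 is supplied from the message date because syslog timestamps carry none, and the verdict labels ("in-window", "out-of-window", "rekey-stalled") are this example's own.

```python
"""Rekey-timing check for an Openswan (pluto) connection.

Added example; not from the original post and not part of Openswan.
Applies the initiator-side EVENT_SA_REPLACE scheduling (lifetime minus a
rekeymargin inflated by a random 0..rekeyfuzz percent) to the values
shown by `ipsec auto --status`, then reports on each rekey in the log.
"""
import re
from datetime import datetime

# Status and log lines copied from the post, re-joined onto single lines.
STATUS_LINE = ('000 "vigor2600-vpn": ike_life: 7200s; ipsec_life: 3600s; '
               'rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1')

LOG = """\
Feb 21 10:45:08 vpn pluto[10117]: "vigor2600-vpn" #10: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5e <0x3ce6ee61 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #10 {using isakmp#5}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #20: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfefcfa5f <0x68a5327b xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Feb 21 11:35:10 vpn pluto[10117]: "vigor2600-vpn" #5: received Delete SA(0xfefcfa5e) payload: deleting IPSEC State #10
Feb 21 12:20:19 vpn pluto[10117]: "vigor2600-vpn" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #20 {using isakmp#5}
Feb 21 12:21:29 vpn pluto[10117]: "vigor2600-vpn" #27: max number of retransmissions (2) reached STATE_QUICK_I1
"""

STATUS_RE = re.compile(r"ike_life: (\d+)s; ipsec_life: (\d+)s; "
                       r"rekey_margin: (\d+)s; rekey_fuzz: (\d+)%")
LOG_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                    r'"([^"]+)" #(\d+): (.*)$')
LOG_YEAR = "2006"   # assumption: taken from the message date; syslog has no year


def parse_status(line):
    """Pull the lifetimes and rekey parameters out of a status line."""
    ike, ipsec, margin, fuzz = map(int, STATUS_RE.search(line).groups())
    return {"ike_life": ike, "ipsec_life": ipsec,
            "rekey_margin": margin, "rekey_fuzz": fuzz}


def rekey_window(life, margin, fuzz_pct):
    """(earliest, latest) seconds after establishment at which the initiator
    schedules EVENT_SA_REPLACE: margin grows by a random 0..fuzz_pct percent
    and is subtracted from the lifetime."""
    return life - margin - margin * fuzz_pct // 100, life - margin


def analyse(status_line, log_text):
    """Return (new_state, old_state, age_s, verdict) for every rekey in the
    log, plus a 'rekey-stalled' entry for a Quick Mode replacement that
    exhausted its retransmissions."""
    cfg = parse_status(status_line)
    lo, hi = rekey_window(cfg["ipsec_life"], cfg["rekey_margin"],
                          cfg["rekey_fuzz"])
    established = {}          # state number -> time its IPsec SA came up
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(LOG_YEAR + " " + m.group(1),
                                 "%Y %b %d %H:%M:%S")
        state, msg = int(m.group(3)), m.group(4)
        if "IPsec SA established" in msg:
            established[state] = when
        r = re.search(r"to replace #(\d+)", msg)
        if r and int(r.group(1)) in established:
            old = int(r.group(1))
            age = int((when - established[old]).total_seconds())
            verdict = "in-window" if lo <= age <= hi else "out-of-window"
            findings.append((state, old, age, verdict))
        if "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            findings.append((state, None, None, "rekey-stalled"))
    return findings


if __name__ == "__main__":
    cfg = parse_status(STATUS_LINE)
    print("IPsec rekey window (s):",
          rekey_window(cfg["ipsec_life"], cfg["rekey_margin"],
                       cfg["rekey_fuzz"]))
    for finding in analyse(STATUS_LINE, LOG):
        print(finding)
```

Run against the lines from the post, both rekeys land inside Openswan's own window (3002 s and 2709 s after the SA they replace came up), which is consistent with Openswan, not the Vigor, being the side that initiates them; the second one then exhausts its retransmissions in STATE_QUICK_I1, which is the point at which the post reports the tunnel as locked. The same `rekey_window` applied to ike_life gives 6120..6660 s for the ISAKMP SA, matching the "EVENT_SA_REPLACE in 796s" countdown shown for #5.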