[Openswan Users] SA established but not ping

sasa sasa at shoponweb.it
Mon Jan 2 18:17:45 CET 2006


Hi, on one end-point (with kernel 2.6 and openswan 2.4.4-1) I have a strange 
situation; in the log file (/var/log/messages) I have:

Jan  2 17:54:26 fw2 ipsec__plutorun: 104 "princ-cardito" #1: STATE_MAIN_I1: 
initiate
Jan  2 17:54:26 fw2 ipsec__plutorun: ...could not start conn "princ-cardito"

.. in /var/log/secure I have:

Jan  2 17:54:26 fw2 pluto[5278]: added connection description "left-road"
Jan  2 17:54:26 fw2 pluto[5278]: added connection description 
"princ-cardito"
Jan  2 17:54:26 fw2 pluto[5278]: listening for IKE messages
Jan  2 17:54:26 fw2 pluto[5278]: adding interface ipsec0/eth0 1.2.3.4:500
Jan  2 17:54:26 fw2 pluto[5278]: adding interface ipsec0/eth0 1.2.3.4:4500
Jan  2 17:54:26 fw2 pluto[5278]: loading secrets from "/etc/ipsec.secrets"
Jan  2 17:54:26 fw2 pluto[5278]: "princ-cardito" #1: initiating Main Mode
...
Jan  2 17:54:48 fw2 pluto[5278]: "princ-cardito" #2: responding to Main Mode
Jan  2 17:54:48 fw2 pluto[5278]: "princ-cardito" #2: transition from state 
STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  2 17:54:48 fw2 pluto[5278]: "princ-cardito" #2: STATE_MAIN_R1: sent 
MR1, expecting MI2
Jan  2 17:54:48 fw2 pluto[5278]: "princ-cardito" #2: NAT-Traversal: Result 
using 3: peer is NATed
Jan  2 17:54:48 fw2 pluto[5278]: "princ-cardito" #2: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  2 17:54:48 fw2 pluto[5278]: "princ-cardito" #2: STATE_MAIN_R2: sent 
MR2, expecting MI3

..but why is NAT-T used if 'princ-cardito' is a site-to-site connection 
with both end-points having static public IP addresses (both running openswan) 
??

..and then:

Jan  2 17:54:49 fw2 pluto[5278]: | NAT-T: new mapping 5.6.7.8:1/4500)
Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #2: STATE_MAIN_R3: sent 
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 
prf=oakley_md5 group=modp1536}
Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: responding to Quick 
Mode {msgid:71cae9ed}
Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: transition from state 
STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: STATE_QUICK_R1: sent 
QR1, inbound IPsec SA installed, expecting QI2
Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: transition from state 
STATE_QUICK_R1 to state STATE_QUICK_R2
Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: STATE_QUICK_R2: IPsec 
SA established {ESP=>0x4e571584 <0x30c7f1ea xfrm=3DES_0-HMAC_MD5 
NATD=5.6.7.8:4500 DPD=none}

..because in the log file there is "IPsec SA established" but the log file 
also says "could not start conn "princ-cardito"", and in "--status" I have:

000 "princ-cardito":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "princ-cardito":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 0
000 "princ-cardito":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP; prio: 
24,24; interface: eth0;
000 "princ-cardito":   newest ISAKMP SA: #2; newest IPsec SA: #3;
000 "princ-cardito":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "princ-cardito":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "princ-cardito":   ESP algorithms loaded: 3_000-1, flags=-strict
000 "princ-cardito":   ESP algorithm newest: 3DES_0-HMAC_MD5; 
pfsgroup=<Phase1>
000
000 #1: "princ-cardito":500 STATE_MAIN_I1 (sent MI1, expecting MR1); 
EVENT_RETRANSMIT in 24s; nodpd
000 #1: pending Phase 2 for "princ-cardito" replacing #0
000 #3: "princ-cardito":4500 STATE_QUICK_R2 (IPsec SA established); 
EVENT_SA_EXPIRE in 28657s; newest IPSEC; eroute owner
000 #3: "princ-cardito" esp.4e571584 at 5.6.7.8 esp.30c7f1ea at 1.2.3.4 
tun.1002 at 5.6.7.8 tun.1001 at 1.2.3.4
000 #2: "princ-cardito":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA 
established); EVENT_SA_EXPIRE in 3457s; newest ISAKMP; lastdpd=-1s(seq in:0 
out:0)
000

.. in ipsec.conf I have used the parameter "esp=3des-md5" on both end-points.
Thanks.

------
Salvatore.





----- Original Message ----- 
From: "sasa" <sasa at shoponweb.it>
To: <users at openswan.org>
Sent: Thursday, December 29, 2005 5:07 PM
Subject: [Openswan Users] SA established but not ping


> Hi, I have a problem with a LAN-to-LAN connection: the ipsec is 
> established but I can't ping from a pc behind the vpn server; apparently 
> I don't have any error in the log file. In particular on one vpn end-point I 
> have:
>
> ipsec.conf
>
> config setup
> 
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.1.0/16,%v4:192.168.0.0/24,%v4:!10.0.1.0/24
>   interfaces="ipsec0=eth0"
>
> conn %default
> authby=rsasig
> rekey=no
> esp=3des-md5
>
> conn princ-cardito
>  auto=start
>  pfs=yes
>  left=5.6.7.8
>  leftsubnet=192.168.0.0/24
>  leftnexthop=5.6.7.9
>  # RSA 2192 bits   test2   Thu Dec 29 14:09:50 2005
>        leftrsasigkey=0s..
> #sede right cardito
>  right=1.2.3.4
>  rightsubnet=10.0.1.0/24
>  rightnexthop=1.2.3.5
>  # RSA 2192 bits   fw2   Thu Dec 29 14:00:00 2005
>        rightrsasigkey=0sAQ...
>
> ..in log file:
>
> Dec 29 16:34:48 fw2 pluto[7924]: Setting NAT-Traversal port-4500 floating 
> to off
> Dec 29 16:34:48 fw2 pluto[7924]:    port floating activation criteria 
> nat_t=0/port_fload=1
> Dec 29 16:34:48 fw2 pluto[7924]:   including NAT-Traversal patch (Version 
> 0.6c) [disabled]
> Dec 29 16:34:48 fw2 pluto[7924]: ike_alg_register_enc(): Activating 
> OAKLEY_AES_CBC: Ok (ret=0)
> Dec 29 16:34:48 fw2 pluto[7924]: starting up 1 cryptographic helpers
> Dec 29 16:34:48 fw2 pluto[7924]: started helper pid=7925 (fd:6)
> Dec 29 16:34:48 fw2 pluto[7924]: Using KLIPS IPsec interface code on 
> 2.6.9-1.667.root
> Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory 
> '/etc/ipsec.d/cacerts'
> Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory 
> '/etc/ipsec.d/aacerts'
> Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory 
> '/etc/ipsec.d/ocspcerts'
> Dec 29 16:34:48 fw2 pluto[7924]: Could not change to directory 
> '/etc/ipsec.d/crls'
> Dec 29 16:34:48 fw2 pluto[7924]: added connection description "left-road"
> Dec 29 16:34:48 fw2 pluto[7924]: added connection description 
> "princ-cardito"
> Dec 29 16:34:48 fw2 pluto[7924]: listening for IKE messages
> Dec 29 16:34:48 fw2 pluto[7924]: adding interface ipsec0/eth0 1.2.3.4:500
> Dec 29 16:34:48 fw2 pluto[7924]: loading secrets from "/etc/ipsec.secrets"
> Dec 29 16:34:48 fw2 pluto[7924]: "princ-cardito" #1: initiating Main Mode
> Dec 29 16:34:51 fw2 pluto[7924]: initiate on demand from 10.0.1.2:0 to 
> 192.168.0.2:0 proto=0 state: fos_start because: acquire
> Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: ignoring unknown 
> Vendor ID payload [4f454f50487f447340705155]
> Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID 
> payload [Dead Peer Detection]
> Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID 
> payload [RFC 3947] meth=109, but port floating is off
> Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID 
> payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: received Vendor ID 
> payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
> Dec 29 16:34:56 fw2 pluto[7924]: packet from 5.6.7.8:1: ignoring Vendor ID 
> payload [draft-ietf-ipsec-nat-t-ike-00]
> Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: responding to Main 
> Mode
> Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: transition from state 
> STATE_MAIN_R0 to state STATE_MAIN_R1
> Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R1: sent 
> MR1, expecting MI2
> Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: transition from state 
> STATE_MAIN_R1 to state STATE_MAIN_R2
> Dec 29 16:34:56 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R2: sent 
> MR2, expecting MI3
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: Main mode peer ID is 
> ID_IPV4_ADDR: '5.6.7.8'
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: I did not send a 
> certificate because I do not have one.
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: transition from state 
> STATE_MAIN_R2 to state STATE_MAIN_R3
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #2: STATE_MAIN_R3: sent 
> MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 
> prf=oakley_md5 group=modp1536}
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: responding to Quick 
> Mode {msgid:056743c8}
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: transition from state 
> STATE_QUICK_R0 to state STATE_QUICK_R1
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: STATE_QUICK_R1: sent 
> QR1, inbound IPsec SA installed, expecting QI2
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: transition from state 
> STATE_QUICK_R1 to state STATE_QUICK_R2
> Dec 29 16:34:57 fw2 pluto[7924]: "princ-cardito" #3: STATE_QUICK_R2: IPsec 
> SA established {ESP=>0x2f26635a <0xbd01e599 xfrm=3DES_0-HMAC_MD5 NATD=none 
> DPD=none}
> Dec 29 16:35:06 fw2 pluto[7924]: "princ-cardito" #2: ignoring Delete SA 
> payload: PROTO_IPSEC_ESP SA(0x2f266358) not found (maybe expired)
> Dec 29 16:35:06 fw2 pluto[7924]: "princ-cardito" #2: received and ignored 
> informational message
>
> 000 "princ-cardito": 
> 10.0.1.0/24===1.2.3.4---1.2.3.5...5.6.7.9---5.6.7.8===192.168.0.0/24; 
> erouted; eroute owner: #3
> 000 "princ-cardito":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
> dstup=ipsec _updown;
> 000 "princ-cardito":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "princ-cardito":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP; 
> prio: 24,24; interface: eth0;
> 000 "princ-cardito":   newest ISAKMP SA: #2; newest IPsec SA: #3;
> 000 "princ-cardito":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "princ-cardito":   ESP algorithms wanted: 3_000-1, flags=-strict
> 000 "princ-cardito":   ESP algorithms loaded: 3_000-1, flags=-strict
> 000 "princ-cardito":   ESP algorithm newest: 3DES_0-HMAC_MD5; 
> pfsgroup=<Phase1>
> 000
> 000 #1: "princ-cardito":500 STATE_MAIN_I1 (sent MI1, expecting MR1); 
> EVENT_RETRANSMIT in 40s; nodpd
> 000 #1: pending Phase 2 for "princ-cardito" replacing #0
> 000 #1: pending Phase 2 for "princ-cardito" replacing #0
> 000 #3: "princ-cardito":1 STATE_QUICK_R2 (IPsec SA established); 
> EVENT_SA_EXPIRE in 28579s; newest IPSEC; eroute owner
> 000 #3: "princ-cardito" used 110s ago; esp.2f26635a at 5.6.7.8 
> esp.bd01e599 at 1.2.3.4 tun.1002 at 5.6.7.8 tun.1001 at 1.2.3.4
> 000 #2: "princ-cardito":1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); 
> EVENT_SA_EXPIRE in 3379s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000
>
> ..on second end-point I have:
>
> ipsec.conf
>
> config setup
>       interfaces="ipsec0=eth0"
>       nat_traversal=yes
>
> conn %default
>      authby=rsasig
>      esp=3des-md5
>      rekey=no
>
> conn princ-cardito
>  auto=start
>  pfs=yes
> #sede left princ
>  left=5.6.7.8
>  leftsubnet=192.168.0.0/24
>  leftnexthop=5.6.7.9
>  # RSA 2192 bits   test2   Thu Dec 29 14:09:50 2005
>        leftrsasigkey=0s..
> #sede right cardito
>  right=1.2.3.4
>  rightsubnet=10.0.1.0/24
>  rightnexthop=1.2.3.5
>  # RSA 2192 bits   fw2   Thu Dec 29 14:00:00 2005
>        rightrsasigkey=0sA...
>
> ...in log file:
>
> 000 #11: "princ-cardito":500 STATE_QUICK_I2 (sent QI2, IPsec SA 
> established); EVENT_SA_REPLACE_IF_USED in 27936s; newest IPSEC; eroute 
> owner
> 000 #11: "princ-cardito" used 116s ago; esp.bd01e599 at 1.2.3.4 
> esp.2f26635a at 5.6.7.8tun.1004@1.2.3.4 tun.1003 at 5.6.7.9
> 000 #10: "princ-cardito":500 STATE_MAIN_I4 (ISAKMP SA established); 
> EVENT_SA_REPLACE_IF_USED in 2237s; newest ISAKMP; lastdpd=-1s(seq in:0 
> out:0)
> 000
>
> Thanks.
>
> ------
> Salvatore.
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> 
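As an added example (not from the post and not Openswan's own code), a small Python check that parses the per-SA lines of the `--status` output quoted above and flags the three things visible there: SA #1 stuck as initiator in STATE_MAIN_I1 and retransmitting, the responder SAs #2 and #3 bound to port 4500 (NAT-T float), and, in the Dec 29 status, a peer port of 1 that is neither 500 nor 4500. The sample lines are the post's own, rejoined where the mail client wrapped them; the line format assumed is the one shown in the post.

```python
import re

# Constructed sample: the per-SA lines of the Jan 2 `--status` output in the post,
# rejoined onto single lines where the mail client had wrapped them.
STATUS_JAN2 = """\
000 #1: "princ-cardito":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 24s; nodpd
000 #1: pending Phase 2 for "princ-cardito" replacing #0
000 #3: "princ-cardito":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28657s; newest IPSEC; eroute owner
000 #3: "princ-cardito" esp.4e571584 at 5.6.7.8 esp.30c7f1ea at 1.2.3.4 tun.1002 at 5.6.7.8 tun.1001 at 1.2.3.4
000 #2: "princ-cardito":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 3457s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""
# One line from the Dec 29 status in the quoted message (peer port shows as 1).
STATUS_DEC29 = ('000 #2: "princ-cardito":1 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); '
                'EVENT_SA_EXPIRE in 3379s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)\n')

STATE_RE = re.compile(
    r'^000 #(\d+): "([^"]+)":(\d+) (STATE_\w+) \(([^)]*)\); (EVENT_\w+) in (\d+)s')

def parse_states(text):
    """Map SA number -> fields for every per-state line; other 000 lines are skipped."""
    sas = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            num, conn, port, state, desc, event, secs = m.groups()
            sas[int(num)] = dict(conn=conn, port=int(port), state=state,
                                 desc=desc, event=event, secs=int(secs))
    return sas

def diagnose(text):
    """Cross-check the SA table for the symptoms the post describes."""
    findings = []
    for num, sa in sorted(parse_states(text).items()):
        # Our own Main Mode toward the peer never received MR1 and keeps
        # retransmitting: the "could not start conn" side of the picture.
        if sa["state"] == "STATE_MAIN_I1" and sa["event"] == "EVENT_RETRANSMIT":
            findings.append(f"#{num}: initiator stuck in {sa['state']} on port "
                            f"{sa['port']} ({sa['desc']}; retransmit in {sa['secs']}s)")
        # Responder-side states carry "_R"; on 4500 they mean the peer
        # negotiated NAT-T port floating toward us.
        elif "_R" in sa["state"] and sa["port"] == 4500:
            findings.append(f"#{num}: responder SA {sa['state']} on port 4500 "
                            f"(NAT-T float negotiated)")
        # Any other port is not an IKE port at all (the Dec 29 log shows
        # packets from 5.6.7.8:1).
        elif sa["port"] not in (500, 4500):
            findings.append(f"#{num}: IKE peer port {sa['port']} is neither 500 nor 4500")
    return findings
```

Run `diagnose(STATUS_JAN2)` to see the initiator and the two responder findings side by side; the same check over a status taken on the other end-point shows which side is actually failing to answer.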