[Openswan Users] tunnel with fix ip works, with dyn ip not

lars behrens lars at hfk-bremen.de
Mon Jan 23 22:11:05 CET 2006


hi,

I've got a debian-sarge openswan-box with a static IP.

two other debian-boxes with static IPs and roadwarriors via L2TPd can 
connect without problems.

all are using PSK though I know that the usage of RSA should be 
preferred ... ;-)


now I want to set up a connection with another box that's connecting via 
dsl and a dynamic IP.

the other box protects a 192.168.117.x/24-LAN.

when I'm setting in the temporary IP from the roadwarrior-gateway on 
both the VPN-gateway and the dyn-ip-roadwarrior-gateway, the tunnel is 
coming up.

when i am using right=%any on the VPN-gateway and right=%defaultroute 
on the roadwarrior-gateway, the tunnel fails.

I am starting the ipsec first on the gateway and then I am doing a

ipsec auto --add weserblick

on the roadwarrior I just start the ipsec because I set the parameter

auto=start.



the log on the VPN-gateway says:

Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick": 192.168.115.0/24===1.2.25.239...%virtual===?; unrouted; 
eroute owner: #0
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 1
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick":   policy: PSK+ENCRYPT+TUNNEL; prio: 24,32; interface: 
ppp0;
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick":   newest ISAKMP SA: #0; newest IPsec SA: #0;
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 
5_000-2-2, flags=-strict
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 
5_192-2_160-5, 5_192-2_160-2,
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]: 192.168.115.0/24===1.2.25.239...84.137.212.80; 
unrouted; eroute owner: #0
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 1
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   policy: PSK+ENCRYPT+TUNNEL; prio: 24,32; interface: 
ppp0;
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   newest ISAKMP SA: #1; newest IPsec SA: #0;
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 
5_000-2-5, 5_000-2-2, flags=-strict
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 
5_192-2_160-5, 5_192-2_160-2,
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   ESP algorithms wanted: 3_000-1, 3_000-2, 
flags=-strict
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2: 
"weserblick"[1]:   ESP algorithms loaded: 3_000-1, 3_000-2, 
flags=-strict
Jan 23 21:58:24 lin174 pluto[25437]: "weserblick"[1] 84.137.212.80 #2:

- then there is a time-out of about 10 seconds; the log on the 
roadwarrior-gateway says:

Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: initiating 
Main Mode
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: received 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: enabling 
possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: transition 
from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: 
STATE_MAIN_I2: sent MI2, expecting MR2
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: I did not 
send a certificate because I do not have one.
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: 
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT 
detected
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: transition 
from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: 
STATE_MAIN_I3: sent MI3, expecting MR3
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: Main mode 
peer ID is ID_IPV4_ADDR: '1.2.25.239'
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: transition 
from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #1: 
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jan 23 22:54:37 weserblickgw pluto[6697]: "weserblick" #2: initiating 
Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}


- because it pauses 10 seconds.

after that, the ipsec on the VPN-gateway starts up automatically:

Jan 23 21:58:34 lin174 ipsec__plutorun: Restarting Pluto subsystem...
Jan 23 21:58:34 lin174 pluto[25616]: Starting Pluto (Openswan Version 
2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)

(...)

- and so on; while the roadwarrior-gateway logs:

Jan 23 22:54:47 weserblickgw pluto[6697]: "weserblick" #2: ERROR: 
asynchronous network error report on ppp0 (sport=500) for message to 
1.2.25.239 port 500, complainant 1.2.25.239: Connection refused [errno 
111, origin ICMP type 3 code 3 (not authenticated)]

the time on the gateway is not synchronized, btw.


here's my ipsec.conf on the VPN-gateway:


version 2

config setup
           plutodebug="none"
           nat_traversal=yes
           virtual_private=%v4:192.168.117.0/24

conn weserblick
           authby=secret
           keyingtries=1
           left=1.2.25.239
           leftsubnet=192.168.115.0/24
           right=%any
           rightsubnet=vhost:%no,%priv
           pfs=no
           auto=add

include /etc/ipsec.d/examples/no_oe.conf


- the ipsec.conf on the dyn-IP-roadwarrior-gateway:

version 2

config setup
           plutodebug="none"
           nat_traversal=yes
           uniqueids=yes
           interfaces=%defaultroute
           virtual_private=%v4:192.168.117.0/24,%v4:192.168.115.0/24

conn weserblick
           authby=secret
           keyingtries=0
           right=%defaultroute
           left=217.91.25.239
           leftsubnet=192.168.115.0/24
           pfs=no
           auto=start

include /etc/ipsec.d/examples/no_oe.conf


I have tried to change left and right, pfs=no and yes, uniqueids and 
keyingtries - no change of the behaviour.

as I said, when I am setting in the dynamic IP on both boxes, the 
tunnel starts up immediately, so it shouldn't be a problem with the 
firewall.


any ideas?!


thanx a lot in advance!


lars


