[Openswan Users]

Andy fs at globalnetit.com
Tue Jul 4 23:45:21 CEST 2006


On Tue, 2006-07-04 at 20:14 -0400, jack wrote:
> I'm running openswan 2.4.6rc1 on slackware with kernel 2.6.17.
> 
> I'm pretty sure the tunnel is up:
> 000 #1: "rfd":500 STATE_MAIN_I4 (ISAKMP SA established); 
> EVENT_SA_REPLACE in 27523s; newest ISAKMP; nodpd
That message only tells you phase 1 (IKE) completed OK. You need to see
an "IPsec SA established" to know that phase 2 is OK and your tunnel is
up.

Your ipsec auto --status output does have that though, so it looks like
all is well.

> 
> But traffic to the rightside does not get encrypted, using tcpdump on 
> the outside interface of the box running openswan shows the traffic in 
> the clear.

Do you see cleartext packets in both directions? It's normal to see both
ESP and cleartext for arriving packets - tcpdump sees packets before
and after they get decrypted. So you should expect to see just ESP
outbound, and both for inbound.

This may have changed in 2.6.17 though.

To verify this properly, you need to hook up another system to your
outside segment and run the tcpdump there. It should only see ESP
packets.

> 
> I previously ran freeswan 1.99, so I'm used to seeing the ipsec0 interfaces.
> 
> The box that runs openswan also runs iptables, I've tried the VPN tunnel 
> after flushing the iptables rules with iptables -F. I'm using the same 
> iptables config I used with freeswan 1.99.
That's not likely to work correctly if you don't have ipsecX interfaces
anymore.
> 
> ipsec verify shows ok for everything but RSA private key and 
> Opportunistic Encryption Support which is disabled.
> 
> ipsec setup --status shows 1 tunnels up
> 
> ipsec auto --status | more shows a bunch of stuff
> 000 interface eth0/eth0 192.168.3.1
> 000 interface eth1/eth1 x.x.x.33
> 000 interface lo/lo 127.0.0.1
> 000 %myid = (none)
> 000 debug 
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509

Wow. Is this from 'plutodebug=all'? You should turn that off if you want
to use this tunnel in production.

> 000 
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, 
> keysizemax=192
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, 
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, 
> keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000 
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} 
> trans={0,0,0} attrs={0,0,0}
> 000 
> 000 "rfd": 
> 192.168.3.0/24===x.x.x.33---x.x.x..1...x.x.x.1---x.x.x.8===172.16.24.0/21; 
> erouted; eroute owner: #2
> 000 "rfd":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
> dstup=ipsec _updown;
> 000 "rfd":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; 
> rekey_fuzz: 100%; keyingtries: 0
> 000 "rfd":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,21; interface: 
> eth1;
> 000 "rfd":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "rfd":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 000 
> 000 #2: "rfd":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
> EVENT_SA_REPLACE in 1438s; newest IPSEC; eroute owner
> 000 #2: "rfd" esp.32f38b55 at x.x.x.8 esp.eac916ce at x.x.x.33 tun.0 at x.x.x.8 
> tun.0 at x.x.x.33
> 000 #1: "rfd":500 STATE_MAIN_I4 (ISAKMP SA established); 
> EVENT_SA_REPLACE in 26785s; newest ISAKMP; nodpd
> 000 
> 
> As far as I can tell everything looks good, I must be missing something.
> 
> 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-- 
Andy <fs at globalnetit.com>
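An added example, not part of either post in this thread: a small POSIX shell check that applies Andy's point to the status text jack pasted. It distinguishes "phase 1 only" (an ISAKMP SA but no IPsec SA) from a tunnel that is genuinely up, and also checks that pluto reports an eroute for the connection, since without one outbound packets are never steered into ESP. The status strings matched are the openswan 2.4 pluto lines quoted above; the sample status block is constructed from those lines and the connection name "rfd" is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): classify a connection's
# state from the text of "ipsec auto --status".

# Constructed sample, assembled from the status lines quoted in the thread
# (wrapped lines joined, addresses left as the poster masked them).
SAMPLE_STATUS='000 "rfd": 192.168.3.0/24===x.x.x.33---x.x.x.1...x.x.x.1---x.x.x.8===172.16.24.0/21; erouted; eroute owner: #2
000 "rfd":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "rfd":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1438s; newest IPSEC; eroute owner
000 #1: "rfd":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26785s; newest ISAKMP; nodpd'

# tunnel_state CONN STATUS_TEXT
# Prints exactly one word and returns 0 only for "up":
#   down        - no ISAKMP SA for CONN at all
#   phase1-only - ISAKMP SA established but no IPsec SA (what the
#                 STATE_MAIN_I4 line alone tells you)
#   no-eroute   - IPsec SA exists but pluto reports no eroute for CONN,
#                 so matching traffic will leave in the clear
#   up          - both SAs established and an eroute owner is set
# I4/R3 and I2/R2 cover the initiator and responder side respectively.
tunnel_state() {
    conn="$1"
    status="$2"

    if ! printf '%s\n' "$status" |
         grep -Eq "\"$conn\":500 STATE_MAIN_(I4|R3) .*ISAKMP SA established"; then
        echo down
        return 1
    fi
    if ! printf '%s\n' "$status" |
         grep -Eq "\"$conn\":500 STATE_QUICK_(I2|R2) .*IPsec SA established"; then
        echo phase1-only
        return 1
    fi
    if ! printf '%s\n' "$status" |
         grep -Eq "\"$conn\": .*; erouted; eroute owner: #[0-9]+"; then
        echo no-eroute
        return 1
    fi
    echo up
    return 0
}

# Stand-alone use: pipe live output in, e.g.
#   ipsec auto --status | { st=$(cat); tunnel_state rfd "$st"; }
# Here we run it against the constructed sample.
tunnel_state rfd "$SAMPLE_STATUS"
```

Only "up" means the box should be encrypting. Even then, as Andy says, confirm on the wire from a separate host on the outside segment (for example `tcpdump -n -i eth1 esp`) rather than on the gateway itself, where tcpdump also sees the pre-encryption copy of inbound packets.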


