[Openswan Users] Openswan 2.2.0 to Cisco IOS, working but not

John Serink jserink2004 at yahoo.com
Thu Jun 1 00:56:56 CEST 2006


Hi All:

My system:
Linux Openswan U2.2.0/K2.6.8-16-486-rx (native)
Linux rx1000test 2.6.8-16-486-rx #1 Wed Mar 15 15:33:23 UTC 2006 i586 GNU/Linux


Ok, I have brought up an IPsec tunnel with a Cisco IOS router:
#sho version
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1)

Now, it all seems to work.... /var/log/auth.log:
Jun  1 13:56:23 localhost pluto[20025]: added connection description "GDC1"
Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: initiating Main Mode
Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: ignoring Vendor ID payload [Cisco-Unity]
Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: received Vendor ID payload [Dead Peer Detection]
Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: ignoring Vendor ID payload [98b9c31fa3ae366c48180ce40386634f]
Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: ignoring Vendor ID payload [XAUTH]
Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: I did not send a certificate because I do not have one.
Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: Peer ID is ID_IPV4_ADDR: '160.96.97.248'
Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: ISAKMP SA established
Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Jun  1 13:57:12 localhost pluto[20025]: "GDC1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun  1 13:57:12 localhost pluto[20025]: "GDC1" #2: sent QI2, IPsec SA established {ESP=>0x056ee180 <0x9fb8255

IPSec SA established looks good to me.
Cisco debug:
SirentRouter#show debug

Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
Jun  1 06:01:24.739: ISAKMP:(0:15:HW:2): processing NONCE payload. message ID = -435997288
*Jun  1 06:01:24.739: ISAKMP:(0:15:HW:2): processing ID payload. message ID = -435997288
*Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2): processing ID payload. message ID = -435997288
*Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2): asking for 1 spis from ipsec
*Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2):Node -435997288, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
*Jun  1 06:01:24.743: IPSEC(key_engine): got a queue event with 1 kei messages
*Jun  1 06:01:24.743: IPSEC(spi_response): getting spi 91152768 for SA
        from 160.96.97.248 to 202.42.98.101 for prot 3
*Jun  1 06:01:24.743: ISAKMP: received ke message (2/1)
*Jun  1 06:01:24.751: ISAKMP: Locking peer struct 0x46F5877C, IPSEC refcount 1 for for stuff_ke
*Jun  1 06:01:24.751: ISAKMP:(0:15:HW:2): Creating IPSec SAs
*Jun  1 06:01:24.751:         inbound SA from 202.42.98.101 to 160.96.97.248 (f/i)  0/ 0
        (proxy 192.168.1.96 to 192.168.1.0)
*Jun  1 06:01:24.751:         has spi 0x56EE180 and conn_id 0 and flags 2
*Jun  1 06:01:24.751:         lifetime of 28800 seconds
*Jun  1 06:01:24.751:         has client flags 0x0
*Jun  1 06:01:24.751:         outbound SA from 160.96.97.248 to 202.42.98.101 (f/i) 0/0
        (proxy 192.168.1.0 to 192.168.1.96)
*Jun  1 06:01:24.751:         has spi -1615321763 and conn_id 0 and flags A
*Jun  1 06:01:24.751:         lifetime of 28800 seconds
*Jun  1 06:01:24.751:         has client flags 0x0
*Jun  1 06:01:24.751: IPSEC(key_engine): got a queue event with 2 kei messages
*Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 160.96.97.248, remote= 202.42.98.101,
    local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
    remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 28800s and 0kb,
    spi= 0x56EE180(91152768), conn_id= 0, keysize= 128, flags= 0x2
*Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 160.96.97.248, remote= 202.42.98.101,
    local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
    remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 28800s and 0kb,
    spi= 0x9FB8255D(2679645533), conn_id= 0, keysize= 128, flags= 0xA
*Jun  1 06:01:24.751: Crypto mapdb : proxy_match
        src addr     : 192.168.1.0
        dst addr     : 192.168.1.96
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jun  1 06:01:24.751: IPSec: Flow_switching Allocated flow for sibling 8000000D
*Jun  1 06:01:24.751: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.1.96, dest_port 0

*Jun  1 06:01:24.751: ISAKMP: Locking peer struct 0x46F5877C, IPSEC refcount 2 for from create_transforms
*Jun  1 06:01:24.751: IPSEC(create_sa): sa created,
  (sa) sa_dest= 160.96.97.248, sa_proto= 50,
    sa_spi= 0x56EE180(91152768),
    sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2001
*Jun  1 06:01:24.751: IPSEC(create_sa): sa created,
  (sa) sa_dest= 202.42.98.101, sa_proto= 50,
    sa_spi= 0x9FB8255D(2679645533),
    sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2004
*Jun  1 06:01:24.751: ISAKMP: Unlocking IPSEC struct 0x46F5877C from create_transforms, count 1
*Jun  1 06:01:24.755: ISAKMP:(0:15:HW:2): sending packet to 202.42.98.101 my_port 500 peer_port 500 (R) QM_IDLE
*Jun  1 06:01:24.755: ISAKMP:(0:15:HW:2):Node -435997288, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Jun  1 06:01:24.755: ISAKMP:(0:15:HW:2):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Jun  1 14:01:24 SGP: %MV64340_ETHERNET-5-LATECOLLISION: GigabitEthernet0/0, late collision error
*Jun  1 14:01:24 SGP: %MV64340_ETHERNET-5-LATECOLLISION: GigabitEthernet0/0, late collision error
*Jun  1 06:01:26.415: ISAKMP (0:268435471): received packet from 202.42.98.101 dport 500 sport 500 Global (R) QM_IDLE
*Jun  1 06:01:26.419: ISAKMP:(0:15:HW:2):deleting node -435997288 error FALSE reason "QM done (await)"
*Jun  1 06:01:26.419: ISAKMP:(0:15:HW:2):Node -435997288, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jun  1 06:01:26.419: ISAKMP:(0:15:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Jun  1 06:01:26.419: IPSEC(key_engine): got a queue event with 1 kei messages
*Jun  1 06:01:26.419: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jun  1 06:01:26.419: IPSEC(key_engine_enable_outbound): enable SA with spi 2679645533/50
*Jun  1 06:01:57.911: ISAKMP:(0:2:HW:2):purging SA., sa=46FB9EB0, delme=46FB9EB0
*Jun  1 06:02:16.419: ISAKMP:(0:15:HW:2):purging node -435997288


To me it looks like everything is up, but....
Here is the ipsec look output:
rx1000test Thu Jun  1 14:20:34 SGT 2006
cat: /proc/net/ipsec_spigrp: No such file or directory
cat: /proc/net/ipsec_eroute: No such file or directory
grep: /proc/net/ipsec_tncfg: No such file or directory
sort: open failed: /proc/net/ipsec_spi: No such file or directory
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp1
192.168.1.0     160.96.97.248   255.255.255.240 UG        0 0          0 ppp1
202.42.98.1     0.0.0.0         255.255.255.255 UH        0 0          0 ppp1

And the ip addr list output:
rx1000test:~# ip addr list
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0a:dc:04:7d:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.97/28 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0a:dc:04:7d:dd brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth2
6: w1adsl: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:77:77:77:7b:b3 brd ff:ff:ff:ff:ff:ff
7: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1452 qdisc pfifo_fast qlen 3
    link/ppp
    inet 202.42.98.101 peer 202.42.98.1/32 scope global ppp1

Note the complete lack of an ipsec0 interface.

I can't ping from the Cisco nor can I ping from the
openswan side.

Here is the network:

192.168.1.0/28   192.168.1.1   160.96.97.248   160.96.97.250
Internal LAN---Gateway---external----Gateway---Internet

202.42.98.1   202.42.98.101   192.168.1.97   192.168.1.96/28
Internet-Gateway--PPPoE interface--Internal gateway--Network

Here is my Openswan ipsec.conf file:
rx1000test:/# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        interfaces=%defaultroute
        uniqueids=yes

# Add connections here

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn GDC1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=@rx1000test
        leftsubnet=192.168.1.96/28
        ike=aes128-md5-modp1024
        esp=aes128-md5
        right=160.96.97.248
        rightsubnet=192.168.1.1/28
        type=tunnel
        pfs=no
        keyingtries=0

So, everything looks good. There are two problems:
No ipsec0 interface gets created,
Can't ping from one subnet to the other.

Any hints?

Cheers,
John


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 

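The post gives both ends' view of the same phase 2 SA, which is enough to check them against each other mechanically instead of by eye. The script below is an added example (not code from John's post, from Openswan or from Cisco): it pulls the SPIs out of pluto's "IPsec SA established" line, the SPIs and proxy identities out of the Cisco IPSEC(initialize_sas) records, and the leftsubnet/rightsubnet values out of the conn, then reports any disagreement between the two peers and any subnet written with host bits set. The sample inputs are copied from the post; the one assumption, marked in the code, is that pluto's second SPI, which the mailer cut off at "<0x9fb8255", is the 0x9FB8255D the Cisco prints as its outbound SPI.

```python
"""Cross-check the IPsec SA that pluto reports against the SA in the Cisco
'debug crypto ipsec' trace, and sanity-check the ipsec.conf subnet values."""
import ipaddress
import re

# Constructed sample input: pluto's auth.log lines from the post. The mailer
# truncated the second SPI in the post ("<0x9fb8255"); the full value used here
# is an assumption taken from the Cisco side's outbound SPI (0x9FB8255D).
PLUTO_LOG = (
    'Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: ISAKMP SA established\n'
    'Jun  1 13:57:12 localhost pluto[20025]: "GDC1" #2: sent QI2, '
    'IPsec SA established {ESP=>0x056ee180 <0x9fb8255d}\n'
)

# Constructed sample input: the two IPSEC(initialize_sas) records from the post.
CISCO_DEBUG = """\
*Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 160.96.97.248, remote= 202.42.98.101,
    local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
    remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
    spi= 0x56EE180(91152768), conn_id= 0, keysize= 128, flags= 0x2
*Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 160.96.97.248, remote= 202.42.98.101,
    local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
    remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
    spi= 0x9FB8255D(2679645533), conn_id= 0, keysize= 128, flags= 0xA
"""

# Constructed sample input: the subnet lines of the post's "conn GDC1".
IPSEC_CONF = """\
conn GDC1
        leftsubnet=192.168.1.96/28
        right=160.96.97.248
        rightsubnet=192.168.1.1/28
"""

# "{ESP=>0x<out> <0x<in>}": the SPI pluto sends with, then the one it receives.
PLUTO_SA_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)")
# IOS prints proxies as addr/netmask/port/proto; only addr/netmask is captured.
CISCO_SA_RE = re.compile(
    r"(INBOUND|OUTBOUND) .*?local_proxy= (\S+?)/0/0.*?remote_proxy= (\S+?)/0/0.*?"
    r"spi= 0x([0-9a-fA-F]+)", re.S)

def parse_pluto_spis(log):
    """Return (outbound_spi, inbound_spi) from pluto's point of view, or None."""
    m = PLUTO_SA_RE.search(log)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def parse_cisco_sas(debug):
    """Return {"INBOUND": {...}, "OUTBOUND": {...}} from initialize_sas records."""
    sas = {}
    for direction, lproxy, rproxy, spi in CISCO_SA_RE.findall(debug):
        sas[direction] = {"spi": int(spi, 16),
                          "local_proxy": ipaddress.ip_network(lproxy, strict=False),
                          "remote_proxy": ipaddress.ip_network(rproxy, strict=False)}
    return sas

def parse_conn_subnets(conf):
    """Return the raw leftsubnet/rightsubnet values of a conn section."""
    return dict(re.findall(r"^\s*(leftsubnet|rightsubnet)=(\S+)", conf, re.M))

def subnet_findings(subnets):
    """Flag subnet values whose host bits are set (e.g. 192.168.1.1/28)."""
    out = []
    for key, value in subnets.items():
        try:
            ipaddress.ip_network(value, strict=True)
        except ValueError:
            net = ipaddress.ip_network(value, strict=False)
            out.append(f"{key}={value} has host bits set; the network is {net}")
    return out

def cross_check(pluto_log, cisco_debug, conf):
    """Compare SPIs and traffic selectors as seen by both peers; return findings."""
    spis = parse_pluto_spis(pluto_log)
    sas = parse_cisco_sas(cisco_debug)
    if spis is None or not {"INBOUND", "OUTBOUND"}.issubset(sas):
        return ["no complete IPsec SA found on both sides"]
    findings = []
    pluto_out, pluto_in = spis
    # The SPI pluto sends with must be the Cisco's inbound SA, and vice versa.
    if pluto_out != sas["INBOUND"]["spi"]:
        findings.append(f"pluto sends SPI {pluto_out:#x}, Cisco inbound is {sas['INBOUND']['spi']:#x}")
    if pluto_in != sas["OUTBOUND"]["spi"]:
        findings.append(f"pluto expects SPI {pluto_in:#x}, Cisco outbound is {sas['OUTBOUND']['spi']:#x}")
    subnets = parse_conn_subnets(conf)
    left = ipaddress.ip_network(subnets["leftsubnet"], strict=False)
    right = ipaddress.ip_network(subnets["rightsubnet"], strict=False)
    # Openswan's leftsubnet is the Cisco's remote_proxy and vice versa.
    if left != sas["INBOUND"]["remote_proxy"]:
        findings.append(f"leftsubnet {left} != Cisco remote_proxy {sas['INBOUND']['remote_proxy']}")
    if right != sas["INBOUND"]["local_proxy"]:
        findings.append(f"rightsubnet {right} != Cisco local_proxy {sas['INBOUND']['local_proxy']}")
    findings.extend(subnet_findings(subnets))
    return findings

if __name__ == "__main__":
    for line in cross_check(PLUTO_LOG, CISCO_DEBUG, IPSEC_CONF) or ["both sides agree"]:
        print(line)
```

On the post's own values the two peers agree: pluto's outbound SPI 0x056ee180 is the Cisco's inbound 0x56EE180, the Cisco's outbound 0x9FB8255D is the 2679645533 it enables at 06:01:26, and the /28 selectors match once normalized, so the only finding is rightsubnet=192.168.1.1/28, whose host bits are set; whether that has anything to do with the ping failure is not established by the post. Separately, the "U2.2.0/K2.6.8 (native)" version string and the missing /proc/net/ipsec_* files both indicate the kernel-native NETKEY stack rather than KLIPS, and NETKEY has no ipsec0 device: its SAs and policies are inspected with ip xfrm state and ip xfrm policy.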

