[Openswan Users] Openswan 2.2.0 almost working with PSKs to Cisco IOS 12.4

John Serink jserink2004 at yahoo.com
Thu Jun 1 11:38:04 CEST 2006


Hi All:

Found another mistake in my ipsec.conf file and fixed it.
Changed the shorewall settings for the broadcast address of ppp1 (PPPoE) to nothing; I had it originally set to detect. A bunch of errors have disappeared from /var/log/auth.log; however, I still can't ping between subnets behind the Cisco or behind the Openswan.
Here is my ipsec.conf:
rx1000test:~# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        interfaces=%defaultroute
        uniqueids=yes

# Add connections here

conn GDC1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=@rx1000test
        leftsubnet=192.168.1.96/28
        ike=aes128-md5-modp1024
        esp=aes128-md5
        right=160.96.97.248
        rightsubnet=192.168.1.0/28
        type=tunnel
        pfs=yes
        keyingtries=3
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold

        #Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


The keepalives are working, as I am watching the Cisco debug output. Here is the output of the Cisco command "show crypto ipsec sa":
SirentRouter#show crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: rtptrans, local addr 160.96.97.248

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.96/255.255.255.240/0/0)
   current_peer 202.42.98.101 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 160.96.97.248, remote crypto endpt.: 202.42.98.101
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x99609BCB(2573245387)

     inbound esp sas:
      spi: 0xC4F13AC(206508972)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: AIM-VPN/EPII-PLUS:4, crypto map: rtptrans
        sa timing: remaining key lifetime (k/sec): (4544485/3291)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xD4459F8F(3561332623)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2008, flow_id: AIM-VPN/EPII-PLUS:8, crypto map: rtptrans
        sa timing: remaining key lifetime (k/sec): (4485508/3290)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8EB0835(149620789)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: AIM-VPN/EPII-PLUS:2, crypto map: rtptrans
        sa timing: remaining key lifetime (k/sec): (4544486/3289)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0x99609BCB(2573245387)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: AIM-VPN/EPII-PLUS:1, crypto map: rtptrans
        sa timing: remaining key lifetime (k/sec): (4485532/3288)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

You can see the subnets are there and the tunnel is up, but no ping responses. Here is the output from /var/log/auth.log:
Jun  2 01:28:15 localhost ipsec__plutorun: Starting Pluto subsystem...
Jun  2 01:28:15 localhost pluto[25428]: Starting Pluto (Openswan Version 2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jun  2 01:28:15 localhost pluto[25428]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jun  2 01:28:15 localhost pluto[25428]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun  2 01:28:15 localhost pluto[25428]: Using Linux 2.6 IPsec interface code
Jun  2 01:28:16 localhost pluto[25428]: Changing to directory '/etc/ipsec.d/cacerts'
Jun  2 01:28:16 localhost pluto[25428]: Could not change to directory '/etc/ipsec.d/aacerts'
Jun  2 01:28:16 localhost pluto[25428]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun  2 01:28:16 localhost pluto[25428]: Changing to directory '/etc/ipsec.d/crls'
Jun  2 01:28:16 localhost pluto[25428]:   Warning: empty directory
Jun  2 01:28:20 localhost pluto[25428]: added connection description "GDC1"
Jun  2 01:28:20 localhost pluto[25428]: listening for IKE messages
Jun  2 01:28:20 localhost pluto[25428]: adding interface ppp1/ppp1 202.42.98.101
Jun  2 01:28:20 localhost pluto[25428]: adding interface eth2/eth2 192.168.2.1
Jun  2 01:28:20 localhost pluto[25428]: adding interface eth1/eth1 192.168.1.97
Jun  2 01:28:20 localhost pluto[25428]: adding interface lo/lo 127.0.0.1
Jun  2 01:28:20 localhost pluto[25428]: loading secrets from "/etc/ipsec.secrets"
Jun  2 01:28:21 localhost pluto[25428]: "GDC1" #1: initiating Main Mode
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: ignoring Vendor ID payload [Cisco-Unity]
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: received Vendor ID payload [Dead Peer Detection]
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: ignoring Vendor ID payload [98b9c31f63812c24b87d3bbe3cbe8717]
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: ignoring Vendor ID payload [XAUTH]
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: I did not send a certificate because I do not have one.
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: Peer ID is ID_IPV4_ADDR: '160.96.97.248'
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #1: ISAKMP SA established
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS {using isakmp#1}
Jun  2 01:28:22 localhost pluto[25428]: "GDC1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Jun  2 01:28:23 localhost pluto[25428]: "GDC1" #2: Dead Peer Detection (RFC 3706) enabled
Jun  2 01:28:23 localhost pluto[25428]: "GDC1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun  2 01:28:23 localhost pluto[25428]: "GDC1" #2: sent QI2, IPsec SA established {ESP=>0x0c4f13ac <0x08eb0835}
Jun  2 01:28:23 localhost pluto[25428]: "GDC1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Jun  2 01:28:23 localhost pluto[25428]: "GDC1" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Jun  2 01:28:24 localhost pluto[25428]: "GDC1" #3: Dead Peer Detection (RFC 3706) enabled
Jun  2 01:28:24 localhost pluto[25428]: "GDC1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun  2 01:28:24 localhost pluto[25428]: "GDC1" #3: sent QI2, IPsec SA established {ESP=>0xd4459f8f <0x99609bcb}



The last line says it all... problem is, no pings.

Any pointers?

Cheers,
John

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam
protection around 
http://mail.yahoo.com 
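As an added example (not part of the post or of Openswan), a small Python check over the two outputs above: it confirms that the ESP SPIs Pluto reports are the same SAs the IOS side shows (inbound on one side is outbound on the other) and flags the counter asymmetry, since IOS has decapsulated 204 packets but encapsulated none. The sample strings are constructed from the values quoted above, not the full outputs.

```python
import re
# Constructed sample mirroring the counters and ESP SPIs quoted in the post (not the full output).
CISCO_SA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 204, #pkts decrypt: 204, #pkts verify: 204
     inbound esp sas:
      spi: 0xC4F13AC(206508972)
      spi: 0xD4459F8F(3561332623)
     outbound esp sas:
      spi: 0x8EB0835(149620789)
      spi: 0x99609BCB(2573245387)
"""
# Constructed sample of the two Pluto "IPsec SA established" lines from the post.
PLUTO_LOG = """\
"GDC1" #2: sent QI2, IPsec SA established {ESP=>0x0c4f13ac <0x08eb0835}
"GDC1" #3: sent QI2, IPsec SA established {ESP=>0xd4459f8f <0x99609bcb}
"""
def parse_cisco(text):
    """Counters plus inbound/outbound ESP SPIs (as ints, so 0x0c4f13ac == 0xC4F13AC)."""
    sa = {"encaps": 0, "decaps": 0, "inbound": set(), "outbound": set()}
    section = None  # "current outbound spi" appears before any section and is skipped
    for line in text.splitlines():
        for name, count in re.findall(r"#pkts (encaps|decaps): (\d+)", line):
            sa[name] = int(count)
        if "inbound esp sas" in line:
            section = "inbound"
        elif "outbound esp sas" in line:
            section = "outbound"
        m = re.search(r"spi: (0x[0-9A-Fa-f]+)", line)
        if m and section:
            sa[section].add(int(m.group(1), 16))
    return sa

def parse_pluto(text):
    """(outbound, inbound) SPI pairs as Pluto logs them: {ESP=>out <in}."""
    return [(int(o, 16), int(i, 16))
            for o, i in re.findall(r"\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)\}", text)]

def diagnose(cisco, pluto):
    """Cross-check SPIs and flag one-way traffic (IOS decrypts but never encrypts)."""
    findings = []
    # Openswan's outbound SPI must be IOS's inbound SPI, and vice versa.
    if {o for o, _ in pluto} == cisco["inbound"] and {i for _, i in pluto} == cisco["outbound"]:
        findings.append("spi-agree")
    else:
        findings.append("spi-mismatch")
    if cisco["decaps"] > 0 and cisco["encaps"] == 0:
        # IOS decrypts ESP from Openswan but sends none back: replies from 192.168.1.0/28 miss its crypto map.
        findings.append("one-way-into-ios")
    return findings
```

With the values from the post the SPIs agree, so the remaining question is why nothing on the IOS side is being encrypted back toward 192.168.1.96/28 (routing, crypto ACL or NAT order on the router), not the IKE negotiation itself.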
