[Openswan Users] Re: openswan net to net configuration

Alain JUPIN ajupin at sigmapole.fr
Tue Mar 7 11:31:42 CET 2006


Hi,

I have more information about my problem.

On the client, when I do the following command
    aldebaran root # ipsec auto --up sigma

The result is:
104 "sigma" #1: STATE_MAIN_I1: initiate
003 "sigma" #1: received Vendor ID payload [Openswan (this version) 2.4.4  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "sigma" #1: received Vendor ID payload [Dead Peer Detection]
003 "sigma" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "sigma" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "sigma" #1: NAT-Traversal: Result using 3: no NAT detected
108 "sigma" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sigma" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "sigma" #2: STATE_QUICK_I1: initiate
010 "sigma" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "sigma" #2: STATE_QUICK_I1: retransmission; will wait 40s for response

This is the LOG when I start IPSec with '/etc/init.d/ipsec start'
Mar  7 11:30:48 meissa ipsec_setup: Starting Openswan IPsec 2.4.4...
Mar  7 11:30:48 meissa NET: Registered protocol family 15
Mar  7 11:30:48 meissa ipsec_setup: insmod /lib/modules/2.6.15-gentoo-r1/kernel/net/key/af_key.ko
Mar  7 11:30:48 meissa ipsec_setup: insmod /lib/modules/2.6.15-gentoo-r1/kernel/net/ipv4/xfrm4_tunnel.ko
Mar  7 11:30:48 meissa Initializing IPsec netlink socket
Mar  7 11:30:48 meissa ipsec_setup: insmod /lib/modules/2.6.15-gentoo-r1/kernel/net/xfrm/xfrm_user.ko
Mar  7 11:30:48 meissa ipsec_setup: KLIPS ipsec0 on eth1 83.206.137.225/255.255.255.248 broadcast 83.206.137.231
Mar  7 11:30:48 meissa ipsec__plutorun: Starting Pluto subsystem...
Mar  7 11:30:48 meissa ipsec_setup: ...Openswan IPsec started
Mar  7 11:30:48 meissa pluto[12418]: Starting Pluto (Openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEz}FFFfgr_e)
Mar  7 11:30:48 meissa pluto[12418]: Setting NAT-Traversal port-4500 floating to on
Mar  7 11:30:48 meissa pluto[12418]:    port floating activation criteria nat_t=1/port_fload=1
Mar  7 11:30:48 meissa pluto[12418]:   including NAT-Traversal patch (Version 0.6c)
Mar  7 11:30:48 meissa pluto[12418]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar  7 11:30:48 meissa pluto[12418]: starting up 1 cryptographic helpers
Mar  7 11:30:48 meissa pluto[12418]: started helper pid=12426 (fd:6)
Mar  7 11:30:48 meissa pluto[12418]: Using Linux 2.6 IPsec interface code on 2.6.15-gentoo-r1
Mar  7 11:30:48 meissa pluto[12418]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Mar  7 11:30:48 meissa pluto[12418]:   loaded CA cert file 'cacert.pem' (1224 bytes)
Mar  7 11:30:48 meissa pluto[12418]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Mar  7 11:30:48 meissa pluto[12418]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Mar  7 11:30:48 meissa pluto[12418]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Mar  7 11:30:48 meissa pluto[12418]:   loaded crl file 'crl.pem' (491 bytes)
Mar  7 11:30:49 meissa pluto[12418]: added connection description "sigma"
Mar  7 11:30:49 meissa pluto[12418]: listening for IKE messages
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth2:FWB1/eth2:FWB1 10.33.203.20:500
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth2:FWB1/eth2:FWB1 10.33.203.20:4500
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth2/eth2 10.33.203.2:500
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth2/eth2 10.33.203.2:4500
Mar  7 11:30:49 meissa pluto[12418]: adding interface lo/lo 127.0.0.1:500
Mar  7 11:30:49 meissa pluto[12418]: adding interface lo/lo 127.0.0.1:4500
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth1/eth1 83.206.137.225:500
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth1/eth1 83.206.137.225:4500
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth0/eth0 192.168.1.1:500
Mar  7 11:30:49 meissa pluto[12418]: adding interface eth0/eth0 192.168.1.1:4500
Mar  7 11:30:49 meissa pluto[12418]: loading secrets from "/etc/ipsec/ipsec.secrets"

And now the LOG when I try to initiate a VPN connection (by doing ipsec 
auto --up sigma on the client)

Mar  7 11:32:13 meissa pluto[12418]: packet from 82.224.134.170:500: received Vendor ID payload [Openswan (this version) 2.4.4  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Mar  7 11:32:13 meissa pluto[12418]: packet from 82.224.134.170:500: received Vendor ID payload [Dead Peer Detection]
Mar  7 11:32:13 meissa pluto[12418]: packet from 82.224.134.170:500: received Vendor ID payload [RFC 3947] method set to=109
Mar  7 11:32:13 meissa pluto[12418]: packet from 82.224.134.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Mar  7 11:32:13 meissa pluto[12418]: packet from 82.224.134.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar  7 11:32:13 meissa pluto[12418]: packet from 82.224.134.170:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: responding to Main Mode
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: NAT-Traversal: Result using 3: no NAT detected
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: Main mode peer ID is ID_FQDN: '@aldebaran.jupin.net'
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: I did not send a certificate because I do not have one.
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #2: responding to Quick Mode {msgid:d5fd897b}
Mar  7 11:32:13 meissa pluto[12418]: "sigma" #2: ERROR: netlink response for Add SA esp.9f5ee79f at 83.206.137.225 included errno 38: Function not implemented

I don't fully understand this error message (ERROR: netlink response
for Add SA) associated with "Function not implemented".
It seems that tcpdump isn't helpful to debug my problem.

Is it an RSA problem?

Cordially,

Elekaj
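
Added example, not part of the original message and not Openswan's own code: a small triage script over the responder-side pluto lines quoted above, separating IKE Phase 1 authentication from the kernel-side SA installation that returned errno 38. The function names, result labels and unwrapped sample lines are constructed for illustration; errno 38 is ENOSYS in Linux numbering.

```python
import re

# Constructed sample: three responder-side pluto lines from the post, unwrapped.
SAMPLE_LOG = (
    'Mar  7 11:32:13 meissa pluto[12418]: "sigma" #1: STATE_MAIN_R3: sent MR3, '
    'ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 '
    'prf=oakley_md5 group=modp1536}\n'
    'Mar  7 11:32:13 meissa pluto[12418]: "sigma" #2: responding to Quick Mode '
    '{msgid:d5fd897b}\n'
    'Mar  7 11:32:13 meissa pluto[12418]: "sigma" #2: ERROR: netlink response '
    'for Add SA esp.9f5ee79f at 83.206.137.225 included errno 38: '
    'Function not implemented\n'
)

# Linux errno numbering (other systems number these differently).
LINUX_ERRNO = {38: "ENOSYS"}

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
PHASE1_OK = re.compile(r'ISAKMP SA established \{auth=(?P<auth>\w+)')
NETLINK_ERR = re.compile(
    r'netlink response for (?P<op>.+?) (?P<proto>esp|ah)\.(?P<spi>[0-9a-f]+) '
    r'at (?P<addr>\S+) included errno (?P<errno>\d+)')

def triage(log_text):
    """Summarise, per connection, how far IKE got and any kernel SA errors."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], {"phase1_auth": None,
                                         "quick_mode": False, "kernel_errors": []})
        msg = m["msg"]
        if (p1 := PHASE1_OK.search(msg)):
            c["phase1_auth"] = p1["auth"]      # Phase 1 finished with this auth method
        if "Quick Mode" in msg or "STATE_QUICK" in msg:
            c["quick_mode"] = True             # Phase 2 negotiation was reached
        if (err := NETLINK_ERR.search(msg)):
            no = int(err["errno"])
            c["kernel_errors"].append({"op": err["op"], "spi": err["spi"],
                "addr": err["addr"], "errno": LINUX_ERRNO.get(no, str(no))})
    return conns

def verdict(c):
    """Classify where the tunnel setup stopped (labels are hypothetical)."""
    if c["kernel_errors"]:
        return "kernel-sa-install"   # pluto's netlink request to the kernel failed
    if c["phase1_auth"] is None:
        return "phase1-incomplete"   # IKE authentication never finished
    return "no-error-seen"
```

On the quoted lines the script reports Phase 1 completed with OAKLEY_RSA_SIG and the failure at the kernel's netlink Add SA call.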

