[Openswan Users] Linux to Linux VPconnection

Can Akalin canakalin77 at gmail.com
Thu May 11 16:48:39 CEST 2006


Hello all,

I have been trying to establish a VPN connection between two Linux machines
using x509 certificates. Here is the  information to dig out the problem;

I have a local VPN gateway that is a Suse Linux SLES kernel 2.6.5  and is
behind a router. It has  openswan v.2.4.5 installed and  It's IP address is
10.10.10.10/24

My remote machine is a Suse Linux 10  kernel 2.6.13 and has openswan
2.4.5installed as well.

The remote machine's IP address is  192.168.1.109.

The router's outside interface and the remote machine are in the same
network.

The router's outside interface IP address is 192.168.1.203

I hope this next line  helps to illustrate the network;

VPN Gateway (10.10.10.10)<------------> (10.10.10.1)Router
(192.168.1.203)<-------------------->
(192.168.1.109)Remote Machine

And here is the ipsec.conf files;


GATEWAY ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,$v4:172.16.0.0/12,%v4:192.168.0.0/24

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        auto=add

conn roadwarrior-net
        leftsubnet=10.10.10.0/24
        also=roadwarrior

conn roadwarrior
        left=%defaultroute
        rightcert=gate.example.com.pem
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add
        pfs=yes
        rekey=no

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


REMOTE MACHINE ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        interfaces=%defaultroute
        # Certificate Revocation List handling:
        #crlcheckinterval=600
        #strictcrlpolicy=yes
        plutowait=yes


conn %default
        # keyingtries default to %forever
        keyingtries=1
        compress=yes
        authby=rsasig
        # Sig keys (default: %dnsondemand)
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        # Lifetimes, defaults are 1h/8hrs
        #ikelifetime=20m
        #keylife=1h
        #rekeymargin=8m

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


conn roadwarrior-net
        leftsubnet=10.10.10.0/24
        also=roadwarrior

conn roadwarrior
        left=192.168.1.203
        leftcert=gate.example.com.pem
        right=%defaultroute
        rightcert=lin.example.com.pem
        auto=add
        pfs=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore




GATEWAY /var/log/messages

May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: ignoring
unknown Vendor ID payload [4f457a7d4646466667725
f65]
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received
Vendor ID payload [Dead Peer Detection]
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received
Vendor ID payload [RFC 3947] method set to=110
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03
] meth=108, but already using method 110
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02
] meth=107, but already using method 110
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00
]
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
responding to Main Mode from unknown peer 192.168.1.1
09
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
transition from state STATE_MAIN_R0 to state STATE_MA
IN_R1
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
NAT-Traversal: Result using 3: i am NATed
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
transition from state STATE_MAIN_R1 to state STATE_MA
IN_R2
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontari
o, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: no
suitable connection for peer 'C=CA, ST=Ontario, L=
Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
sending encrypted notification INVALID_ID_INFORMATION
 to 192.168.1.109:500
May 11 15:30:51 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontari
o, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:52 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: no
suitable connection for peer 'C=CA, ST=Ontario, L=
Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:52 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1:
sending encrypted notification INVALID_ID_INFORMATION
 to 192.168.1.109:500
May 11 15:31:12 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main
mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontari
o, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'


REMOTE MACHINE /var/log/messages

May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: initiating
Main Mode
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring
unknown Vendor ID payload [4f456e4d43757f784f704063]
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received
Vendor ID payload [Dead Peer Detection]
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received
Vendor ID payload [RFC 3947] method set to=109
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: enabling
possible NAT-traversal with method 3
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1:
STATE_MAIN_I2: sent MI2, expecting MR2
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1:
NAT-Traversal: Result using 3: peer is NATed
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: I am sending
my cert
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: I am sending
a certificate request
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1:
STATE_MAIN_I3: sent MI3, expecting MR3
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring
informational payload, type INVALID_ID_INFORMATION
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and
ignored informational message
May 11 15:30:50 linuxlaptop pluto[14324]: "roadwarrior-net" #1: discarding
duplicate packet; already STATE_MAIN_I3
May 11 15:30:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring
informational payload, type INVALID_ID_INFORMATION
May 11 15:30:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and
ignored informational message
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: discarding
duplicate packet; already STATE_MAIN_I3
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring
informational payload, type INVALID_ID_INFORMATION
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and
ignored informational message
May 11 15:31:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: max number
of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication
failure: no acceptable response to our first encrypted message



Can anybody help me on this?

One extra question is that I am so confused with the left, right,
leftsubnet, rightsubnet, leftcert, rightcert of roadwarrior section of the
ipsec.conf files. which left is which and whose's right is other's right?
Especially the rightcert and leftcert of the ipsec.conf files are so
confusing? Can anybody explain me this to me clearly or send me a link to
read. I did a google search on this for a couple of hours but couldn't find
a clue.

Thank you very much.

/Can
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20060511/90d8efa6/attachment-0001.htm


More information about the Users mailing list