[Openswan Users] Linux to Linux VPN connection
Can Akalin
canakalin77 at gmail.com
Thu May 11 16:48:39 CEST 2006
Hello all,
I have been trying to establish a VPN connection between two Linux machines
using X.509 certificates. Here is the information to dig out the problem:
I have a local VPN gateway that is a SUSE Linux SLES, kernel 2.6.5, and is
behind a router. It has Openswan v2.4.5 installed and its IP address is
10.10.10.10/24.
My remote machine is a SUSE Linux 10, kernel 2.6.13, and has Openswan
2.4.5 installed as well.
The remote machine's IP address is 192.168.1.109.
The router's outside interface and the remote machine are in the same
network.
The router's outside interface IP address is 192.168.1.203.
I hope this next line helps to illustrate the network:
VPN Gateway (10.10.10.10) <----------> (10.10.10.1) Router (192.168.1.203) <----------> (192.168.1.109) Remote Machine
And here are the ipsec.conf files:
GATEWAY ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
interfaces=%defaultroute
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/24
conn %default
keyingtries=1
compress=yes
disablearrivalcheck=no
authby=rsasig
leftrsasigkey=%cert
rightrsasigkey=%cert
auto=add
conn roadwarrior-net
leftsubnet=10.10.10.0/24
also=roadwarrior
conn roadwarrior
left=%defaultroute
rightcert=gate.example.com.pem
right=%any
rightsubnet=vhost:%no,%priv
auto=add
pfs=yes
rekey=no
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
REMOTE MACHINE ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/packages/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
interfaces=%defaultroute
# Certificate Revocation List handling:
#crlcheckinterval=600
#strictcrlpolicy=yes
plutowait=yes
conn %default
# keyingtries default to %forever
keyingtries=1
compress=yes
authby=rsasig
# Sig keys (default: %dnsondemand)
leftrsasigkey=%cert
rightrsasigkey=%cert
# Lifetimes, defaults are 1h/8hrs
#ikelifetime=20m
#keylife=1h
#rekeymargin=8m
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
conn roadwarrior-net
leftsubnet=10.10.10.0/24
also=roadwarrior
conn roadwarrior
left=192.168.1.203
leftcert=gate.example.com.pem
right=%defaultroute
rightcert=lin.example.com.pem
auto=add
pfs=yes
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
GATEWAY /var/log/messages
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [Dead Peer Detection]
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [RFC 3947] method set to=110
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
May 11 15:30:41 linux pluto[13089]: packet from 192.168.1.109:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: responding to Main Mode from unknown peer 192.168.1.109
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: STATE_MAIN_R1: sent MR1, expecting MI2
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: NAT-Traversal: Result using 3: i am NATed
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 11 15:30:41 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: STATE_MAIN_R2: sent MR2, expecting MI3
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: no suitable connection for peer 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:42 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.109:500
May 11 15:30:51 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:52 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: no suitable connection for peer 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
May 11 15:30:52 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.109:500
May 11 15:31:12 linux pluto[13089]: "roadwarrior"[1] 192.168.1.109 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun at springboardnetworks.com'
REMOTE MACHINE /var/log/messages
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: initiating Main Mode
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received Vendor ID payload [Dead Peer Detection]
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received Vendor ID payload [RFC 3947] method set to=109
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: enabling possible NAT-traversal with method 3
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: NAT-Traversal: Result using 3: peer is NATed
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: I am sending my cert
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: I am sending a certificate request
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION
May 11 15:30:41 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and ignored informational message
May 11 15:30:50 linuxlaptop pluto[14324]: "roadwarrior-net" #1: discarding duplicate packet; already STATE_MAIN_I3
May 11 15:30:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION
May 11 15:30:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and ignored informational message
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: discarding duplicate packet; already STATE_MAIN_I3
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: ignoring informational payload, type INVALID_ID_INFORMATION
May 11 15:31:11 linuxlaptop pluto[14324]: "roadwarrior-net" #1: received and ignored informational message
May 11 15:31:51 linuxlaptop pluto[14324]: "roadwarrior-net" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Can anybody help me with this?
One extra question: I am so confused by the left, right, leftsubnet,
rightsubnet, leftcert and rightcert of the roadwarrior section of the
ipsec.conf files. Which left is which, and whose right is the other's right?
Especially the rightcert and leftcert of the ipsec.conf files are so
confusing. Can anybody explain this to me clearly or send me a link to
read? I did a Google search on this for a couple of hours but couldn't find
a clue.
Thank you very much.
/Can
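How Openswan resolves left and right, as an added example that is not part of the original post and not a file shipped with Openswan. In ipsec.conf the two ends of a conn are only labelled "left" and "right"; at load time pluto looks at the address given for each end, picks the one that matches one of its own interfaces (or %defaultroute) as "this host" and treats the other as the peer, so the labels mean the same thing on both machines. leftcert and rightcert name the certificate that the left and right participant respectively presents, loaded from /etc/ipsec.d/certs on whichever host reads the line; a roadwarrior whose address is %any normally gets no rightcert, because its certificate arrives inside IKE and is checked against the CA in /etc/ipsec.d/cacerts, and rightid pins the DN the gateway will accept. The DN below is the one the gateway logged (the list archive appears to have rewritten "@" as " at "); the file names and addresses are those of the posted configs; the CA file name, the use of rightid, and the widened virtual_private are assumptions for the example.

```ini
# Added example (not the poster's files): the roadwarrior conn written for each host.
# "left" is the gateway participant, "right" is the laptop participant on BOTH hosts;
# each pluto decides which of the two it is from the address given for that end.

# --- /etc/ipsec.conf on the VPN gateway (10.10.10.10, behind the router's NAT) ---
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        # every entry carries a %v4/%v6 prefix; the gateway's own LAN is excluded with "!"
        # so a NATed client cannot claim an address out of 10.10.10.0/24 (assumed widening)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.10.10.0/24

conn roadwarrior
        # left = this host: %defaultroute resolves to 10.10.10.10 here
        left=%defaultroute
        leftsubnet=10.10.10.0/24
        # certificate THIS end presents (from /etc/ipsec.d/certs on the gateway)
        leftcert=gate.example.com.pem
        # right = the laptop: address unknown in advance, so %any
        right=%any
        rightsubnet=vhost:%priv,%no
        # no rightcert: the laptop sends its certificate in IKE; it must chain to a CA
        # in /etc/ipsec.d/cacerts (file name assumed) and carry exactly this DN
        rightid="C=CA, ST=Ontario, L=Toronto, O=Springboard, CN=Ozgun, E=ozgun@springboardnetworks.com"
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        pfs=yes
        auto=add

# --- /etc/ipsec.conf on the remote machine (192.168.1.109) ---
conn roadwarrior-net
        leftsubnet=10.10.10.0/24
        also=roadwarrior

conn roadwarrior
        # left = the gateway as the laptop sees it: the router's outside address
        left=192.168.1.203
        # the gateway's certificate, kept as a local copy in this host's /etc/ipsec.d/certs;
        # its subject DN becomes the ID the laptop expects the gateway to present
        leftcert=gate.example.com.pem
        # right = this host: %defaultroute resolves to 192.168.1.109 here
        right=%defaultroute
        # certificate THIS end presents; its subject must equal rightid on the gateway
        rightcert=lin.example.com.pem
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        pfs=yes
        auto=add
```

To read the exact DN to put into rightid, run `openssl x509 -in /etc/ipsec.d/certs/lin.example.com.pem -noout -subject` on the laptop; after changing either file, `ipsec auto --replace roadwarrior` (and roadwarrior-net) on that host, `ipsec auto --listall` to confirm which certificates pluto loaded, then `ipsec auto --up roadwarrior-net` on the laptop. A "no suitable connection for peer '<DN>'" line on the responder means no loaded conn has an ID for the %any end that matches the DN the peer just sent, which is the first thing to compare against the rightid/rightcert subject.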