[Openswan Users] Roadwarrior connection problems.
Fabio Ferreira
fabio.ferreira at markway.com.br
Thu Oct 5 10:30:00 EDT 2006
Paul,
My other end is a Windows XP station with SP2 (dial-up connection). I
have an IPTABLES Firewall with Ipsec/Openswan on my server.
########################################################################
It's my /etc/ipsec.conf (server)
config setup
    #interfaces=%defaultroute
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:192.168.1.0/8
    # plutodebug=all

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior_jackson
    leftsubnet=192.168.1.0/255.255.255.0
    left=200.150.147.244
    leftnexthop=200.150.147.241
    leftcert=jackson.pem
    right=%any
    auto=add
    pfs=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
########################################################################
# cd /etc/pki/CA/
# openssl x509 -in cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BR, ST=RJ, O=markway, CN=CA/emailAddress=fabio.ferreira at markway.com.br
        Validity
            Not Before: Oct 4 12:42:19 2006 GMT
            Not After : Oct 3 12:42:19 2009 GMT
        Subject: C=BR, ST=RJ, O=markway, CN=CA/emailAddress=fabio.ferreira at markway.com.br
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:13:D4:25:8A:92:12:AB:09:89:0F:3E:76:95:6F:C0:D3:B6:79:DB
            X509v3 Authority Key Identifier:
                keyid:B5:13:D4:25:8A:92:12:AB:09:89:0F:3E:76:95:6F:C0:D3:B6:79:DB
    Signature Algorithm: sha1WithRSAEncryption
########################################################################
My ipsec.conf (Client)
conn roadwarrior
    left=%any
    right="200.150.147.244"
    rightca="C=BR,ST=RJ,O=markway,CN=CA,E=fabio.ferreira at markway.com.br"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right="200.150.147.244"
    rightsubnet="192.168.1.0/255.255.255.0"
    rightca="C=BR,ST=RJ,O=markway,CN=CA,E=fabio.ferreira at markway.com.br"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-all
    left=%any
    right="200.150.147.244"
    rightca="C=BR,ST=RJ,O=markway,CN=CA,E=fabio.ferreira at markway.com.br"
    network=auto
    #rightsubnet=*
    rightsubnet="192.168.1.0/255.255.255.0"
    network=auto
    auto=start
    pfs=yes
########################################################################
/var/log/secure
Oct 5 11:24:05 frwmarkway pluto[15356]: packet from 201.5.11.4:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 5 11:24:05 frwmarkway pluto[15356]: packet from 201.5.11.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 5 11:24:05 frwmarkway pluto[15356]: packet from 201.5.11.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 5 11:24:05 frwmarkway pluto[15356]: packet from 201.5.11.4:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: responding to Main Mode from unknown peer 201.5.11.4
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 5 11:24:06 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: discarding duplicate packet; already STATE_MAIN_R2
Oct 5 11:24:06 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: next payload type of ISAKMP Hash Payload has an unknown value: 136
Oct 5 11:24:06 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: malformed payload in packet
Oct 5 11:24:06 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: sending notification PAYLOAD_MALFORMED to 201.5.11.4:500
Oct 5 11:25:15 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: max number of retransmissions (2) reached STATE_MAIN_R2
Oct 5 11:25:15 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4: deleting connection "roadwarrior_jackson" instance with peer 201.5.11.4 {isakmp=#0/ipsec=#0}
Oct 5 11:25:55 frwmarkway pluto[15356]: packet from 201.5.11.4:500: Informational Exchange is for an unknown (expired?) SA
Oct 5 11:25:55 frwmarkway pluto[15356]: packet from 201.5.11.4:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Oct 5 11:25:55 frwmarkway pluto[15356]: packet from 201.5.11.4:500: ignoring Vendor ID payload [FRAGMENTATION]
Oct 5 11:25:55 frwmarkway pluto[15356]: packet from 201.5.11.4:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Oct 5 11:25:55 frwmarkway pluto[15356]: packet from 201.5.11.4:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: responding to Main Mode from unknown peer 201.5.11.4
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: STATE_MAIN_R1: sent MR1, expecting MI2
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: STATE_MAIN_R2: sent MR2, expecting MI3
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: next payload type of ISAKMP Hash Payload has an unknown value: 86
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: malformed payload in packet
Oct 5 11:25:55 frwmarkway pluto[15356]: "roadwarrior_jackson"[2] 201.5.11.4 #2: sending notification PAYLOAD_MALFORMED to 201.5.11.4:500
########################################################################
# ipsec whack --status
000 "roadwarrior_jackson": 192.168.1.0/24===200.150.147.244[C=BR, ST=RJ, L=RJ, O=markway, CN=jackson, E=jackson.schemes at markway.com.br]---200.150.147.241...%any; unrouted; eroute owner: #0
000 "roadwarrior_jackson": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior_jackson": CAs: 'C=BR, ST=RJ, O=markway, CN=CA, E=fabio.ferreira at markway.com.br'...'%any'
000 "roadwarrior_jackson": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior_jackson": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,32; interface: eth0;
000 "roadwarrior_jackson": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "roadwarrior_jackson"[1]: 192.168.1.0/24===200.150.147.244[C=BR, ST=RJ, L=RJ, O=markway, CN=jackson, E=jackson.schemes at markway.com.br]---200.150.147.241...201.5.11.4; unrouted; eroute owner: #0
000 "roadwarrior_jackson"[1]: srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "roadwarrior_jackson"[1]: CAs: 'C=BR, ST=RJ, O=markway, CN=CA, E=fabio.ferreira at markway.com.br'...'%any'
000 "roadwarrior_jackson"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "roadwarrior_jackson"[1]: policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,32; interface: eth0;
000 "roadwarrior_jackson"[1]: newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "roadwarrior_jackson"[1] 201.5.11.4:500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 3s; nodpd
########################################################################
Thanks,
Fabio Ferreira - IT Consultant
Markway Business & Informática LTDA
Tel/Fax: 55-21-22624312
http://www.markway.com.br
"15 YEARS CREATING BUSINESS"
Want to talk about our service?
Send a message to our Quality Department.
qualidade at markway.com.br
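An added triage helper, not part of this post and not Openswan code: it parses responder-side pluto lines such as the /var/log/secure excerpt above and reports which ISAKMP SAs logged an error before Phase 1 completed (STATE_MAIN_R3 on the responder). MI3 is the first encrypted Main Mode message, so a malformed Hash payload logged while still in STATE_MAIN_R2 marks the point where the responder could no longer parse what the peer sent; the function and variable names are mine, the connection name and peer address come from the log.

```python
import re
from collections import OrderedDict

# Constructed sample: pluto lines copied from the /var/log/secure excerpt in the
# post above, re-joined onto single lines (the list archive had wrapped them).
SAMPLE_LOG = """\
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: responding to Main Mode from unknown peer 201.5.11.4
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Oct 5 11:24:05 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Oct 5 11:24:06 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: next payload type of ISAKMP Hash Payload has an unknown value: 136
Oct 5 11:24:06 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: malformed payload in packet
Oct 5 11:24:06 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: sending notification PAYLOAD_MALFORMED to 201.5.11.4:500
Oct 5 11:25:15 frwmarkway pluto[15356]: "roadwarrior_jackson"[1] 201.5.11.4 #1: max number of retransmissions (2) reached STATE_MAIN_R2
"""

# One ISAKMP SA is identified by connection name, peer address and SA number (#n).
SA_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ERROR_MARKERS = ('malformed payload', 'unknown value', 'max number of retransmissions')


def analyze(log_text):
    """Track the last Main Mode state, NAT-T verdict and errors of every responder-side SA."""
    sas = OrderedDict()
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue  # vendor-ID chatter and other lines not tied to a numbered SA
        key = (m['conn'], m['peer'], int(m['sa']))
        rec = sas.setdefault(key, {'state': 'STATE_MAIN_R0', 'nat': None, 'errors': []})
        msg = m['msg']
        t = TRANSITION_RE.search(msg)
        if t:
            rec['state'] = t.group(2)
        elif 'NAT-Traversal: Result' in msg:
            rec['nat'] = msg.rsplit(': ', 1)[1]
        elif any(marker in msg for marker in ERROR_MARKERS):
            rec['errors'].append(msg)
    return sas


def stalled(sas):
    """SAs that logged an error before reaching STATE_MAIN_R3 (Phase 1 complete on the responder).
    A stall at STATE_MAIN_R2 means MI3, the first encrypted Main Mode message, was not accepted."""
    return {k: v for k, v in sas.items() if v['state'] != 'STATE_MAIN_R3' and v['errors']}


if __name__ == '__main__':
    for (conn, peer, sa), rec in stalled(analyze(SAMPLE_LOG)).items():
        print(f'{conn} #{sa} from {peer}: stuck at {rec["state"]} (NAT: {rec["nat"]}); '
              f'first error: {rec["errors"][0]}')
```

Feed it the whole of /var/log/secure to see whether every peer stalls at the same state, which separates a per-client problem from a server-side one.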