[Openswan Users] Stuck Connection
Mark Olliver
mark at olliver.me.uk
Tue Oct 10 12:04:16 EDT 2006
Hi,
Thanks for the reply,
I presume you mean the following for the config:
conn iecollo-ukoffice
left=81.17.242.10
leftsubnet=192.168.242.0/24
leftsourceip=192.168.242.254
right=212.159.53.154
rightsubnet=192.168.234.0/24
rightsourceip=192.168.234.1
type=tunnel
dpddelay=9
dpdtimeout=30
dpdaction=restart
pfs=yes
rekey=yes
rekeymargin=600
rekeyfuzz=100%
keylife=3600
keyingtries=10
ikelifetime=28800
compress=yes
authby=secret
auto=start
You say the NAT will break the connection, surely as I am only NAT'ing eth0
packets that are going directly out eth1 and not via ipsec then the ipsec
packets should not be effected?
Yes I am using kernel 2.6.8 and ipsec 2.4.6 but I did not see any errors
when building both built ok,as far as I know, would you suggest a different
combination?
The remote device is a snapgear cyberquard device running their latest
kernel which runs some form of Pluto/klips I belive.
Let me know if you need any further info.
Regards,
Mark
******************************************************************
Mark Olliver BSc (Hons)
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 10 October 2006 16:50
To: Mark Olliver
Cc: users at openswan.org
Subject: Re: [Openswan Users] Stuck Connection
On Tue, 10 Oct 2006, Mark Olliver wrote:
> Local Lan 192.168.242.0/24 eth0
> |
> Local Firewall ipsec0
> |
> Local Public 81.17.242.10 eth1
> |
> |
> Remote Public 212.159.53.154 eth1
> |
> Remote Firewall ipsec0
> |
> Remote Lan 192.168.234.0/23 eth0
> Config Settings
> conn ielan-ukoflan
> leftsubnet=192.168.242.0/24
> rightsubnet=192.168.234.0/24
> also=iecollo-ukoffice
>
> conn iecollo-ukoflan
> leftsubnet=81.17.242.10/32
You are better of using a single connection with
both left/right subnets and using leftsourceip= and
rightsourceip= to denote the inner IP's of the gateways
so they can talk to each over over the vpn without the
need for 4 tunnels.
> iptables -t nat -A POSTROUTING -s 192.168.242.0/24 -d \! 192.168.234.0/24
-o
> eth1 -j SNAT --to 81.17.242.81
I assume the other had has the same kind of NAT rule, or packets will still
break.
> Oct 10 14:53:53 ie-fw1 pluto[7054]: 1 bad entries in virtual_private -
none
> loaded
since you're not using NAT harmless, but perhsps fix/comment out the line.
> Oct 10 14:53:53 ie-fw1 pluto[7054]: Using KLIPS IPsec interface code on
> 2.6.18
You are using klips on 2.6.18 with openswan 2.4.6? You must have patched
the source then to fix various config.h related issues?
> sent QI2, IPsec SA established {ESP=>0xee37a1ca <0x
> 6f27582e xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000a621 <0x0000daea NATD=none
> DPD=enabled}
looks good.
> Oct 10 14:54:16 ie-fw1 pluto[7054]: packet from 212.159.53.154:500: Quick
> Mode message is for a non-existent (expired?) ISAKMP SA
Not sure what that is. Are all 4 tunnels up and stable, or does it keep
negotiating?
> Oct 10 14:39:15 Pluto[194]: "OFFICE-IE_0" #140: responding to Main Mode
> Oct 10 14:39:15 Pluto[194]: "OFFICE-IE_0" #140: NAT-Traversal: Result
using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_0" #140: sent MR3, ISAKMP SA
> established
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: using deflate compression
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: responding to Quick Mode
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: ESP transform ESP_AES /
auth
> AUTH_ALGORITHM_HMAC_SHA1 implemented
What is this software? pluto with a capital P? Some messages I do not
recognise. Is this a freeswan/openswan derivative?
> Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: using deflate compression
> Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: responding to Quick Mode
> Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: ESP transform ESP_AES /
auth
> AUTH_ALGORITHM_HMAC_SHA1 implemented
> Oct 10 14:42:48 Pluto[194]: "OFFICE-IE_2" #145: discarding duplicate
packet;
> already STATE_QUICK_R1
> Oct 10 14:43:49 last message repeated 1 time(s)
> Oct 10 14:43:49 Pluto[194]: "OFFICE-IE_2" #145: max number of
> retransmissions (2) reached STATE_QUICK_R1
So it seems negotiating keeps looping. Try using 1 tunnel and see if that
improves things.
Paul
More information about the Users
mailing list