[Openswan Users] Newbie have , problems with PSK

John Joseph jjk_saji at yahoo.com
Wed Sep 13 09:13:20 EDT 2006



Hi
  I am a new user. I am trying to set up an Openswan VPN on a test basis using PSK keys.

1>    I have installed Openswan on a machine which has two interfaces:
      Eth1 = 192.168.20.202/24
      Eth0 = 192.168.242.100/24; => the interface which I used to connect to the clients

2>    I have another XP machine on the subnet 192.168.242.0/24, with IP 192.168.242.135, which is the VPN client.

When I do a tcpdump on the VPN server, I get this result:
[root at psa examples]# tcpdump -i eth0 port 500 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:59:36.179042 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
18:59:46.176330 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
19:00:06.174062 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
19:00:46.169767 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
19:00:56.169046 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
**************************
my /etc/ipsec.conf is:

**********************************************
version 2.0
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        overridemtu=1200
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn l2tp-psk
        pfs=no
        left=192.168.242.100
        leftnexthop=192.168.242.1
        #right=%any
        right=192.168.242.135
        rightsubnet=0.0.0.0/0
        auto=start

**************
my "ipsec verify" shows:
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                       [OK]
Linux Openswan U2.4.6/K2.6.9-42.0.2.EL (netkey)
Checking for IPsec support in kernel                  [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)     [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                        [OK]
Two or more interfaces found, checking IP forwarding  [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                             [OK]
Checking for 'iptables' command                       [OK]
Opportunistic Encryption Support                      [DISABLED]


**********************
"ipsec whack --status" shows:
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "l2tp-psk": 192.168.242.100---192.168.242.1...192.168.242.135===0.0.0.0/0; prospective erouted; eroute owner: #0
000 "l2tp-psk":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "l2tp-psk":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "l2tp-psk":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+UP; prio: 32,0; interface: eth0;
000 "l2tp-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "l2tp-psk":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s; nodpd
000 #2: pending Phase 2 for "l2tp-psk" replacing #0
000


###############################################################

Now, if I change to right=%any in "/etc/ipsec.conf", I get this message in /var/log/messages:
ipsec__plutorun: 029 "l2tp-psk": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Sep 13 19:18:32 psa ipsec__plutorun: ...could not start conn "l2tp-psk"

 I request advice on:
        1> Whether my VPN is working properly when I give "right=192.168.242.135" in ipsec.conf; the tcpdump is:
[root at psa examples]# tcpdump -i eth0 port 500 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
18:59:36.179042 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
18:59:46.176330 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
19:00:06.174062 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
19:00:46.169767 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident
19:00:56.169046 IP 192.168.242.100.isakmp > 192.168.242.135.isakmp: isakmp: phase 1 I ident

	2> Why I cannot initiate a connection when I give right=%any in ipsec.conf
	
                      Guidance requested 
                              Thanks 
                                  Joseph John 






		

