[Openswan Users] Openswan and Netopia in aggressive mode
Andy Van den Heede
andy.vandenheede at secuteam.com
Sun Sep 24 04:00:31 EDT 2006
Hello Openswan Users,
I am trying to configure openswan for a vpn with a Netopia router in
aggressive mode. I use aggressive mode (I know it is not so safe!),
because I have a lot of Netopia routers, and with a Netopia router it is
not possible to define a left id and right id in main mode (it will use
the external address by default). All my Netopia routers have a dynamic ip
address. Also, defining a dyndns account is not possible on the Netopia.
When I use main mode with 1 Netopia router, the vpn is working perfectly.
When I use more than 1 Netopia router, I can't build up the two tunnels.
In the log files I have this:
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
Aggressive mode peer ID is ID_FQDN: '@netopia.ipsec'
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
responding to Aggressive Mode, state #1, connection "openswan" from
80.201.162.93
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
STATE_AGGR_R1: sent AR1, expecting AI2
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
packet rejected: should have been encrypted
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
sending notification INVALID_FLAGS to 80.201.162.93:500
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
next payload type of ISAKMP Hash Payload has an unknown value: 56
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
malformed payload in packet
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
sending notification PAYLOAD_MALFORMED to 80.201.162.93:500
Sep 24 09:48:24 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
Quick Mode message is unacceptable because it is for an incomplete
ISAKMP SA
Sep 24 09:48:24 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
sending notification PAYLOAD_MALFORMED to 80.201.162.93:500
Sep 24 09:48:40 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
Quick Mode message is unacceptable because it is for an incomplete
ISAKMP SA
Sep 24 09:48:40 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
sending notification PAYLOAD_MALFORMED to 80.201.162.93:500
Sep 24 09:48:55 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
Quick Mode message is unacceptable because it is for an incomplete
ISAKMP SA
Sep 24 09:48:55 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1:
sending notification PAYLOAD_MALFORMED to 80.201.162.93:500
My ipsec.conf file looks like this:
conn openswan
left="62.166.214.114"
leftsubnet="192.168.123.0/255.255.255.0"
leftnexthop="62.166.214.113"
leftid="@openswan.ipsec"
right="0.0.0.0"
rightsubnet="10.0.0.0/255.255.255.0"
rightid="@netopia.ipsec"
auto="add"
authby="secret"
type="tunnel"
keyexchange="ike"
auth="esp"
pfs="no"
ike="3des-md5-modp1024"
ikelifetime="28800"
esp="3des-md5-96"
keylife="3600"
aggrmode="yes"
rekey="yes"
My ipsec.secrets:
@openswan.ipsec @netopia.ipsec: PSK "PreSharedKey"
When I only remove the aggrmode="yes" in my ipsec.conf file and also
change the settings on the Netopia from aggressive mode to main mode,
the vpn tunnel builds up directly (this is the log file below):
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
responding to Main Mode from unknown peer 80.201.162.93
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
ignoring unknown Vendor ID payload [3652d8cb0c2e66807ce8b6adf4a7a26c]
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
Main mode peer ID is ID_IPV4_ADDR: '0.0.0.0'
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1:
switched from "openswan" to "openswan"
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #1:
deleting connection "openswan" instance with peer 80.201.162.93
{isakmp=#0/ipsec=#0}
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #1: I
did not send a certificate because I do not have one.
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2:
responding to Quick Mode {msgid:1b7445e5}
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2:
STATE_QUICK_R2: IPsec SA established {ESP=>0x863d0c7a <0x50d8ba1b
xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
If I run "ipsec auto --status":
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 62.166.214.114
000 interface eth1/eth1 192.168.123.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "openswan":
192.168.123.0/24===62.166.214.114---62.166.214.113...%any===10.0.0.0/24;
unrouted; eroute owner: #0
000 "openswan": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "openswan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "openswan": policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface:
eth0;
000 "openswan": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "openswan": ESP algorithms wanted: 3_000-1, flags=strict
000 "openswan": ESP algorithms loaded: 3_000-1, flags=strict
000 "openswan"[2]:
192.168.123.0/24===62.166.214.114---62.166.214.113...80.201.162.93[0.0.0
.0]===10.0.0.0/24; erouted; eroute owner: #2
000 "openswan"[2]: srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "openswan"[2]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "openswan"[2]: policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface:
eth0;
000 "openswan"[2]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "openswan"[2]: IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "openswan"[2]: ESP algorithms wanted: 3_000-1, flags=strict
000 "openswan"[2]: ESP algorithms loaded: 3_000-1, flags=strict
000 "openswan"[2]: ESP algorithm newest: 3DES_0-HMAC_MD5;
pfsgroup=<N/A>
000
000 #2: "openswan"[2] 80.201.162.93:500 STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3132s; newest IPSEC; eroute owner
000 #2: "openswan"[2] 80.201.162.93 esp.863d0c7a at 80.201.162.93
esp.50d8ba1b at 62.166.214.114 tun.0 at 80.201.162.93 tun.0 at 62.166.214.114
000 #1: "openswan"[2] 80.201.162.93:500 STATE_MAIN_R3 (sent MR3, ISAKMP
SA established); EVENT_SA_REPLACE in 3131s; newest ISAKMP; nodpd
Do I have to change something in the ipsec.conf when I use aggressive mode?
Andy Van den Heede
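As an added example, not part of Andy's post and not Openswan code: a small Python triage script that folds pluto log lines like the two captures above into one record per (peer, state object) and reports where each negotiation stopped. It assumes the line layout shown in the post (`"conn"[instance] peer #sa: message`); the sample lines are the ones from the post, joined back onto single lines where the mail client wrapped them. Run over the aggressive-mode capture it shows phase 1 stuck at STATE_AGGR_R1 with INVALID_FLAGS and PAYLOAD_MALFORMED sent back, which is why the later Quick Mode messages are refused; over the main-mode capture it shows both SAs up, and flags that the peer identified itself as 0.0.0.0.

```python
import re
from collections import defaultdict

# Constructed sample: the aggressive-mode lines from the post, unwrapped.
AGGR_LOG = """\
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: Aggressive mode peer ID is ID_FQDN: '@netopia.ipsec'
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: responding to Aggressive Mode, state #1, connection "openswan" from 80.201.162.93
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: STATE_AGGR_R1: sent AR1, expecting AI2
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: packet rejected: should have been encrypted
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: sending notification INVALID_FLAGS to 80.201.162.93:500
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: next payload type of ISAKMP Hash Payload has an unknown value: 56
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: malformed payload in packet
Sep 24 09:48:22 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: sending notification PAYLOAD_MALFORMED to 80.201.162.93:500
Sep 24 09:48:24 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Sep 24 09:48:24 axsweb pluto[30079]: "openswan"[1] 80.201.162.93 #1: sending notification PAYLOAD_MALFORMED to 80.201.162.93:500
"""

# Constructed sample: the main-mode lines from the post, unwrapped.
MAIN_LOG = """\
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1: responding to Main Mode from unknown peer 80.201.162.93
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[1] 80.201.162.93 #1: Main mode peer ID is ID_IPV4_ADDR: '0.0.0.0'
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 24 09:58:21 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2: responding to Quick Mode {msgid:1b7445e5}
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 24 09:58:22 axsweb pluto[32522]: "openswan"[2] 80.201.162.93 #2: STATE_QUICK_R2: IPsec SA established {ESP=>0x863d0c7a <0x50d8ba1b xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

# Assumed line layout: 'Mon DD HH:MM:SS host pluto[pid]: "conn"[inst] peer #sa: message'
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[(?P<inst>\d+)\])? (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"^(Aggressive|Main) mode peer ID is (\S+): '([^']*)'")
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
NOTIFY_RE = re.compile(r'sending notification (\S+) to ')
REJECT_MARKERS = ('packet rejected', 'malformed payload', 'unacceptable')


def new_record():
    return {'mode': None, 'id_type': None, 'peer_id': None, 'last_state': None,
            'notifications': [], 'rejects': [],
            'isakmp_established': False, 'ipsec_established': False}


def summarize(log_text):
    """Fold pluto lines into one record per (peer address, state-object number)."""
    records = defaultdict(new_record)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-state pluto line (wrapped fragment or unrelated noise)
        rec = records[(m['peer'], int(m['sa']))]
        msg = m['msg']
        if (pid := PEER_ID_RE.match(msg)):
            rec['mode'], rec['id_type'], rec['peer_id'] = pid.groups()
        elif (tr := TRANSITION_RE.search(msg)):
            rec['last_state'] = tr.group(2)
        elif (nt := NOTIFY_RE.search(msg)):
            rec['notifications'].append(nt.group(1))
        if 'ISAKMP SA established' in msg:
            rec['isakmp_established'] = True
        if 'IPsec SA established' in msg:
            rec['ipsec_established'] = True
        if any(marker in msg for marker in REJECT_MARKERS):
            rec['rejects'].append(msg)
    return dict(records)


def triage(records):
    """Turn the per-SA records into short findings an operator can act on."""
    findings = []
    for (peer, sa), rec in sorted(records.items()):
        tag = f'{peer} #{sa}'
        if rec['ipsec_established']:
            findings.append(f'{tag}: IPsec SA up ({rec["last_state"]})')
        elif rec['isakmp_established']:
            findings.append(f'{tag}: phase 1 complete ({rec["mode"]} mode, peer ID {rec["peer_id"]})')
        elif rec['mode']:
            sent = ', '.join(rec['notifications']) or 'no notifications'
            findings.append(f'{tag}: phase 1 stalled at {rec["last_state"]} ({rec["mode"]} mode); '
                            f'sent {sent}; {len(rec["rejects"])} rejected packets')
        else:
            findings.append(f'{tag}: no phase 1 identity seen; {len(rec["rejects"])} rejected packets')
        if rec['id_type'] == 'ID_IPV4_ADDR' and rec['peer_id'] == '0.0.0.0':
            findings.append(f'{tag}: peer identified itself as 0.0.0.0, '
                            'an identity that cannot tell one dynamic router from another')
    return findings


if __name__ == '__main__':
    for label, log in (('aggressive', AGGR_LOG), ('main', MAIN_LOG)):
        print(f'--- {label} mode ---')
        for finding in triage(summarize(log)):
            print(finding)
```

The records are keyed by peer address plus pluto's `#n` state number rather than by connection instance, because the main-mode capture shows the same `#1` switching from instance `[1]` to `[2]` mid-negotiation. Anything that does not match the assumed line layout is skipped, so wrapped fragments in a pasted mail do no harm; on a real host feed it `/var/log/secure` or wherever pluto logs.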