[Openswan Users] Problem at Quick mode

Adrian Wee Chin Mun cmwee at itee.uq.edu.au
Thu Apr 19 01:48:40 EDT 2007


Hi,
	I am trying to get Openswan running on an embedded system. My test
bed is a host-to-host network with a PC on one end and the embedded system
on the other. I have confirmed that the PC system works, as I have tested it
with another PC running Openswan with the same conf file.
So far I have had some success, but I seem to be stuck at Quick Mode. Quick
Mode starts but does not complete on the embedded system, but seems to
complete on the PC. I have read some FAQs and troubleshooting guides on the
internet (the wiki) which suggest that it is a configuration/parameters
problem. The conf files are duplicated across both systems to make sure
there is no confusion there. I have tried using tcpdump to get more
information, but since it is already encrypted at this point, I can't get
much out of it. I would appreciate any suggestions on what I did wrong or
how I can troubleshoot this. I have attached the conf file, the log and
terminal output of the PC, and also the terminal output of the embedded
system.

Thank you
Adrian


ipsec.conf file

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	# plutodebug="control parsing"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	nat_traversal=no
	#
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
	#
	# enable this if you see "failed to find any available worker"
	nhelpers=0
	interfaces="ipsec0=eth0"

# Add connections here
conn host-to-host
	left=192.168.0.5
	leftrsasigkey=0sAQO098JW9u241mh2FvotWXgX8qyeQvtZH/1Eo9/+DgnRBkUNBMd8F3Ri/7AJf7H8NYc98X05cLdzV6ApyLKHYd9rgdGSP8W9RZfw1nr4ers57Ys0PcW1medCxmOnqTgqOnpCIyXnyTbZm4dC2xY3P/ot1Eg9aTS/kh2ImhVNz7A2bCNIoK4r95NNGMyT1omfFzwopV8y+wEEZdwikwP2fnMuKcogVrprITFYpTq+VTKdfkYC3pQ8UTBjqeqk+sC+gEuIcyVIVsHprmK/FBxaG1Fw12slks9mHPoml8tsLyLzf7v7rZvU8WfcSVFg655WEhAibVcEhYnNZvJLZQpP/wgGl+ydblChez8iBxLcgRU5n4qp          # Local vitals
	right=192.168.0.10                # Remote vitals
	rightrsasigkey=0sAQPVtiqab4v0qUoMnSaoVCXEdzI4gaBTbbm2yvh5ZWM+UTTaFTymdST5R1B3BYbHdMo1kNgPW486e05XKvA/z+4N9IIX2kcXFA4wFYv/nJsezqQthhCuDGr1DlhrY1PaPvd0UkmKBK3corTuBtZBNdtPP8xBh/sfIdVPk0UxCKqzZ2A1W7f2tzcljm20Agkqx4TphuvSefQ/evtZEsF8DBXDdcWsWGJ2ujNYhC26OjjOMVyPEwqupNx+d0tTHE38Xu0ykpF33ncpMvUwnZXgLtgBSaN1ihWPW93DRIV45Ykn8Wa1+btmXPZCoWFroPcqiu8tJ83OBmd4HDLxk8Wu/ikUNsMojkfA06cwUjxl2697YN2t   #
	auto=add                       # authorizes but doesn't start this
                                   # connection at startup
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf



The log output on the PC:

Apr 17 13:42:11 localhost pluto[29023]: "host-to-host" #1: responding to Main Mode
Apr 17 13:42:11 localhost pluto[29023]: "host-to-host" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 17 13:42:11 localhost pluto[29023]: "host-to-host" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 17 13:42:13 localhost pluto[29023]: "host-to-host" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 17 13:42:13 localhost pluto[29023]: "host-to-host" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.5'
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: I did not send a certificate because I do not have one.
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 17 13:42:22 localhost pluto[29023]: "host-to-host" #2: responding to Quick Mode {msgid:7ba4489f}
Apr 17 13:42:22 localhost pluto[29023]: "host-to-host" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 17 13:42:22 localhost pluto[29023]: "host-to-host" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 17 13:42:32 localhost pluto[29023]: "host-to-host" #2: discarding duplicate packet; already STATE_QUICK_R1
Apr 17 13:42:52 localhost pluto[29023]: "host-to-host" #2: discarding duplicate packet; already STATE_QUICK_R1
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #3: responding to Quick Mode {msgid:4d021b53}
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #1: received and ignored informational message
Apr 17 13:43:43 localhost pluto[29023]: "host-to-host" #3: discarding duplicate packet; already STATE_QUICK_R1
Apr 17 13:44:03 localhost pluto[29023]: "host-to-host" #3: discarding duplicate packet; already STATE_QUICK_R1
Apr 17 13:44:12 localhost pluto[29023]: "host-to-host" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 17 13:44:12 localhost pluto[29023]: "host-to-host" #1: received and ignored informational message
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #4: responding to Quick Mode {msgid:dac39802}
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #1: received and ignored informational message
Apr 17 13:44:52 localhost pluto[29023]: "host-to-host" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Apr 17 13:44:52 localhost pluto[29023]: "host-to-host" #1: received and ignored informational message
Apr 17 13:44:55 localhost pluto[29023]: "host-to-host" #4: discarding duplicate packet; already STATE_QUICK_R1

....keeps going on

The output on terminal on the PC:

002 "host-to-host" #2: initiating Main Mode
104 "host-to-host" #2: STATE_MAIN_I1: initiate
003 "host-to-host" #2: ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]
003 "host-to-host" #2: received Vendor ID payload [Dead Peer Detection]
002 "host-to-host" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "host-to-host" #2: STATE_MAIN_I2: sent MI2, expecting MR2
002 "host-to-host" #2: I did not send a certificate because I do not have one.
002 "host-to-host" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "host-to-host" #2: STATE_MAIN_I3: sent MI3, expecting MR3
002 "host-to-host" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.5'
002 "host-to-host" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "host-to-host" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
002 "host-to-host" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#2}
117 "host-to-host" #3: STATE_QUICK_I1: initiate
002 "host-to-host" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "host-to-host" #3: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x51f3bf38 <0x1dc16f43 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}


The output on the terminal on the embedded system:

002 listening for IKE messages
002 adding interface ipsec0/eth0 192.168.0.5:500
002 loading secrets from "/tmp/nfs/version1/ipsec.secrets"
Jan  1 00:29:34 pluto[104]: packet from 192.168.0.10:500: ignoring unknown Vendor ID payload [4f454e7c454d716b5f4d6c67]
Jan  1 00:29:34 pluto[104]: packet from 192.168.0.10:500: received Vendor ID payload [Dead Peer Detection]
Jan  1 00:29:34 pluto[104]: "host-to-host" #1: responding to Main Mode
Jan  1 00:29:34 pluto[104]: "host-to-host" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 00:29:34 pluto[104]: "host-to-host" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 00:29:36 pluto[104]: "host-to-host" #1: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP1536 took 1311633 usec
Jan  1 00:29:36 pluto[104]: "host-to-host" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 00:29:36 pluto[104]: "host-to-host" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jan  1 00:29:37 pluto[104]: "host-to-host" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.10'
Jan  1 00:29:37 pluto[104]: "host-to-host" #1: I did not send a certificate because I do not have one.
Jan  1 00:29:43 pluto[104]: "host-to-host" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 00:29:43 pluto[104]: "host-to-host" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Jan  1 00:29:44 pluto[104]: "host-to-host" #2: responding to Quick Mode {msgid:f085e8ee}
Jan  1 00:29:46 pluto[104]: "host-to-host" #2: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP1536 took 1309277 usec
Jan  1 00:29:46 pluto[104]: "host-to-host" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:29:46 pluto[104]: "host-to-host" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan  1 00:29:51 pluto[104]: "host-to-host" #2: up-host output: syntax error
Jan  1 00:29:51 pluto[104]: "host-to-host" #2: up-host command exited with status 255
Jan  1 00:29:56 pluto[104]: "host-to-host" #2: discarding duplicate packet; already STATE_QUICK_R1
Jan  1 00:30:16 pluto[104]: "host-to-host" #2: discarding duplicate packet; already STATE_QUICK_R1

...removed repeated sections....and eventually


#2: max number of retransmissions (20) reached STATE_QUICK_R1
Jan  1 00:42:56 pluto[104]: |   02 04 00 03  00 0b 00 00  00 00 00 10  00 00 00 68
Jan  1 00:42:56 pluto[104]: |   00 03 00 01  51 f3 bf 38  00 01 00 00  00 00 00 00
Jan  1 00:42:56 pluto[104]: |   ff ff ff ff  00 00 00 00  00 03 00 05  00 00 00 00
Jan  1 00:42:56 pluto[104]: |   00 02 00 00  c0 a8 00 0a  00 00 00 00  00 00 00 00
Jan  1 00:42:56 pluto[104]: |   00 03 00 06  00 00 00 00  00 02 00 00  c0 a8 00 05
Jan  1 00:42:56 pluto[104]: |   00 00 00 00  00 00 00 00
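
The hex dump pluto printed when it gave up on state #2 is a PF_KEYv2 message, the interface pluto uses to add and delete SAs in the kernel IPsec stack. The decoder below is an added example, not Openswan code: it follows RFC 2367 for the message header, the SA extension and the address extensions, treats the SA extension as Openswan's 24-byte variant (the RFC fields plus a 32-bit SAref and 4 reserved bytes, which is what the "ff ff ff ff  00 00 00 00" is), and assumes big-endian byte order, an assumption the dump itself supports because sadb_msg_pid decodes to 104, the pid in "pluto[104]". Decoded, the message is an SADB_DELETE for ESP SPI 0x51f3bf38 from 192.168.0.10 to 192.168.0.5, that is, the inbound SA the embedded system installed at QR1 (the PC's terminal shows the same SPI as its outbound one, "ESP=>0x51f3bf38") being torn down along with the discarded state.

```python
"""Decode the PF_KEYv2 message pluto dumped after giving up on state #2.
Added example, not Openswan code.  PLUTO_DUMP is the hex from the post;
field layout per RFC 2367 plus Openswan's 24-byte sadb_sa; byte order is
assumed big-endian (sadb_msg_pid then decodes to 104, matching pluto[104])."""
import struct
from ipaddress import IPv4Address

PLUTO_DUMP = """
02 04 00 03  00 0b 00 00  00 00 00 10  00 00 00 68
00 03 00 01  51 f3 bf 38  00 01 00 00  00 00 00 00
ff ff ff ff  00 00 00 00  00 03 00 05  00 00 00 00
00 02 00 00  c0 a8 00 0a  00 00 00 00  00 00 00 00
00 03 00 06  00 00 00 00  00 02 00 00  c0 a8 00 05
00 00 00 00  00 00 00 00
"""

# RFC 2367 constants (the subset an SA add/delete from pluto can carry)
MSG_TYPES = {1: "SADB_GETSPI", 2: "SADB_UPDATE", 3: "SADB_ADD", 4: "SADB_DELETE",
             5: "SADB_GET", 6: "SADB_ACQUIRE", 8: "SADB_EXPIRE", 9: "SADB_FLUSH"}
SA_TYPES = {0: "UNSPEC", 2: "AH", 3: "ESP"}
SA_STATES = {0: "LARVAL", 1: "MATURE", 2: "DYING", 3: "DEAD"}
EXT_TYPES = {1: "SADB_EXT_SA", 2: "SADB_EXT_LIFETIME_CURRENT", 3: "SADB_EXT_LIFETIME_HARD",
             4: "SADB_EXT_LIFETIME_SOFT", 5: "SADB_EXT_ADDRESS_SRC", 6: "SADB_EXT_ADDRESS_DST",
             7: "SADB_EXT_ADDRESS_PROXY", 8: "SADB_EXT_KEY_AUTH", 9: "SADB_EXT_KEY_ENCRYPT"}
AF_INET = 2


def parse_pfkey(raw, order=">"):
    """Parse one PF_KEYv2 message; all lengths are in 64-bit units (RFC 2367)."""
    if len(raw) < 16:
        raise ValueError("short PF_KEY header")
    ver, mtype, errno, satype, mlen, _, seq, pid = struct.unpack(order + "BBBBHHII", raw[:16])
    total = mlen * 8
    if ver != 2 or total != len(raw):
        raise ValueError(f"bad header: version {ver}, sadb_msg_len says {total} bytes, got {len(raw)}")
    msg = {"type": MSG_TYPES.get(mtype, mtype), "errno": errno,
           "satype": SA_TYPES.get(satype, satype), "seq": seq, "pid": pid, "ext": []}
    off = 16
    while off < total:
        elen, etype = struct.unpack(order + "HH", raw[off:off + 4])
        body = raw[off:off + elen * 8]
        if elen == 0 or len(body) != elen * 8:
            raise ValueError(f"bad extension length {elen} at offset {off}")
        ext = {"type": EXT_TYPES.get(etype, etype)}
        if etype == 1:  # sadb_sa; the SPI is in network order whatever the host order
            ext["spi"] = "0x%08x" % struct.unpack(">I", body[4:8])[0]
            replay, state, auth, enc, flags = struct.unpack(order + "BBBBI", body[8:16])
            ext.update(replay=replay, state=SA_STATES.get(state, state),
                       auth=auth, encrypt=enc, flags=flags)
            if len(body) >= 20:  # Openswan extra field sadb_x_sa_ref (0xffffffff = none)
                ext["saref"] = "0x%08x" % struct.unpack(order + "I", body[16:20])[0]
        elif etype in (5, 6, 7):  # sadb_address header followed by a sockaddr
            ext["proto"], ext["prefixlen"] = struct.unpack(order + "BB", body[4:6])
            family = struct.unpack(order + "H", body[8:10])[0]
            if family == AF_INET:
                ext["port"] = struct.unpack(">H", body[10:12])[0]
                ext["addr"] = str(IPv4Address(body[12:16]))
            else:
                ext["sockaddr"] = body[8:].hex()
        else:
            ext["raw"] = body[4:].hex()
        msg["ext"].append(ext)
        off += elen * 8
    return msg


def summarize(msg):
    """One line in the spirit of pluto's own SA log lines."""
    by_type = {e["type"]: e for e in msg["ext"]}
    sa = by_type.get("SADB_EXT_SA", {})
    return "{} {} spi={} state={} src={} dst={} pid={}".format(
        msg["type"], msg["satype"], sa.get("spi", "?"), sa.get("state", "?"),
        by_type.get("SADB_EXT_ADDRESS_SRC", {}).get("addr", "?"),
        by_type.get("SADB_EXT_ADDRESS_DST", {}).get("addr", "?"), msg["pid"])


def decode_pluto_dump(text=PLUTO_DUMP):
    """Decode the dump from the post (whitespace in the hex is ignored)."""
    return parse_pfkey(bytes.fromhex(text))


if __name__ == "__main__":
    print(summarize(decode_pluto_dump()))
```

The header check against sadb_msg_len (11 units, 88 bytes, which is exactly what the six dump lines hold) is what tells you the dump is a complete message and not a fragment; if a future dump fails that check, pluto truncated it and the extension walk should not be trusted.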