[Openswan Users] Problem at Quickmode (repost)

Adrian Wee Chin Mun cmwee at itee.uq.edu.au
Tue Apr 24 00:16:48 EDT 2007


Hello,
        Sorry for the repost, I think I posted my question/problem wrongly
the last time. It came up in someone else's thread rather than on a new
thread. Would of course appreciate any comments on this.
 
 
        I am trying to get Openswan running on an embedded system. My test
bed is a host to host network with a PC on one end and the embedded system
on the other. I have confirmed that the PC side works, as I have tested it
against another PC running Openswan with the same conf file.
So far I have had some success but I seem to be stuck at Quick mode. Quick
mode starts but does not complete on the embedded system but seems to
complete on the PC. I have read some FAQs and troubleshooting guides on the
internet (the wiki), which suggest that it is a configuration/parameter
problem. The conf files are duplicated across both systems to make sure
there is no confusion there. I have tried using tcpdump to get more
information but since it is already encrypted at this point, I can't get
much out of it. I would appreciate any suggestions on what I did wrong or
how I can troubleshoot this. I have attached the conf file, the log and
terminal output of the PC and also the terminal output of the embedded
system.
 
Thank you
Adrian
 
 
ipsec.conf file
 
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
 
# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
 
 
version 2.0     # conforms to second version of ipsec.conf specification
 
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        #
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
        interfaces="ipsec0=eth0"
 
# Add connections here
conn host-to-host
        left=192.168.0.5
        
leftrsasigkey=0sAQO098JW9u241mh2FvotWXgX8qyeQvtZH/1Eo9/+DgnRBkUNBMd8F3Ri/7AJ
f7H8NYc98X05cLdzV6ApyLKHYd9rgdGSP8W9RZfw1nr4ers57Ys0PcW1medCxmOnqTgqOnpCIyXn
yTbZm4dC2xY3P/ot1Eg9aTS/kh2ImhVNz7A2bCNIoK4r95NNGMyT1omfFzwopV8y+wEEZdwikwP2
fnMuKcogVrprITFYpTq+VTKdfkYC3pQ8UTBjqeqk+sC+gEuIcyVIVsHprmK/FBxaG1Fw12slks9m
HPoml8tsLyLzf7v7rZvU8WfcSVFg655WEhAibVcEhYnNZvJLZQpP/wgGl+ydblChez8iBxLcgRU5
n4qp          # Local vitals
        right=192.168.0.10                # Remote vitals
        
rightrsasigkey=0sAQPVtiqab4v0qUoMnSaoVCXEdzI4gaBTbbm2yvh5ZWM+UTTaFTymdST5R1B
3BYbHdMo1kNgPW486e05XKvA/z+4N9IIX2kcXFA4wFYv/nJsezqQthhCuDGr1DlhrY1PaPvd0Ukm
KBK3corTuBtZBNdtPP8xBh/sfIdVPk0UxCKqzZ2A1W7f2tzcljm20Agkqx4TphuvSefQ/evtZEsF
8DBXDdcWsWGJ2ujNYhC26OjjOMVyPEwqupNx+d0tTHE38Xu0ykpF33ncpMvUwnZXgLtgBSaN1ihW
PW93DRIV45Ykn8Wa1+btmXPZCoWFroPcqiu8tJ83OBmd4HDLxk8Wu/ikUNsMojkfA06cwUjxl269
7YN2t   #
        auto=add                       # authorizes but doesn't start this
                                   # connection at startup
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
 
 
 
The log output on the PC:
 
Apr 17 13:42:11 localhost pluto[29023]: "host-to-host" #1: responding to
Main Mode
Apr 17 13:42:11 localhost pluto[29023]: "host-to-host" #1: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 17 13:42:11 localhost pluto[29023]: "host-to-host" #1: STATE_MAIN_R1:
sent MR1, expecting MI2
Apr 17 13:42:13 localhost pluto[29023]: "host-to-host" #1: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 17 13:42:13 localhost pluto[29023]: "host-to-host" #1: STATE_MAIN_R2:
sent MR2, expecting MI3
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: Main mode peer ID
is ID_IPV4_ADDR: '192.168.0.5'
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: I did not send a
certificate because I do not have one.
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 17 13:42:20 localhost pluto[29023]: "host-to-host" #1: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 17 13:42:22 localhost pluto[29023]: "host-to-host" #2: responding to
Quick Mode {msgid:7ba4489f}
Apr 17 13:42:22 localhost pluto[29023]: "host-to-host" #2: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 17 13:42:22 localhost pluto[29023]: "host-to-host" #2: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2
Apr 17 13:42:32 localhost pluto[29023]: "host-to-host" #2: discarding
duplicate packet; already STATE_QUICK_R1
Apr 17 13:42:52 localhost pluto[29023]: "host-to-host" #2: discarding
duplicate packet; already STATE_QUICK_R1
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #3: responding to
Quick Mode {msgid:4d021b53}
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #3: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #3: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #1: ignoring
informational payload, type INVALID_MESSAGE_ID
Apr 17 13:43:34 localhost pluto[29023]: "host-to-host" #1: received and
ignored informational message
Apr 17 13:43:43 localhost pluto[29023]: "host-to-host" #3: discarding
duplicate packet; already STATE_QUICK_R1
Apr 17 13:44:03 localhost pluto[29023]: "host-to-host" #3: discarding
duplicate packet; already STATE_QUICK_R1
Apr 17 13:44:12 localhost pluto[29023]: "host-to-host" #1: ignoring
informational payload, type INVALID_MESSAGE_ID
Apr 17 13:44:12 localhost pluto[29023]: "host-to-host" #1: received and
ignored informational message
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #4: responding to
Quick Mode {msgid:dac39802}
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #4: transition from
state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #4: STATE_QUICK_R1:
sent QR1, inbound IPsec SA installed, expecting QI2
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #1: ignoring
informational payload, type INVALID_MESSAGE_ID
Apr 17 13:44:45 localhost pluto[29023]: "host-to-host" #1: received and
ignored informational message
Apr 17 13:44:52 localhost pluto[29023]: "host-to-host" #1: ignoring
informational payload, type INVALID_MESSAGE_ID
Apr 17 13:44:52 localhost pluto[29023]: "host-to-host" #1: received and
ignored informational message
Apr 17 13:44:55 localhost pluto[29023]: "host-to-host" #4: discarding
duplicate packet; already STATE_QUICK_R1
 
....keeps going on
 
The output on terminal on the PC:
 
002 "host-to-host" #2: initiating Main Mode
104 "host-to-host" #2: STATE_MAIN_I1: initiate
003 "host-to-host" #2: ignoring unknown Vendor ID payload
[4f456e4d43757f784f704063]
003 "host-to-host" #2: received Vendor ID payload [Dead Peer Detection]
002 "host-to-host" #2: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "host-to-host" #2: STATE_MAIN_I2: sent MI2, expecting MR2
002 "host-to-host" #2: I did not send a certificate because I do not have
one.
002 "host-to-host" #2: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "host-to-host" #2: STATE_MAIN_I3: sent MI3, expecting MR3
002 "host-to-host" #2: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.5'
002 "host-to-host" #2: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "host-to-host" #2: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1536}
002 "host-to-host" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP
{using isakmp#2}
117 "host-to-host" #3: STATE_QUICK_I1: initiate
002 "host-to-host" #3: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
004 "host-to-host" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x51f3bf38 <0x1dc16f43 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=none}
 
 
The output on the terminal on the embedded system:
 
002 listening for IKE messages
002 adding interface ipsec0/eth0 192.168.0.5:500
002 loading secrets from "/tmp/nfs/version1/ipsec.secrets"
# Jan  1 00:29:34 pluto[104]: packet from 192.168.0.10:500: ignoring unknown
Ven
dor ID payload [4f454e7c454d716b5f4d6c67]
Jan  1 00:29:34 pluto[104]: packet from 192.168.0.10:500: received Vendor ID
payload [Dead Peer Detection]
Jan  1 00:29:34 pluto[104]: "host-to-host" #1: responding to Main Mode
Jan  1 00:29:34 pluto[104]: "host-to-host" #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 00:29:34 pluto[104]: "host-to-host" #1: STATE_MAIN_R1: sent MR1,
expecting MI2
Jan  1 00:29:36 pluto[104]: "host-to-host" #1: WARNING: calc_dh_shared():
for OAKLEY_GROUP_MODP1536 took 1311633 usec
Jan  1 00:29:36 pluto[104]: "host-to-host" #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Jan  1 00:29:36 pluto[104]: "host-to-host" #1: STATE_MAIN_R2: sent MR2,
expecting MI3
Jan  1 00:29:37 pluto[104]: "host-to-host" #1: Main mode peer ID is
ID_IPV4_ADDR: '192.168.0.10'
Jan  1 00:29:37 pluto[104]: "host-to-host" #1: I did not send a certificate
because I do not have one.
Jan  1 00:29:43 pluto[104]: "host-to-host" #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Jan  1 00:29:43 pluto[104]: "host-to-host" #1: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1536}
Jan  1 00:29:44 pluto[104]: "host-to-host" #2: responding to Quick Mode
{msgid:f085e8ee}
Jan  1 00:29:46 pluto[104]: "host-to-host" #2: WARNING: calc_dh_shared():
for OAKLEY_GROUP_MODP1536 took 1309277 usec
Jan  1 00:29:46 pluto[104]: "host-to-host" #2: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jan  1 00:29:46 pluto[104]: "host-to-host" #2: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Jan  1 00:29:51 pluto[104]: "host-to-host" #2: up-host output: syntax error
Jan  1 00:29:51 pluto[104]: "host-to-host" #2: up-host command exited with
status 255
Jan  1 00:29:56 pluto[104]: "host-to-host" #2: discarding duplicate packet;
already STATE_QUICK_R1
Jan  1 00:30:16 pluto[104]: "host-to-host" #2: discarding duplicate packet;
already STATE_QUICK_R1
 
...removed repeated sections....and eventually
 
 
#2: max number of retransmissions (
20) reached STATE_QUICK_R1
Jan  1 00:42:56 pluto[104]: |   02 04 00 03  00 0b 00 00  00 00 00 10  00 00
00 68
Jan  1 00:42:56 pluto[104]: |   00 03 00 01  51 f3 bf 38  00 01 00 00  00 00
00 00
Jan  1 00:42:56 pluto[104]: |   ff ff ff ff  00 00 00 00  00 03 00 05  00 00
00 00
Jan  1 00:42:56 pluto[104]: |   00 02 00 00  c0 a8 00 0a  00 00 00 00  00 00
00 00
Jan  1 00:42:56 pluto[104]: |   00 03 00 06  00 00 00 00  00 02 00 00  c0 a8
00 05
Jan  1 00:42:56 pluto[104]: |   00 00 00 00  00 00 00 00

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20070424/79116648/attachment-0001.html 

