[Openswan Users] Juniper Openswan config issues
Ioannis Mavroukakis
imavroukakis at gameaccount.com
Tue Dec 18 17:02:40 EST 2007
Here you go Peter, no access to the Juniper logs, but I don't believe I can even reach that far!
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: forgetting secrets
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: "databaseGib": deleting connection
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: "databaseGib" #1: deleting state (STATE_MAIN_I1)
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface lo/lo 127.0.0.1:4500
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface lo/lo 127.0.0.1:500
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface eth1/eth1 192.168.1.69:4500
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface eth1/eth1 192.168.1.69:500
auth.log:Dec 18 21:54:39 stormbringer ipsec__plutorun: Starting Pluto subsystem...
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: Setting NAT-Traversal port-4500 floating to on
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: port floating activation criteria nat_t=1/port_fload=1
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: including NAT-Traversal patch (Version 0.6c)
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: WARNING: Using /dev/urandom as the source of random
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: no helpers will be started, all cryptographic operations will be done inline
auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: Using Linux 2.6 IPsec interface code on 2.6.22-14-generic
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/cacerts'
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/aacerts'
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/ocspcerts'
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/crls'
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Warning: empty directory
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: added connection description "databaseGib"
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: listening for IKE messages
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface eth1/eth1 192.168.1.69:500
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface eth1/eth1 192.168.1.69:4500
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface lo/lo 127.0.0.1:500
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface lo/lo 127.0.0.1:4500
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: loading secrets from "/etc/ipsec.secrets"
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: "databaseGib" #1: initiating Main Mode
daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: 104 "databaseGib" #1: STATE_MAIN_I1: initiate
daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: ...could not start conn "databaseGib"
Y.
On Tue, 18 Dec 2007 10:59:42 -0500, "Peter McGill" <petermcgill at goco.net> wrote:
> First comment out your plutodebug line, the extra debugging logs usually
> only get in the way.
> Then restart and attempt to connect again. There should be an error
> indication in the logs.
> There should be more information in the logs, sometimes the logs go into
> different files.
> On my system the logs you're seeing are in /var/log/syslog, but most of
> the useful logs go into /var/log/secure.
> Try grep 'pluto' /var/log/*
> Also try checking the Juniper's logs if possible.
>
> Peter McGill
>
>
>> -----Original Message-----
>> From: users-bounces at openswan.org
>> [mailto:users-bounces at openswan.org] On Behalf Of Ioannis Mavroukakis
>> Sent: December 17, 2007 5:45 PM
>> To: users at openswan.org
>> Subject: [Openswan Users] Juniper Openswan config issues
>>
>> Hello fellow listers :-) . I'm hoping to pick someone's brain about the
>> config/connection issues I have with openswan as a client to a Juniper ns204.
>>
>> This is my setup:
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>     interfaces=%defaultroute
>>     # plutodebug / klipsdebug = "all", "none" or a combination from below:
>>     # "raw crypt parsing emitting control klips pfkey natt x509 private"
>>     # eg:
>>     # plutodebug="control parsing"
>>     #
>>     # Only enable klipsdebug=all if you are a developer
>>     plutodebug="all"
>>     #
>>     # NAT-TRAVERSAL support, see README.NAT-Traversal
>>     nat_traversal=yes
>>
>>     #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>     #
>>     # enable this if you see "failed to find any available worker"
>>     #nhelpers=0
>>
>> # Add connections here
>>
>> # sample VPN connections, see /etc/ipsec.d/examples/
>> conn gib
>>     #
>>     #local
>>     #
>>     left=%defaultroute
>>     #leftsubnet=192.168.1.0/24
>>     #leftnexthop=%defaultroute
>>     leftid=@myuserid
>>     #
>>     #destination
>>     #
>>     right=195.x.x.x
>>     rightsubnet=10.x.x.x/16
>>     auto=start
>>     type=tunnel
>>     authby=secret
>>     ike=3des-md5
>>     keyexchange=ike
>>     pfs=no
>>     esp=3des-md5
>>     rekey=yes
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> ipsec verify gives me the following
>>
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.4.6/K2.6.22-14-generic (netkey)
>> Checking for IPsec support in kernel [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
>> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
>> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>> Checking that pluto is running [OK]
>> Two or more interfaces found, checking IP forwarding [OK]
>> Checking NAT and MASQUERADEing [OK]
>> Checking for 'ip' command [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>>
>>
>> Starting openswan (ipsec setup start) gives me the following
>>
>>
>> Dec 17 22:02:26 stormbringer kernel: [ 5643.674916] NET: Registered protocol family 15
>> Dec 17 22:02:26 stormbringer kernel: [ 5643.741055] Initializing XFRM netlink socket
>> Dec 17 22:02:27 stormbringer ipsec_setup: KLIPS ipsec0 on eth1 192.168.1.69/255.255.255.0 broadcast 192.168.1.255
>> Dec 17 22:02:27 stormbringer ipsec_setup: ...Openswan IPsec started
>> Dec 17 22:02:27 stormbringer ipsec_setup: Starting Openswan IPsec 2.4.6...
>> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/key/af_key.ko
>> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/ipv4/xfrm4_tunnel.ko
>> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/xfrm/xfrm_user.ko
>> Dec 17 22:02:28 stormbringer ipsec__plutorun: 104 "gib" #1: STATE_MAIN_I1: initiate
>> Dec 17 22:02:28 stormbringer ipsec__plutorun: ...could not start conn "gib"
>>
>> Can anyone shed some light on this?
>>
>> Thank you,
>>
>> Yiannis
>>
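Added example (not from the thread, and not Openswan's own tooling): a small Python script that reads the output of Peter's suggested `grep 'pluto' /var/log/*` (or any pluto log file) and reports, per connection, the furthest IKEv1 Main Mode initiator state that was reached and whether the `ipsec__plutorun` wrapper gave up waiting. The point it makes explicit is that the logs above never get past `STATE_MAIN_I1`: pluto sent the first Main Mode message and nothing ever came back from the peer, so there is no proposal or authentication failure to read yet. The embedded log is the excerpt from this thread plus constructed lines for a hypothetical connection `office` that completes Main Mode, so both verdicts are visible side by side; the state descriptions are pluto's own wording for those states.

```python
import re
import sys
from collections import OrderedDict

# IKEv1 Main Mode initiator states in the order pluto walks through them.
MAIN_MODE_ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4"]

# pluto's own description of each initiator state.
STATE_MEANING = {
    "STATE_MAIN_I1": "sent MI1, expecting MR1",
    "STATE_MAIN_I2": "sent MI2, expecting MR2",
    "STATE_MAIN_I3": "sent MI3, expecting MR3",
    "STATE_MAIN_I4": "ISAKMP SA established",
}

# Matches pluto's per-connection lines and the ipsec__plutorun wrapper's lines
# (which carry a three-digit status code), with or without a "file:" grep prefix:
#   pluto[6889]: "databaseGib" #1: initiating Main Mode
#   ipsec__plutorun: 104 "databaseGib" #1: STATE_MAIN_I1: initiate
LINE_RE = re.compile(
    r'(?:pluto\[\d+\]|ipsec__plutorun): (?:\d{3} )?"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)'
)
GAVE_UP_RE = re.compile(r'could not start conn "(?P<conn>[^"]+)"')
STATE_RE = re.compile(r"STATE_[A-Z0-9_]+")

# Excerpt from the thread above (auth.log/daemon.log via grep), followed by
# constructed lines for a hypothetical connection "office" that completes Main Mode.
SAMPLE_LOG = """\
auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: "databaseGib" #1: deleting state (STATE_MAIN_I1)
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: added connection description "databaseGib"
auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: "databaseGib" #1: initiating Main Mode
daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: 104 "databaseGib" #1: STATE_MAIN_I1: initiate
daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: ...could not start conn "databaseGib"
auth.log:Dec 18 21:55:01 stormbringer pluto[6889]: "office" #2: initiating Main Mode
auth.log:Dec 18 21:55:01 stormbringer pluto[6889]: "office" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
auth.log:Dec 18 21:55:01 stormbringer pluto[6889]: "office" #2: STATE_MAIN_I2: sent MI2, expecting MR2
auth.log:Dec 18 21:55:02 stormbringer pluto[6889]: "office" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
auth.log:Dec 18 21:55:02 stormbringer pluto[6889]: "office" #2: STATE_MAIN_I3: sent MI3, expecting MR3
auth.log:Dec 18 21:55:02 stormbringer pluto[6889]: "office" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
auth.log:Dec 18 21:55:02 stormbringer pluto[6889]: "office" #2: STATE_MAIN_I4: ISAKMP SA established
"""


def _new_entry():
    return {"states": [], "last_state": None, "wrapper_gave_up": False, "verdict": ""}


def _judge(states):
    """Map the set of states seen for one connection to (furthest state, verdict)."""
    quick = [s for s in states if s.startswith("STATE_QUICK")]
    if quick:
        return quick[-1], "Quick Mode reached: the ISAKMP SA came up, look at IPsec SA negotiation next"
    main = [s for s in MAIN_MODE_ORDER if s in states]
    if not main:
        return None, "no Main Mode state logged for this connection"
    last = main[-1]
    if last == "STATE_MAIN_I4":
        return last, "ISAKMP SA established; Main Mode is not the problem"
    if last == "STATE_MAIN_I1":
        return last, ("stuck at MI1: nothing ever came back from the peer, so either UDP/500 "
                      "does not reach 'right' (or the reply does not return), or the peer "
                      "silently discarded the first message; no proposal/auth error exists yet")
    return last, "peer answered but negotiation stalled while in " + STATE_MEANING[last]


def analyze(log_text):
    """Return {conn: {"states", "last_state", "wrapper_gave_up", "verdict"}} for a log."""
    report = OrderedDict()
    for line in log_text.splitlines():
        gave_up = GAVE_UP_RE.search(line)
        if gave_up:
            # ipsec__plutorun timed out waiting for an auto=start conn to come up.
            report.setdefault(gave_up.group("conn"), _new_entry())["wrapper_gave_up"] = True
            continue
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = report.setdefault(m.group("conn"), _new_entry())
        # "deleting state (STATE_MAIN_I1)" names the state the SA died in, which is
        # just as informative about how far the exchange got as a transition line.
        for state in STATE_RE.findall(m.group("msg")):
            if state not in entry["states"]:
                entry["states"].append(state)
    for entry in report.values():
        entry["last_state"], entry["verdict"] = _judge(entry["states"])
    return report


def main(argv):
    # Usage: python ike_state_report.py [file-with-grep-output]; without a file the
    # embedded sample is analysed.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    for conn, e in analyze(text).items():
        flag = " (ipsec__plutorun gave up waiting)" if e["wrapper_gave_up"] else ""
        print(f"{conn}: {e['last_state']}{flag}\n    {e['verdict']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against `grep 'pluto' /var/log/* > pluto.txt` and `python ike_state_report.py pluto.txt`; the furthest state per connection is what to look at before reading any proposal or PSK details, because a connection that never leaves `STATE_MAIN_I1` has not exchanged enough with the peer for those to matter.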