[Openswan Users] Juniper Openswan config issues

Peter McGill petermcgill at goco.net
Wed Dec 19 13:02:37 EST 2007


Usually it will attempt to connect a few times; it's strange that it
stops at the start of the first. Are you sure that's all the logs?

Have you allowed IPSec traffic in your iptables firewall rules?

Do you have a default route?

What is the output of:
ifconfig
&
netstat -rn
&
iptables -t filter -n -L -v
iptables -t nat -n -L -v
iptables -t mangle -n -L -v


Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Ioannis Mavroukakis
> Sent: December 18, 2007 5:03 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Juniper Openswan config issues
> 
> 
> Here you go Peter, no access to the Juniper logs, but I don't 
> believe I can even reach that far!
> 
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: forgetting secrets
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: "databaseGib": deleting connection
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: "databaseGib" #1: deleting state (STATE_MAIN_I1)
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface lo/lo 127.0.0.1:4500
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface lo/lo 127.0.0.1:500
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface eth1/eth1 192.168.1.69:4500
> auth.log:Dec 18 21:54:09 stormbringer pluto[6456]: shutting down interface eth1/eth1 192.168.1.69:500
> auth.log:Dec 18 21:54:39 stormbringer ipsec__plutorun: Starting Pluto subsystem...
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: Setting NAT-Traversal port-4500 floating to on
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]:    port floating activation criteria nat_t=1/port_fload=1
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]:   including NAT-Traversal patch (Version 0.6c)
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: WARNING: Using /dev/urandom as the source of random
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: no helpers will be started, all cryptographic operations will be done inline
> auth.log:Dec 18 21:54:39 stormbringer pluto[6889]: Using Linux 2.6 IPsec interface code on 2.6.22-14-generic
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/cacerts'
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/aacerts'
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/ocspcerts'
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: Changing to directory '/etc/ipsec.d/crls'
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]:   Warning: empty directory
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: added connection description "databaseGib"
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: listening for IKE messages
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface eth1/eth1 192.168.1.69:500
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface eth1/eth1 192.168.1.69:4500
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface lo/lo 127.0.0.1:500
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: adding interface lo/lo 127.0.0.1:4500
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: loading secrets from "/etc/ipsec.secrets"
> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: "databaseGib" #1: initiating Main Mode
> 
> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: 104 "databaseGib" #1: STATE_MAIN_I1: initiate
> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: ...could not start conn "databaseGib"
> 
> Y.
> 
> On Tue, 18 Dec 2007 10:59:42 -0500, "Peter McGill" 
> <petermcgill at goco.net> wrote:
> > First comment out your plutodebug line, the extra debugging logs usually
> > only get in the way.
> > Then restart and attempt to connect again. There should be an error
> > indication in the logs.
> > There should be more information in the logs, sometimes the logs go into
> > different files.
> > On my system the logs you're seeing are in /var/log/syslog, but most of
> > the useful logs go into /var/log/secure.
> > Try grep 'pluto' /var/log/*
> > Also try checking the Juniper's logs if possible.
> > 
> > Peter McGill
> > 
> > 
> >> -----Original Message-----
> >> From: users-bounces at openswan.org
> >> [mailto:users-bounces at openswan.org] On Behalf Of Ioannis Mavroukakis
> >> Sent: December 17, 2007 5:45 PM
> >> To: users at openswan.org
> >> Subject: [Openswan Users] Juniper Openswan config issues
> >>
> >> Hello fellow listers :-) . I'm hoping to pick someone's brain
> >> about the config/connection issues I have
> >> with openswan as a client to a Juniper ns204.
> >>
> >> This is my setup:
> >>
> >> version 2.0     # conforms to second version of ipsec.conf specification
> >>
> >> # basic configuration
> >> config setup
> >>         interfaces=%defaultroute
> >>         # plutodebug / klipsdebug = "all", "none" or a combination from below:
> >>         # "raw crypt parsing emitting control klips pfkey natt x509 private"
> >>         # eg:
> >>         # plutodebug="control parsing"
> >>         #
> >>         # Only enable klipsdebug=all if you are a developer
> >>         plutodebug="all"
> >>         #
> >>         # NAT-TRAVERSAL support, see README.NAT-Traversal
> >>         nat_traversal=yes
> >>         #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >>         #
> >>         # enable this if you see "failed to find any available worker"
> >>         #nhelpers=0
> >>
> >> # Add connections here
> >>
> >> # sample VPN connections, see /etc/ipsec.d/examples/
> >> conn gib
> >>         #
> >>         #local
> >>         #
> >>         left=%defaultroute
> >>         #leftsubnet=192.168.1.0/24
> >>         #leftnexthop=%defaultroute
> >>         leftid=@myuserid
> >>         #
> >>         #destination
> >>         #
> >>         right=195.x.x.x
> >>         rightsubnet=10.x.x.x/16
> >>         auto=start
> >>         type=tunnel
> >>         authby=secret
> >>         ike=3des-md5
> >>         keyexchange=ike
> >>         pfs=no
> >>         esp=3des-md5
> >>         rekey=yes
> >> #Disable Opportunistic Encryption
> >> include /etc/ipsec.d/examples/no_oe.conf
> >>
> >> ipsec verify gives me the following
> >>
> >> Checking your system to see if IPsec got installed and started correctly:
> >> Version check and ipsec on-path                                 [OK]
> >> Linux Openswan U2.4.6/K2.6.22-14-generic (netkey)
> >> Checking for IPsec support in kernel                            [OK]
> >> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> >> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> >> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
> >>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> >> Checking that pluto is running                                  [OK]
> >> Two or more interfaces found, checking IP forwarding            [OK]
> >> Checking NAT and MASQUERADEing                                  [OK]
> >> Checking for 'ip' command                                       [OK]
> >> Checking for 'iptables' command                                 [OK]
> >> Opportunistic Encryption Support                                [DISABLED]
> >>
> >>
> >> Starting openswan (ipsec setup start) gives me the following
> >>
> >>
> >> Dec 17 22:02:26 stormbringer kernel: [ 5643.674916] NET: Registered protocol family 15
> >> Dec 17 22:02:26 stormbringer kernel: [ 5643.741055] Initializing XFRM netlink socket
> >> Dec 17 22:02:27 stormbringer ipsec_setup: KLIPS ipsec0 on eth1 192.168.1.69/255.255.255.0 broadcast 192.168.1.255
> >> Dec 17 22:02:27 stormbringer ipsec_setup: ...Openswan IPsec started
> >> Dec 17 22:02:27 stormbringer ipsec_setup: Starting Openswan IPsec 2.4.6...
> >> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/key/af_key.ko
> >> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/ipv4/xfrm4_tunnel.ko
> >> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/xfrm/xfrm_user.ko
> >> Dec 17 22:02:28 stormbringer ipsec__plutorun: 104 "gib" #1: STATE_MAIN_I1: initiate
> >> Dec 17 22:02:28 stormbringer ipsec__plutorun: ...could not start conn "gib"
> >>
> >> Can anyone shed some light on this?
> >>
> >> Thank you,
> >>
> >> Yiannis
> >>
> >> _______________________________________________
> >> Users at openswan.org
> >> http://lists.openswan.org/mailman/listinfo/users
> >> Building and Integrating Virtual Private Networks with Openswan:
> >> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
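The checks Peter lists at the top of this message (is there a default route, and do the iptables rules let IPsec traffic in) can be turned into a small script. The following is an added example written for this page, not code from the thread or from Openswan: it parses constructed `netstat -rn` and `iptables -t filter -n -L -v` output (the sample text, addresses and the `diagnose` function name are all made up for illustration) and reports whether the interface carrying the default route accepts IKE on udp/500, NAT-T on udp/4500 and ESP (IP protocol 50). The sample ruleset deliberately lacks an ESP rule, which is exactly the kind of gap that lets the IKE exchange start while the tunnel itself never passes traffic.

```python
import re

# Constructed sample in the layout of `netstat -rn` (not output from the thread's host).
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth1
"""

# Constructed sample in the layout of `iptables -t filter -n -L -v`. INPUT accepts
# IKE and NAT-T on eth1 but has no ESP rule, so tunnel traffic would be dropped.
IPTABLES_FILTER = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   960 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
  100  8000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""


def default_route(netstat_text):
    """Return (gateway, iface) for the default route in `netstat -rn` output, or None."""
    for line in netstat_text.splitlines():
        cols = line.split()
        # Destination 0.0.0.0 with Genmask 0.0.0.0 is the default route.
        if len(cols) >= 8 and cols[0] == "0.0.0.0" and cols[2] == "0.0.0.0":
            return cols[1], cols[7]
    return None


def parse_iptables(text):
    """Parse `iptables -n -L -v` output into {chain: {"policy": str|None, "rules": [..]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # blank line or column header
        chains[current]["rules"].append({
            "target": cols[2], "prot": cols[3], "in": cols[5], "out": cols[6],
            "extra": " ".join(cols[9:]),  # match details such as "udp dpt:500"
        })
    return chains


def ipsec_accepted(chains, iface, chain="INPUT"):
    """Which of IKE (udp/500), NAT-T (udp/4500) and ESP the chain accepts for `iface`."""
    ok = {"ike": False, "natt": False, "esp": False}
    info = chains.get(chain)
    if info is None:
        return ok
    if info["policy"] == "ACCEPT":
        return dict.fromkeys(ok, True)  # open policy: everything passes
    col = "out" if chain == "OUTPUT" else "in"  # OUTPUT matches on the egress interface
    for r in info["rules"]:
        if r["target"] != "ACCEPT" or r[col] not in ("*", iface):
            continue
        if r["prot"] == "all" and not r["extra"]:
            return dict.fromkeys(ok, True)  # blanket accept for this interface
        if r["prot"] in ("esp", "50"):
            ok["esp"] = True
        elif r["prot"] == "udp":
            m = re.search(r"dpt:(\d+)", r["extra"])
            port = int(m.group(1)) if m else None  # None: udp rule with no port restriction
            if port in (None, 500):
                ok["ike"] = True
            if port in (None, 4500):
                ok["natt"] = True
    return ok


def diagnose(netstat_text, iptables_text):
    """Apply the route and firewall checks and return a list of findings (empty if clean)."""
    findings = []
    route = default_route(netstat_text)
    if route is None:
        findings.append("no default route: %defaultroute cannot resolve an interface")
        return findings
    _gateway, iface = route
    chains = parse_iptables(iptables_text)
    labels = (("ike", "IKE udp/500"), ("natt", "NAT-T udp/4500"), ("esp", "ESP (IP protocol 50)"))
    for chain in ("INPUT", "OUTPUT"):
        ok = ipsec_accepted(chains, iface, chain)
        for key, label in labels:
            if not ok[key]:
                findings.append(f"{chain}: {label} not accepted on {iface}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NETSTAT_RN, IPTABLES_FILTER) or ["no problems found"]:
        print(finding)
```

On a real host, feed it the actual command output instead of the constructed strings; it only looks at the filter table, so a nat or mangle rule that rewrites or marks IPsec packets still has to be read by hand.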