[Openswan Users] Juniper Openswan config issues

Ioannis Mavroukakis imavroukakis at gameaccount.com
Thu Dec 27 17:38:32 EST 2007


Finally getting somewhere. For completeness' sake, here is the config as it stands now.

---ipsec.conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        #nhelpers=0

# sample VPN connections, see /etc/ipsec.d/examples/
conn databaseGib
        #
        #local
        #
        left=%defaultroute
        leftid=@someuserid
        #
        #destination
        #
        right=195.x.x.x
        rightsubnet=10.186.0.0/16
        auto=start
        type=tunnel
        authby=secret
        pfs=no
        aggrmode=yes
        keyexchange=ike
        auth=esp
        esp=3des-md5
        ike=3des-md5-modp1024
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

---ipsec.secrets
195.x.x.x @someuserid : PSK "ourPSK"


The relevant log:

Dec 27 22:33:44 stormbringer ipsec__plutorun: Starting Pluto subsystem...
Dec 27 22:33:44 stormbringer pluto[12216]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Dec 27 22:33:44 stormbringer pluto[12216]: Setting NAT-Traversal port-4500 floating to on
Dec 27 22:33:44 stormbringer pluto[12216]:    port floating activation criteria nat_t=1/port_fload=1
Dec 27 22:33:44 stormbringer pluto[12216]:   including NAT-Traversal patch (Version 0.6c)
Dec 27 22:33:44 stormbringer pluto[12216]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Dec 27 22:33:44 stormbringer pluto[12216]: WARNING: Using /dev/urandom as the source of random
Dec 27 22:33:44 stormbringer pluto[12216]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 27 22:33:44 stormbringer pluto[12216]: starting up 1 cryptographic helpers
Dec 27 22:33:44 stormbringer pluto[12216]: started helper pid=12217 (fd:6)
Dec 27 22:33:44 stormbringer pluto[12216]: Using Linux 2.6 IPsec interface code on 2.6.22-14-generic
Dec 27 22:33:45 stormbringer pluto[12216]: Changing to directory '/etc/ipsec.d/cacerts'
Dec 27 22:33:45 stormbringer pluto[12216]: Changing to directory '/etc/ipsec.d/aacerts'
Dec 27 22:33:45 stormbringer pluto[12216]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec 27 22:33:45 stormbringer pluto[12216]: Changing to directory '/etc/ipsec.d/crls'
Dec 27 22:33:45 stormbringer pluto[12216]:   Warning: empty directory
Dec 27 22:33:45 stormbringer pluto[12217]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Dec 27 22:33:45 stormbringer pluto[12217]: WARNING: Using /dev/urandom as the source of random
Dec 27 22:33:45 stormbringer pluto[12216]: added connection description "databaseGib"
Dec 27 22:33:45 stormbringer pluto[12216]: listening for IKE messages
Dec 27 22:33:45 stormbringer pluto[12216]: adding interface eth1/eth1 192.168.1.69:500
Dec 27 22:33:45 stormbringer pluto[12216]: adding interface eth1/eth1 192.168.1.69:4500
Dec 27 22:33:45 stormbringer pluto[12216]: adding interface lo/lo 127.0.0.1:500
Dec 27 22:33:45 stormbringer pluto[12216]: adding interface lo/lo 127.0.0.1:4500
Dec 27 22:33:45 stormbringer pluto[12216]: loading secrets from "/etc/ipsec.secrets"
Dec 27 22:33:45 stormbringer pluto[12216]: "databaseGib" #1: initiating Aggressive Mode #1, connection "databaseGib"
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd37e2313f0d0fd84510000000000000000]
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: received Vendor ID payload [Dead Peer Detection]
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '195.x.x.x'
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '195.x.x.x'
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Dec 27 22:34:56 stormbringer pluto[12216]: "databaseGib" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Dec 27 22:34:56 stormbringer pluto[12216]: "databaseGib" #2: starting keying attempt 2 of an unlimited number
Dec 27 22:34:56 stormbringer pluto[12216]: "databaseGib" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE to replace #2 {using isakmp#1}

and that's about it!

Any suggestions?

Thank you!
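The log above is the kind of thing worth checking mechanically. What follows is an added example, not code from the original post or from the Openswan project: a small Python script that parses an Openswan 2.4-style conn block and a pluto log, reports what pluto negotiated for the ISAKMP SA, whether Quick Mode ever got a reply, and flags the settings a reviewer would question (3des/md5/modp1024, aggressive mode with a PSK, pfs=no, a conn with no leftsubnet). The function names, the WEAK_TOKENS table and the SAMPLE_CONF/SAMPLE_LOG strings are the example's own, constructed from the lines quoted in the post.

```python
"""Added example (not from the original post or from Openswan): review an
Openswan 2.4-style ipsec.conf conn block against the pluto log it produced.
SAMPLE_CONF and SAMPLE_LOG are constructed from the lines quoted in the post."""
import re

SAMPLE_CONF = """\
conn databaseGib
        left=%defaultroute
        leftid=@someuserid
        right=195.x.x.x
        rightsubnet=10.186.0.0/16
        authby=secret
        pfs=no
        aggrmode=yes
        esp=3des-md5
        ike=3des-md5-modp1024
"""

SAMPLE_LOG = """\
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 27 22:33:46 stormbringer pluto[12216]: "databaseGib" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Dec 27 22:34:56 stormbringer pluto[12216]: "databaseGib" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Substrings shared by the ipsec.conf spelling and pluto's log spelling of
# algorithms that should not be used for a new tunnel.
WEAK_TOKENS = {
    "3des": "3DES has a 64-bit block (Sweet32)",
    "md5": "MD5 is a broken hash",
    "modp1024": "1024-bit DH group is too small",
}


def parse_conn(text):
    """Return {conn_name: {key: value}} for every 'conn' block in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                     # unindented: a section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def parse_log(text):
    """Per conn: negotiated ISAKMP SA parameters, NAT detection, Quick Mode timeout."""
    sa_re = re.compile(r"ISAKMP SA established \{([^}]*)\}")
    result = {}
    for line in text.splitlines():
        m = re.search(r'"([^"]+)" #\d+:', line)       # pluto prefixes lines with "conn" #N:
        if not m:
            continue
        info = result.setdefault(
            m.group(1), {"isakmp": None, "nated": False, "quick_failed": False})
        sa = sa_re.search(line)
        if sa:
            info["isakmp"] = dict(kv.split("=", 1) for kv in sa.group(1).split())
        if "i am NATed" in line:
            info["nated"] = True
        if "max number of retransmissions" in line and "STATE_QUICK_I1" in line:
            info["quick_failed"] = True
    return result


def review(conn, log_info):
    """Return findings for one conn, cross-checking the config against the log."""
    findings = []
    for key in ("ike", "esp"):                        # weak algorithms as configured
        for tok in re.split(r"[-,]", conn.get(key, "")):
            if tok in WEAK_TOKENS:
                findings.append(f"{key}={conn[key]}: {WEAK_TOKENS[tok]}")
    if conn.get("aggrmode") == "yes" and conn.get("authby") == "secret":
        findings.append("aggrmode=yes with a PSK: the responder's hash travels "
                        "unencrypted, so the PSK is exposed to offline guessing")
    if conn.get("pfs") == "no":
        findings.append("pfs=no: Phase 2 keys derive from the Phase 1 secret only")
    if "leftsubnet" not in conn:
        findings.append("no leftsubnet: local proxy ID is the host address; "
                        "the peer's Phase 2 proxy IDs must match it exactly")
    for value in (log_info.get("isakmp") or {}).values():   # weak algorithms as negotiated
        for tok, why in WEAK_TOKENS.items():
            if tok in value:
                findings.append(f"negotiated {value}: {why}")
    if log_info.get("quick_failed"):
        findings.append("Quick Mode got no reply: Phase 1 is up, so compare the "
                        "peer's Phase 2 proposal (esp=, pfs=) and proxy IDs")
    return findings


def run(conf_text=SAMPLE_CONF, log_text=SAMPLE_LOG):
    """Review every conn in the config; returns {conn_name: [findings]}."""
    log = parse_log(log_text)
    return {n: review(c, log.get(n, {})) for n, c in parse_conn(conf_text).items()}


if __name__ == "__main__":
    for name, findings in run().items():
        print(f"conn {name}:")
        for f in findings:
            print("  -", f)
```

Run it directly to see the findings for databaseGib. The Quick Mode finding is a pointer, not a diagnosis: nothing in the post shows the Juniper side's Phase 2 proposal or proxy IDs, and pluto's own message says only that no response came back within two retransmissions.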
