[Openswan Users] openswan to Instagate
ACasella
antony.casella at sand.com
Fri Jun 1 13:38:08 EDT 2007
Here are the requested Openswan ipsec command outputs. Looks like I have
some errors even though I can create an openswan to openswan connection:
ipsec --version
Linux Openswan U2.4.5/K2.6.20-1.2948.fc6 (netkey)
See `ipsec --copyright' for copyright information.
ipsec verify
Checking your system to see if IPsec got installed and started
correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.5/K2.6.20-1.2948.fc6 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support
[DISABLED]
Here are the pluto logs after a restart and debug = none:
/var/log/messages:Jun 1 11:59:29 secure ipsec__plutorun: 003
"/etc/ipsec.secrets" line 4: premature end of RSA key
/var/log/messages:Jun 1 12:02:18 secure ipsec__plutorun: 003
"/etc/ipsec.secrets" line 4: premature end of RSA key
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: forgetting secrets
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: "host-to-host":
deleting connection
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: "host-to-host"
#101: deleting state (STATE_MAIN_I1)
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: "net-to-host":
deleting connection
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
interface lo/lo ::1:500
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
interface lo/lo 127.0.0.1:4500
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
interface lo/lo 127.0.0.1:500
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
interface eth0/eth0 72.55.xxx.xxx:4500
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
interface eth0/eth0 72.55.xxx.xxx:500
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
interface eth0:1/eth0:1 192.168.1.1:4500
/var/log/secure:Jun 1 11:57:06 secure pluto[14860]: shutting down
interface eth0:1/eth0:1 192.168.1.1:500
/var/log/secure:Jun 1 11:59:28 secure ipsec__plutorun: Starting Pluto
subsystem...
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]: Starting Pluto
(Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]: Setting
NAT-Traversal port-4500 floating to on
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]: port floating
activation criteria nat_t=1/port_fload=1
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]: including
NAT-Traversal patch (Version 0.6c)
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]: starting up 1
cryptographic helpers
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]: started helper
pid=19959 (fd:6)
/var/log/secure:Jun 1 11:59:28 secure pluto[19958]: Using Linux 2.6
IPsec interface code on 2.6.20-1.2948.fc6
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: Could not change to
directory '/etc/ipsec.d/cacerts'
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: Could not change to
directory '/etc/ipsec.d/aacerts'
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: Could not change to
directory '/etc/ipsec.d/ocspcerts'
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: Could not change to
directory '/etc/ipsec.d/crls'
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: added connection
description "net-to-host"
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: added connection
description "host-to-host"
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: listening for IKE
messages
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: adding interface
eth0:1/eth0:1 192.168.1.1:500
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: adding interface
eth0:1/eth0:1 192.168.1.1:4500
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: adding interface
eth0/eth0 72.55.xxx.xxx:500
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: adding interface
eth0/eth0 72.55.xxx.xxx:4500
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: adding interface
lo/lo 127.0.0.1:500
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: adding interface
lo/lo 127.0.0.1:4500
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: adding interface
lo/lo ::1:500
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]: loading secrets
from "/etc/ipsec.secrets"
/var/log/secure:Jun 1 11:59:29 secure pluto[19958]:
"/etc/ipsec.secrets" line 4: premature end of RSA key
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: forgetting secrets
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: "host-to-host":
deleting connection
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: "net-to-host":
deleting connection
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
interface lo/lo ::1:500
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
interface lo/lo 127.0.0.1:4500
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
interface lo/lo 127.0.0.1:500
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
interface eth0/eth0 72.55.xxx.xxx:4500
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
interface eth0/eth0 72.55.xxx.xxx:500
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
interface eth0:1/eth0:1 192.168.1.1:4500
/var/log/secure:Jun 1 12:02:16 secure pluto[19958]: shutting down
interface eth0:1/eth0:1 192.168.1.1:500
/var/log/secure:Jun 1 12:02:17 secure ipsec__plutorun: Starting Pluto
subsystem...
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Starting Pluto
(Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Setting
NAT-Traversal port-4500 floating to on
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: port floating
activation criteria nat_t=1/port_fload=1
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: including
NAT-Traversal patch (Version 0.6c)
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: starting up 1
cryptographic helpers
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: started helper
pid=20252 (fd:6)
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Using Linux 2.6
IPsec interface code on 2.6.20-1.2948.fc6
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Could not change to
directory '/etc/ipsec.d/cacerts'
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Could not change to
directory '/etc/ipsec.d/aacerts'
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Could not change to
directory '/etc/ipsec.d/ocspcerts'
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Could not change to
directory '/etc/ipsec.d/crls'
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: added connection
description "net-to-host"
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: added connection
description "host-to-host"
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: listening for IKE
messages
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: adding interface
eth0:1/eth0:1 192.168.1.1:500
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: adding interface
eth0:1/eth0:1 192.168.1.1:4500
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: adding interface
eth0/eth0 72.55.xxx.xxx:500
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: adding interface
eth0/eth0 72.55.xxx.xxx:4500
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: adding interface
lo/lo 127.0.0.1:500
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: adding interface
lo/lo 127.0.0.1:4500
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: adding interface
lo/lo ::1:500
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: loading secrets
from "/etc/ipsec.secrets"
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]:
"/etc/ipsec.secrets" line 4: premature end of RSA key
/var/log/secure:Jun 1 12:02:26 secure pluto[20251]: "host-to-host" #1:
initiating Main Mode
/var/log/secure:Jun 1 12:02:26 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:02:26 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:02:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:02:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:02:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:02:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:03:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:03:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:04:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:04:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:04:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:04:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:05:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:05:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:06:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:06:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:06:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:06:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:07:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:07:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:08:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:08:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:08:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:08:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:09:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:09:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:10:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:10:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:10:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:10:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:11:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:11:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:12:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:12:16 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:12:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:12:56 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:13:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:13:36 secure pluto[20251]: packet from
207.61.yyy.yyy:500: received and ignored informational message
Thank you
Antony Casella
On Fri, 2007-06-01 at 09:27 -0400, Peter McGill wrote:
> > Date: Thu, 31 May 2007 15:02:59 -0400
> > From: ACasella <antony.casella at sand.com>
> > Subject: Re: [Openswan Users] openswan to Instagate
> > To: users <users at openswan.org>
> >
> > Thank you for your reply. I've tried the suggested configuration and
> > I'm not getting anything different back from the instagate appliance.
> > I've turned on "debug" mode on the instagate and this is the output:
> >
> > Is there any other debugging information that I can provide from the
> > openswan side that might be of help?
>
> On the openswan machine, execute the following and copy the results into
> the message body.
> ipsec --version
> and
> ipsec verify
>
> Also, make sure that plutodebug and klipsdebug are both set to none in conf.
> (Normally there is enough info in the normal logs, debug options just make
> longer and harder to read, so leave them off unless asked to set them.)
> Then, restart openswan and attempt to connect again.
> Use the following to find the logs:
> egrep -e 'pluto' /var/log/*
> Send us the full pluto logs for your last restart and connection attempt
> that you just did, in the message body too.
>
> Peter
>
> > On Thu, 2007-05-31 at 14:39 -0400, Peter McGill wrote:
> > > > Date: Thu, 31 May 2007 14:11:46 -0400
> > > > From: ACasella <antony.casella at sand.com>
> > > > Subject: [Openswan Users] openswan to Instagate
> > > > To: users at openswan.org
> > > >
> > > > I'm trying to interconnect a host-to-host connection to
> > > > an instagate
> > > > firewall appliance (basically it looks like it runs either free or
> > > > openswan on redhat).
> > > >
> > > > I think I am falling short on the IKE/ESP settings on the
> > > > openswan side
> > > > in my configuration as I cannot initiate the connection.
> > > >
> > > > When I initiate an ipsec auto --up host-to-host from my
> > > > openswan server,
> > > > The instagate appliance responds with NO_PROPOSAL_CHOSEN:
> > > >
> > > > The instagate has limited choices for various IKE, DH and SPF.
> > > >
> > > > The defaults are: 3DES enc,SHA-1 auth,DH2
> > > > and : 3DES enc, MD5 auth, DH2
> > > > Strict PFS is disabled.
> > > > Key refresh is 24 hours
> > > > And key management is preshared key.
> > > >
> > > > My conf is
> > > >
> > > > conn host-to-host
> > > >     type=tunnel
> > > >     authby=secret
> > > >     left=207.61.yyy.yyy
> > > >     leftid=@yyyy
> > > >     leftnexthop=%defaultroute
> > > >     right=72.55.xxx.xxx
> > > >     rightid=@xxxx
> > > >     rightnexthop=%defaultroute
> > > >     esp=3des-md5-96,3des-sha1
> > > >     keyexchange= ike
> > > >     pfs= no
> > > >     auto=add
> > >
> > > ike=3des-sha1-modp1024,3des-md5-modp1024
> > > esp=3des-sha1,3des-md5
> > > keyexchange=ike
> > > pfs=no
> > >
> > > Specify the above ike and esp lines, also I'm not sure if
> > > the whitespace after the = on the keyexchange and pfs
> > > lines matters or not so I took it out.
>
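Peter's suggestion in the quoted thread comes down to making the ike= and esp= lines match what the appliance will accept (3DES, SHA-1 or MD5, DH group 2, which Openswan spells modp1024). What follows is an added example, not code from the thread or from the Openswan project: a small checker that parses a conn block and reports proposals the peer cannot accept, plus the whitespace-after-'=' oddity Peter removed. The two conn blocks and the PEER_ACCEPTS set are constructed from what the thread states; the masked addresses are kept as placeholders.

```python
"""Check an Openswan conn block against the algorithms a peer accepts.
Added example, not code from the thread or from Openswan.  PEER_ACCEPTS and
the two conn blocks are constructed from what the thread states; the masked
addresses are kept as placeholders."""

import re

# The conn block as first posted: no ike= line, whitespace after '=' on two lines.
ORIGINAL_CONN = """\
conn host-to-host
    type=tunnel
    authby=secret
    left=207.61.yyy.yyy
    leftid=@yyyy
    leftnexthop=%defaultroute
    right=72.55.xxx.xxx
    rightid=@xxxx
    rightnexthop=%defaultroute
    esp=3des-md5-96,3des-sha1
    keyexchange= ike
    pfs= no
    auto=add
"""

# The same block with Peter's suggested ike=/esp=/keyexchange=/pfs= lines.
SUGGESTED_CONN = """\
conn host-to-host
    type=tunnel
    authby=secret
    left=207.61.yyy.yyy
    leftid=@yyyy
    leftnexthop=%defaultroute
    right=72.55.xxx.xxx
    rightid=@xxxx
    rightnexthop=%defaultroute
    ike=3des-sha1-modp1024,3des-md5-modp1024
    esp=3des-sha1,3des-md5
    keyexchange=ike
    pfs=no
    auto=add
"""

# What the appliance accepts per the thread: 3DES, SHA-1 or MD5, DH group 2
# (Openswan's name for group 2 is modp1024).
PEER_ACCEPTS = {"enc": {"3des"}, "auth": {"sha1", "md5"}, "dh": {"modp1024"}}


def parse_conn(text):
    """Map option name -> value for one conn block, ignoring whitespace around '='."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def split_proposals(value):
    """'3des-sha1-modp1024,3des-md5' -> [['3des','sha1','modp1024'], ['3des','md5']]."""
    return [p.strip().split("-") for p in value.split(",") if p.strip()]


def check_conn(text, peer=PEER_ACCEPTS):
    """Return findings; an empty list means at least one ike= and one esp= proposal
    fits the peer set and nothing odd was seen in the formatting."""
    conf = parse_conn(text)
    findings = []

    # Phase 1: each proposal is enc-auth-group; the peer must accept all three parts.
    if "ike" not in conf:
        findings.append("no ike= line: phase 1 proposal left to Openswan defaults")
    elif not any(len(p) == 3 and p[0] in peer["enc"] and p[1] in peer["auth"]
                 and p[2] in peer["dh"] for p in split_proposals(conf["ike"])):
        findings.append("no ike= proposal matches the peer's enc/auth/DH set")

    # Phase 2: enc-auth, optionally followed by a truncation suffix such as md5-96.
    if "esp" not in conf:
        findings.append("no esp= line: phase 2 proposal left to Openswan defaults")
    elif not any(len(p) >= 2 and p[0] in peer["enc"] and p[1] in peer["auth"]
                 for p in split_proposals(conf["esp"])):
        findings.append("no esp= proposal matches the peer's enc/auth set")

    # Whitespace after '=' is what Peter stripped from keyexchange= and pfs=.
    for line in text.splitlines():
        if re.match(r"^\s*\w+=\s+\S", line):
            findings.append("whitespace after '=' in %r" % line.strip())
    return findings


if __name__ == "__main__":
    for name, block in (("original", ORIGINAL_CONN), ("suggested", SUGGESTED_CONN)):
        print(name, check_conn(block) or ["ok"])
```

Run against the original block it reports the missing ike= line and the two whitespace lines; against the suggested block it reports nothing. The whitespace finding is only a note, since the thread itself leaves open whether Openswan's parser cares about it.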
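The pluto log at the top of this message carries three separate signals: a malformed RSA entry at line 4 of /etc/ipsec.secrets, missing certificate directories under /etc/ipsec.d, and the peer answering NO_PROPOSAL_CHOSEN right after Main Mode was initiated, so no ISAKMP SA is ever established. As an added example, not part of the thread or of Openswan, here is a triage script that pulls those events out of grep-style pluto log lines and says which setting each one points at. SAMPLE_LOG is constructed to mirror the posted log, masked addresses included.

```python
"""Triage of pluto log lines for the events that keep an Openswan tunnel down.
Added example, not Openswan code.  SAMPLE_LOG is constructed to mirror the
thread's 'egrep -e pluto /var/log/*' output, masked addresses included."""

import re
from collections import Counter

SAMPLE_LOG = """\
/var/log/secure:Jun 1 12:02:17 secure ipsec__plutorun: Starting Pluto subsystem...
/var/log/secure:Jun 1 12:02:17 secure pluto[20251]: Could not change to directory '/etc/ipsec.d/cacerts'
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: added connection description "host-to-host"
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: loading secrets from "/etc/ipsec.secrets"
/var/log/secure:Jun 1 12:02:18 secure pluto[20251]: "/etc/ipsec.secrets" line 4: premature end of RSA key
/var/log/secure:Jun 1 12:02:26 secure pluto[20251]: "host-to-host" #1: initiating Main Mode
/var/log/secure:Jun 1 12:02:26 secure pluto[20251]: packet from 207.61.yyy.yyy:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
/var/log/secure:Jun 1 12:02:26 secure pluto[20251]: packet from 207.61.yyy.yyy:500: received and ignored informational message
/var/log/secure:Jun 1 12:02:36 secure pluto[20251]: packet from 207.61.yyy.yyy:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# Optional "/var/log/secure:" grep prefix, syslog timestamp, host, pluto[pid], message.
PLUTO_LINE = re.compile(
    r"^(?:[^\s:]+:)?(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+pluto\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
SECRETS_ERR = re.compile(r'"(?P<file>[^"]+)" line (?P<line>\d+): premature end of RSA key')
MISSING_DIR = re.compile(r"Could not change to directory '(?P<dir>[^']+)'")
MAIN_MODE = re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Main Mode')
ISAKMP_UP = re.compile(r"ISAKMP SA established")
NO_PROPOSAL = re.compile(
    r"packet from (?P<peer>[^\s:]+):\d+: ignoring informational payload, type NO_PROPOSAL_CHOSEN"
)


def parse_pluto(text):
    """Return (timestamp, pid, message) tuples; lines not from pluto are dropped."""
    out = []
    for raw in text.splitlines():
        m = PLUTO_LINE.match(raw.strip())
        if m:
            out.append((m.group("ts"), int(m.group("pid")), m.group("msg")))
    return out


def triage(text):
    """Collect the diagnostic events from the log into one report dict."""
    report = {
        "secrets_errors": [],      # (file, line) of malformed RSA entries
        "missing_dirs": [],        # /etc/ipsec.d subdirectories pluto could not enter
        "main_mode": [],           # conns for which Main Mode was initiated
        "phase1_established": False,
        "no_proposal": Counter(),  # peer -> number of NO_PROPOSAL_CHOSEN replies
    }
    for _ts, _pid, msg in parse_pluto(text):
        m = SECRETS_ERR.search(msg)
        if m:
            report["secrets_errors"].append((m.group("file"), int(m.group("line"))))
            continue
        m = MISSING_DIR.search(msg)
        if m:
            report["missing_dirs"].append(m.group("dir"))
            continue
        m = MAIN_MODE.search(msg)
        if m:
            report["main_mode"].append(m.group("conn"))
            continue
        if ISAKMP_UP.search(msg):
            report["phase1_established"] = True
            continue
        m = NO_PROPOSAL.search(msg)
        if m:
            report["no_proposal"][m.group("peer")] += 1
    return report


def summarize(report):
    """One finding per problem, naming the setting to look at."""
    findings = []
    for path, line in report["secrets_errors"]:
        findings.append("%s line %d: malformed RSA key entry, fix or remove it" % (path, line))
    for peer, count in report["no_proposal"].items():
        # Rejection before any ISAKMP SA exists means the ike= proposal was refused;
        # rejection after it means the esp= (Quick Mode) proposal was refused.
        if report["phase1_established"]:
            where = "phase 2 (esp=) proposal rejected"
        else:
            where = "phase 1 (ike=) proposal rejected, no ISAKMP SA established"
        findings.append("%s sent NO_PROPOSAL_CHOSEN %d times: %s" % (peer, count, where))
    if report["missing_dirs"]:
        findings.append("missing directories: %s (only matters for certificate-based conns)"
                        % ", ".join(report["missing_dirs"]))
    return findings


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_LOG)):
        print(finding)
```

On the sample it reports the secrets error, the phase 1 rejection by 207.61.yyy.yyy, and the missing cacerts directory; the "received and ignored informational message" lines add nothing and are skipped.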