[Openswan Users] Problem with ike

D h @ v @ l dhaval4linux at yahoo.com
Mon Jun 25 09:16:54 EDT 2007


Hi all

    I am making a VPN tunnel, Net to Roadwarrior. I have a problem when I enable ike=des-md5-modp3072 in both ipsec.conf files.

Here is my ipsec.conf file
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        keyingtries=1

conn netone
  left=10.10.136.190
  leftsubnet=192.0.0.0/8
  leftrsasigkey=%cert
  leftcert=host.example.com.pem
  right=10.10.136.191
  rightsubnet=11.0.0.0/8
  rightrsasigkey=%cert
  rightcert=clienthost.example.com.pem
  authby=rsasig
  also=policy3
  auto=start

conn policy3
  keyexchange=ike
  aggrmode=no
  ike=des-md5-modp3072
  ikelifetime=1h
  esp=aes128-md5
  pfs=no
  compress=no
  keylife=1h
  failureshunt=passthrough


#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

This is my output of command: ipsec auto --status
interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.10.136.191
000 interface eth0/eth0 10.10.136.191
000 interface eth1/eth1 11.11.11.11
000 interface eth1/eth1 11.11.11.11
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,336} attrs={0,1,224}
000
000 "netone": 11.0.0.0/8===10.10.136.191[C=US, ST=State, L=City, O=ExampleCo, CN=clienthost.example.com, E=clientuser at example.com]...10.10.136.190[C=US, ST=State, L=City, O=ExampleCo, CN=host.example.com, E=user at example.com]===192.0.0.0/8; prospective erouted; eroute owner: #0
000 "netone":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "netone":   CAs: 'C=US, ST=State, L=City, O=ExampleCo, CN=CA, E=ca at example.com'...'C=US, ST=State, L=City, O=ExampleCo, CN=CA, E=ca at example.com'
000 "netone":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "netone":   policy: RSASIG+ENCRYPT+TUNNEL+UP+failurePASS; prio: 8,8; interface: eth0; encap: esp;
000 "netone":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "netone":   IKE algorithms wanted: DES_CBC(1)_000-MD5(1)-MODP3072(15); flags=strict
000 "netone":   IKE algorithms found: DES_CBC(1)_000-MD5(1)-MODP3072(15); flags=strict
000 "netone":   ESP algorithms wanted: AES(12)_128-MD5(1); flags=strict
000 "netone":   ESP algorithms loaded: AES(12)_128-MD5(1); flags=strict
000
000 #1: "netone":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s; nodpd
000 #1: pending Phase 2 for "netone" replacing #0


Here is my log from /var/log/auth.log

Jun 23 03:48:51 localhost ipsec__plutorun: Starting Pluto subsystem...
Jun 23 03:48:52 localhost pluto[26197]: Starting Pluto (Openswan Version 2.4.8 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEtQ at pxNq\177W`)
Jun 23 03:48:52 localhost pluto[26197]: Setting NAT-Traversal port-4500 floating to on
Jun 23 03:48:52 localhost pluto[26197]:    port floating activation criteria nat_t=1/port_fload=1
Jun 23 03:48:52 localhost pluto[26197]:   including NAT-Traversal patch (Version 0.6c)
Jun 23 03:48:52 localhost pluto[26197]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 23 03:48:52 localhost pluto[26197]: starting up 1 cryptographic helpers
Jun 23 03:48:52 localhost pluto[26197]: started helper pid=26200 (fd:6)
Jun 23 03:48:52 localhost pluto[26197]: Using NETKEY IPsec interface code on 2.6.18.1
Jun 23 03:48:52 localhost pluto[26197]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 23 03:48:52 localhost pluto[26197]:   loaded CA cert file 'cacert.pem' (1155 bytes)
Jun 23 03:48:52 localhost pluto[26197]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 23 03:48:52 localhost pluto[26197]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 23 03:48:52 localhost pluto[26197]: Changing to directory '/etc/ipsec.d/crls'
Jun 23 03:48:52 localhost pluto[26197]:   loaded crl file 'crl.pem' (467 bytes)
Jun 23 03:48:55 localhost pluto[26197]:   loaded host cert file '/etc/ipsec.d/certs/host.example.com.pem' (3489 bytes)
Jun 23 03:48:55 localhost pluto[26197]:   loaded host cert file '/etc/ipsec.d/certs/clienthost.example.com.pem' (3518 bytes)
Jun 23 03:48:55 localhost pluto[26197]: added connection description "netone"
Jun 23 03:48:56 localhost pluto[26197]: listening for IKE messages
Jun 23 03:48:56 localhost pluto[26197]: adding interface eth1/eth1 11.11.11.11:500
Jun 23 03:48:56 localhost pluto[26197]: adding interface eth1/eth1 11.11.11.11:4500
Jun 23 03:48:56 localhost pluto[26197]: adding interface eth0/eth0 10.10.136.191:500
Jun 23 03:48:56 localhost pluto[26197]: adding interface eth0/eth0 10.10.136.191:4500
Jun 23 03:48:56 localhost pluto[26197]: adding interface lo/lo 127.0.0.1:500
Jun 23 03:48:56 localhost pluto[26197]: adding interface lo/lo 127.0.0.1:4500
Jun 23 03:48:56 localhost pluto[26197]: adding interface lo/lo ::1:500
Jun 23 03:48:56 localhost pluto[26197]: loading secrets from "/etc/ipsec.secrets"
Jun 23 03:48:56 localhost pluto[26197]:   loaded private key file '/etc/ipsec.d/private/clienthost.example.com.key' (1659 bytes)
Jun 23 03:48:57 localhost pluto[26197]: "netone" #1: initiating Main Mode
Jun 23 03:48:57 localhost pluto[26197]: | ike_alg_db_new() ike enc ealg=1 not present
Jun 23 03:48:57 localhost pluto[26197]: packet from 10.10.136.190:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 23 03:48:57 localhost pluto[26197]: packet from 10.10.136.190:500: received and ignored informational message
Jun 23 03:49:07 localhost pluto[26197]: packet from 10.10.136.190:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 23 03:49:07 localhost pluto[26197]: packet from 10.10.136.190:500: received and ignored informational message
Jun 23 03:49:27 localhost pluto[26197]: packet from 10.10.136.190:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 23 03:49:27 localhost pluto[26197]: packet from 10.10.136.190:500: received and ignored informational message


If I disable ike=des-md5-modp3072 in both ipsec.conf files then it establishes the tunnel. So can anyone help me to solve this problem? This problem is the same when I establish the tunnel with PSK and RSA keys.

If I use another algorithm, blowfish, in place of des in ike, then it also gives the same error.

Anyone help out.
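
Added example (not part of the original post, and not Openswan code): a small checker that reads `ipsec auto --status` output and reports any "IKE algorithms wanted" entry whose id is missing from the "algorithm IKE encrypt / hash / dh group" lines pluto registered. The sample input is constructed from lines of the status output above; the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the `ipsec auto --status` lines from the post above.
STATUS = """\
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 "netone":   IKE algorithms wanted: DES_CBC(1)_000-MD5(1)-MODP3072(15); flags=strict
000 "netone":   ESP algorithms wanted: AES(12)_128-MD5(1); flags=strict
"""

# Lines that list what this pluto build registered for IKE (phase 1).
REGISTERED = re.compile(r"algorithm IKE (encrypt|hash|dh group): id=(\d+), name=(\S+?),")
# Per-connection line holding the proposals derived from ike= in ipsec.conf.
WANTED = re.compile(r'"([^"]+)":\s+IKE algorithms wanted: (.+?); flags=')
# One proposal has the shape ENC(id)_bits-HASH(id)-GROUP(id).
PROPOSAL = re.compile(r"(\w+)\((\d+)\)_\d+-(\w+)\((\d+)\)-(\w+)\((\d+)\)")


def registered_ike(status):
    """Map each IKE algorithm class to the set of ids pluto registered."""
    table = {"encrypt": set(), "hash": set(), "dh group": set()}
    for kind, ident, _name in REGISTERED.findall(status):
        table[kind].add(int(ident))
    return table


def unsupported_ike(status):
    """Return (conn, class, name, id) for each wanted IKE algorithm that is not registered."""
    table = registered_ike(status)
    missing = []
    for conn, wanted in WANTED.findall(status):
        for enc, enc_id, hsh, hsh_id, grp, grp_id in PROPOSAL.findall(wanted):
            for kind, name, ident in (("encrypt", enc, enc_id),
                                      ("hash", hsh, hsh_id),
                                      ("dh group", grp, grp_id)):
                if int(ident) not in table[kind]:
                    missing.append((conn, kind, name, int(ident)))
    return missing


if __name__ == "__main__":
    for conn, kind, name, ident in unsupported_ike(STATUS):
        print(f"{conn}: IKE {kind} {name} (id={ident}) is not registered in this pluto build")
```

On the sample, the only entry flagged is the DES_CBC(1) encryption transform, the same id named in the `ike enc ealg=1 not present` log line above.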

       