[Openswan Users] Openswan-3.0.06: `ipsec auto --up ifx` failed.
KokHow.Teh at infineon.com
KokHow.Teh at infineon.com
Thu Nov 8 01:36:22 EST 2007
Hi;
Somehow, I could not manage to bring up my ipsec connection.
What are the specific requirements of the kernel in order to establish
my ipsec connection? What is the minimum required kernel configuration?
`ipsec auto --status` at both ends shows that the `ifx` connection is defined, but
for some reason the connection cannot be established. Any
insight is appreciated.
Regards,
KH
[root at Danube:~ 2]# ipsec auto --status
000 interface ipsec0/eth0 10.10.10.1
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm IPCOMP compress attr: id=2, name=IPCOMP_DEFLATE
000 algorithm IPCOMP compress attr: id=3, name=IPCOMP_LZS
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "ifx": 10.10.10.0/24===10.10.10.1...10.10.10.2===10.10.10.0/24;
unrouted; eroute owner: #0
000 "ifx": srcip=unset; dstip=unset;
000 "ifx": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "ifx": policy: PSK+ENCRYPT+TUNNEL+PFS+lKOD+rKOD; prio: 24,24;
interface: eth0;
000 "ifx": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ifx": IKE algorithms wanted: AES_CBC(7)_000-MD5(1)-5,
AES_CBC(7)_000-MD5(1)-2, flags=-strict
000 "ifx": IKE algorithms found: AES_CBC(7)_128-MD5(1)_128-5,
AES_CBC(7)_128-MD5(1)_128-2,
000 "ifx": ESP algorithms wanted: MD5(1), flags=-strict
000 "ifx": ESP algorithms loaded: AES(12)_128-MD5(1)_128-NONE
000
000
[root at Danube:~ 3]# ipsec auto --up ifx
104 "ifx" #1: STATE_MAIN_I1: initiate
003 "ifx" #1: received Vendor ID payload [Openswan (this version)
3.0.06GITGITGIT X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "ifx" #1: received Vendor ID payload [Dead Peer Detection]
106 "ifx" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ifx" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ifx" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1536}
117 "ifx" #2: STATE_QUICK_I1: initiate
010 "ifx" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ifx" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "ifx" #2: max number of retransmissions (2) reached STATE_QUICK_I1.
No acceptable response to our first Quick Mode message: perhaps peer
likes no
proposal
000 "ifx" #2: starting keying attempt 2 of at most 3, but releasing
whack
[root at Danube:~ 4]#
[root at Danube:~ 4]#
[root at Danube:~ 4]# ipsec auto --up ifx
117 "ifx" #4: STATE_QUICK_I1: initiate
[root at Danube:~ 5]# ps
PID Uid VSZ Stat Command
1 root 2248 S init
2 root RWN [ksoftirqd/0]
3 root SW [watchdog/0]
4 root SW< [events/0]
5 root SW< [khelper]
6 root SW< [kthread]
64 root SW< [kblockd/0]
67 root SW< [khubd]
82 root SW [pdflush]
83 root SW [pdflush]
84 root SW< [kswapd0]
85 root SW< [aio/0]
86 root SW [crypto]
87 root SW [crypto_ret]
127 root SW [mtdblockd]
156 root SW< [kmmcd]
160 root SW [sdio_init_threa]
180 root 2244 S syslogd -s 0
182 root 2240 S klogd
193 root 2156 S dropbear -r /etc/dropbear_rsa_host_key
194 root 2260 S -sh
285 root 2256 S /bin/sh /usr/local/lib/ipsec/_plutorun --debug
--uni
286 root 2256 S /bin/sh /usr/local/lib/ipsec/_plutorun --debug
--uni
287 root 4996 S /usr/local/libexec/ipsec/pluto --nofork
--secretsfile
288 root 2252 S /bin/sh /usr/local/lib/ipsec/_plutoload --wait
no --p
289 root 2248 S logger -s -p daemon.error -t ipsec__plutorun
301 root 4856 S N pluto helper # 0
302 root 2288 S lwdnsq
335 root 2248 R ps
[root at Danube:~ 6]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:E1:93:01:02:41
inet addr:10.10.10.1 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:806 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:57860 (56.5 KiB) TX bytes:4064 (3.9 KiB)
ipsec0 Link encap:Ethernet HWaddr 00:E1:93:01:02:41
inet addr:10.10.10.1 Mask:255.0.0.0
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
ipsec1 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
teql0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
tunl0 Link encap:UNSPEC HWaddr
00-00-00-00-00-00-10-00-00-00-00-00-00-00-00-00
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
[root at Danube:~ 7]# ipsec eroute
[root at Danube:~ 8]# route -e
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt
Iface
10.0.0.0 * 255.0.0.0 U 0 0 0
eth0
10.0.0.0 * 255.0.0.0 U 0 0 0
ipsec0
default 10.10.10.2 0.0.0.0 UG 0 0 0
eth0
[root at Danube:~ 9]#