[Openswan Users] Trouble setting up openswan

Phil Wild philwild at gmail.com
Tue Nov 20 00:42:20 EST 2007


Hello openswan users,
I am new to openswan and have been struggling to get my first
connection up and running for the last two days.
I have two hosts running ubuntu, both connected to the internet and
protected by shorewall
The left host is called bravo and the right host is called zulu.
Bravo has an ethernet connection while zulu connects via a PPPoE bridged ADSL modem.
My configuration file is as follows:
conn bravo-zulu
        left=202.72.167.27
        leftsubnet=192.168.10.0/24
        leftid=@bravo.gastech.com.au
        leftrsasigkey=...DqXTR
        leftnexthop=202.72.167.25
        right=203.161.71.190
        rightsubnet=10.3.0.0/24
        rightid=@zulu
        rightrsasigkey=...+WR
        rightnexthop=203.161.90.1
        authby=rsasig
        auto=start
/etc/ipsec.conf looks like:


# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        plutodebug = "all"
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/bravo-zulu.conf


ipsec auto --status on zulu returns
root at zulu:/etc/ipsec.d# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.6...
ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/xfrm/xfrm_user.ko
root at zulu:/etc/ipsec.d# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.3.0.3
000 interface eth1/eth1 10.3.0.3
000 interface ppp0/ppp0 203.161.71.190
000 interface ppp0/ppp0 203.161.71.190
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bravo-zulu": 10.3.0.0/24===203.161.71.190[@zulu]---203.161.90.1...202.72.167.25---202.72.167.27[@bravo.gastech.com.au]===192.168.10.0/24; prospective erouted; eroute owner: #0
000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bravo-zulu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "bravo-zulu":   newest ISAKMP SA: #2; newest IPsec SA: #0;
000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #1: "bravo-zulu":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "bravo-zulu" replacing #0
000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3324s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
and on bravo:
root at bravo:/etc/ipsec.d# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.2
000 interface eth0/eth0 192.168.10.2
000 interface eth1/eth1 202.72.167.27
000 interface eth1/eth1 202.72.167.27
000 interface eth1:1/eth1:1 202.72.167.29
000 interface eth1:1/eth1:1 202.72.167.29
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; prospective erouted; eroute owner: #0
000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "bravo-zulu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "bravo-zulu":   newest ISAKMP SA: #2; newest IPsec SA: #0;
000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #4: "bravo-zulu":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 7s; lastdpd=-1s(seq in:0 out:0)
000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3281s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #3: "bravo-zulu":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0)
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2638s; lastdpd=-1s(seq in:0 out:0)
000
daemon.log on zulu contains:
Nov 20 14:24:38 zulu ipsec_setup: KLIPS ipsec0 on ppp0 203.161.71.190/255.255.255.255 pointopoint 203.161.90.1
Nov 20 14:24:38 zulu ipsec_setup: ...Openswan IPsec started
Nov 20 14:24:38 zulu ipsec_setup: Starting Openswan IPsec 2.4.6...
Nov 20 14:24:38 zulu ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/key/af_key.ko
Nov 20 14:24:38 zulu ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/ipv4/xfrm4_tunnel.ko
Nov 20 14:24:38 zulu ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/xfrm/xfrm_user.ko
Nov 20 14:24:39 zulu ipsec__plutorun: 104 "bravo-zulu" #1: STATE_MAIN_I1: initiate
Nov 20 14:24:39 zulu ipsec__plutorun: ...could not start conn "bravo-zulu"

and on bravo:
Nov 20 14:24:57 bravo ipsec_setup: KLIPS ipsec0 on eth1 202.72.167.27/255.255.255.248 broadcast 202.72.167.31
Nov 20 14:24:57 bravo ipsec_setup: ...Openswan IPsec started
Nov 20 14:24:57 bravo ipsec_setup: Starting Openswan IPsec 2.4.6...
Nov 20 14:24:57 bravo ipsec_setup: insmod /lib/modules/2.6.20-16-generic/kernel/net/key/af_key.ko
Nov 20 14:24:57 bravo ipsec_setup: insmod /lib/modules/2.6.20-16-generic/kernel/net/ipv4/xfrm4_tunnel.ko
Nov 20 14:24:57 bravo ipsec_setup: insmod /lib/modules/2.6.20-16-generic/kernel/net/xfrm/xfrm_user.ko
Nov 20 14:25:15 bravo ipsec__plutorun: 104 "bravo-zulu" #1: STATE_MAIN_I1: initiate
Nov 20 14:25:15 bravo ipsec__plutorun: ...could not start conn "bravo-zulu"

netstat -rn on host zulu shows:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
203.161.90.1    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
192.168.10.0    203.161.90.1    255.255.255.0   UG        0 0          0 ppp0
0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
and on bravo:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
202.72.167.24   0.0.0.0         255.255.255.248 U         0 0          0 eth1
10.3.0.0        202.72.167.25   255.255.255.0   UG        0 0          0 eth1
192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         202.72.167.25   0.0.0.0         UG        0 0          0 eth1

I have made the following changes to shorewall on each host

Added "vpn ipsec" to the zones file
Added "vpn ipsec+" to the interfaces file
created a tunnels file and added "ipsec net 0.0.0.0/0"
Added the following to the policy file:
  loc vpn ACCEPT
  vpn loc ACCEPT

And in rules, opened up all traffic between the two hosts with the following:

On zulu:
ACCEPT  net:202.72.167.27     all  all
and on bravo
ACCEPT  net:203.161.71.190     all   all

Does anyone have any idea what I am doing wrong?

Many thanks

Phil

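An added example, not part of Phil's post: a small parser for the `ipsec auto --status` output quoted above. It re-joins the lines the mail client wrapped (every real status line starts with the `000 ` prefix), then reports per connection whether Phase 1 (ISAKMP) and Phase 2 (IPsec) are established and which state objects are still in `EVENT_RETRANSMIT`, i.e. waiting on a reply the peer never sends. The sample input is copied from the two status dumps in the post; the state-name sets used to classify "established" are the standard Openswan/Pluto names.

```python
import re

# Status lines as quoted in the post above, still wrapped by the mail client:
# continuation lines do not start with the "000 " prefix.
ZULU_STATUS = """\
000 "bravo-zulu":   newest ISAKMP SA: #2; newest IPsec SA: #0;
000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #1: "bravo-zulu":500 STATE_MAIN_I2 (sent MI2, expecting MR2);
EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "bravo-zulu" replacing #0
000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3324s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0)
"""

BRAVO_STATUS = """\
000 "bravo-zulu":   newest ISAKMP SA: #2; newest IPsec SA: #0;
000 #4: "bravo-zulu":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA
installed, expecting QI2); EVENT_RETRANSMIT in 7s; lastdpd=-1s(seq
in:0 out:0)
000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3281s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0)
000 #3: "bravo-zulu":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0)
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2638s; lastdpd=-1s(seq in:0 out:0)
"""

# Pluto state names that mean the exchange completed on this side.
PHASE1_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_AGGR_I2", "STATE_AGGR_R2"}
PHASE2_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}

SA_LINE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<detail>[^)]*)\);(?P<rest>.*)$')
NEWEST_LINE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<p1>\d+); '
    r'newest IPsec SA: #(?P<p2>\d+);')


def unwrap(text):
    """Re-join mail-wrapped lines: a real status line starts with '000'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("000") or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] = lines[-1] + " " + raw.strip()
    return lines


def parse_status(text):
    """Return (list of state objects, {conn: (newest ISAKMP #, newest IPsec #)})."""
    sas, newest = [], {}
    for line in unwrap(text):
        m = SA_LINE.match(line)
        if m:
            sas.append({
                "num": int(m["num"]),
                "conn": m["conn"],
                "state": m["state"],
                "detail": m["detail"],
                # A pending EVENT_RETRANSMIT means we sent and got no reply.
                "retransmitting": "EVENT_RETRANSMIT" in m["rest"],
            })
            continue
        m = NEWEST_LINE.match(line)
        if m:
            newest[m["conn"]] = (int(m["p1"]), int(m["p2"]))
    return sas, newest


def diagnose(text):
    """Per connection: is Phase 1 / Phase 2 up, and which states are stuck?"""
    sas, newest = parse_status(text)
    report = {}
    for conn in set(newest) | {sa["conn"] for sa in sas}:
        mine = [sa for sa in sas if sa["conn"] == conn]
        p1, p2 = newest.get(conn, (0, 0))
        report[conn] = {
            "phase1_up": p1 != 0 or any(sa["state"] in PHASE1_DONE for sa in mine),
            "phase2_up": p2 != 0 or any(sa["state"] in PHASE2_DONE for sa in mine),
            "stuck": sorted((sa["num"], sa["state"], sa["detail"])
                            for sa in mine if sa["retransmitting"]),
        }
    return report


if __name__ == "__main__":
    for host, status in (("zulu", ZULU_STATUS), ("bravo", BRAVO_STATUS)):
        for conn, r in diagnose(status).items():
            print(f"{host} {conn}: phase1={r['phase1_up']} phase2={r['phase2_up']}")
            for num, state, detail in r["stuck"]:
                print(f"  #{num} stuck in {state} ({detail})")
```

Run against the two dumps it reports Phase 1 up and Phase 2 down on both hosts, with zulu's #1 stuck at `STATE_MAIN_I2` (its own main-mode attempt never receives MR2) and bravo's #3/#4 stuck in quick mode (`expecting QR1` / `expecting QI2`). That pattern, one-directional retransmits while the responder-side ISAKMP SA is established, is what you would look at a firewall or NAT for: confirm UDP/500 (and UDP/4500 plus ESP, protocol 50) are passed in both directions on both hosts before touching the Openswan configuration.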

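A second added example, also not part of the post: the same `bravo-zulu` conn with the proposals pinned, shown here because the status output above records the negotiated set as `3DES_CBC_192-MD5-MODP1536`, which is what Openswan 2.4 falls back to when `ike=` and `esp=` are left unset. The RSA keys stay elided exactly as in the post; the `ike=`/`esp=` strings use the standard Openswan `cipher-hash-modpgroup` syntax and are the editor's choice, not something the post specifies.

```ini
# Added example: bravo-zulu.conf with explicit IKE and ESP proposals.
conn bravo-zulu
        left=202.72.167.27
        leftsubnet=192.168.10.0/24
        leftid=@bravo.gastech.com.au
        leftrsasigkey=...DqXTR
        leftnexthop=202.72.167.25
        right=203.161.71.190
        rightsubnet=10.3.0.0/24
        rightid=@zulu
        rightrsasigkey=...+WR
        rightnexthop=203.161.90.1
        authby=rsasig
        # Phase 1: AES-128, SHA-1, 2048-bit MODP instead of the 3DES/MD5/MODP1536 default.
        ike=aes128-sha1-modp2048
        # Phase 2: AES-128 ESP with HMAC-SHA1; PFS is already on by default.
        esp=aes128-sha1
        pfs=yes
        auto=start
```

Both peers have to list a matching proposal or Phase 1 will fail before any of the retransmit behaviour above is reachable, so change both `bravo-zulu.conf` files together and confirm with `ipsec auto --status` that the `IKE algorithm newest:` line now shows the pinned set. Separately, `plutodebug=all` in `config setup` is fine while debugging but logs every packet's contents; set it back to `none` once the tunnel is up.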