[Openswan Users] Help required: Trouble setting up openswan
Phil Wild
philwild at gmail.com
Mon Nov 26 01:28:55 EST 2007
Hello,
I posted the below to the list about a week ago and did not get any
responses. Does anyone have any ideas what is going wrong with my
configuration, as I have not been able to get any further?
Any help would be hugely appreciated.
Cheers
Phil
On 20/11/2007, Phil Wild <philwild at gmail.com> wrote:
> Hello openswan users,
> I am new to openswan and have been struggling to get my first
> connection up and running for the last two days.
> I have two hosts running ubuntu, both connected to the internet and
> protected by shorewall
> The left host is called bravo and the right host is called zulu
> Bravo has an ethernet connection while zulu connects via pppoe bridged adsl modem
> my configuration file is as follows:
> conn bravo-zulu
>         left=202.72.167.27
>         leftsubnet=192.168.10.0/24
>         leftid=@bravo.gastech.com.au
>         leftrsasigkey=...DqXTR
>         leftnexthop=202.72.167.25
>         right=203.161.71.190
>         rightsubnet=10.3.0.0/24
>         rightid=@zulu
>         rightrsasigkey=...+WR
>         rightnexthop=203.161.90.1
>         authby=rsasig
>         auto=start
> /etc/ipsec.conf looks like:
>
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         plutodebug = "all"
>         # "raw crypt parsing emitting control klips pfkey natt x509 private"
>         # eg:
>         # plutodebug="control parsing"
>         #
>         # Only enable klipsdebug=all if you are a developer
>         #
>         # NAT-TRAVERSAL support, see README.NAT-Traversal
>         nat_traversal=yes
>         # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         #
>         # enable this if you see "failed to find any available worker"
>         nhelpers=0
>
> # Add connections here
>
> # sample VPN connections, see /etc/ipsec.d/examples/
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> include /etc/ipsec.d/bravo-zulu.conf
>
>
> ipsec auto --status on zulu returns
> root at zulu:/etc/ipsec.d# /etc/init.d/ipsec start
> ipsec_setup: Starting Openswan IPsec 2.4.6...
> ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/key/af_key.ko
> ipsec_setup: insmod
> /lib/modules/2.6.22-14-server/kernel/net/ipv4/xfrm4_tunnel.ko
> ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/xfrm/xfrm_user.ko
> root at zulu:/etc/ipsec.d# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth1/eth1 10.3.0.3
> 000 interface eth1/eth1 10.3.0.3
> 000 interface ppp0/ppp0 203.161.71.190
> 000 interface ppp0/ppp0 203.161.71.190
> 000 %myid = (none)
> 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "bravo-zulu":
> 10.3.0.0/24===203.161.71.190[@zulu]---203.161.90.1...202.72.167.25---202.72.167.27[@bravo.gastech.com.au]===192.168.10.0/24;
> prospective erouted; eroute owner: #0
> 000 "bravo-zulu": srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "bravo-zulu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "bravo-zulu": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
> interface: ppp0;
> 000 "bravo-zulu": newest ISAKMP SA: #2; newest IPsec SA: #0;
> 000 "bravo-zulu": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #1: "bravo-zulu":500 STATE_MAIN_I2 (sent MI2, expecting MR2);
> EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0)
> 000 #1: pending Phase 2 for "bravo-zulu" replacing #0
> 000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 3324s; newest ISAKMP;
> lastdpd=-1s(seq in:0 out:0)
> 000
> and on bravo:
> root at bravo:/etc/ipsec.d# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.10.2
> 000 interface eth0/eth0 192.168.10.2
> 000 interface eth1/eth1 202.72.167.27
> 000 interface eth1/eth1 202.72.167.27
> 000 interface eth1:1/eth1:1 202.72.167.29
> 000 interface eth1:1/eth1:1 202.72.167.29
> 000 %myid = (none)
> 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "bravo-zulu":
> 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24;
> prospective erouted; eroute owner: #0
> 000 "bravo-zulu": srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "bravo-zulu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "bravo-zulu": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
> interface: eth1;
> 000 "bravo-zulu": newest ISAKMP SA: #2; newest IPsec SA: #0;
> 000 "bravo-zulu": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #4: "bravo-zulu":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA
> installed, expecting QI2); EVENT_RETRANSMIT in 7s; lastdpd=-1s(seq
> in:0 out:0)
> 000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 3281s; newest ISAKMP;
> lastdpd=-1s(seq in:0 out:0)
> 000 #3: "bravo-zulu":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0)
> 000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2638s; lastdpd=-1s(seq in:0 out:0)
> 000
> daemon.log on zulu contains:
> Nov 20 14:24:38 zulu ipsec_setup: KLIPS ipsec0 on ppp0
> 203.161.71.190/255.255.255.255 pointopoint 203.161.90.1
> Nov 20 14:24:38 zulu ipsec_setup: ...Openswan IPsec started
> Nov 20 14:24:38 zulu ipsec_setup: Starting Openswan IPsec 2.4.6...
> Nov 20 14:24:38 zulu ipsec_setup: insmod
> /lib/modules/2.6.22-14-server/kernel/net/key/af_key.ko
> Nov 20 14:24:38 zulu ipsec_setup: insmod
> /lib/modules/2.6.22-14-server/kernel/net/ipv4/xfrm4_tunnel.ko
> Nov 20 14:24:38 zulu ipsec_setup: insmod
> /lib/modules/2.6.22-14-server/kernel/net/xfrm/xfrm_user.ko
> Nov 20 14:24:39 zulu ipsec__plutorun: 104 "bravo-zulu" #1:
> STATE_MAIN_I1: initiate
> Nov 20 14:24:39 zulu ipsec__plutorun: ...could not start conn "bravo-zulu"
>
> and on bravo:
> Nov 20 14:24:57 bravo ipsec_setup: KLIPS ipsec0 on eth1
> 202.72.167.27/255.255.255.248 broadcast 202.72.167.31
> Nov 20 14:24:57 bravo ipsec_setup: ...Openswan IPsec started
> Nov 20 14:24:57 bravo ipsec_setup: Starting Openswan IPsec 2.4.6...
> Nov 20 14:24:57 bravo ipsec_setup: insmod
> /lib/modules/2.6.20-16-generic/kernel/net/key/af_key.ko
> Nov 20 14:24:57 bravo ipsec_setup: insmod
> /lib/modules/2.6.20-16-generic/kernel/net/ipv4/xfrm4_tunnel.ko
> Nov 20 14:24:57 bravo ipsec_setup: insmod
> /lib/modules/2.6.20-16-generic/kernel/net/xfrm/xfrm_user.ko
> Nov 20 14:25:15 bravo ipsec__plutorun: 104 "bravo-zulu" #1:
> STATE_MAIN_I1: initiate
> Nov 20 14:25:15 bravo ipsec__plutorun: ...could not start conn "bravo-zulu"
> netstat -rn on host zulu shows:
>
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 203.161.90.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 10.3.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
> 192.168.10.0 203.161.90.1 255.255.255.0 UG 0 0 0 ppp0
> 0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
> and on bravo:
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 202.72.167.24 0.0.0.0 255.255.255.248 U 0 0 0 eth1
> 10.3.0.0 202.72.167.25 255.255.255.0 UG 0 0 0 eth1
> 192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 0.0.0.0 202.72.167.25 0.0.0.0 UG 0 0 0 eth1
>
> I have made the following changes to shorewall on each host
>
> Added "vpn ipsec" to the zones file
> Added "vpn ipsec+" to the interfaces file
> created a tunnels file and added "ipsec net 0.0.0.0/0"
> Added the following to the policy file:
> loc vpn ACCEPT
> vpn loc ACCEPT
>
> And to rules, opened up all traffic between the two hosts with the following:
>
> On zulu:
> ACCEPT net:202.72.167.27 all all
> and on bravo
> ACCEPT net:203.161.71.190 all all
>
> Does anyone have any idea what I am doing wrong?
>
> Many thanks
>
> Phil
>
--
Tel: 0400 466 952
Fax: 0433 123 226
email: philwild at gmail.com
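The `ipsec auto --status` output quoted in the post can be checked mechanically. The following is an added example, not code from the post or from Openswan: a small Python parser for the per-connection and per-state lines of that output, run over samples constructed from the bravo and zulu listings above (wrapped lines re-joined, interface and algorithm tables omitted). It flags the pattern both hosts show: an ISAKMP SA exists (newest ISAKMP SA: #2) but no IPsec SA (#0), and Main Mode or Quick Mode states are sitting on EVENT_RETRANSMIT. It also flags the negotiated IKE proposal (3DES_CBC_192-MD5-MODP1536) against a legacy-algorithm list, which is an assumption of this example, as are the function names `parse_status` and `diagnose` and the finding labels.

```python
import re

# Constructed sample: the relevant lines of the post's `ipsec auto --status`
# output on bravo, with mail-wrapped lines re-joined.
STATUS_BRAVO = """\
000 "bravo-zulu": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "bravo-zulu": newest ISAKMP SA: #2; newest IPsec SA: #0;
000 "bravo-zulu": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #4: "bravo-zulu":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 7s; lastdpd=-1s(seq in:0 out:0)
000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3281s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #3: "bravo-zulu":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0)
000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2638s; lastdpd=-1s(seq in:0 out:0)
"""

# Constructed sample: the same lines from the zulu listing.
STATUS_ZULU = """\
000 "bravo-zulu": newest ISAKMP SA: #2; newest IPsec SA: #0;
000 "bravo-zulu": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #1: "bravo-zulu":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "bravo-zulu" replacing #0
000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3324s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""

# Per-connection summary line: newest Phase 1 and Phase 2 SA numbers (#0 = none).
SA_RE = re.compile(r'^000 "(?P<conn>[^"]+)": newest ISAKMP SA: #(?P<isakmp>\d+); '
                   r'newest IPsec SA: #(?P<ipsec>\d+);')
# Negotiated IKE proposal for the connection.
IKE_ALG_RE = re.compile(r'^000 "(?P<conn>[^"]+)": IKE algorithm newest: (?P<alg>\S+)')
# Per-state line: SA number, state name, and the pending timer event.
STATE_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
                      r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s')

# Assumption of this example: proposal components treated as legacy by local policy.
LEGACY_IKE_TOKENS = ("3DES", "MD5", "MODP1024")


def parse_status(text):
    """Return ({conn: {'isakmp', 'ipsec', 'ike_alg'}}, [state dicts]) from status output."""
    conns, states = {}, []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            entry = conns.setdefault(m["conn"], {})
            entry["isakmp"] = int(m["isakmp"])
            entry["ipsec"] = int(m["ipsec"])
            continue
        m = IKE_ALG_RE.match(line)
        if m:
            conns.setdefault(m["conn"], {})["ike_alg"] = m["alg"]
            continue
        m = STATE_RE.match(line)
        if m:
            states.append({"num": int(m["num"]), "conn": m["conn"], "state": m["state"],
                           "event": m["event"], "secs": int(m["secs"])})
    return conns, states


def diagnose(text):
    """Map each connection to a sorted list of findings about its negotiation state."""
    conns, states = parse_status(text)
    findings = {}
    for conn, info in conns.items():
        f = set()
        retrans = [s for s in states if s["conn"] == conn and s["event"] == "EVENT_RETRANSMIT"]
        # Phase 1 completed but no Phase 2 SA was ever installed.
        if info.get("isakmp", 0) > 0 and info.get("ipsec", 0) == 0:
            f.add("phase1_ok_phase2_missing")
        # A Main Mode or Quick Mode exchange is waiting on a reply that never arrives.
        if any(s["state"].startswith("STATE_MAIN_") for s in retrans):
            f.add("main_mode_retransmitting")
        if any(s["state"].startswith("STATE_QUICK_") for s in retrans):
            f.add("quick_mode_retransmitting")
        if any(tok in info.get("ike_alg", "") for tok in LEGACY_IKE_TOKENS):
            f.add("legacy_ike_proposal")
        findings[conn] = sorted(f)
    return findings


if __name__ == "__main__":
    for host, text in (("bravo", STATUS_BRAVO), ("zulu", STATUS_ZULU)):
        print(host, diagnose(text))
```

On both samples the checker reports `phase1_ok_phase2_missing`: each side has an established ISAKMP SA yet the IPsec SA number is still #0, and the states that would complete the tunnel (Main Mode I2 on zulu, Quick Mode I1/R1 on bravo) are retransmitting rather than advancing. A retransmitting state means the peer's next message has not been seen by pluto, so the packet path between the two gateways (UDP/500 for IKE and ESP for the tunnel itself) is the thing to verify on both hosts' firewalls and logs before changing the connection definition. The `legacy_ike_proposal` finding is separate from the connectivity problem: it only notes that 3DES with MD5 is what this 2007-era setup negotiated.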