[Openswan Users] Help required: Trouble setting up openswan

Peter McGill petermcgill at goco.net
Mon Nov 26 09:46:35 EST 2007


Well the first thing you should do is turn off plutodebug with plutodebug=none.
The debug options are for developer troubleshooting not user troubleshooting.
They are not helpful in most cases and only flood your logs.
The normal (non debug) logging is usually enough help to find your problem.

From what I can see it looks like you're connecting phase 1, isakmp (udp 500).
But phase 2, esp (protocol 50), is failing; possibly it's blocked by your firewalls.

I can't tell you how to configure your shorewall specifically.
But in general terms you need to allow the following at a minimum between your two hosts.
You need to allow these on all firewalls between (and on) the hosts.
Protocol 17 (udp) & port 500 (isakmp)
Protocol 50 (esp). Note this is protocol 50, not port 50; there is a big difference.
And also, if you have NAT-T (Network Address Translation Traversal), that is if your host's public
IP address gets changed before reaching the other host, then you'll need to allow this also:
Protocol 17 (udp) & port 1500 (NAT-T)


Peter McGill
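As an added illustration of the reading above (this is not code from either poster), the following Python script parses the per-connection lines of the `ipsec auto --status` output quoted below and reports whether the ISAKMP SA (phase 1) exists while the IPsec SA (phase 2) does not, then names the firewall allowances from the reply to verify. The sample input is constructed from the quoted "bravo-zulu" status lines, re-joined onto single lines; the line formats assumed are those of the quoted Openswan 2.4.6 output.

```python
import re

# Constructed sample: the "bravo-zulu" status lines quoted in the original
# post, re-joined onto single lines (the mail client had wrapped them).
SAMPLE_STATUS = """\
000 "bravo-zulu":   newest ISAKMP SA: #2; newest IPsec SA: #0;
000 #4: "bravo-zulu":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 7s; lastdpd=-1s(seq in:0 out:0)
000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3281s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #3: "bravo-zulu":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0)
"""

# "#0" in the newest-SA summary means no SA of that kind exists yet.
NEWEST_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<ike>\d+); '
                       r'newest IPsec SA: #(?P<ipsec>\d+);')
# Per-SA line: its state and the pending event (EVENT_RETRANSMIT = peer has not answered).
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
                      r'.*?(?P<event>EVENT_\w+)')

def _new():
    return {'phase1_up': False, 'phase2_up': False, 'stuck': []}

def diagnose(status_text):
    """Map connection name -> phase flags plus the SAs still retransmitting."""
    conns = {}
    for line in status_text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            c = conns.setdefault(m['conn'], _new())
            c['phase1_up'] = m['ike'] != '0'
            c['phase2_up'] = m['ipsec'] != '0'
            continue
        m = STATE_RE.match(line)
        if m and m['event'] == 'EVENT_RETRANSMIT':
            conns.setdefault(m['conn'], _new())['stuck'].append((int(m['sa']), m['state']))
    return conns

def advice(c):
    """Which of the reply's minimum firewall allowances to verify first."""
    if c['phase2_up']:
        return 'tunnel up: ISAKMP and IPsec SAs both exist'
    if c['phase1_up']:
        return ('phase 1 (isakmp, udp 500) established but no IPsec SA: confirm ESP '
                '(IP protocol 50, not port 50) and NAT-T pass every firewall between and on the hosts')
    return 'phase 1 not established: confirm udp 500 is allowed between the hosts'

if __name__ == '__main__':
    for name, c in diagnose(SAMPLE_STATUS).items():
        print(f'{name}: {advice(c)}; still retransmitting: {c["stuck"]}')
```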
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Phil Wild
> Sent: November 26, 2007 1:29 AM
> To: users at openswan.org
> Subject: [Openswan Users] Help required: Trouble setting up openswan
> 
> Hello,
> 
> I posted the below to the list about a week ago and did not get any
> responses. Does anyone have any ideas what is going wrong with my
> configuration, as I have not been able to get any further?
> 
> Any help would be hugely appreciated.
> 
> Cheers
> 
> Phil
> 
> On 20/11/2007, Phil Wild <philwild at gmail.com> wrote:
> > Hello openswan users,
> > I am new to openswan and have been struggling to get my first
> > connection up and running for the last two days.
> > I have two hosts running ubuntu, both connected to the internet and
> > protected by shorewall.
> > The left host is called bravo and the right host is called zulu.
> > Bravo has an ethernet connection while zulu connects via a
> > pppoe bridged adsl modem.
> > My configuration file is as follows:
> > conn bravo-zulu
> >        left=202.72.167.27
> >        leftsubnet=192.168.10.0/24
> >        leftid=@bravo.gastech.com.au
> >        leftrsasigkey=...DqXTR
> >        leftnexthop=202.72.167.25
> >        right=203.161.71.190
> >        rightsubnet=10.3.0.0/24
> >        rightid=@zulu
> >        rightrsasigkey=...+WR
> >        rightnexthop=203.161.90.1
> >        authby=rsasig
> >        auto=start
> > /etc/ipsec.conf looks like:
> >
> >
> > # /etc/ipsec.conf - Openswan IPsec configuration file
> > # RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
> >
> > # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> > #
> > # Manual:     ipsec.conf.5
> >
> >
> > version 2.0     # conforms to second version of ipsec.conf specification
> >
> > # basic configuration
> > config setup
> >        plutodebug = "all"
> >        # "raw crypt parsing emitting control klips pfkey natt x509 private"
> >        # eg:
> >        # plutodebug="control parsing"
> >        #
> >        # Only enable klipsdebug=all if you are a developer
> >        #
> >        # NAT-TRAVERSAL support, see README.NAT-Traversal
> >        nat_traversal=yes
> >        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> >        #
> >        # enable this if you see "failed to find any available worker"
> >        nhelpers=0
> >
> > # Add connections here
> >
> > # sample VPN connections, see /etc/ipsec.d/examples/
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec.d/examples/no_oe.conf
> > include /etc/ipsec.d/bravo-zulu.conf
> >
> >
> > ipsec auto --status on zulu returns
> > root at zulu:/etc/ipsec.d# /etc/init.d/ipsec start
> > ipsec_setup: Starting Openswan IPsec 2.4.6...
> > ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/key/af_key.ko
> > ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/ipv4/xfrm4_tunnel.ko
> > ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/xfrm/xfrm_user.ko
> > root at zulu:/etc/ipsec.d# ipsec auto --status
> > 000 interface lo/lo ::1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface eth1/eth1 10.3.0.3
> > 000 interface eth1/eth1 10.3.0.3
> > 000 interface ppp0/ppp0 203.161.71.190
> > 000 interface ppp0/ppp0 203.161.71.190
> > 000 %myid = (none)
> > 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> > 000
> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> > 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> > 000
> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> > 000
> > 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> > 000
> > 000 "bravo-zulu": 10.3.0.0/24===203.161.71.190[@zulu]---203.161.90.1...202.72.167.25---202.72.167.27[@bravo.gastech.com.au]===192.168.10.0/24; prospective erouted; eroute owner: #0
> > 000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> > 000 "bravo-zulu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
> > 000 "bravo-zulu":   newest ISAKMP SA: #2; newest IPsec SA: #0;
> > 000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> > 000
> > 000 #1: "bravo-zulu":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; lastdpd=-1s(seq in:0 out:0)
> > 000 #1: pending Phase 2 for "bravo-zulu" replacing #0
> > 000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3324s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> > 000
> > and on bravo:
> > root at bravo:/etc/ipsec.d# ipsec auto --status
> > 000 interface lo/lo ::1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface eth0/eth0 192.168.10.2
> > 000 interface eth0/eth0 192.168.10.2
> > 000 interface eth1/eth1 202.72.167.27
> > 000 interface eth1/eth1 202.72.167.27
> > 000 interface eth1:1/eth1:1 202.72.167.29
> > 000 interface eth1:1/eth1:1 202.72.167.29
> > 000 %myid = (none)
> > 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> > 000
> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> > 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> > 000
> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> > 000
> > 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> > 000
> > 000 "bravo-zulu": 192.168.10.0/24===202.72.167.27[@bravo.gastech.com.au]---202.72.167.25...203.161.90.1---203.161.71.190[@zulu]===10.3.0.0/24; prospective erouted; eroute owner: #0
> > 000 "bravo-zulu":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> > 000 "bravo-zulu":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "bravo-zulu":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
> > 000 "bravo-zulu":   newest ISAKMP SA: #2; newest IPsec SA: #0;
> > 000 "bravo-zulu":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> > 000
> > 000 #4: "bravo-zulu":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 7s; lastdpd=-1s(seq in:0 out:0)
> > 000 #2: "bravo-zulu":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3281s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> > 000 #3: "bravo-zulu":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 15s; lastdpd=-1s(seq in:0 out:0)
> > 000 #1: "bravo-zulu":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2638s; lastdpd=-1s(seq in:0 out:0)
> > 000
> > daemon.log on zulu contains:
> > Nov 20 14:24:38 zulu ipsec_setup: KLIPS ipsec0 on ppp0 203.161.71.190/255.255.255.255 pointopoint 203.161.90.1
> > Nov 20 14:24:38 zulu ipsec_setup: ...Openswan IPsec started
> > Nov 20 14:24:38 zulu ipsec_setup: Starting Openswan IPsec 2.4.6...
> > Nov 20 14:24:38 zulu ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/key/af_key.ko
> > Nov 20 14:24:38 zulu ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/ipv4/xfrm4_tunnel.ko
> > Nov 20 14:24:38 zulu ipsec_setup: insmod /lib/modules/2.6.22-14-server/kernel/net/xfrm/xfrm_user.ko
> > Nov 20 14:24:39 zulu ipsec__plutorun: 104 "bravo-zulu" #1: STATE_MAIN_I1: initiate
> > Nov 20 14:24:39 zulu ipsec__plutorun: ...could not start conn "bravo-zulu"
> >
> > and on bravo:
> > Nov 20 14:24:57 bravo ipsec_setup: KLIPS ipsec0 on eth1 202.72.167.27/255.255.255.248 broadcast 202.72.167.31
> > Nov 20 14:24:57 bravo ipsec_setup: ...Openswan IPsec started
> > Nov 20 14:24:57 bravo ipsec_setup: Starting Openswan IPsec 2.4.6...
> > Nov 20 14:24:57 bravo ipsec_setup: insmod /lib/modules/2.6.20-16-generic/kernel/net/key/af_key.ko
> > Nov 20 14:24:57 bravo ipsec_setup: insmod /lib/modules/2.6.20-16-generic/kernel/net/ipv4/xfrm4_tunnel.ko
> > Nov 20 14:24:57 bravo ipsec_setup: insmod /lib/modules/2.6.20-16-generic/kernel/net/xfrm/xfrm_user.ko
> > Nov 20 14:25:15 bravo ipsec__plutorun: 104 "bravo-zulu" #1: STATE_MAIN_I1: initiate
> > Nov 20 14:25:15 bravo ipsec__plutorun: ...could not start conn "bravo-zulu"
> > netstat -rn on host zulu shows:
> >
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 203.161.90.1    0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
> > 10.3.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth1
> > 192.168.10.0    203.161.90.1    255.255.255.0   UG        0 0          0 ppp0
> > 0.0.0.0         0.0.0.0         0.0.0.0         U         0 0          0 ppp0
> > and on bravo:
> > Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> > 202.72.167.24   0.0.0.0         255.255.255.248 U         0 0          0 eth1
> > 10.3.0.0        202.72.167.25   255.255.255.0   UG        0 0          0 eth1
> > 192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
> > 0.0.0.0         202.72.167.25   0.0.0.0         UG        0 0          0 eth1
> >
> > I have made the following changes to shorewall on each host
> >
> > Added "vpn ipsec" to the zones file
> > Added "vpn ipsec+" to the interfaces file
> > created a tunnels file and added "ipsec net 0.0.0.0/0"
> > Added the following to the policy file:
> >  loc vpn ACCEPT
> >  vpn loc ACCEPT
> >
> > And to rules, opened up all traffic between the two hosts with the following:
> >
> > On zulu:
> > ACCEPT  net:202.72.167.27     all  all
> > and on bravo
> > ACCEPT  net:203.161.71.190     all   all
> >
> > Does anyone have any idea what I am doing wrong?
> >
> > Many thanks
> >
> > Phil
> >
> 
> 
> -- 
> Tel: 0400 466 952
> Fax: 0433 123 226
> email: philwild at gmail.com


