[Openswan Users] Openswan configuration problems

Peter McGill petermcgill at goco.net
Thu Oct 4 11:05:27 EDT 2007


Well, for starters, if you're using certs you should remove leftid/rightid
from the conn; the cert will automatically set it to the cert DN.
Why are you using left/rightprotoport=17/1701?
Are you trying to use L2TP on top of IPsec?
Why do that unless connecting to Windows or Mac?
Why not just use IPsec? It's simpler.
Again, with certs, openswan to openswan, it's unnecessary and
increases connection complexity. The only added benefit I can think
of for certs vs. default rsasig is that you can revoke certs and they
have an expiry time.
Note that you have no CRL files, so there is little advantage to certs then.

Also, your logs are incomplete: you're only showing the start of the logs.
The end of the logs, where it encounters the error and stops the connection,
would be of more help. Show us the pluto logs for everything including and
after initiating Main Mode rather than everything before; before is just the
daemon startup info, after is the connection info.

For a simple openswan to openswan connection see the following docs in the distribution package
(if not in the Debian package, then download the source package from openswan.org/code for the docs):
doc/install.html and doc/config.html
In particular, after installing the Debian package, you might need to run
ipsec newhostkey ... from install.html.
Then see the ipsec.conf conn configuring info in config.html.


Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of José Antonio Olivera Ortega
> Sent: October 4, 2007 6:23 AM
> To: users at openswan.org
> Subject: [Openswan Users] Openswan configuration problems
> 
> Hello,
> 
> I am trying to set up an IPsec tunnel between two Debian boxes and I can't achieve it.
> 
> The well-known message I get is "ipsec__plutorun: ...could not start conn "Gateway-Router"".
> 
> I post some information to show my configuration and try to find out the problem.
> 
> 1.- Gateway box:
> 
> [/etc/ipsec.conf]
> 
> config setup
>         nat_traversal=yes
>         interfaces=%defaultroute
> 
> # Add connections here
> 
> include /etc/ipsec.d/local/*.conf
> 
> # sample VPN connections, see /etc/ipsec.d/examples/
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> [/etc/ipsec.d/local/Gateway-Router.conf]
> 
> conn Gateway-Router
>         authby=rsasig
>         pfs=no
>         auto=start
>         rekey=no
>         left=192.168.112.72
>         leftid=@Gateway
>         leftnexthop=%defaultroute
>         leftrsasigkey=%cert
>         leftcert=cert.pem
>         leftprotoport=17/1701
>         #
>         # The remote user.
>         #
>         right=192.168.112.71
>         rightid=@Router
>         rightnexthop=%defaultroute
>         rightrsasigkey=%cert
>         rightcert=RouterCert.pem
>         rightprotoport=17/1701
> 
> Also I post some /var/log/syslog information:
> 
> Oct  4 12:09:04 berglek kernel: NET: Registered protocol family 15
> Oct  4 12:09:04 berglek kernel: padlock: VIA PadLock not detected.
> Oct  4 12:09:04 berglek modprobe: FATAL: Error inserting padlock_aes 
> (/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-aes.ko): No 
> such device
> Oct  4 12:09:04 berglek kernel: padlock: VIA PadLock Hash Engine not 
> detected.
> Oct  4 12:09:04 berglek modprobe: FATAL: Error inserting padlock_sha 
> (/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No 
> such device
> Oct  4 12:09:04 berglek kernel: padlock: VIA PadLock Hash Engine not 
> detected.
> Oct  4 12:09:04 berglek modprobe: FATAL: Error inserting padlock_sha 
> (/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No 
> such device
> Oct  4 12:09:04 berglek kernel: padlock: No VIA PadLock drivers have 
> been loaded.
> Oct  4 12:09:04 berglek kernel: Initializing XFRM netlink socket
> Oct  4 12:09:04 berglek ipsec_setup: NETKEY on eth1 
> 192.168.112.72/255.255.255.0 broadcast 192.168.112.255
> Oct  4 12:09:04 berglek ipsec_setup: ...Openswan IPsec started
> Oct  4 12:09:04 berglek ipsec_setup: Starting Openswan IPsec 2.4.8...
> Oct  4 12:09:05 berglek ipsec__plutorun: 104 "Gateway-Router" #1: 
> STATE_MAIN_I1: initiate
> Oct  4 12:09:05 berglek ipsec__plutorun: ...could not start conn 
> "Gateway-Router"
> 
> Also I post some /var/log/auth.log information:
> 
> Oct  4 12:09:04 berglek ipsec__plutorun: Starting Pluto subsystem...
> Oct  4 12:09:04 berglek pluto[13523]: Starting Pluto 
> (Openswan Version 
> 2.4.8 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor 
> ID OE]bWX`QBruL)
> Oct  4 12:09:04 berglek pluto[13523]: Setting NAT-Traversal port-4500 
> floating to on
> Oct  4 12:09:04 berglek pluto[13523]:    port floating activation 
> criteria nat_t=1/port_fload=1
> Oct  4 12:09:04 berglek pluto[13523]:   including NAT-Traversal patch 
> (Version 0.6c)
> Oct  4 12:09:04 berglek pluto[13523]: ike_alg_register_enc(): 
> Activating 
> OAKLEY_AES_CBC: Ok (ret=0)
> Oct  4 12:09:04 berglek pluto[13523]: starting up 1 
> cryptographic helpers
> Oct  4 12:09:04 berglek pluto[13523]: started helper pid=13559 (fd:6)
> Oct  4 12:09:04 berglek pluto[13523]: Using NETKEY IPsec 
> interface code 
> on 2.6.21-2-686
> Oct  4 12:09:05 berglek pluto[13523]: Changing to directory 
> '/etc/ipsec.d/cacerts'
> Oct  4 12:09:05 berglek pluto[13523]:   loaded CA cert file 
> 'cacert.pem' 
> (1257 bytes)
> Oct  4 12:09:05 berglek pluto[13523]: Changing to directory 
> '/etc/ipsec.d/aacerts'
> Oct  4 12:09:05 berglek pluto[13523]: Changing to directory 
> '/etc/ipsec.d/ocspcerts'
> Oct  4 12:09:05 berglek pluto[13523]: Changing to directory 
> '/etc/ipsec.d/crls'
> Oct  4 12:09:05 berglek pluto[13523]:   Warning: empty directory
> Oct  4 12:09:05 berglek pluto[13523]:   loaded host cert file 
> '/etc/ipsec.d/certs/cert.pem' (3202 bytes)
> Oct  4 12:09:05 berglek pluto[13523]:   no subjectAltName matches ID 
> '@Gateway', replaced by subject DN
> Oct  4 12:09:05 berglek pluto[13523]:   loaded host cert file 
> '/etc/ipsec.d/certs/RouterCert.pem' (3202 bytes)
> Oct  4 12:09:05 berglek pluto[13523]:   no subjectAltName matches ID 
> '@Router', replaced by subject DN
> Oct  4 12:09:05 berglek pluto[13523]: added connection description 
> "Gateway-Router"
> Oct  4 12:09:05 berglek pluto[13523]: listening for IKE messages
> Oct  4 12:09:05 berglek pluto[13523]: adding interface eth1/eth1 
> 192.168.112.72:500
> Oct  4 12:09:05 berglek pluto[13523]: adding interface eth1/eth1 
> 192.168.112.72:4500
> Oct  4 12:09:05 berglek pluto[13523]: adding interface lo/lo 
> 127.0.0.1:500
> Oct  4 12:09:05 berglek pluto[13523]: adding interface lo/lo 
> 127.0.0.1:4500
> Oct  4 12:09:05 berglek pluto[13523]: adding interface lo/lo ::1:500
> Oct  4 12:09:05 berglek pluto[13523]: loading secrets from 
> "/etc/ipsec.secrets"
> Oct  4 12:09:05 berglek pluto[13523]:   loaded private key file 
> '/etc/ipsec.d/private/sslkey.pem' (963 bytes)
> Oct  4 12:09:05 berglek pluto[13523]: "Gateway-Router" #1: initiating 
> Main Mode
> 
> Also I post some /var/log/message information:
> 
> Oct  4 12:09:04 berglek kernel: NET: Registered protocol family 15
> Oct  4 12:09:04 berglek kernel: padlock: No VIA PadLock drivers have 
> been loaded.
> Oct  4 12:09:04 berglek kernel: Initializing XFRM netlink socket
> 
> 2.- Router box:
> 
> [/etc/ipsec.conf]
> 
> The same.
> 
> [/etc/ipsec.d/local/Gateway-Router.conf]
> 
> The same.
> 
> Also I post some /var/log/syslog information:
> 
> Oct  4 14:02:27 stroustrup kernel: NET: Registered protocol family 10
> Oct  4 14:02:27 stroustrup kernel: lo: Disabled Privacy Extensions
> Oct  4 14:02:37 stroustrup kernel: eth0: no IPv6 routers present
> Oct  4 14:08:56 stroustrup kernel: NET: Registered protocol family 15
> Oct  4 14:08:56 stroustrup kernel: padlock: VIA PadLock not detected.
> Oct  4 14:08:56 stroustrup modprobe: FATAL: Error inserting 
> padlock_aes 
> (/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-aes.ko): No 
> such device
> Oct  4 14:08:56 stroustrup kernel: padlock: VIA PadLock Hash 
> Engine not 
> detected.
> Oct  4 14:08:56 stroustrup modprobe: FATAL: Error inserting 
> padlock_sha 
> (/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No 
> such device
> Oct  4 14:08:56 stroustrup kernel: padlock: VIA PadLock Hash 
> Engine not 
> detected.
> Oct  4 14:08:56 stroustrup modprobe: FATAL: Error inserting 
> padlock_sha 
> (/lib/modules/2.6.21-2-686/kernel/drivers/crypto/padlock-sha.ko): No 
> such device
> Oct  4 14:08:56 stroustrup kernel: padlock: No VIA PadLock 
> drivers have 
> been loaded.
> Oct  4 14:08:56 stroustrup kernel: Initializing XFRM netlink socket
> Oct  4 14:08:56 stroustrup ipsec_setup: NETKEY on eth0 
> 192.168.112.71/255.255.255.0 broadcast 255.255.255.0
> Oct  4 14:08:57 stroustrup ipsec_setup: ...Openswan IPsec started
> Oct  4 14:08:57 stroustrup ipsec_setup: Starting Openswan 
> IPsec 2.4.8...
> Oct  4 14:08:57 stroustrup ipsec__plutorun: 104 "Gateway-Router" #1: 
> STATE_MAIN_I1: initiate
> Oct  4 14:08:57 stroustrup ipsec__plutorun: ...could not start conn 
> "Gateway-Router"
> 
> Also I post some /var/log/auth.log information:
> 
> Oct  4 14:08:56 stroustrup pluto[5860]: Starting Pluto 
> (Openswan Version 
> 2.4.8 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor 
> ID OE]bWX`QBruL)
> Oct  4 14:08:56 stroustrup pluto[5860]: Setting NAT-Traversal 
> port-4500 
> floating to on
> Oct  4 14:08:56 stroustrup pluto[5860]:    port floating activation 
> criteria nat_t=1/port_fload=1
> Oct  4 14:08:56 stroustrup pluto[5860]:   including 
> NAT-Traversal patch 
> (Version 0.6c)
> Oct  4 14:08:56 stroustrup pluto[5860]: ike_alg_register_enc(): 
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Oct  4 14:08:56 stroustrup pluto[5860]: no helpers will be 
> started, all 
> cryptographic operations will be done inline
> Oct  4 14:08:56 stroustrup pluto[5860]: Using NETKEY IPsec interface 
> code on 2.6.21-2-686
> Oct  4 14:08:57 stroustrup pluto[5860]: Changing to directory 
> '/etc/ipsec.d/cacerts'
> Oct  4 14:08:57 stroustrup pluto[5860]:   loaded CA cert file 
> 'cacert.pem' (1257 bytes)
> Oct  4 14:08:57 stroustrup pluto[5860]: Changing to directory 
> '/etc/ipsec.d/aacerts'
> Oct  4 14:08:57 stroustrup pluto[5860]: Changing to directory 
> '/etc/ipsec.d/ocspcerts'
> Oct  4 14:08:57 stroustrup pluto[5860]: Changing to directory 
> '/etc/ipsec.d/crls'
> Oct  4 14:08:57 stroustrup pluto[5860]:   Warning: empty directory
> Oct  4 14:08:57 stroustrup pluto[5860]:   loaded host cert file 
> '/etc/ipsec.d/certs/cert.pem' (3202 bytes)
> Oct  4 14:08:57 stroustrup pluto[5860]:   no subjectAltName 
> matches ID 
> '@Gateway', replaced by subject DN
> Oct  4 14:08:57 stroustrup pluto[5860]:   loaded host cert file 
> '/etc/ipsec.d/certs/RouterCert.pem' (3202 bytes)
> Oct  4 14:08:57 stroustrup pluto[5860]:   no subjectAltName 
> matches ID 
> '@Router', replaced by subject DN
> Oct  4 14:08:57 stroustrup pluto[5860]: added connection description 
> "Gateway-Router"
> Oct  4 14:08:57 stroustrup pluto[5860]: listening for IKE messages
> Oct  4 14:08:57 stroustrup pluto[5860]: adding interface eth0/eth0 
> 192.168.112.71:500
> Oct  4 14:08:57 stroustrup pluto[5860]: adding interface eth0/eth0 
> 192.168.112.71:4500
> Oct  4 14:08:57 stroustrup pluto[5860]: adding interface 
> lo/lo 127.0.0.1:500
> Oct  4 14:08:57 stroustrup pluto[5860]: adding interface lo/lo 
> 127.0.0.1:4500
> Oct  4 14:08:57 stroustrup pluto[5860]: adding interface lo/lo ::1:500
> Oct  4 14:08:57 stroustrup pluto[5860]: loading secrets from 
> "/etc/ipsec.secrets"
> Oct  4 14:08:57 stroustrup pluto[5860]:   loaded private key file 
> '/etc/ipsec.d/private/sslkey.pem' (951 bytes)
> Oct  4 14:08:57 stroustrup pluto[5860]: "Gateway-Router" #1: 
> initiating 
> Main Mode
> 
> Also I post some /var/log/message information:
> 
> Oct  4 14:08:56 stroustrup kernel: NET: Registered protocol family 15
> Oct  4 14:08:56 stroustrup kernel: padlock: No VIA PadLock 
> drivers have 
> been loaded.
> Oct  4 14:08:56 stroustrup kernel: Initializing XFRM netlink socket
> 
> The file /etc/ipsec.d/cacerts/cacert.pem is the same in both boxes.
> The files /etc/ipsec.d/private/sslkey.pem are different in each box.
> The files /etc/ipsec.d/certs/cert.pem and /etc/ipsec.d/certs/RouterCert.pem are different, of course.
> 
> Can anybody help me?
> 
> Thanks in advance.
> 
> Respectfully,
> 
> Jose A. Olivera.
> 
> -- 
> José Antonio Olivera Ortega
> Automóvil Conectado - Telefónica I+D 
> 
> Teléfono: 913340330 Ext. 1000
> Email: jaoo62 at tid.es
> --
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
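As an added example (my own code, not from this thread or from the Openswan project), the script below turns the checklist in the reply into something you can run against an ipsec.conf and a pluto log: it parses the conn sections, flags leftid/rightid set beside a cert (the posted auth.log shows pluto replacing those IDs with the subject DN), flags protoport=17/1701 (L2TP only), reports certs in use while /etc/ipsec.d/crls is empty (also visible in the posted log), and notices when the captured log stops at "initiating Main Mode". The conn and log samples inside are constructed from the posted message; the RSA key strings in the raw-RSA conn are placeholders, and the ipsec showhostkey --left / --right commands mentioned in the comments are the Openswan commands that print the real values for a rsasig conn.

```python
"""Added example (not from the thread or the Openswan project): lint an
Openswan ipsec.conf "conn" plus the pluto startup log for the points the
reply raises.  All sample input is constructed; key strings are placeholders."""
import re

# Constructed: the poster's cert-based conn, reduced to the relevant lines.
CERT_CONN = """\
conn Gateway-Router
        authby=rsasig
        left=192.168.112.72
        leftid=@Gateway
        leftrsasigkey=%cert
        leftcert=cert.pem
        leftprotoport=17/1701
        right=192.168.112.71
        rightid=@Router
        rightrsasigkey=%cert
        rightcert=RouterCert.pem
        rightprotoport=17/1701
"""

# Constructed: the same tunnel with raw RSA keys, as the reply suggests.  The
# key strings are placeholders; real ones come from `ipsec showhostkey --left`
# on one box and `ipsec showhostkey --right` on the other.
RAW_RSA_CONN = """\
conn Gateway-Router
        authby=rsasig
        left=192.168.112.72
        leftid=@Gateway
        leftrsasigkey=0sAQ...PLACEHOLDER-LEFT...
        right=192.168.112.71
        rightid=@Router
        rightrsasigkey=0sAQ...PLACEHOLDER-RIGHT...
"""

# Constructed from the posted auth.log (timestamps dropped); it ends at
# "initiating Main Mode", which is exactly what the reply objects to.
PLUTO_LOG = """\
pluto[13523]: Changing to directory '/etc/ipsec.d/crls'
pluto[13523]:   Warning: empty directory
pluto[13523]:   no subjectAltName matches ID '@Gateway', replaced by subject DN
pluto[13523]: added connection description "Gateway-Router"
pluto[13523]: "Gateway-Router" #1: initiating Main Mode
"""

def parse_conns(text):
    """{conn_name: {option: value}}; section headers sit in column 0."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # 'conn NAME' or 'config setup'
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
        elif current and "=" in line:          # indented option line
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def scan_pluto_log(text):
    """Facts the linter needs from pluto's startup log."""
    lines = text.splitlines()
    info = {"crl_dir_empty": False, "after_main_mode": None}
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if "'/etc/ipsec.d/crls'" in line and "empty directory" in nxt:
            info["crl_dir_empty"] = True
        if "initiating Main Mode" in line:
            info["after_main_mode"] = lines[i + 1:]   # [] means the log was cut here
    return info

def lint_conn(name, opts, crl_dir_empty):
    """Findings for one conn as (code, message) tuples."""
    findings, uses_cert = [], False
    for side in ("left", "right"):
        if opts.get(side + "rsasigkey") == "%cert" or side + "cert" in opts:
            uses_cert = True
            if side + "id" in opts:            # pluto swaps it for the cert subject DN
                findings.append(("redundant-id", f"{name}: drop {side}id when {side}cert is set"))
        if opts.get(side + "protoport") == "17/1701":   # UDP 1701 is L2TP only
            findings.append(("l2tp-protoport", f"{name}: {side}protoport=17/1701 limits the SA to L2TP"))
    if uses_cert and crl_dir_empty:
        findings.append(("no-crl", f"{name}: certs in use but /etc/ipsec.d/crls is empty; no revocation check"))
    return findings

def lint(config_text, log_text):
    """Lint every conn in config_text against the facts in log_text."""
    log = scan_pluto_log(log_text)
    findings = []
    for name, opts in parse_conns(config_text).items():
        findings.extend(lint_conn(name, opts, log["crl_dir_empty"]))
    if log["after_main_mode"] == []:
        findings.append(("log-truncated", "log stops at 'initiating Main Mode'; the lines after it show the failure"))
    return findings

if __name__ == "__main__":   # prints the findings for both sample conns
    for conf in (CERT_CONN, RAW_RSA_CONN):
        print(lint(conf, PLUTO_LOG))
```

Run against the poster's conn the linter reports both redundant IDs, both L2TP protoports, the missing CRLs and the truncated log; against the raw-RSA conn only the truncated log remains. Feed it the real ipsec.conf and the auth.log captured past "initiating Main Mode" and that last finding disappears too, leaving the lines that actually explain the failure.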
