[Openswan Users] L2TP response unencrypted

BUI18 lbui18 at yahoo.com
Mon Apr 7 14:11:13 EDT 2008


Jacco -

I made some progress based on your suggestion, but not completely there.

Here's the new ipsec.conf

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.23.0/24
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
# Add connections here
conn DIR130-JON
        # Left security gateway, subnet behind it, nexthop toward right.
        #left=66.27.a.b
        left=192.168.23.23
        leftsubnet=192.168.23.0/24
        #leftnexthop=24.25.c.d
        leftnexthop=66.27.a.b
        # Right security gateway, subnet behind it, nexthop toward left.
        right=66.27.f.g
        rightsubnet=192.168.99.0/24
        #rightnexthop=66.27.e.1
        keyexchange=ike
        ikelifetime=480m
        keylife=3600s
        pfs=yes
        compress=no
        authby=secret
        keyingtries=0
        auto=start

Here's "ipsec auto --status"

000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "DIR130-JON": 192.168.23.0/24===192.168.23.23---66.27.82.147...66.27.113.46===192.168.99.0/24; prospective erouted; eroute owner: #0
000 "DIR130-JON":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "DIR130-JON":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "DIR130-JON":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; 
000 "DIR130-JON":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000  
000 #1: "DIR130-JON":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "DIR130-JON" replacing #0
000

You can see that it made it through Phase 1, but is choking on Phase 2.

Here's auth.log output:

 started looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK
Apr  7 10:57:19 localhost pluto[23888]: | actually looking for secret for 192.168.23.23->66.27.f.g of kind PPK_PSK
Apr  7 10:57:19 localhost pluto[23888]: | 1: compared PSK 66.27.f.g to 192.168.23.23 / 66.27.f.g -> 2
Apr  7 10:57:19 localhost pluto[23888]: | 2: compared PSK 66.27.a.b to 192.168.23.23 / 66.27.f.g -> 2
Apr  7 10:57:19 localhost pluto[23888]: | concluding with best_match=0 best=(nil) (lineno=-1)
Apr  7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: Can't authenticate: no preshared key found for `192.168.23.23' and `66.27.f.g'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Apr  7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: no acceptable Oakley Transform
Apr  7 10:57:19 localhost pluto[23888]: | complete state transition with (null)
Apr  7 10:57:19 localhost pluto[23888]: "DIR130-JON" #1: sending notification NO_PROPOSAL_CHOSEN to 66.27.113.46:500
Apr  7 10:57:19 localhost pluto[23888]: | **emit ISAKMP Message:
Apr  7 10:57:19 localhost pluto[23888]: |    initiator cookie:
Apr  7 10:57:19 localhost pluto[23888]: |   0c c5 00 e5  e4 aa 6c ff
Apr  7 10:57:19 localhost pluto[23888]: |    responder cookie:
Apr  7 10:57:19 localhost pluto[23888]: |   00 00 00 00  00 00 00 00
Apr  7 10:57:19 localhost pluto[23888]: |    next payload type: ISAKMP_NEXT_N
Apr  7 10:57:19 localhost pluto[23888]: |    ISAKMP version: ISAKMP Version 1.0
Apr  7 10:57:19 localhost pluto[23888]: |    exchange type: ISAKMP_XCHG_INFO
Apr  7 10:57:19 localhost pluto[23888]: |    flags: none
Apr  7 10:57:19 localhost pluto[23888]: |    message ID:  00 00 00 00
Apr  7 10:57:19 localhost pluto[23888]: | ***emit ISAKMP Notification Payload:
Apr  7 10:57:19 localhost pluto[23888]: |    next payload type: ISAKMP_NEXT_NONE
Apr  7 10:57:19 localhost pluto[23888]: |    DOI: ISAKMP_DOI_IPSEC
Apr  7 10:57:19 localhost pluto[23888]: |    protocol ID: 1
Apr  7 10:57:19 localhost pluto[23888]: |    SPI size: 0
Apr  7 10:57:19 localhost pluto[23888]: |    Notify Message Type: NO_PROPOSAL_CHOSEN
Apr  7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Notification Payload: 12
Apr  7 10:57:19 localhost pluto[23888]: | emitting length of ISAKMP Message: 40
Apr  7 10:57:19 localhost pluto[23888]: | sending 40 bytes for notification packet through eth0:500 to 66.27.f.g:500:
Apr  7 10:57:19 localhost pluto[23888]: |   0c c5 00 e5  e4 aa 6c ff  00 00 00 00  00 00 00 00
Apr  7 10:57:19 localhost pluto[23888]: |   0b 10 05 00  00 00 00 00  00 00 00 28  00 00 00 0c
Apr  7 10:57:19 localhost pluto[23888]: |   00 00 00 01  01 00 00 0e
Apr  7 10:57:19 localhost pluto[23888]: | state transition function for STATE_MAIN_I1 failed: NO_PROPOSAL_CHOSEN
Apr  7 10:57:19 localhost pluto[23888]: | next event EVENT_PENDING_PHASE2 in 103 seconds

Not sure what's happening here... something about the authentication. Any ideas?

thx
----- Original Message ----
From: Jacco de Leeuw <jacco2 at dds.nl>
To: users at openswan.org
Sent: Monday, April 7, 2008 10:47:22 AM
Subject: Re: [Openswan Users] L2TP response unencrypted

Peter Laczko wrote:

> At the bottom of the message I pasted the log. It shows the starting of
> openswan, a connection attempt, and eventually the time-out and
> disconnection from the client side.

Does the problem also occur with Openswan 2.4.12?

> What is an 'ipsec barf'?

man ipsec_barf

In short, it dumps everything except for the key material to a text file
for further inspection. E.g. run 'ipsec barf > output.txt'

Jacco
-- 
Jacco de Leeuw                        mailto:jacco2 at dds.nl
Zaandam, The Netherlands          http://www.jacco2.dds.nl
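Pluto's log above lists each secrets entry it compared against the address pair 192.168.23.23 / 66.27.f.g and the resulting match value before concluding "no preshared key found". The following is an added illustration (my own code, not Openswan's) of that lookup over a constructed ipsec.secrets; the match bit values (2 = only the peer's ID matched, 4 = only our own ID, 1 = a default entry with no IDs) are my reading of pluto's output and should be treated as an assumption. It shows why an entry keyed on the gateway's public address cannot satisfy a lookup whose local identity is the private `left=` address.

```python
# Constructed ipsec.secrets content for illustration, reusing the redacted
# addresses from the thread; this is not the poster's real file.
SECRETS_TEXT = '''
# public addresses of both gateways
66.27.a.b 66.27.f.g : PSK "example-psk-one"
# remote gateway only
66.27.f.g : PSK "example-psk-two"
'''

# Match bits as they appear in pluto's "compared PSK ... -> N" lines
# (my reading of the lookup, stated here as an assumption).
MATCH_DEFAULT, MATCH_HIM, MATCH_ME = 1, 2, 4


def parse_secrets(text):
    """Return (ids, kind, secret) for each '<ids> : KIND "secret"' line."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        lhs, rhs = line.split(':', 1)
        kind, _, secret = rhs.strip().partition(' ')
        entries.append((lhs.split(), kind, secret.strip().strip('"')))
    return entries


def match_score(ids, me, him):
    """An ID-less entry is a default (1); otherwise OR in 2 when the peer's ID
    is listed and 4 when our own ID is listed. The log's '-> 2' is peer-only."""
    if not ids:
        return MATCH_DEFAULT
    score = 0
    if him in ids or '%any' in ids:
        score |= MATCH_HIM
    if me in ids or '%any' in ids:
        score |= MATCH_ME
    return score


def find_psk(entries, me, him):
    """Pick the PSK pluto would use: an entry naming both sides wins, a bare
    default is the fallback, anything else ends in 'no preshared key found'."""
    best, best_score = None, 0
    for ids, kind, secret in entries:
        score = match_score(ids, me, him)
        if kind == 'PSK' and score in (MATCH_DEFAULT, MATCH_HIM | MATCH_ME):
            if score > best_score:
                best, best_score = secret, score
    return best
```

Running `find_psk(parse_secrets(SECRETS_TEXT), '192.168.23.23', '66.27.f.g')` returns None, matching the log; the same lookup with the local ID set to the public address, or with an entry that names 192.168.23.23, succeeds.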