[Openswan Users] IPSec SA established , but not able to ping or get IP

John Joseph jjk_saji at yahoo.com
Thu Apr 24 05:00:33 EDT 2008



Hi All
   I am trying to do IPsec with PSK for a road warrior. I do not want to use l2tpd.
   My gateway has the following IPs:
	eth0	192.168.21.215
	eth1	10.20.20.1

   My road warrior has:
	eth0	10.20.20.2

  After I run ipsec, I get the message "IPsec SA established", but from the road warrior I:
(1) Did not get another interface or IP from 192.168.21.X
(2) Cannot ping any IP in the other subnet (192.168.21.X)

I am adding the ipsec.conf of both the GW and the road warrior, and also part of the ipsec barf from the road warrior.
Advice requested on how to troubleshoot further so that my road warrior can ping the other host.




##########
(1) ipsec.conf of Gateway
##
conn %default
        keyingtries=1
        compress=yes
        authby=secret


conn road
        left=10.20.20.1                 # Gateway's information
        leftsubnet=192.168.21.0/24      #
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=0sAQPIPN9uI...   #
        right=10.20.20.2                # Remote information
        #rightid=@xy.example.com        #
        #rightrsasigkey=0sAQOnwiBPt...  #
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup


conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

###############
(2) ipsec.conf of road warrior
###
conn %default
        keyingtries=1
        compress=yes
        authby=secret


conn road
        left=%defaultroute              # Picks up our dynamic IP
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=0sAQPIPN9uI...   #
        right=10.20.20.1                # Remote information
        rightsubnet=192.168.21.0/24     #
        #rightid=@xy.example.com        #
        #rightrsasigkey=0sAQOnwiBPt...  #
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup


conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

########################
part of ipsec barf

##########

_________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.20.20.2
000 interface eth0/eth0 10.20.20.2
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "road": 10.20.20.2...10.20.20.1===192.168.21.0/24; erouted; eroute owner: #2
000 "road":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "road":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0; 
000 "road":   newest ISAKMP SA: #1; newest IPsec SA: #2; 
000 "road":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000  
000 #2: "road":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27852s; newest IPSEC; eroute owner
000 #2: "road" esp.c82d0ce7@10.20.20.1 esp.9bfa9de8@10.20.20.2 comp.2b25@10.20.20.1 comp.b9c@10.20.20.2 tun.0@10.20.20.1 tun.0@10.20.20.2
000 #1: "road":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2868s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000  
+ 

####################

+ _________________________ ip-route-list
+ ip route list
192.168.21.0/24 dev eth0  scope link 
10.20.20.0/24 dev eth0  proto kernel  scope link  src 10.20.20.2 
169.254.0.0/16 dev eth0  scope link 
default via 10.20.20.1 dev eth0 
+ _________________________ ip-rule-list
+ ip rule list
0:	from all lookup local 
32766:	from all lookup main 
32767:	from all lookup default 
###############################

IPSEC.conf for the road warrior
ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	# plutodebug="control parsing"
	nat_traversal=yes

#include /etc/ipsec.d/*.conf

#< /etc/ipsec.d/examples/ipsec-client.conf 1
conn %default
        keyingtries=1
        compress=yes
        authby=secret


conn road
        left=%defaultroute              # Picks up our dynamic IP
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=[keyid AQPIPN9uI]
        right=10.20.20.1                # Remote information
        rightsubnet=192.168.21.0/24     #
        #rightid=@xy.example.com        #
        #rightrsasigkey=[keyid AQOnwiBPt]
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup


conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


#####################################################

Contents of /var/log/messages and /var/log/secure


Apr 24 09:51:41 VPN-10-20 ipsec: Starting Openswan IPsec 2.4.5...
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/net/key/af_key.ko 
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/net/ipv4/xfrm4_tunnel.ko
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/drivers/char/hw_random.ko
Apr 24 09:51:42 VPN-10-20 ipsec: FATAL: Error inserting hw_random (/lib/modules/2.6.9-42.EL/kernel/drivers/char/hw_random.ko): No such device
Apr 24 09:51:42 VPN-10-20 ipsec_setup: KLIPS ipsec0 on eth0 10.20.20.2/255.255.255.0 broadcast 10.20.20.255 
Apr 24 09:51:42 VPN-10-20 ipsec_setup: ...Openswan IPsec started
Apr 24 09:51:42 VPN-10-20 ipsec: Starting IPsec: succeeded
+ _________________________ plog
+ sed -n '664,$p' /var/log/secure
+ case "$1" in
+ cat
+ egrep -i pluto
Apr 24 09:51:42 VPN-10-20 ipsec__plutorun: Starting Pluto subsystem...
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp@c)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Setting NAT-Traversal port-4500 floating to on
Apr 24 09:51:42 VPN-10-20 pluto[3860]:    port floating activation criteria nat_t=1/port_fload=1
Apr 24 09:51:42 VPN-10-20 pluto[3860]:   including NAT-Traversal patch (Version 0.6c)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: starting up 1 cryptographic helpers
Apr 24 09:51:42 VPN-10-20 pluto[3860]: started helper pid=3865 (fd:6)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Using Linux 2.6 IPsec interface code on 2.6.9-42.EL
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Could not change to directory '/etc/ipsec.d/aacerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/crls'
Apr 24 09:51:43 VPN-10-20 pluto[3860]:   Warning: empty directory
Apr 24 09:51:43 VPN-10-20 pluto[3860]: added connection description "road"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: listening for IKE messages
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface eth0/eth0 10.20.20.2:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface eth0/eth0 10.20.20.2:4500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo 127.0.0.1:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo 127.0.0.1:4500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo ::1:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.secrets"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: initiating Main Mode
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [Openswan (this version) 2.4.5  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [Dead Peer Detection]
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [RFC 3947] method set to=110 
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: enabling possible NAT-traversal with method 3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: I did not send a certificate because I do not have one.
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: NAT-Traversal: Result using 3: no NAT detected
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: Main mode peer ID is ID_IPV4_ADDR: '10.20.20.1'
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc82d0ce7 <0x9bfa9de8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00002b25 <0x00000b9c NATD=none DPD=none}
+ _________________________ date
+ date
Thu Apr 24 09:53:19 GST 2008
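An added example, not from the original post or from Openswan: a small Python parser for the `ipsec auto --status` conn and SA lines quoted above (re-joined where the mail client wrapped them) that reports, per conn, whether the ISAKMP and IPsec SAs are up and the eroute is installed, and names the next thing to check when the SA is up but no traffic flows. It assumes the Openswan 2.4 status line layout shown in the post; the helper names (`_split_end`, `diagnose`) and the hint wording are mine.

```python
import re

# Constructed sample: the conn and SA state lines from the `ipsec auto --status` output quoted above.
SAMPLE_STATUS = """\
000 "road": 10.20.20.2...10.20.20.1===192.168.21.0/24; erouted; eroute owner: #2
000 #2: "road":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27852s; newest IPSEC; eroute owner
000 #1: "road":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2868s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""

# Conn line: 000 "name": [leftsubnet===]left...right[===rightsubnet]; <route state>; ...
CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<ends>\S+\.\.\.\S+?);(?P<rest>.*)$')
# SA line: 000 #n: "name":port STATE_xxx (description); ...
STATE_RE = re.compile(r'^000 #\d+: "(?P<name>[^"]+)":\d+ STATE_\w+ \((?P<desc>[^)]*)\)')


def _split_end(spec, subnet_first):
    """'10.20.20.1===192.168.21.0/24' -> ('10.20.20.1', '192.168.21.0/24'); a bare host -> (host, None)."""
    parts = spec.split('===', 1)
    if len(parts) == 1:
        return parts[0], None
    return (parts[1], parts[0]) if subnet_first else (parts[0], parts[1])


def diagnose(status_text):
    """Per conn: endpoints, which SAs are up, whether the eroute is installed, and what to check next."""
    conns = {}
    for line in status_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            left, right = m.group('ends').split('...', 1)
            lhost, lsub = _split_end(left, subnet_first=True)
            rhost, rsub = _split_end(right, subnet_first=False)
            conns[m.group('name')] = {'left': lhost, 'leftsubnet': lsub, 'right': rhost,
                                      'rightsubnet': rsub, 'isakmp': False, 'ipsec': False, 'hints': [],
                                      'erouted': m.group('rest').lstrip().startswith('erouted')}
            continue
        m = STATE_RE.match(line)
        if m and m.group('name') in conns:
            c = conns[m.group('name')]
            c['isakmp'] |= 'ISAKMP SA established' in m.group('desc')
            c['ipsec'] |= 'IPsec SA established' in m.group('desc')
    for c in conns.values():
        if not c['isakmp']:
            c['hints'].append('phase 1 not up: check the PSK and peer IDs in the pluto log')
        elif not c['ipsec']:
            c['hints'].append('phase 2 not up: compare subnets and proposals on both ends')
        elif not c['erouted']:
            c['hints'].append('IPsec SA up but no eroute installed: check the _updown script and kernel policy')
        elif c['leftsubnet'] is None:   # tunnel endpoint is this host itself: no virtual IP is handed out
            c['hints'].append('tunnel is up; packets leave sourced from %s, so hosts in %s need a return route '
                              'to it via the gateway, and the gateway needs ip_forward=1' % (c['left'], c['rightsubnet']))
    return conns
```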





