[Openswan Users] Users Digest, Vol 53, Issue 45
Mohamed Mydeen.A
mohamedmydeen.a at jasmin-infotech.com
Fri Apr 25 00:45:13 EDT 2008
I think NAT-T has not yet been enabled even if you added nat_traversal=yes
in your ipsec.conf.
Check the other end of your tunnel for NAT-T. Both ends should have NAT-T.
Once you get the IPsec SA established message, you will find NATD=somepublicip
or gatewayip. If NAT-T is not enabled, then you will get NATD=none. See
your logs below. Hope this is the problem in your case.
------------------------------------------------------------------------
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc82d0ce7 <0x9bfa9de8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00002b25 <0x00000b9c NATD=none DPD=none}
+ _________________________ date
+ date
Thu Apr 24 09:53:19 GST
------------------------------------------------------------------------
Regards,
Mohamed Mydeen A
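An added example (not from the thread or from Openswan): a small Python parser for the pluto lines quoted in this digest. It pulls out the NAT-T detection result and the parameters of the ISAKMP and IPsec SAs, then lists what a tunnel operator would check first. SAMPLE_LOG is the thread's own log lines re-joined onto single lines; the LEGACY table of algorithms worth flagging is my own assumption.

```python
import re

# Constructed sample input: the pluto lines quoted in this thread, re-joined (the digest wrapped them).
SAMPLE_LOG = """\
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: enabling possible NAT-traversal with method 3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: NAT-Traversal: Result using 3: no NAT detected
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc82d0ce7 <0x9bfa9de8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00002b25 <0x00000b9c NATD=none DPD=none}
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
# Assumed list of IKE parameters an operator would want flagged as legacy.
LEGACY = {'oakley_3des_cbc_192': '3DES', 'oakley_md5': 'MD5', 'modp1024': 'DH group 2'}

def _fields(msg):
    """Turn the '{k=v ...}' tail of an 'SA established' line into a dict (SPI tokens use '=>' and are skipped)."""
    body = msg[msg.index('{') + 1:msg.rindex('}')]
    pairs = (tok.split('=', 1) for tok in body.split() if '=' in tok and '=>' not in tok)
    return {k: v for k, v in pairs}

def parse_pluto(text):
    """Per-connection summary: NAT detection result plus ISAKMP and IPsec SA parameters."""
    conns = {}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        c = conns.setdefault(m.group('conn'), {'nat_detected': None, 'isakmp': None, 'ipsec': None})
        msg = m.group('msg')
        if 'NAT-Traversal: Result' in msg:
            c['nat_detected'] = 'no NAT detected' not in msg
        elif 'ISAKMP SA established' in msg:
            c['isakmp'] = _fields(msg)
        elif 'IPsec SA established' in msg:
            c['ipsec'] = _fields(msg)
    return conns

def findings(conn):
    """Checks a tunnel operator would want from one connection's summary."""
    out = []
    if conn['ipsec'] is None:
        return ['no IPsec SA established']
    natd = conn['ipsec'].get('NATD')
    if natd == 'none':
        out.append('NATD=none: the peers detected no NAT between them, so ESP is not UDP-encapsulated')
    else:
        out.append('NAT-T in use, NAT-D peer address %s' % natd)
    if conn['ipsec'].get('DPD') == 'none':
        out.append('DPD=none: dead peer detection not negotiated, a dead peer will not be noticed quickly')
    for v in (conn['isakmp'] or {}).values():
        if v in LEGACY:
            out.append('legacy IKE algorithm negotiated: %s' % LEGACY[v])
    return out
```

Run it over the output of `egrep pluto /var/log/secure` on the road warrior; the 3DES/MD5 findings come from the IKE proposal this thread's peers agreed on.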
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of users-request at openswan.org
Sent: Thursday, April 24, 2008 9:30 PM
To: users at openswan.org
Subject: Users Digest, Vol 53, Issue 45
Send Users mailing list submissions to
users at openswan.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.openswan.org/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
users-request at openswan.org
You can reach the person managing the list at
users-owner at openswan.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Users digest..."
Today's Topics:
1. IPSec SA established , but not able to ping or get IP (John Joseph)
----------------------------------------------------------------------
Message: 1
Date: Thu, 24 Apr 2008 10:00:33 +0100 (BST)
From: John Joseph <jjk_saji at yahoo.com>
Subject: [Openswan Users] IPSec SA established , but not able to ping or get IP
To: users at openswan.org
Message-ID: <158554.58595.qm at web55507.mail.re4.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1
Hi All,
I am trying to do IPsec with PSK for a road warrior. I do not want to use l2tpd.
My gateway has the following IPs:
eth0 192.168.21.215
eth1 10.20.20.1
My road warrior has:
eth0 10.20.20.2
After I run ipsec, I get the message "IPsec SA established", but on the road warrior I:
(1) Did not get another interface or IP from 192.168.21.X
(2) Cannot ping any IP on the other subnet (192.168.21.X)
I am adding the ipsec.conf of both the GW and the road warrior, and also part of ipsec barf from the road warrior.
Advice requested on how to troubleshoot further so that my road warrior can ping the other host.
##########
(1) ipsec.conf of Gateway
##
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=10.20.20.1                 # Gateway's information
        leftsubnet=192.168.21.0/24      #
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=0sAQPIPN9uI...   #
        right=10.20.20.2                # Remote information
        #rightid=@xy.example.com        #
        #rightrsasigkey=0sAQOnwiBPt...  #
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup

conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
###############
(2) ipsec.conf of road warrior
###
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=%defaultroute              # Picks up our dynamic IP
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=0sAQPIPN9uI...   #
        right=10.20.20.1                # Remote information
        rightsubnet=192.168.21.0/24     #
        #rightid=@xy.example.com        #
        #rightrsasigkey=0sAQOnwiBPt...  #
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup

conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
########################
part of ipsec barf
##########
+ _________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.20.20.2
000 interface eth0/eth0 10.20.20.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "road": 10.20.20.2...10.20.20.1===192.168.21.0/24; erouted; eroute owner: #2
000 "road": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "road": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "road": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
000 "road": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "road": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "road":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27852s; newest IPSEC; eroute owner
000 #2: "road" esp.c82d0ce7@10.20.20.1 esp.9bfa9de8@10.20.20.2 comp.2b25@10.20.20.1 comp.b9c@10.20.20.2 tun.0@10.20.20.1 tun.0@10.20.20.2
000 #1: "road":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2868s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
+
####################
+ _________________________ ip-route-list
+ ip route list
192.168.21.0/24 dev eth0 scope link
10.20.20.0/24 dev eth0 proto kernel scope link src 10.20.20.2
169.254.0.0/16 dev eth0 scope link
default via 10.20.20.1 dev eth0
+ _________________________ ip-rule-list
+ ip rule list
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
###############################
ipsec.conf for the road warrior (as shown by ipsec barf)
ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        nat_traversal=yes

#include /etc/ipsec.d/*.conf
#< /etc/ipsec.d/examples/ipsec-client.conf 1
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=%defaultroute              # Picks up our dynamic IP
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=[keyid AQPIPN9uI]
        right=10.20.20.1                # Remote information
        rightsubnet=192.168.21.0/24     #
        #rightid=@xy.example.com        #
        #rightrsasigkey=[keyid AQOnwiBPt]
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup

conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore
#####################################################
contents of /var/log/message and /var/log/secure
Apr 24 09:51:41 VPN-10-20 ipsec: Starting Openswan IPsec 2.4.5...
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/net/key/af_key.ko
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/net/ipv4/xfrm4_tunnel.ko
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/drivers/char/hw_random.ko
Apr 24 09:51:42 VPN-10-20 ipsec: FATAL: Error inserting hw_random (/lib/modules/2.6.9-42.EL/kernel/drivers/char/hw_random.ko): No such device
Apr 24 09:51:42 VPN-10-20 ipsec_setup: KLIPS ipsec0 on eth0 10.20.20.2/255.255.255.0 broadcast 10.20.20.255
Apr 24 09:51:42 VPN-10-20 ipsec_setup: ...Openswan IPsec started
Apr 24 09:51:42 VPN-10-20 ipsec: Starting IPsec: succeeded
+ _________________________ plog
+ sed -n '664,$p' /var/log/secure
+ case "$1" in
+ cat
+ egrep -i pluto
Apr 24 09:51:42 VPN-10-20 ipsec__plutorun: Starting Pluto subsystem...
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp@c)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Setting NAT-Traversal port-4500 floating to on
Apr 24 09:51:42 VPN-10-20 pluto[3860]: port floating activation criteria nat_t=1/port_fload=1
Apr 24 09:51:42 VPN-10-20 pluto[3860]: including NAT-Traversal patch (Version 0.6c)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: starting up 1 cryptographic helpers
Apr 24 09:51:42 VPN-10-20 pluto[3860]: started helper pid=3865 (fd:6)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Using Linux 2.6 IPsec interface code on 2.6.9-42.EL
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Could not change to directory '/etc/ipsec.d/aacerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/crls'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Warning: empty directory
Apr 24 09:51:43 VPN-10-20 pluto[3860]: added connection description "road"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: listening for IKE messages
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface eth0/eth0 10.20.20.2:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface eth0/eth0 10.20.20.2:4500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo 127.0.0.1:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo 127.0.0.1:4500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo ::1:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.secrets"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: initiating Main Mode
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [Openswan (this version) 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [Dead Peer Detection]
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [RFC 3947] method set to=110
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: enabling possible NAT-traversal with method 3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: I did not send a certificate because I do not have one.
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: NAT-Traversal: Result using 3: no NAT detected
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: Main mode peer ID is ID_IPV4_ADDR: '10.20.20.1'
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc82d0ce7 <0x9bfa9de8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00002b25 <0x00000b9c NATD=none DPD=none}
+ _________________________ date
+ date
Thu Apr 24 09:53:19 GST 2008
------------------------------
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
End of Users Digest, Vol 53, Issue 45
*************************************