[Openswan Users] Users Digest, Vol 53, Issue 45

Mohamed Mydeen.A mohamedmydeen.a at jasmin-infotech.com
Fri Apr 25 00:45:13 EDT 2008


I think NAT-T has not yet been enabled even if you added nat_traversal=yes
in your ipsec.conf.

Check the other end of your tunnel for NAT-T. Both ends should have NAT-T.
Once you get the "IPsec SA established" message, you will find NATD=somepublicip
or gatewayip. If NAT-T is not enabled, then you will get NATD=none. See
your logs below. I hope this is the problem in your case.

------------------------------------------------------------------------

Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc82d0ce7 <0x9bfa9de8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00002b25 <0x00000b9c NATD=none DPD=none}
+ _________________________ date
+ date
Thu Apr 24 09:53:19 GST

------------------------------------------------------------------------

Regards,

Mohamed Mydeen A
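As an added example (not part of the list post, and not Openswan's own code), here is a small Python parser that pulls the NATD= field out of pluto's "IPsec SA established" line and puts it next to the Phase 1 "NAT-Traversal: Result" line from the same log. The sample input reuses the pluto lines quoted further down in this message; the extra "IPsec SA established" line for a connection named nat-example, with its NATD value, is constructed here to show what a NAT-T negotiation looks like and does not come from the post. The posted log also carries the line "NAT-Traversal: Result using 3: no NAT detected", so the parser reports both values side by side rather than NATD alone.

```python
import re

# Sample input. The "road" lines are copied from the pluto log quoted in the
# post below; the "nat-example" line is constructed for this example and is
# not from the post (NATD=ip:port is the form pluto prints when NAT-T is used).
SAMPLE_LOG = """\
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [RFC 3947] method set to=110
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: enabling possible NAT-traversal with method 3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: NAT-Traversal: Result using 3: no NAT detected
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc82d0ce7 <0x9bfa9de8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00002b25 <0x00000b9c NATD=none DPD=none}
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "nat-example" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0a1b2c3d <0x4e5f6a7b xfrm=AES_0-HMAC_SHA1 NATD=203.0.113.5:4500 DPD=none}
"""

# Phase 2 line: conn name, SA number and the {...} attribute block.
SA_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): .*IPsec SA established \{(?P<attrs>[^}]*)\}'
)
# Phase 1 line: what the NAT-T probe concluded for this connection.
NATT_RESULT_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: NAT-Traversal: Result using \d+: (?P<result>.+?)\s*$'
)


def parse_ipsec_sa(line):
    """Return the fields of an 'IPsec SA established' line as a dict, or None."""
    m = SA_RE.search(line)
    if not m:
        return None
    attrs = {"conn": m.group("conn"), "sa": int(m.group("sa"))}
    body = m.group("attrs")
    # ESP=>0x... <0x... : outbound SPI first, then inbound SPI.
    esp = re.search(r"ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)", body)
    if esp:
        attrs["esp_out"], attrs["esp_in"] = esp.group(1), esp.group(2)
    comp = re.search(r"IPCOMP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)", body)
    if comp:
        attrs["ipcomp_out"], attrs["ipcomp_in"] = comp.group(1), comp.group(2)
    for key in ("xfrm", "NATD", "DPD"):
        kv = re.search(r"\b%s=(\S+)" % key, body)
        if kv:
            attrs[key] = kv.group(1)
    return attrs


def natt_report(log_text):
    """Summarise NAT-T per connection: Phase 1 probe result plus Phase 2 NATD.

    NATD=none only says that no NAT-T encapsulation is in use for the SA; the
    Phase 1 result line says why (e.g. 'no NAT detected'), so both are kept.
    """
    report = {}
    for line in log_text.splitlines():
        r = NATT_RESULT_RE.search(line)
        if r:
            report.setdefault(r.group("conn"), {})["phase1_result"] = r.group("result")
            continue
        sa = parse_ipsec_sa(line)
        if sa:
            entry = report.setdefault(sa["conn"], {})
            entry["natd"] = sa.get("NATD")
            entry["esp"] = (sa.get("esp_out"), sa.get("esp_in"))
            entry["ipcomp"] = "ipcomp_out" in sa
    for entry in report.values():
        entry["natt_in_use"] = entry.get("natd") not in (None, "none")
    return report


if __name__ == "__main__":
    for conn, info in natt_report(SAMPLE_LOG).items():
        print(conn, info)
```

Run it against the pluto lines from /var/log/secure (the barf output above already filters them with egrep -i pluto); a connection whose Phase 1 result says "no NAT detected" will show NATD=none on the IPsec SA no matter what nat_traversal= is set to on either side.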

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of users-request at openswan.org
Sent: Thursday, April 24, 2008 9:30 PM
To: users at openswan.org
Subject: Users Digest, Vol 53, Issue 45

 


Today's Topics:

   1. IPSec SA established, but not able to ping or get IP (John Joseph)

----------------------------------------------------------------------

 

Message: 1
Date: Thu, 24 Apr 2008 10:00:33 +0100 (BST)
From: John Joseph <jjk_saji at yahoo.com>
Subject: [Openswan Users] IPSec SA established, but not able to ping or get IP
To: users at openswan.org
Message-ID: <158554.58595.qm at web55507.mail.re4.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1


Hi All

   I am trying to do IPsec with PSK for a road warrior. I do not want to use l2tpd.

   My gateway has the following IPs:
      eth0  192.168.21.215
      eth1  10.20.20.1

   My road warrior has:
      eth0  10.20.20.2

   After I run ipsec, I get the message "IPsec SA established", but from the road warrior I:
   (1) did not get another interface or IP from 192.168.21.X
   (2) cannot ping any IP on the other subnet (192.168.21.X)

   I am adding the ipsec.conf of both the GW and the road warrior, and also
   part of ipsec barf from the road warrior.
   Advice requested on how to troubleshoot further so that my road warrior
   can ping the other host.


##########
(1) ipsec.conf of Gateway
##
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=10.20.20.1                 # Gateway's information
        leftsubnet=192.168.21.0/24      #
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=0sAQPIPN9uI...   #
        right=10.20.20.2                # Remote information
        #rightid=@xy.example.com        #
        #rightrsasigkey=0sAQOnwiBPt...  #
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


###############
ipsec.conf of road warrior
###
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=%defaultroute              # Picks up our dynamic IP
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=0sAQPIPN9uI...   #
        right=10.20.20.1                # Remote information
        rightsubnet=192.168.21.0/24     #
        #rightid=@xy.example.com        #
        #rightrsasigkey=0sAQOnwiBPt...  #
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


########################
part of ipsec barf
##########

_________________________ ipsec/status
+ ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.20.20.2
000 interface eth0/eth0 10.20.20.2
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "road": 10.20.20.2...10.20.20.1===192.168.21.0/24; erouted; eroute owner: #2
000 "road":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "road":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "road":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0; 
000 "road":   newest ISAKMP SA: #1; newest IPsec SA: #2; 
000 "road":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000  
000 #2: "road":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27852s; newest IPSEC; eroute owner
000 #2: "road" esp.c82d0ce7@10.20.20.1 esp.9bfa9de8@10.20.20.2 comp.2b25@10.20.20.1 comp.b9c@10.20.20.2 tun.0@10.20.20.1 tun.0@10.20.20.2
000 #1: "road":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2868s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000  
+ 


 

####################

+ _________________________ ip-route-list
+ ip route list
192.168.21.0/24 dev eth0  scope link 
10.20.20.0/24 dev eth0  proto kernel  scope link  src 10.20.20.2 
169.254.0.0/16 dev eth0  scope link 
default via 10.20.20.1 dev eth0 
+ _________________________ ip-rule-list
+ ip rule list
0:    from all lookup local 
32766:      from all lookup main 
32767:      from all lookup default 
###############################

 

ipsec.conf for the road warrior

ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version     2.0   # conforms to second version of ipsec.conf specification

# basic configuration
config setup
      # Debug-logging controls:  "none" for (almost) none, "all" for lots.
      # klipsdebug=none
      # plutodebug="control parsing"
      nat_traversal=yes

#include /etc/ipsec.d/*.conf

#< /etc/ipsec.d/examples/ipsec-client.conf 1
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=%defaultroute              # Picks up our dynamic IP
        #leftid=@road.example.com       # Local information
        #leftrsasigkey=[keyid AQPIPN9uI]
        right=10.20.20.1                # Remote information
        rightsubnet=192.168.21.0/24     #
        #rightid=@xy.example.com        #
        #rightrsasigkey=[keyid AQOnwiBPt]
        auto=add                        # authorizes but doesn't start this
        authby=secret                   # connection at startup

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore


#####################################################

contents of /var/log/messages and /var/log/secure

Apr 24 09:51:41 VPN-10-20 ipsec: Starting Openswan IPsec 2.4.5...
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/net/key/af_key.ko 
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/net/ipv4/xfrm4_tunnel.ko
Apr 24 09:51:42 VPN-10-20 ipsec: insmod /lib/modules/2.6.9-42.EL/kernel/drivers/char/hw_random.ko
Apr 24 09:51:42 VPN-10-20 ipsec: FATAL: Error inserting hw_random (/lib/modules/2.6.9-42.EL/kernel/drivers/char/hw_random.ko): No such device
Apr 24 09:51:42 VPN-10-20 ipsec_setup: KLIPS ipsec0 on eth0 10.20.20.2/255.255.255.0 broadcast 10.20.20.255 
Apr 24 09:51:42 VPN-10-20 ipsec_setup: ...Openswan IPsec started
Apr 24 09:51:42 VPN-10-20 ipsec: Starting IPsec: succeeded

+ _________________________ plog
+ sed -n '664,$p' /var/log/secure
+ case "$1" in
+ cat
+ egrep -i pluto
Apr 24 09:51:42 VPN-10-20 ipsec__plutorun: Starting Pluto subsystem...
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Starting Pluto (Openswan Version 2.4.5 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEnMCu\177xOp at c)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Setting NAT-Traversal port-4500 floating to on
Apr 24 09:51:42 VPN-10-20 pluto[3860]:    port floating activation criteria nat_t=1/port_fload=1
Apr 24 09:51:42 VPN-10-20 pluto[3860]:   including NAT-Traversal patch (Version 0.6c)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: starting up 1 cryptographic helpers
Apr 24 09:51:42 VPN-10-20 pluto[3860]: started helper pid=3865 (fd:6)
Apr 24 09:51:42 VPN-10-20 pluto[3860]: Using Linux 2.6 IPsec interface code on 2.6.9-42.EL
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/cacerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Could not change to directory '/etc/ipsec.d/aacerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/ocspcerts'
Apr 24 09:51:43 VPN-10-20 pluto[3860]: Changing to directory '/etc/ipsec.d/crls'
Apr 24 09:51:43 VPN-10-20 pluto[3860]:   Warning: empty directory
Apr 24 09:51:43 VPN-10-20 pluto[3860]: added connection description "road"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: listening for IKE messages
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface eth0/eth0 10.20.20.2:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface eth0/eth0 10.20.20.2:4500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo 127.0.0.1:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo 127.0.0.1:4500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: adding interface lo/lo ::1:500
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.secrets"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.d/hostkey.secrets"
Apr 24 09:51:43 VPN-10-20 pluto[3860]: loading secrets from "/etc/ipsec.d/ipsec.secrets"
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: initiating Main Mode
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [Openswan (this version) 2.4.5  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [Dead Peer Detection]
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: received Vendor ID payload [RFC 3947] method set to=110 
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: enabling possible NAT-traversal with method 3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: I did not send a certificate because I do not have one.
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: NAT-Traversal: Result using 3: no NAT detected
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: Main mode peer ID is ID_IPV4_ADDR: '10.20.20.1'
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr 24 09:52:45 VPN-10-20 pluto[3860]: "road" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr 24 09:52:46 VPN-10-20 pluto[3860]: "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xc82d0ce7 <0x9bfa9de8 xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x00002b25 <0x00000b9c NATD=none DPD=none}
+ _________________________ date
+ date
Thu Apr 24 09:53:19 GST 2008

 

 

 

 

 

 


_______________________________________________

Users mailing list

Users at openswan.org

http://lists.openswan.org/mailman/listinfo/users

 

 
