[Openswan Users] IPSec SA established , but not able to ping or get IP

Mohamed Mydeen.A mohamedmydeen.a at jasmin-infotech.com
Fri Apr 25 08:31:55 EDT 2008


In my case, I am using NETKEY not KLIPS. I have used PSK only for my case. I
could ping from either side well and transferred files very well. 

Regards,

Mohamed Mydeen A
Engineer - DSP Software
Jasmin Infotech Private Limited
Plot No. 119, Velacherry Tambaram Road,
Opposite to NIOT
Pallikkaranai
Chennai 
India - 600 100.
Tel. : +91-44-3061 9600
Mail: mohamedmydeen.a at jasmin-infotech.com
##################################Disclaimer#############################
Information contained in this E-MAIL being proprietary to Jasmin Infotech Pvt. Ltd. is 'privileged' and 'confidential' and intended for use only by the individual or entity to which it is addressed. You are notified that any use, copying or dissemination of the information contained in the E-MAIL in any manner whatsoever is strictly prohibited.
########################################################################


-----Original Message-----
From: John Joseph [mailto:jjk_saji at yahoo.com] 
Sent: Friday, April 25, 2008 5:52 PM
To: John Joseph; users at openswan.org; mohamedmydeen.a at jasmin-infotech.com
Subject: Re: [Openswan Users] IPSec SA established , but not able to ping or
get IP

Hi Mohammed,
   Thanks for the reply.
   I had enabled nat-t in my ipsec and now I get the following message:

002 "road" #2: transition from state STATE_QUICK_I1 to
state STATE_QUICK_I2
004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP/NAT=>0xad499dcc <0xc5c53f1d
xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000d6a4 <0x0000a332
NATD=10.20.20.1:4500 DPD=none}

From the link http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#NAT I read that

"The NAT-T patch for KLIPS currently does not support
connections that authenticate through Preshared Keys
(PSKs). If you use a Preshared Key with KLIPS and
NAT-T, Openswan will not authorise the connection
because the sender's port is not 500 and the NAT-T
patch fails to support this."

In my case I am using only a PSK key to authenticate. And it is getting authenticated and the connection established, but I am not able to access the other side of the gw.

Advice requested.
Thanks,
Joseph John
  




--- John Joseph <jjk_saji at yahoo.com> wrote:

> 
> 
> Hi All
>    I am trying to do ipsec with psk for road warrior. I do not want to use l2tpd.
>    My Gateway had the following IP
> 	eth0	192.168.21.215
> 	eth1	10.20.20.1
> 
>    my road-warrior has info
> 	eth0	10.20.20.2
> 
>   After I run ipsec, I get the message IPSec SA established, but from the road warrior I cannot
> (1) Did not get another interface or IP from 192.168.21.X
> (2) Cannot ping to any IP from the other subnet (192.168.21.X)
> 
> I am adding ipsec.conf of both GW and RoadWarrior, also some part of ipsec barf from the road warrior.
>               Advice requested on how to troubleshoot further so that my road warrior can ping to the other host
> 
> 
> 
> 
> ##########
> (1) ipsec.conf  of  Gateway 
> ##
> conn %default
>         keyingtries=1
>         compress=yes
>         authby=secret
> 
> 
> 
> 
> conn road
>         left=10.20.20.1                # Gateway's information
>         leftsubnet=192.168.21.0/24     #
>         #leftid=@road.example.com      # Local information
>         #leftrsasigkey=0sAQPIPN9uI...  #
>         right=10.20.20.2               # Remote information
>         #rightid=@xy.example.com       #
>         #rightrsasigkey=0sAQOnwiBPt... #
>         auto=add                       # authorizes but doesn't start this
>         authby=secret                  # connection at startup
> 
> 
> conn block
>         auto=ignore
> 
> conn private
>         auto=ignore
> 
> conn private-or-clear
>         auto=ignore
> 
> conn clear-or-private
>         auto=ignore
> 
> conn clear
>         auto=ignore
> 
> conn packetdefault
>         auto=ignore
> 
> ###############
> ipsec.conf of road warrior
> ###
> conn %default
>         keyingtries=1
>         compress=yes
>         authby=secret
> 
> 
> 
> 
> conn road
>         left=%defaultroute             # Picks up our dynamic IP
>         #leftid=@road.example.com      # Local information
>         #leftrsasigkey=0sAQPIPN9uI...  #
>         right=10.20.20.1               # Remote information
>         rightsubnet=192.168.21.0/24    #
>         #rightid=@xy.example.com       #
>         #rightrsasigkey=0sAQOnwiBPt... #
>         auto=add                       # authorizes but doesn't start this
>         authby=secret                  # connection at startup
> 
> 
> conn block
>         auto=ignore
> 
> conn private
>         auto=ignore
> 
> conn private-or-clear
>         auto=ignore
> 
> conn clear-or-private
>         auto=ignore
> 
> conn clear
>         auto=ignore
> 
> conn packetdefault
>         auto=ignore
> 
> ########################
> part of ipsec barf
> 
> ##########
> 
> _________________________ ipsec/status
> + ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 10.20.20.2
> 000 interface eth0/eth0 10.20.20.2
> 000 %myid = (none)
> 000 debug none
> 000  
> 000 algorithm ESP encrypt: id=2, name=ESP_DES,
> ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES,
> ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,
> ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL,
> ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES,
> ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT,
> ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH,
> ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1,
> name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
> keysizemax=128
> 000 algorithm ESP auth attr: id=2,
> name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
> keysizemax=160
> 000 algorithm ESP auth attr: id=5,
> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256,
> keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null),
> keysizemin=0, keysizemax=0
> 000  
> 000 algorithm IKE encrypt: id=5,
> name=OAKLEY_3DES_CBC,
> blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7,
> name=OAKLEY_AES_CBC,
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5,
> hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1,
> hashsize=20
> 000 algorithm IKE dh group: id=2,
> name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5,
> name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14,
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15,
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16,
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17,
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18,
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000  
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz}
> :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
> 000  
> 000 "road":
> 10.20.20.2...10.20.20.1===192.168.21.0/24;
> erouted; eroute owner: #2
> 000 "road":     srcip=unset; dstip=unset;
> srcup=ipsec
> _updown; dstup=ipsec _updown;
> 000 "road":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> 
=== message truncated ===



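The two ipsec.conf files in the quoted message are meant to mirror each other (the gateway's left* values are the road warrior's right* values and vice versa), and the "SA established but no traffic" symptom is usually a mismatch, a missing return route, or a peer address that no longer matches once NAT-T is in play. The script below is an added example, not code from the thread or from Openswan: it parses both files (embedded here as constructed copies trimmed to the relevant conn sections), applies conn %default inheritance, and reports the mirror mismatches plus two warnings that apply to the posted setup. The key names leftsourceip/rightsourceip are real Openswan ipsec.conf options; the finding levels and messages are this example's own.

```python
import re

# Constructed copies of the two ipsec.conf files quoted in the thread, reduced
# to the "conn" sections that matter (the auto=ignore stanzas and the
# commented-out RSA lines are left out).
GATEWAY_CONF = """\
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=10.20.20.1                # gateway's own address
        leftsubnet=192.168.21.0/24
        right=10.20.20.2               # road warrior
        auto=add
        authby=secret
"""

ROADWARRIOR_CONF = """\
conn %default
        keyingtries=1
        compress=yes
        authby=secret

conn road
        left=%defaultroute             # picks up our dynamic IP
        right=10.20.20.1               # gateway
        rightsubnet=192.168.21.0/24
        auto=add
        authby=secret
"""

# Values that are filled in at run time and so cannot be cross-checked statically.
DYNAMIC = {"%defaultroute", "%any", "%opportunistic"}


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {conn_name: {key: value}}, folding in %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)", line)
        if header:
            # "config setup" is not a conn; its keys are ignored here
            current = header.group(2) if header.group(1) == "conn" else None
            if current is not None:
                conns.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def mirror(key):
    """leftX <-> rightX: the gateway's 'left' is the road warrior's 'right'."""
    if key.startswith("left"):
        return "right" + key[4:]
    if key.startswith("right"):
        return "left" + key[5:]
    return key


def check_pair(gw, rw):
    """Compare one conn as seen from the gateway (gw) and the road warrior (rw).

    Returns a list of (level, message); level is "error", "warn" or "info".
    """
    findings = []
    for suffix in ("", "subnet", "id"):
        for side in ("left", "right"):
            key = side + suffix
            mine, theirs = gw.get(key), rw.get(mirror(key))
            if mine in DYNAMIC or theirs in DYNAMIC:
                dyn = mine if mine in DYNAMIC else theirs
                findings.append(("info", f"{key}: dynamic value ({dyn}), "
                                 "not cross-checked"))
            elif mine != theirs:
                findings.append(("error", f"gateway {key}={mine!r} but road "
                                 f"warrior {mirror(key)}={theirs!r}"))
    if gw.get("authby") != rw.get("authby"):
        findings.append(("error", f"authby differs: {gw.get('authby')!r} vs "
                         f"{rw.get('authby')!r}"))
    # Plain IPsec hands out no address: without a virtual IP the road warrior
    # sources tunnel traffic from its own interface address, so hosts in the
    # protected subnet need a route back to that address via the gateway.
    if "rightsourceip" not in gw and "leftsourceip" not in rw:
        findings.append(("warn", "no virtual IP (leftsourceip/rightsourceip): "
                         "road warrior keeps its own address; remote hosts "
                         "need a return route to it through the gateway"))
    # A pinned peer address only matches while the road warrior is not behind
    # NAT; with NAT-T the gateway sees the NAT device's address instead.
    if rw.get("left") in DYNAMIC and gw.get("right") not in DYNAMIC:
        findings.append(("warn", f"gateway pins right={gw.get('right')}; a road "
                         "warrior behind NAT arrives from the NAT address and "
                         "will not match this conn (right=%any would)"))
    return findings


def audit(gw_text, rw_text, conn="road"):
    """Parse both files and check the named conn; returns the findings list."""
    gw, rw = parse_ipsec_conf(gw_text), parse_ipsec_conf(rw_text)
    if conn not in gw or conn not in rw:
        return [("error", f"conn {conn!r} missing on one side")]
    return check_pair(gw[conn], rw[conn])


if __name__ == "__main__":
    for level, msg in audit(GATEWAY_CONF, ROADWARRIOR_CONF):
        print(f"[{level}] {msg}")
```

Run against the posted pair it reports no mirror errors, one informational note for the %defaultroute endpoint, and the two warnings that line up with points (1) and (2) of the original question: nothing in these files asks for a virtual IP, so no new address is expected to appear, and the gateway-side right= is a fixed address. Replace the embedded strings with the real files to check a live pair.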



