[Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0

MM.ST jfendrody at mm.st
Tue Aug 26 02:17:50 EDT 2008


Dear Openswan experts,

I am brand new to openswan (and VPN in general) and have been googling with
no success for 2 days trying to fix my problem.

Any help from the community would be most welcome.

I am trying to connect 1 server to a network protected by a Fortigate
firewall through a VPN.

I managed to get openswan running on Linux (Ubuntu) -- at least I guess so...

But I cannot get the VPN up and running...

OK, here come the technical details.


>> Let's start with the Fortigate configuration:

Phase 1:
  - remote IP 1.2.3.4
  - pre-shared key : "key"
  - Encryption : 3DES
  - Authentication : SHA1
  - Key lifetime : 28800 seconds

Phase 2:
  - Encryption : 3DES
  - Authentication : SHA1
  - Key lifetime : 1800 seconds

>> Now the openswan configuration:

/etc/ipsec.conf:

  config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24

  conn innov2demain
    left=1.2.3.4
    right=99.98.97.96
    rightsubnet=192.168.254.0/24
    keyexchange=ike
    auto=start
    authby=secret
    esp=3des
    compress=yes
    ikelifetime=1800

  # Disable Opportunistic Encryption
  include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets:

  1.2.3.4 99.98.97.96 : PSK "test"

 

>> Here come the logs :

root at ks2228:/proc/sys/net/ipv4/conf# ipsec verify
  Checking your system to see if IPsec got installed and started correctly:
  Version check and ipsec on-path                                 [OK]
  Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
  Checking for IPsec support in kernel                            [OK]
  NETKEY detected, testing for disabled ICMP send_redirects       [OK]
  NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
  Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
    ipsec showhostkey: no default key in "/etc/ipsec.secrets"
  Checking that pluto is running                                  [OK]
  Two or more interfaces found, checking IP forwarding            [OK]
  Checking NAT and MASQUERADEing                                  [OK]
  Checking for 'ip' command                                       [OK]
  Checking for 'iptables' command                                 [OK]
  Opportunistic Encryption Support                                [DISABLED]

root at ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
  IPsec running  - pluto pid: 22136
  pluto pid 22136
  No tunnels up

root at ks2228:/var/log# ipsec auto --verbose --up innov2demain
  I have no feedback at all. Nothing happens ...

 

root at ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
  000 interface lo/lo 127.0.0.1
  000 interface lo/lo 127.0.0.1
  000 interface eth0/eth0 1.2.3.4
  000 interface eth0/eth0 1.2.3.4
  000 %myid = (none)
  000 debug none
  000
  000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
  000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
  000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
  000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
  000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
  000
  000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
  000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
  000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
  000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
  000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
  000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
  000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
  000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
  000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
  000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
  000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
  000
  000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,72} attrs={0,3,48}
  000
  000 "innov2demain": 1.2.3.4...8199.98.97.96===192.168.254.0/24; prospective erouted; eroute owner: #0
  000 "innov2demain":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
  000 "innov2demain":   ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
  000 "innov2demain":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
  000 "innov2demain":   newest ISAKMP SA: #0; newest IPsec SA: #0;
  000 "innov2demain":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=strict
  000 "innov2demain":   ESP algorithms loaded: 3_000-1, 3_000-2, flags=strict
  000
  000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
  000 #41: pending Phase 2 for "innov2demain" replacing #0
  000 #41: pending Phase 2 for "innov2demain" replacing #0
  000 #41: pending Phase 2 for "innov2demain" replacing #0
  000

 

root at ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep -i ipsec
  Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
  Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
  Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
  Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
  Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
  Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1: STATE_MAIN_I1: initiate
  Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn "innov2demain"

root at ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
  Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
  Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
  Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
  Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting state (STATE_MAIN_I1)
  Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:4500
  Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:500
  Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:4500
  Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:500
  Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
  Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID   PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
  Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500 floating to on
  Aug 26 08:01:24 ks2228 pluto[27748]:    port floating activation criteria nat_t=1/port_fload=1
  Aug 26 08:01:24 ks2228 pluto[27748]:   including NAT-Traversal patch (Version 0.6c)
  Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
  Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as the source of random
  Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
  Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
  Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
  Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as the source of random
  Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
  Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface code on 2.6.24.2-xxxx-std-ipv4-32
  Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/cacerts'
  Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/aacerts'
  Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/ocspcerts'
  Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/crls'
  Aug 26 08:01:25 ks2228 pluto[27748]:   Warning: empty directory
  Aug 26 08:01:25 ks2228 pluto[27748]: added connection description "innov2demain"
  Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
  Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:500
  Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:4500
  Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:500
  Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:4500
  Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from "/etc/ipsec.secrets"
  Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating Main Mode


I probably missed something around 3DES, SHA1 and the like, but I can't
figure out what's wrong ...

Any clue ??
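
Added as an editor's check, not part of the original post or of Openswan: the script below embeds constructed copies of the conn section and ipsec.secrets line quoted above and compares them with the Fortigate Phase 1 / Phase 2 settings listed in the post, reporting every parameter on which the two ends differ. The Openswan 2.4 defaults it assumes (ikelifetime 1h, keylife 8h) are an assumption of mine; the 8h keylife default is consistent with the ipsec_life 28800s shown in the status output above.

```python
import re
# Constructed inputs reproducing the values quoted in the post (peer = Fortigate).
FORTIGATE = {"phase1_lifetime": 28800, "phase2_lifetime": 1800, "psk": "key"}
IPSEC_CONF = """conn innov2demain
   left=1.2.3.4
   right=99.98.97.96
   authby=secret
   esp=3des
   ikelifetime=1800
"""
IPSEC_SECRETS = '1.2.3.4 99.98.97.96 : PSK "test"\n'

def parse_conn(text, name):
    """Return the key=value settings of the named conn section of ipsec.conf."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            settings[key.strip()] = val.strip()
    return settings

def parse_psk(text, left, right):
    """Return the PSK ipsec.secrets holds for this pair of peer addresses, or None."""
    for line in text.splitlines():
        m = re.match(r'\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', line)
        if m and {m.group(1), m.group(2)} == {left, right}:
            return m.group(3)
    return None

def check(conn, psk, peer):
    """List the parameters on which the Openswan side differs from the peer."""
    # Assumed Openswan 2.4 defaults: ikelifetime 1h, keylife 8h (plain seconds only; h/m suffixes not handled)
    ike_life = int(conn.get("ikelifetime", "3600").rstrip("s"))
    ipsec_life = int(conn.get("keylife", "28800").rstrip("s"))
    problems = []
    if ike_life != peer["phase1_lifetime"]:
        problems.append(f"Phase 1 lifetime {ike_life}s here vs {peer['phase1_lifetime']}s on peer")
    if ipsec_life != peer["phase2_lifetime"]:
        problems.append(f"Phase 2 lifetime {ipsec_life}s here vs {peer['phase2_lifetime']}s on peer")
    if psk != peer["psk"]:
        problems.append("pre-shared key in ipsec.secrets differs from the peer's")
    return problems

if __name__ == "__main__":
    conn = parse_conn(IPSEC_CONF, "innov2demain")
    psk = parse_psk(IPSEC_SECRETS, conn["left"], conn["right"])
    print("\n".join(check(conn, psk, FORTIGATE)) or "no mismatches")
```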

