[Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0

Mehran Toreihi vpnbook at gmail.com
Tue Aug 26 05:48:13 EDT 2008


Hi,
First of all check that your PSKs (pre-shared keys) are the same. In the
configuration that you have already sent they are NOT (one is "key" and the
other is "test").
I have no idea about interoperating between Fortigate and Openswan.
Also check Fortigate for PFS (Perfect Forward Secrecy) support.
Hope you got it. Let me know.

Mehran Toreihi.

On Tue, Aug 26, 2008 at 10:47 AM, MM.ST <jfendrody at mm.st> wrote:

>  Dear Openswan experts,
>
> I am brand new to openswan (and VPN in general) and have been googling
> with no success for 2 days trying to fix my problem.
>
> Any help from the community would be most welcome.
>
> I am trying to connect 1 server to a network protected by a Fortigate
> firewall through a VPN.
>
> I managed to get openswan running on linux (Ubuntu) --at least I guess
> so...
>
> But I cannot get the VPN up and running...
>
> OK, here come the technical details.
>
>
> >> Let's start with the Fortigate configuration:
>
> Phase 1:
>   - remote IP 1.2.3.4
>   - pre-shared key : "key"
>   - Encryption : 3DES
>   - Authentication : SHA1
>   - Key lifetime : 28800 seconds
>
> Phase 2:
>   - Encryption : 3DES
>   - Authentication : SHA1
>   - Key lifetime : 1800 seconds
>
> >> Now the openswan configuration:
>
> /etc/ipsec.conf:
>
>   config setup
>     interfaces="ipsec0=eth0"
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
>
>   conn innov2demain
>    left=1.2.3.4
>    right=99.98.97.96
>    rightsubnet=192.168.254.0/24
>    keyexchange=ike
>    auto=start
>    authby=secret
>    esp=3des
>    compress=yes
>    ikelifetime=1800
>
>   # Disable Opportunistic Encryption
>   include /etc/ipsec.d/examples/no_oe.conf
>
> /etc/ipsec.secrets
>
>   1.2.3.4 99.98.97.96 : PSK "test"
>
> >> Here come the logs :
>
>
>
> root at ks2228:/proc/sys/net/ipv4/conf# ipsec verify
>
>   Checking your system to see if IPsec got installed and started
>
>   correctly:
>
>   Version check and ipsec on-path                                 [OK]
>
>   Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
>
>   Checking for IPsec support in kernel                            [OK]
>
>   NETKEY detected, testing for disabled ICMP send_redirects       [OK]
>
>   NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
>
>   Checking for RSA private key (/etc/ipsec.secrets)
>
>   [DISABLED]
>
>     ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>
>   Checking that pluto is running                                  [OK]
>
>   Two or more interfaces found, checking IP forwarding            [OK]
>
>   Checking NAT and MASQUERADEing                                  [OK]
>
>   Checking for 'ip' command                                       [OK]
>
>   Checking for 'iptables' command                                 [OK]
>
>   Opportunistic Encryption Support
>
>   [DISABLED]
>
>
>
> root at ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
>
>   IPsec running  - pluto pid: 22136
>
>   pluto pid 22136
>
>   No tunnels up
>
>
>
> root at ks2228:/var/log# ipsec auto --verbose --up innov2demain
>
>   I have no feedback at all. Nothing happens ...
>
>
>
> root at ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
>
>   000 interface lo/lo 127.0.0.1
>
>   000 interface lo/lo 127.0.0.1
>
>   000 interface eth0/eth0 1.2.3.4
>
>   000 interface eth0/eth0 1.2.3.4
>
>   000 %myid = (none)
>
>   000 debug none
>
>   000
>
>   000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
>
>   000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
>
>   000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
>
>   000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
>
>   000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
>
>   000
>
>   000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
>
>   000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
>
>   000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>
>   000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>
>   000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>
>   000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>
>   000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>
>   000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>
>   000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>
>   000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>
>   000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>
>   000
>
>   000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36}
> trans={0,3,72} attrs={0,3,48}
>
>   000
>
>   000 "innov2demain": 1.2.3.4...8199.98.97.96===192.168.254.0/24;
> prospective erouted; eroute owner: #0
>
>   000 "innov2demain":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
>
>   000 "innov2demain":   ike_life: 1800s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
>
>   000 "innov2demain":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio:
> 32,24; interface: eth0;
>
>   000 "innov2demain":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>
>   000 "innov2demain":   ESP algorithms wanted: 3_000-1, 3_000-2,
> flags=strict
>
>   000 "innov2demain":   ESP algorithms loaded: 3_000-1, 3_000-2,
> flags=strict
>
>   000
>
>   000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
> EVENT_RETRANSMIT in 2s; nodpd
>
>   000 #41: pending Phase 2 for "innov2demain" replacing #0
>
>   000 #41: pending Phase 2 for "innov2demain" replacing #0
>
>   000 #41: pending Phase 2 for "innov2demain" replacing #0
>
>   000
>
>
>
> root at ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep
> -i ipsec
>
>   Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
>
>   Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
>
>   Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0
> 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
>
>   Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
>
>   Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec
> U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
>
>   Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1:
> STATE_MAIN_I1: initiate
>
>   Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn
> "innov2demain"
>
>
>
> root at ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting state
> (STATE_MAIN_I1)
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo
> 127.0.0.1:4500
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo
> 127.0.0.1:500
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0
> 1.2.3.4:4500
>
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0
> 1.2.3.4:500
>
>   Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version
> 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID   PLUTO_USES_KEYRR; Vendor ID
> OElLO]RdWNRD)
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500
> floating to on
>
>   Aug 26 08:01:24 ks2228 pluto[27748]:    port floating activation criteria
> nat_t=1/port_fload=1
>
>   Aug 26 08:01:24 ks2228 pluto[27748]:   including NAT-Traversal patch
> (Version 0.6c)
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random
> failed in init_rnd_pool(), trying alternate sources of random
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as the
> source of random
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
>
>   Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random
> failed in init_rnd_pool(), trying alternate sources of random
>
>   Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as the
> source of random
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
>
>   Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface code
> on 2.6.24.2-xxxx-std-ipv4-32
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory
> '/etc/ipsec.d/cacerts'
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory
> '/etc/ipsec.d/aacerts'
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory
> '/etc/ipsec.d/ocspcerts'
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory
> '/etc/ipsec.d/crls'
>
>   Aug 26 08:01:25 ks2228 pluto[27748]:   Warning: empty directory
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: added connection description
> "innov2demain"
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0
> 1.2.3.4:500
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0
> 1.2.3.4:4500
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo
> 127.0.0.1:500
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo
> 127.0.0.1:4500
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from
> "/etc/ipsec.secrets"
>
>   Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating Main
> Mode
>
>
>
>
>
> I probably missed something around 3DES, SHA1 and the likes but I can't
> figure out what's wrong ...
>
> Any clue ??
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
>
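As an added illustration of the checks raised in the reply (the PSK on both sides, PFS, and the Phase 1/Phase 2 lifetimes), here is a small Python script, not code from the thread or from Openswan, that parses a conn section and the matching ipsec.secrets entry and compares them with the peer's settings. The config snippets are transcribed from the thread; the Fortigate-side PFS value and the Openswan defaults for omitted keys are assumptions.

```python
import re
# Constructed sample inputs in the shape of the thread's configs (not live files).
IPSEC_CONF = """\
conn innov2demain
    left=1.2.3.4
    right=99.98.97.96
    authby=secret
    ikelifetime=1800
"""
IPSEC_SECRETS = '1.2.3.4 99.98.97.96 : PSK "test"\n'
# Assumed peer (Fortigate) settings taken from the thread; its PFS setting is a guess.
PEER = {"psk": "key", "pfs": False, "phase1_lifetime": 28800, "phase2_lifetime": 1800}
# Openswan defaults used when a conn omits the key: ikelifetime 1h, keylife 8h, pfs=yes.
DEFAULTS = {"ikelifetime": "1h", "keylife": "8h", "pfs": "yes"}

def seconds(value):
    """Convert an ipsec.conf time such as '1800', '1800s' or '8h' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def parse_conn(text, name):
    """Return the key=value settings of the named conn section of ipsec.conf."""
    settings, current = {}, None
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        if body and not body[0].isspace():   # an unindented line starts a new section
            parts = body.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
        elif current == name and "=" in body:
            key, value = body.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def find_psk(secrets, left, right):
    """PSK from the ipsec.secrets index line that names both endpoints, else None."""
    for m in re.finditer(r'^\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', secrets, re.M):
        if {left, right} <= set(m.group(1).split()):
            return m.group(2)
    return None

def check(conf, secrets, peer, name):
    """Return {setting: (local, peer)} for every value the two sides disagree on."""
    c = parse_conn(conf, name)
    local = {
        "psk": find_psk(secrets, c["left"], c["right"]),
        "pfs": c.get("pfs", DEFAULTS["pfs"]) == "yes",
        "phase1_lifetime": seconds(c.get("ikelifetime", DEFAULTS["ikelifetime"])),
        "phase2_lifetime": seconds(c.get("keylife", DEFAULTS["keylife"])),
    }
    return {k: (local[k], peer[k]) for k in peer if local[k] != peer[k]}
```

Run against the thread's values, `check()` reports the PSK mismatch plus the PFS and lifetime differences (the conn sets ikelifetime to the peer's Phase 2 value and leaves keylife at the default, which matches the peer's Phase 1 value).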