[Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
MM.ST
jfendrody at mm.st
Tue Aug 26 08:50:54 EDT 2008
Hi Mehran,
Thanks for the quick feedback, much appreciated!
Keys are (unfortunately) the same on both ends. My mistake when I faked IPs
and keys, sorry about that.
As far as PFS is concerned, PFS is ON on the Fortigate.
I understand the default for Openswan is ON too, so that should match.
Is there any way to get more detailed and useful logs (other than tcpdump
and the like)?
Regards,
Jeff
From: Mehran Toreihi [mailto:vpnbook at gmail.com]
Sent: Tuesday, 26 August 2008 11:48
To: MM.ST
Cc: users at openswan.org
Subject: Re: [Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
Hi,
First of all, check that your PSKs (pre-shared keys) are the same. In the
configuration that you have already sent they are NOT (one is "key" and the
other is "test").
I have no idea about interoperating between Fortigate and Openswan.
Also check the Fortigate for PFS (Perfect Forward Secrecy) support.
Hope you got it. Let me know.
Mehran Toreihi.
On Tue, Aug 26, 2008 at 10:47 AM, MM.ST <jfendrody at mm.st> wrote:
Dear Openswan experts,
I am brand new to Openswan (and VPNs in general) and have been googling with
no success for 2 days trying to fix my problem.
Any help from the community would be most welcome.
I am trying to connect 1 server to a network protected by a Fortigate
firewall through a VPN.
I managed to get Openswan running on Linux (Ubuntu) --at least I guess so...
But I cannot get the VPN up and running...
OK, here come the technical details.
>> Let's start with the Fortigate configuration:
Phase 1:
- remote IP: 1.2.3.4
- pre-shared key: "key"
- Encryption: 3DES
- Authentication: SHA1
- Key lifetime: 28800 seconds
Phase 2:
- Encryption: 3DES
- Authentication: SHA1
- Key lifetime: 1800 seconds
>> Now the openswan configuration:
/etc/ipsec.conf:
config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24

conn innov2demain
        left=1.2.3.4
        right=99.98.97.96
        rightsubnet=192.168.254.0/24
        keyexchange=ike
        auto=start
        authby=secret
        esp=3des
        compress=yes
        ikelifetime=1800

# Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

/etc/ipsec.secrets:
1.2.3.4 99.98.97.96 : PSK "test"
>> Here come the logs:
root at ks2228:/proc/sys/net/ipv4/conf# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
root at ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
IPsec running - pluto pid: 22136
pluto pid 22136
No tunnels up
root at ks2228:/var/log# ipsec auto --verbose --up innov2demain
I have no feedback at all. Nothing happens ...
root at ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 1.2.3.4
000 interface eth0/eth0 1.2.3.4
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,72} attrs={0,3,48}
000
000 "innov2demain": 1.2.3.4...8199.98.97.96===192.168.254.0/24; prospective erouted; eroute owner: #0
000 "innov2demain": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "innov2demain": ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "innov2demain": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
000 "innov2demain": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "innov2demain": ESP algorithms wanted: 3_000-1, 3_000-2, flags=strict
000 "innov2demain": ESP algorithms loaded: 3_000-1, 3_000-2, flags=strict
000
000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
000 #41: pending Phase 2 for "innov2demain" replacing #0
000 #41: pending Phase 2 for "innov2demain" replacing #0
000 #41: pending Phase 2 for "innov2demain" replacing #0
000
root at ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep -i ipsec
Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1: STATE_MAIN_I1: initiate
Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn "innov2demain"
root at ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting state (STATE_MAIN_I1)
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:4500
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:500
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:4500
Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:500
Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500 floating to on
Aug 26 08:01:24 ks2228 pluto[27748]: port floating activation criteria nat_t=1/port_fload=1
Aug 26 08:01:24 ks2228 pluto[27748]: including NAT-Traversal patch (Version 0.6c)
Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as the source of random
Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as the source of random
Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface code on 2.6.24.2-xxxx-std-ipv4-32
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/cacerts'
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/aacerts'
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/ocspcerts'
Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/crls'
Aug 26 08:01:25 ks2228 pluto[27748]: Warning: empty directory
Aug 26 08:01:25 ks2228 pluto[27748]: added connection description "innov2demain"
Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:500
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:4500
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:500
Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:4500
Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from "/etc/ipsec.secrets"
Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating Main Mode
I probably missed something around 3DES, SHA1 and the like, but I can't
figure out what's wrong...
Any clue?
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
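As an added example (not code from anyone in this thread), a small Python check that compares the Openswan conn and secrets quoted above against the Fortigate settings the poster listed: it flags the PSK mismatch Mehran points out ("test" against "key") and also the lifetimes, which differ between the two sides as posted (Fortigate Phase 1 28800 s and Phase 2 1800 s, against ikelifetime=1800 and the default ipsec_life of 28800 s shown in the status output). The Openswan defaults it falls back on (ikelifetime 1h, keylife 8h) are assumed from ipsec.conf(5), and the inputs are constructed copies of what the thread shows.

```python
import re

# Constructed inputs copied from the thread: the Fortigate side as described
# in the post, and the Openswan files as posted (PSK "test" against "key").
FORTIGATE = {"psk": "key", "ike_lifetime": 28800, "ipsec_lifetime": 1800}
IPSEC_CONF = """conn innov2demain
        left=1.2.3.4
        right=99.98.97.96
        ikelifetime=1800
"""
IPSEC_SECRETS = '1.2.3.4 99.98.97.96 : PSK "test"\n'
# Assumed Openswan 2.x defaults (ipsec.conf(5): ikelifetime 1h, keylife 8h).
DEFAULTS = {"ikelifetime": "1h", "keylife": "8h"}

def parse_conn(conf, name):
    """Return the key=value pairs of the named conn section as a dict."""
    params, inside = {}, False
    for line in conf.splitlines():
        if re.match(r"^(conn|config)\s", line):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            key, val = line.strip().split("=", 1)
            params[key] = val.strip('"')
    return params

def parse_psk(secrets, left, right):
    """Return the PSK whose selectors match this conn's left/right, or None."""
    pat = r'^%s\s+%s\s*:\s*PSK\s+"([^"]*)"' % (re.escape(left), re.escape(right))
    m = re.search(pat, secrets, re.M)
    return m.group(1) if m else None

def seconds(value):
    """Normalise an Openswan lifetime (1800, 1800s, 30m, 8h, 1d) to seconds."""
    num, unit = re.fullmatch(r"(\d+)([smhd]?)", value).groups()
    return int(num) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]

def compare_sides(conf, secrets, peer, name="innov2demain"):
    """List every parameter on which the Openswan conn disagrees with the peer."""
    conn = parse_conn(conf, name)
    issues = []
    psk = parse_psk(secrets, conn["left"], conn["right"])
    if psk != peer["psk"]:
        issues.append("psk: openswan %r vs peer %r" % (psk, peer["psk"]))
    # Lifetimes: the peer's Phase 1 value must match ikelifetime, Phase 2 keylife.
    for key, peer_key in (("ikelifetime", "ike_lifetime"), ("keylife", "ipsec_lifetime")):
        ours = seconds(conn.get(key, DEFAULTS[key]))
        if ours != peer[peer_key]:
            issues.append("%s: openswan %ds vs peer %ds" % (key, ours, peer[peer_key]))
    return issues
```

Running `compare_sides(IPSEC_CONF, IPSEC_SECRETS, FORTIGATE)` on the posted files returns three mismatches (PSK, ikelifetime, keylife); with the PSK set to "key" and the lifetimes swapped to match the Fortigate it returns an empty list.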