[Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0

Peter McGill petermcgill at goco.net
Tue Aug 26 10:31:58 EDT 2008


At this point it looks like the two endpoints are not communicating,
let alone connecting.

Do your Fortigate logs say anything?

Did you permit IPSec and tunneled traffic to pass through the firewall 
without masquerading it?

Can you verify that the packets are being sent/received by packet sniffing?

Are your real left/right IPs public internet addresses?
They should be if possible, otherwise you will need NAT-T.
Note that even with NAT-T the Fortigate will need a public IP.

You're trying to connect just one computer to the Fortigate LAN, correct?
This is what your ipsec.conf would indicate.

The following are not likely the cause, but may cause you future 
problems, so addressing them now won't hurt.

What Diffie-Hellman (DH) groups does the Fortigate allow?
DH Group 1 is insecure and Openswan will refuse to use it;
make sure the Fortigate is using Group 2 or 5 (1024 or 1536 bit).

You can further match the DH group with Openswan as follows:
	ike=3des-sha1;modp1024
	esp=3des-sha1

Try with compress=no first, compression sometimes does not work.

Make sure the Fortigate is using Main mode not Aggressive mode.

Note your key lifetimes do not match; ike is phase 1. This will not
prevent connection but may prematurely end it.
	ikelifetime=28800
	keylife=1800

If none of this helps you, you may need to send an ipsec barf >
ipsec_barf.txt, which should contain most of the necessary information
to fix the problem. Don't worry, it will not contain your keys.

Peter
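As an added illustration (not part of the list thread, and not Openswan's own tooling), the checks above can be applied mechanically: parse the conn block, compare its phase 1/phase 2 lifetimes against what the Fortigate side is configured for, flag the unpinned DH group, the esp= line with no integrity algorithm and compress=yes, and read the `ipsec auto --status` line that shows the initiator stuck in STATE_MAIN_I1. The conn text, Fortigate values and status lines embedded here are constructed copies of what the original poster sent; the Openswan defaults for ikelifetime and keylife are assumptions taken from the ipsec.conf documentation of that era (the posted status output shows ipsec_life: 28800s, which agrees with the keylife default used here).

```python
"""Triage helper for an Openswan conn block against the peer's phase settings.

Added example; not code from the mailing list or from the Openswan project.
"""
import re

# Constructed copy of the conn section from the original post (values as posted).
CONN_TEXT = """\
conn innov2demain
   left=1.2.3.4
   right=99.98.97.96
   rightsubnet=192.168.254.0/24
   keyexchange=ike
   auto=start
   authby=secret
   esp=3des
   compress=yes
   ikelifetime=1800
"""

# Phase lifetimes as configured on the Fortigate side, taken from the post.
FORTIGATE = {"phase1_lifetime": 28800, "phase2_lifetime": 1800}

# Constructed copy of the relevant `ipsec auto --status` lines from the post.
STATUS_LINES = [
    '000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); '
    'EVENT_RETRANSMIT in 2s; nodpd',
    '000 #41: pending Phase 2 for "innov2demain" replacing #0',
]

# Assumed Openswan defaults (ipsec.conf man page: ikelifetime 1h, keylife 8h).
DEFAULT_IKELIFETIME = 3600
DEFAULT_KEYLIFE = 28800


def parse_conn(text):
    """Parse a single ipsec.conf conn section into (name, {option: value})."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return name, opts


def to_seconds(value):
    """ipsec.conf time values are plain seconds or carry an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    mult = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]
    return int(m.group(1)) * mult


def lint_conn(opts, peer):
    """Return a list of findings; an empty list means the checks all pass."""
    findings = []
    ike_life = to_seconds(opts.get("ikelifetime", str(DEFAULT_IKELIFETIME)))
    key_life = to_seconds(opts.get("keylife", str(DEFAULT_KEYLIFE)))
    # ikelifetime is phase 1 (ISAKMP SA), keylife is phase 2 (IPsec SA).
    if ike_life != peer["phase1_lifetime"]:
        findings.append("ikelifetime=%ds but peer phase 1 lifetime is %ds"
                        % (ike_life, peer["phase1_lifetime"]))
    if key_life != peer["phase2_lifetime"]:
        findings.append("keylife=%ds but peer phase 2 lifetime is %ds"
                        % (key_life, peer["phase2_lifetime"]))
    if ";modp" not in opts.get("ike", ""):
        findings.append("ike= does not pin a DH group; e.g. ike=3des-sha1;modp1024")
    if "-" not in opts.get("esp", ""):
        findings.append("esp=%s names no integrity algorithm; e.g. esp=3des-sha1"
                        % opts.get("esp", "<unset>"))
    if opts.get("compress", "no") == "yes":
        findings.append("compress=yes: try compress=no first")
    if opts.get("aggrmode", "no") == "yes":
        findings.append("aggrmode=yes: the peer should be using Main mode")
    return findings


def diagnose_status(lines):
    """An initiator retransmitting in STATE_MAIN_I1 never got MR1 back."""
    for line in lines:
        if "STATE_MAIN_I1" in line and "EVENT_RETRANSMIT" in line:
            return ("no reply to the first Main Mode message: peer unreachable, "
                    "UDP/500 filtered, or the traffic is being NATed")
    return None


if __name__ == "__main__":
    name, opts = parse_conn(CONN_TEXT)
    print("conn", name)
    for f in lint_conn(opts, FORTIGATE):
        print(" -", f)
    verdict = diagnose_status(STATUS_LINES)
    if verdict:
        print(" -", verdict)
```

Run against the poster's conn it reports the two swapped lifetimes, the missing DH group pin, the esp= line without an integrity algorithm and compress=yes; with ikelifetime=28800, keylife=1800, ike=3des-sha1;modp1024, esp=3des-sha1 and compress=no the lint is clean, leaving only the status verdict that the peer is not answering.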


MM.ST wrote:
> Dear Openswan experts,
> 
>  
> 
> I am brand new to openswan (and VPN in general) and have been googling 
> with no success for 2 days trying to fix my problem.
> 
> Any help from the community would be most welcome.
> 
>  
> 
> I am trying to connect 1 server to a network protected by a Fortigate 
> firewall through a VPN.
> 
> I managed to get openswan running on linux (Ubuntu) --at least I guess so...
> 
> But I cannot get the VPN up and running...
> 
>  
> 
> OK, here come the technical details.
> 
>  
> 
>  
> 
> Let's start with the Fortigate configuration:
> 
> Phase 1:
> 
>   - remote IP 1.2.3.4
> 
>   - pre-shared key : "key"
> 
>   - Encryption : 3DES
> 
>   - Authentication : SHA1
> 
>   - Key lifetime : 28800 seconds
> 
> Phase 2:
> 
>   - Encryption : 3DES
> 
>   - Authentication : SHA1
> 
>   - Key lifetime : 1800 seconds
> 
>  
> 
> Now the openswan configuration:
> 
> /etc/ipsec.conf:
> 
>   config setup
> 
>     interfaces="ipsec0=eth0"
> 
>     nat_traversal=yes
> 
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
> 
>   conn innov2demain
> 
>    left=1.2.3.4
> 
>    right=99.98.97.96
> 
>    rightsubnet=192.168.254.0/24
> 
>    keyexchange=ike
> 
>    auto=start
> 
>    authby=secret
> 
>    esp=3des
> 
>    compress=yes
> 
>    ikelifetime=1800
> 
>   # Disable Opportunistic Encryption
> 
>   include /etc/ipsec.d/examples/no_oe.conf
> 
>  
> 
> /etc/ipsec.secrets
> 
>   1.2.3.4 99.98.97.96 : PSK "test"
> 
>  
> 
> Here come the logs:
> 
>  
> 
> root at ks2228:/proc/sys/net/ipv4/conf# ipsec verify
> 
>   Checking your system to see if IPsec got installed and started
> 
>   correctly:
> 
>   Version check and ipsec on-path                                 [OK]
> 
>   Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
> 
>   Checking for IPsec support in kernel                            [OK]
> 
>   NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> 
>   NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> 
>   Checking for RSA private key (/etc/ipsec.secrets)             
> 
>   [DISABLED]
> 
>     ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> 
>   Checking that pluto is running                                  [OK]
> 
>   Two or more interfaces found, checking IP forwarding            [OK]
> 
>   Checking NAT and MASQUERADEing                                  [OK]
> 
>   Checking for 'ip' command                                       [OK]
> 
>   Checking for 'iptables' command                                 [OK]
> 
>   Opportunistic Encryption Support                              
> 
>   [DISABLED]
> 
>  
> 
> root at ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
> 
>   IPsec running  - pluto pid: 22136
> 
>   pluto pid 22136
> 
>   No tunnels up
> 
>  
> 
> root at ks2228:/var/log# ipsec auto --verbose --up innov2demain
> 
>   I have no feedback at all. Nothing happens ...
> 
>  
> 
> root at ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
> 
>   000 interface lo/lo 127.0.0.1
> 
>   000 interface lo/lo 127.0.0.1
> 
>   000 interface eth0/eth0 1.2.3.4
> 
>   000 interface eth0/eth0 1.2.3.4
> 
>   000 %myid = (none)
> 
>   000 debug none
> 
>   000
> 
>   000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
> keysizemax=64
> 
>   000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192, keysizemax=192
> 
>   000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
> keysizemin=128, keysizemax=128
> 
>   000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
> keysizemin=160, keysizemax=160
> 
>   000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
> keysizemin=256, keysizemax=256
> 
>   000
> 
>   000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
> keydeflen=192
> 
>   000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
> keydeflen=128
> 
>   000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 
>   000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 
>   000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 
>   000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 
>   000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 
>   000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 
>   000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 
>   000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 
>   000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 
>   000
> 
>   000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} 
> trans={0,3,72} attrs={0,3,48}
> 
>   000
> 
>   000 "innov2demain": 1.2.3.4...8199.98.97.96===192.168.254.0/24; 
> prospective erouted; eroute owner: #0
> 
>   000 "innov2demain":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
> dstup=ipsec _updown;
> 
>   000 "innov2demain":   ike_life: 1800s; ipsec_life: 28800s; 
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 
>   000 "innov2demain":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; 
> prio: 32,24; interface: eth0;
> 
>   000 "innov2demain":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 
>   000 "innov2demain":   ESP algorithms wanted: 3_000-1, 3_000-2, 
> flags=strict
> 
>   000 "innov2demain":   ESP algorithms loaded: 3_000-1, 3_000-2, 
> flags=strict
> 
>   000
> 
>   000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); 
> EVENT_RETRANSMIT in 2s; nodpd
> 
>   000 #41: pending Phase 2 for "innov2demain" replacing #0
> 
>   000 #41: pending Phase 2 for "innov2demain" replacing #0
> 
>   000 #41: pending Phase 2 for "innov2demain" replacing #0
> 
>   000
> 
>  
> 
> root at ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep 
> -i ipsec
> 
>   Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
> 
>   Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
> 
>   Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0 
> 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
> 
>   Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
> 
>   Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec 
> U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
> 
>   Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1: 
> STATE_MAIN_I1: initiate
> 
>   Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn 
> "innov2demain"
> 
>  
> 
> root at ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting 
> state (STATE_MAIN_I1)
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 
> 127.0.0.1:4500
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 
> 127.0.0.1:500
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 
> 1.2.3.4:4500
> 
>   Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 
> 1.2.3.4:500
> 
>   Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version 
> 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID   PLUTO_USES_KEYRR; 
> Vendor ID OElLO]RdWNRD)
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500 
> floating to on
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]:    port floating activation 
> criteria nat_t=1/port_fload=1
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]:   including NAT-Traversal patch 
> (Version 0.6c)
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random 
> failed in init_rnd_pool(), trying alternate sources of random
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as 
> the source of random
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): 
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
> 
>   Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random 
> failed in init_rnd_pool(), trying alternate sources of random
> 
>   Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as 
> the source of random
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
> 
>   Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface 
> code on 2.6.24.2-xxxx-std-ipv4-32
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory 
> '/etc/ipsec.d/cacerts'
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory 
> '/etc/ipsec.d/aacerts'
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory 
> '/etc/ipsec.d/ocspcerts'
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory 
> '/etc/ipsec.d/crls'
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]:   Warning: empty directory
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: added connection description 
> "innov2demain"
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 
> 1.2.3.4:500
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 
> 1.2.3.4:4500
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:500
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:4500
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from 
> "/etc/ipsec.secrets"
> 
>   Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating 
> Main Mode
> 
>  
> 
>  
> 
> I probably missed something around 3DES, SHA1 and the likes but I can't 
> figure out what's wrong ...
> 
> Any clue?
> 