[Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
MM.ST
jfendrody at mm.st
Tue Aug 26 18:50:28 EDT 2008
Hi Peter,
Thanks for the help.
My answers in your email.
Jeff
-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net]
Sent: Tuesday 26 August 2008 16:32
To: MM.ST
Cc: users at openswan.org
Subject: Re: [Openswan Users] [configuration] pending Phase 2 for "xxx"
replacing #0
At this point it looks like the two endpoints are not communicating,
let alone connecting.
Do your Fortigate logs say anything?
JFE>> Fortigate is not very helpful in terms of logs. I cannot get anything
useful from it.
Did you permit IPSec and tunneled traffic to pass through the firewall
without masquerading it?
JFE>> Left side is connected directly to the internet, no firewall. Right
end FW is ok.
Can you verify that the packets are being sent/received by packet sniffing?
JFE>> I did not yet but I could. I will let you know.
Are your real left/right ip's public internet addresses?
They should be if possible, otherwise you will need NAT-T.
Note even with NAT-T the Fortigate will need a public ip.
JFE>> Yes they are public internet addresses.
You're trying to connect just one computer to the Fortigate LAN, correct?
This is what your ipsec.conf would indicate.
JFE>> Yes. Left end is just one single computer.
The following are not likely the cause, but may cause you future
problems, so addressing them now won't hurt.
What Diffie-Hellman (DH) Groups does the Fortigate allow?
DH Group 1 is insecure and Openswan will refuse to use it,
make sure the Fortigate is using Group 2 or 5. (1024 or 1536 bit)
JFE>> For Phase 1, Fortigate allows DH group 1, 2 and 5.
JFE>> For Phase 2, Fortigate allows DH group 2 only.
You can further match the DH group with Openswan as follows:
ike=3des-sha1;modp1024
esp=3des-sha1
JFE>> Updated. I had to change "ike=3des-sha1;modp1024" to "
ike=3des-sha1-modp1024"
JFE>> Don't know if that matters.
Try with compress=no first, compression sometimes does not work.
JFE>> Ok, I change ipsec.conf accordingly.
Make sure the Fortigate is using Main mode not Aggressive mode.
JFE>> It is configured in Main mode.
Note your keylifes do not match, ike is phase 1. This will not
prevent connection but may prematurely end it.
ikelifetime=28800
keylife=1800
JFE>> Updated.
If none of this helps you, you may need to send an ipsec barf >
ipsec_barf.txt, which should contain most necessary information
to fix the problem. Don't worry it will not contain your keys.
JFE>> I ran the command. The output is quite impressive.
JFE>> As I do not know what's useful in there and I do not want to copy the
whole thing in the email,
JFE>> I created a dedicated web page with the full content.
JFE>> I also added print screens of the fortigate config.
JFE>> you can find it here : http://www.innovinfo.fr/openswan/index.html
JFE>> Thanks again for the support !
Peter
MM.ST wrote:
> Dear Openswan experts,
>
> I am brand new to openswan (and VPN in general) and have been googling
> with no success for 2 days trying to fix my problem.
>
> Any help from the community would be most welcome.
>
> I am trying to connect 1 server to a network protected by a Fortigate
> firewall through a VPN.
>
> I managed to get openswan running on linux (Ubuntu) --at least I guess so...
>
> But I cannot get the VPN up and running...
>
> Ok, here come the technical details.
>
> Let's start with the Fortigate configuration:
>
> Phase 1:
> - remote IP 1.2.3.4
> - pre-shared key : "key"
> - Encryption : 3DES
> - Authentication : SHA1
> - Key lifetime : 28800 seconds
>
> Phase 2:
> - Encryption : 3DES
> - Authentication : SHA1
> - Key lifetime : 1800 seconds
>
> Now the openswan configuration:
>
> /etc/ipsec.conf:
>
> config setup
>     interfaces="ipsec0=eth0"
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
>
> conn innov2demain
>     left=1.2.3.4
>     right=99.98.97.96
>     rightsubnet=192.168.254.0/24
>     keyexchange=ike
>     auto=start
>     authby=secret
>     esp=3des
>     compress=yes
>     ikelifetime=1800
>
> # Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> /etc/ipsec.secrets
>
> 1.2.3.4 99.98.97.96 : PSK "test"
>
>
> Here come the logs :
>
> root at ks2228:/proc/sys/net/ipv4/conf# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [OK]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> root at ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
> IPsec running - pluto pid: 22136
> pluto pid 22136
> No tunnels up
>
> root at ks2228:/var/log# ipsec auto --verbose --up innov2demain
>
> I have no feedback at all. Nothing happens ...
>
> root at ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 1.2.3.4
> 000 interface eth0/eth0 1.2.3.4
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,72} attrs={0,3,48}
> 000
> 000 "innov2demain": 1.2.3.4...8199.98.97.96===192.168.254.0/24; prospective erouted; eroute owner: #0
> 000 "innov2demain": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "innov2demain": ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "innov2demain": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
> 000 "innov2demain": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "innov2demain": ESP algorithms wanted: 3_000-1, 3_000-2, flags=strict
> 000 "innov2demain": ESP algorithms loaded: 3_000-1, 3_000-2, flags=strict
> 000
> 000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
> 000 #41: pending Phase 2 for "innov2demain" replacing #0
> 000 #41: pending Phase 2 for "innov2demain" replacing #0
> 000 #41: pending Phase 2 for "innov2demain" replacing #0
> 000
>
> root at ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep -i ipsec
> Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
> Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
> Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
> Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
> Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
> Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1: STATE_MAIN_I1: initiate
> Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn "innov2demain"
>
> root at ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
> Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
> Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
> Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting state (STATE_MAIN_I1)
> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:4500
> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:500
> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:4500
> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:500
> Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
> Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
> Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500 floating to on
> Aug 26 08:01:24 ks2228 pluto[27748]: port floating activation criteria nat_t=1/port_fload=1
> Aug 26 08:01:24 ks2228 pluto[27748]: including NAT-Traversal patch (Version 0.6c)
> Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as the source of random
> Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
> Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
> Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as the source of random
> Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
> Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface code on 2.6.24.2-xxxx-std-ipv4-32
> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/cacerts'
> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/aacerts'
> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/ocspcerts'
> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/crls'
> Aug 26 08:01:25 ks2228 pluto[27748]: Warning: empty directory
> Aug 26 08:01:25 ks2228 pluto[27748]: added connection description "innov2demain"
> Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:500
> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:4500
> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:500
> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:4500
> Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from "/etc/ipsec.secrets"
> Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating Main Mode
>
> I probably missed something around 3DES, SHA1 and the likes but I can't
> figure out what's wrong ...
>
> Any clue ??
>
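Peter's checklist earlier in this thread (pin ike= and esp= to the Fortigate's 3DES/SHA1 and DH group 2, avoid DH group 1, set compress=no, and swap the ikelifetime/keylife values so phase 1 is 28800 s and phase 2 is 1800 s) can be run as a mechanical check against a conn block. The script below is an added example written for this archive page; it is not code from the thread, from Openswan or from Fortinet. It parses a conn section, compares it with the Fortigate settings quoted in the original post, and lists every mismatch. Assumptions, also marked in comments: the Openswan defaults used for an unset ikelifetime (1 h) and keylife (8 h), the modp-name-to-DH-group mapping taken from the post's `ipsec auto --status` output, and acceptance of both `;` and `-` before the DH group, since the thread shows both spellings.

```python
# Added example (not from the thread): check an Openswan conn against the peer's
# phase 1 / phase 2 settings the way Peter's checklist does.
import re

# Fortigate settings from the original post (3DES/SHA1, 28800 s / 1800 s) plus the
# DH groups Jeff reports it allows (phase 1: 1, 2, 5; phase 2: 2 only).
FORTIGATE = {
    "phase1": {"enc": "3des", "auth": "sha1", "lifetime": 28800, "dh": {1, 2, 5}},
    "phase2": {"enc": "3des", "auth": "sha1", "lifetime": 1800, "dh": {2}},
}
# Openswan modp names -> IKE DH group ids (ids as listed by 'ipsec auto --status').
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}
# Assumed Openswan defaults for unset values: ikelifetime 1h, keylife 8h (the 8h
# is what the post's status output shows as ipsec_life when keylife is unset).
DEFAULT_IKELIFETIME, DEFAULT_KEYLIFE = 3600, 28800

# The conn from the original post (constructed copy, indented as ipsec.conf expects).
ORIGINAL_CONF = """
conn innov2demain
    left=1.2.3.4
    right=99.98.97.96
    rightsubnet=192.168.254.0/24
    keyexchange=ike
    auto=start
    authby=secret
    esp=3des
    compress=yes
    ikelifetime=1800
"""
# The same conn with Peter's suggested changes applied (constructed).
REVISED_CONF = (ORIGINAL_CONF
                .replace("esp=3des", "ike=3des-sha1;modp1024\n    esp=3des-sha1")
                .replace("compress=yes", "compress=no")
                .replace("ikelifetime=1800", "ikelifetime=28800\n    keylife=1800"))


def parse_conn(text, name):
    """Return the key=value settings of the named conn section as a dict."""
    settings, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if re.match(r"(conn|config)\s+\S+", line):
            in_conn = line.split()[0] == "conn" and line.split()[1] == name
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def parse_proposal(value):
    """Split an ike=/esp= value into (enc, auth, dh_group); the DH group may follow
    ';' or '-' (assumption: the thread shows both spellings in use), and only the
    first comma-separated proposal is inspected."""
    parts = re.split(r"[-;]", value.split(",")[0].strip())
    enc = parts[0]
    auth = parts[1] if len(parts) > 1 else None
    dh = next((MODP_TO_GROUP[p] for p in parts[2:] if p in MODP_TO_GROUP), None)
    return enc, auth, dh


def lifetime_seconds(value):
    """Convert an Openswan time value ('1800', '1800s', '30m', '8h') to seconds."""
    num, unit = re.fullmatch(r"(\d+)([smhd]?)", value).groups()
    return int(num) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]


def check_conn(settings, peer=FORTIGATE):
    """Return a list of findings; an empty list means the conn agrees with the peer."""
    p1, p2 = peer["phase1"], peer["phase2"]
    findings = []
    if settings.get("compress", "no") == "yes":
        findings.append("compress=yes: try compress=no first, compression often fails")
    ike_life = lifetime_seconds(settings.get("ikelifetime", str(DEFAULT_IKELIFETIME)))
    if ike_life != p1["lifetime"]:
        findings.append(f"ikelifetime is {ike_life}s, peer phase 1 lifetime is {p1['lifetime']}s")
    key_life = lifetime_seconds(settings.get("keylife", str(DEFAULT_KEYLIFE)))
    if key_life != p2["lifetime"]:
        findings.append(f"keylife is {key_life}s, peer phase 2 lifetime is {p2['lifetime']}s")
    dh1 = None
    if "ike" not in settings:
        findings.append("ike= unset: phase 1 cipher, hash and DH group are not pinned to the peer's")
    else:
        enc, auth, dh1 = parse_proposal(settings["ike"])
        if (enc, auth) != (p1["enc"], p1["auth"]):
            findings.append(f"ike={settings['ike']} does not match peer phase 1 {p1['enc']}/{p1['auth']}")
        if dh1 is None:
            findings.append("ike= names no DH group (e.g. modp1024 for group 2)")
        elif dh1 == 1:
            findings.append("ike= uses DH group 1 (modp768), which Openswan refuses")
        elif dh1 not in p1["dh"]:
            findings.append(f"ike= DH group {dh1} is not allowed by the peer for phase 1")
    if "esp" not in settings:
        findings.append("esp= unset")
    else:
        enc, auth, _ = parse_proposal(settings["esp"])
        if enc != p2["enc"] or auth != p2["auth"]:
            findings.append(f"esp={settings['esp']} should name cipher and hash: {p2['enc']}-{p2['auth']}")
    # With pfs=yes (Openswan's default; the post's policy line shows PFS) phase 2
    # reuses the phase 1 DH group unless pfsgroup= overrides it.
    if settings.get("pfs", "yes") == "yes" and dh1 is not None and dh1 not in p2["dh"]:
        findings.append(f"PFS would use DH group {dh1} in phase 2, peer allows {sorted(p2['dh'])}")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("revised", REVISED_CONF)):
        print(label, check_conn(parse_conn(conf, "innov2demain")) or ["no findings"])
```

Run against the conn from the original post it reports five findings (compress=yes, both lifetimes, no ike= line, esp= without a hash); the revised conn reports none. The lifetime check is the one most worth keeping around: a mismatch there does not stop the tunnel coming up, as Peter notes, so it only shows itself later as a tunnel that drops at rekey time.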