[Openswan Users] [configuration] pending Phase 2 for "xxx" replacing #0
Peter McGill
petermcgill at goco.net
Wed Aug 27 10:12:40 EDT 2008
Jeff,
One more thought just occurred to me; I suggest trying this first.
Change the Quick Mode selector on the Fortigate as follows:
(Note: if this doesn't work, try switching Source and Dest.)
Source Address: 1.2.3.40
Destination Address: 192.168.254.0/24
Peter
Peter McGill wrote:
> Jeff,
>
> The problem is not obvious to me; if someone else
> can offer Jeff some help, please do so.
>
> Summary:
> Openswan appears to be installed correctly,
> you have no firewall rules or masquerade rules.
> Your Openswan and Fortigate configs match.
> Yet it gets stuck on STATE_MAIN_I1.
>
> Can you ping the Fortigate via the internet without encryption?
>
> You could try adding one of the following to your conn:
> leftnexthop=%defaultroute
> leftnexthop=1.2.3.254
>
> I'm not sure it will help, but you could disable DH Groups 1 & 5
> on the Fortigate, so that it's only using 2, the same as Openswan,
> disable NAT-T support on both sides, since you don't need it,
> and upgrade to a newer version of Openswan; 2.4.6 is very old.
> http://openswan.org/code/
>
> Peter
>
> MM.ST wrote:
>> Hi Peter,
>>
>> Thanks for the help.
>> My answers in your email.
>>
>> Jeff
>>
>> -----Original Message-----
>> From: Peter McGill [mailto:petermcgill at goco.net]
>> Sent: Tuesday, 26 August 2008 16:32
>> To: MM.ST
>> Cc: users at openswan.org
>> Subject: Re: [Openswan Users] [configuration] pending Phase 2 for "xxx"
>> replacing #0
>>
>> At this point it looks like the two endpoints are not communicating,
>> let alone connecting.
>>
>> Do your Fortigate logs say anything?
>>
>> JFE>> Fortigate is not very helpful in terms of logs. I cannot get
>> anything useful from it.
>>
>> Did you permit IPSec and tunneled traffic to pass through the firewall
>> without masquerading it?
>>
>> JFE>> Left side is connected directly to the internet, no firewall. Right
>> end FW is ok.
>>
>> Can you verify that the packets are being sent/received by packet
>> sniffing?
>>
>> JFE>> I did not yet but I could. I will let you know.
>>
>> Are your real left/right ip's public internet addresses?
>> They should be if possible, otherwise you will need NAT-T.
>> Note even with NAT-T the Fortigate will need a public ip.
>>
>> JFE>> Yes they are public internet addresses.
>>
>> You're trying to connect just one computer to the Fortigate LAN, correct?
>> This is what your ipsec.conf would indicate.
>>
>> JFE>> Yes. Left end is just one single computer.
>>
>> The following are not likely the cause, but may cause you future
>> problems, so addressing them now won't hurt.
>>
>> What Diffie-Hellman (DH) Groups does the Fortigate allow?
>> DH Group 1 is insecure and Openswan will refuse to use it,
>> make sure the Fortigate is using Group 2 or 5. (1024 or 1536 bit)
>>
>> JFE>> For Phase 1, Fortigate allows DH group 1, 2 and 5.
>> JFE>> For Phase 2, Fortigate allows DH group 2 only.
>>
>> You can further match the DH group with Openswan as follows:
>> ike=3des-sha1;modp1024
>> esp=3des-sha1
>>
>> JFE>> Updated. I had to change "ike=3des-sha1;modp1024" to
>> "ike=3des-sha1-modp1024". Don't know if that matters.
>>
>> Try with compress=no first, compression sometimes does not work.
>>
>> JFE>> Ok, I change ipsec.conf accordingly.
>>
>> Make sure the Fortigate is using Main mode not Aggressive mode.
>>
>> JFE>> It is configured in Main mode.
>>
>> Note your key lifetimes do not match; ike is phase 1. This will not
>> prevent connection but may prematurely end it.
>> ikelifetime=28800
>> keylife=1800
>>
>> JFE>> Updated.
>>
>> If none of this helps you, you may need to send an ipsec barf >
>> ipsec_barf.txt, which should contain most necessary information
>> to fix the problem. Don't worry it will not contain your keys.
>>
>> JFE>> I ran the command. The output is quite impressive.
>> JFE>> As I do not know what's useful in there and I do not want to copy
>> the whole thing in the email, I created a dedicated web page with the
>> full content. I also added print screens of the Fortigate config.
>> JFE>> You can find it here: http://www.innovinfo.fr/openswan/index.html
>>
>> JFE>> Thanks again for the support !
>>
>> Peter
>>
>>
>> MM.ST wrote:
>>> Dear Openswan experts,
>>>
>>> I am brand new to openswan (and VPNs in general) and have been
>>> googling with no success for 2 days trying to fix my problem.
>>>
>>> Any help from the community would be most welcome.
>>>
>>> I am trying to connect 1 server to a network protected by a Fortigate
>>> firewall through a VPN.
>>>
>>> I managed to get openswan running on linux (Ubuntu), at least I guess so...
>>> But I cannot get the VPN up and running...
>>>
>>> Ok, here come the technical details.
>>>
>>> Let's start with the Fortigate configuration:
>>>
>>> Phase 1:
>>> - remote IP 1.2.3.4
>>> - pre-shared key : "key"
>>> - Encryption : 3DES
>>> - Authentication : SHA1
>>> - Key lifetime : 28800 seconds
>>>
>>> Phase 2:
>>> - Encryption : 3DES
>>> - Authentication : SHA1
>>> - Key lifetime : 1800 seconds
>>>
>>> Now the openswan configuration:
>>>
>>> /etc/ipsec.conf:
>>>
>>> config setup
>>>     interfaces="ipsec0=eth0"
>>>     nat_traversal=yes
>>>     virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.254.0/24
>>>
>>> conn innov2demain
>>>     left=1.2.3.4
>>>     right=99.98.97.96
>>>     rightsubnet=192.168.254.0/24
>>>     keyexchange=ike
>>>     auto=start
>>>     authby=secret
>>>     esp=3des
>>>     compress=yes
>>>     ikelifetime=1800
>>>
>>> # Disable Opportunistic Encryption
>>> include /etc/ipsec.d/examples/no_oe.conf
>>>
>>> /etc/ipsec.secrets:
>>>
>>> 1.2.3.4 99.98.97.96 : PSK "test"
>>>
>>> Here come the logs:
>>>
>>> root@ks2228:/proc/sys/net/ipv4/conf# ipsec verify
>>> Checking your system to see if IPsec got installed and started correctly:
>>> Version check and ipsec on-path                             [OK]
>>> Linux Openswan U2.4.6/K2.6.24.2-xxxx-std-ipv4-32 (netkey)
>>> Checking for IPsec support in kernel                        [OK]
>>> NETKEY detected, testing for disabled ICMP send_redirects   [OK]
>>> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
>>> Checking for RSA private key (/etc/ipsec.secrets)           [DISABLED]
>>> ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>>> Checking that pluto is running                              [OK]
>>> Two or more interfaces found, checking IP forwarding        [OK]
>>> Checking NAT and MASQUERADEing                              [OK]
>>> Checking for 'ip' command                                   [OK]
>>> Checking for 'iptables' command                             [OK]
>>> Opportunistic Encryption Support                            [DISABLED]
>>>
>>> root@ks2228:/proc/sys/net/ipv4/conf# /etc/init.d/ipsec status
>>> IPsec running - pluto pid: 22136
>>> pluto pid 22136
>>> No tunnels up
>>>
>>> root@ks2228:/var/log# ipsec auto --verbose --up innov2demain
>>>
>>> I have no feedback at all. Nothing happens ...
>>>
>>> root@ks2228:/proc/sys/net/ipv4/conf# ipsec auto --status
>>> 000 interface lo/lo 127.0.0.1
>>> 000 interface lo/lo 127.0.0.1
>>> 000 interface eth0/eth0 1.2.3.4
>>> 000 interface eth0/eth0 1.2.3.4
>>> 000 %myid = (none)
>>> 000 debug none
>>> 000
>>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
>>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
>>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>>> 000
>>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
>>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
>>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>>> 000
>>> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,72} attrs={0,3,48}
>>> 000
>>> 000 "innov2demain": 1.2.3.4...8199.98.97.96===192.168.254.0/24; prospective erouted; eroute owner: #0
>>> 000 "innov2demain": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
>>> 000 "innov2demain": ike_life: 1800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>>> 000 "innov2demain": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: eth0;
>>> 000 "innov2demain": newest ISAKMP SA: #0; newest IPsec SA: #0;
>>> 000 "innov2demain": ESP algorithms wanted: 3_000-1, 3_000-2, flags=strict
>>> 000 "innov2demain": ESP algorithms loaded: 3_000-1, 3_000-2, flags=strict
>>> 000
>>> 000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
>>> 000 #41: pending Phase 2 for "innov2demain" replacing #0
>>> 000 #41: pending Phase 2 for "innov2demain" replacing #0
>>> 000 #41: pending Phase 2 for "innov2demain" replacing #0
>>> 000
>>>
>>>
>>> root@ks2228:/proc/sys/net/ipv4/conf# tail -n 1000 /var/log/syslog | grep -i ipsec
>>> Aug 26 08:01:16 ks2228 ipsec_setup: ...Openswan IPsec stopped
>>> Aug 26 08:01:16 ks2228 ipsec_setup: Stopping Openswan IPsec...
>>> Aug 26 08:01:24 ks2228 ipsec_setup: KLIPS ipsec0 on eth0 1.2.3.4/255.255.255.0 broadcast 1.2.3.255
>>> Aug 26 08:01:24 ks2228 ipsec_setup: ...Openswan IPsec started
>>> Aug 26 08:01:24 ks2228 ipsec_setup: Starting Openswan IPsec U2.4.6/K2.6.24.2-xxxx-std-ipv4-32...
>>> Aug 26 08:01:25 ks2228 ipsec__plutorun: 104 "innov2demain" #1: STATE_MAIN_I1: initiate
>>> Aug 26 08:01:25 ks2228 ipsec__plutorun: ...could not start conn "innov2demain"
>>>
>>> root@ks2228:~# tail -n 100000 /var/log/auth.log | grep -i pluto
>>> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down
>>> Aug 26 08:01:15 ks2228 pluto[22836]: forgetting secrets
>>> Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain": deleting connection
>>> Aug 26 08:01:15 ks2228 pluto[22836]: "innov2demain" #42: deleting state (STATE_MAIN_I1)
>>> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:4500
>>> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface lo/lo 127.0.0.1:500
>>> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:4500
>>> Aug 26 08:01:15 ks2228 pluto[22836]: shutting down interface eth0/eth0 1.2.3.4:500
>>> Aug 26 08:01:24 ks2228 ipsec__plutorun: Starting Pluto subsystem...
>>> Aug 26 08:01:24 ks2228 pluto[27748]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
>>> Aug 26 08:01:24 ks2228 pluto[27748]: Setting NAT-Traversal port-4500 floating to on
>>> Aug 26 08:01:24 ks2228 pluto[27748]: port floating activation criteria nat_t=1/port_fload=1
>>> Aug 26 08:01:24 ks2228 pluto[27748]: including NAT-Traversal patch (Version 0.6c)
>>> Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
>>> Aug 26 08:01:24 ks2228 pluto[27748]: WARNING: Using /dev/urandom as the source of random
>>> Aug 26 08:01:24 ks2228 pluto[27748]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>>> Aug 26 08:01:24 ks2228 pluto[27748]: starting up 1 cryptographic helpers
>>> Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
>>> Aug 26 08:01:24 ks2228 pluto[27764]: WARNING: Using /dev/urandom as the source of random
>>> Aug 26 08:01:24 ks2228 pluto[27748]: started helper pid=27764 (fd:6)
>>> Aug 26 08:01:24 ks2228 pluto[27748]: Using Linux 2.6 IPsec interface code on 2.6.24.2-xxxx-std-ipv4-32
>>> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/cacerts'
>>> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/aacerts'
>>> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/ocspcerts'
>>> Aug 26 08:01:25 ks2228 pluto[27748]: Changing to directory '/etc/ipsec.d/crls'
>>> Aug 26 08:01:25 ks2228 pluto[27748]: Warning: empty directory
>>> Aug 26 08:01:25 ks2228 pluto[27748]: added connection description "innov2demain"
>>> Aug 26 08:01:25 ks2228 pluto[27748]: listening for IKE messages
>>> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:500
>>> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface eth0/eth0 1.2.3.4:4500
>>> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:500
>>> Aug 26 08:01:25 ks2228 pluto[27748]: adding interface lo/lo 127.0.0.1:4500
>>> Aug 26 08:01:25 ks2228 pluto[27748]: loading secrets from "/etc/ipsec.secrets"
>>> Aug 26 08:01:25 ks2228 pluto[27748]: "innov2demain" #1: initiating Main Mode
>>>
>>> I probably missed something around 3DES, SHA1 and the likes but I
>>> can't figure out what's wrong ...
>>>
>>> Any clue ??
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
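Added example, not part of the thread and not Openswan code: a small Python lint that parses the conn Jeff posted and compares it with the Fortigate phase 1 / phase 2 settings he listed, reporting the mismatches Peter walks through (no ike= line, esp=3des with no integrity algorithm named, ikelifetime and keylife the wrong way round relative to the Fortigate, compress=yes) and the local/remote networks the Fortigate's Quick Mode selector must mirror. The ORIGINAL_CONF and FIXED_CONF fragments, the FORTIGATE table, the Openswan defaults assumed for absent keywords (ikelifetime 1h, keylife 8h, compress=no), and all function names and finding codes are constructed for this example. The proposal parser accepts both the ";" and "-" spellings mentioned in the thread; which one Openswan 2.4.6 accepts is not settled here.

```python
# Added example for this thread, not Openswan code: lint a conn against the
# peer's stated IKE/IPsec settings. All samples below are constructed from the thread.
import re

# Constructed: the conn as first posted, and the same conn with the thread's
# suggestions applied (ike= pinned, esp with auth, lifetimes swapped, no compress).
ORIGINAL_CONF = """\
conn innov2demain
    left=1.2.3.4
    right=99.98.97.96
    rightsubnet=192.168.254.0/24
    authby=secret
    esp=3des
    compress=yes
    ikelifetime=1800
"""
FIXED_CONF = """\
conn innov2demain
    left=1.2.3.4
    right=99.98.97.96
    rightsubnet=192.168.254.0/24
    authby=secret
    ike=3des-sha1;modp1024
    esp=3des-sha1
    compress=no
    ikelifetime=28800
    keylife=1800
"""
# Constructed from the Fortigate phase 1 / phase 2 settings quoted in the thread (DH 1, 2, 5 / DH 2).
FORTIGATE = {
    "phase1": {"enc": "3des", "auth": "sha1", "life": 28800, "dh": {"modp768", "modp1024", "modp1536"}},
    "phase2": {"enc": "3des", "auth": "sha1", "life": 1800, "dh": {"modp1024"}},
}
# Assumed Openswan defaults when the keyword is absent: ikelifetime 1h, keylife 8h.
DEFAULTS = {"ikelifetime": "3600", "keylife": "28800", "compress": "no"}

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for each 'config setup' / 'conn NAME'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def parse_proposal(value):
    """Split 'enc-auth;dh' (or the 'enc-auth-dh' spelling) into (enc, auth, dh)."""
    enc = auth = dh = None
    for part in re.split(r"[;-]", value.lower()):
        if part.startswith("modp"):
            dh = part
        elif enc is None:
            enc = part
        elif auth is None:
            auth = part
    return enc, auth, dh

def seconds(value):
    """ipsec.conf time value: plain seconds or with an s/m/h/d suffix."""
    unit = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * unit[value[-1]] if value[-1] in unit else int(value)

def selectors(conn):
    """(local, remote) networks the peer's Quick Mode selector must mirror."""
    return (conn.get("leftsubnet", conn["left"] + "/32"),
            conn.get("rightsubnet", conn["right"] + "/32"))

def check_conn(conn, peer):
    """Return [(code, message)] for each mismatch between conn and the peer."""
    out, p1, p2 = [], peer["phase1"], peer["phase2"]
    if "ike" not in conn:
        out.append(("IKE_UNSET", "ike= not set; pin phase 1 to what the peer offers"))
    else:
        enc, auth, dh = parse_proposal(conn["ike"])
        if (enc, auth) != (p1["enc"], p1["auth"]):
            out.append(("IKE_ALG", f"phase 1 {enc}-{auth} vs peer {p1['enc']}-{p1['auth']}"))
        if dh is not None and dh not in p1["dh"]:
            out.append(("IKE_DH", f"phase 1 group {dh} not offered by peer"))
    enc, auth, _ = parse_proposal(conn.get("esp", ""))
    if auth is None:
        out.append(("ESP_NO_AUTH", "esp= names no integrity algorithm; pin it to the peer's"))
    elif (enc, auth) != (p2["enc"], p2["auth"]):
        out.append(("ESP_ALG", f"phase 2 {enc}-{auth} vs peer {p2['enc']}-{p2['auth']}"))
    ikelife = seconds(conn.get("ikelifetime", DEFAULTS["ikelifetime"]))   # phase 1
    keylife = seconds(conn.get("keylife", DEFAULTS["keylife"]))           # phase 2
    if ikelife != p1["life"]:
        out.append(("IKELIFETIME", f"ikelifetime {ikelife}s vs peer phase 1 {p1['life']}s"))
    if keylife != p2["life"]:
        out.append(("KEYLIFE", f"keylife {keylife}s vs peer phase 2 {p2['life']}s"))
    if conn.get("compress", DEFAULTS["compress"]) == "yes":
        out.append(("COMPRESS", "compress=yes; try compress=no first"))
    return out
```

Run check_conn(parse_ipsec_conf(ORIGINAL_CONF)["conn innov2demain"], FORTIGATE) to see the five findings for the conn as posted; the same call on FIXED_CONF returns an empty list, and selectors() on either gives ("1.2.3.4/32", "192.168.254.0/24"), which is the pair the Fortigate side has to carry (in one order or the other) in its Quick Mode selector.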
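Added example, not part of the thread and not Openswan code: a Python reader for the per-SA lines of `ipsec auto --status` that turns a state such as STATE_MAIN_I1 with EVENT_RETRANSMIT into what the initiator is still waiting for and which check comes first, which is the reading Peter gives ("the two endpoints are not communicating", sniff the packets). SAMPLE_STATUS is constructed from the status output quoted in the thread; the MEANING table, the regexes and the function names are mine. Only STATE_MAIN_I1 appears in the thread; the other rows of MEANING generalise to the remaining IKEv1 Main Mode and Quick Mode initiator states.

```python
# Added example for this thread, not Openswan code: read the per-SA lines of
# `ipsec auto --status` and say what the initiator is waiting for.
import re

# Constructed from the status output quoted in the thread.
SAMPLE_STATUS = """\
000 "innov2demain": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #41: "innov2demain":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 2s; nodpd
000 #41: pending Phase 2 for "innov2demain" replacing #0
000 #41: pending Phase 2 for "innov2demain" replacing #0
000 #41: pending Phase 2 for "innov2demain" replacing #0
"""

STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+) '
    r'\((?P<detail>[^)]*)\); (?P<event>EVENT_\w+)(?: in (?P<secs>\d+)s)?')
PENDING_RE = re.compile(r'^000 #(?P<sa>\d+): pending Phase 2 for "(?P<conn>[^"]+)"')

# IKEv1 Main Mode / Quick Mode initiator states: what each means and the first
# thing to check. Only STATE_MAIN_I1 occurs in the thread; the rest is my
# generalisation to the other initiator states.
MEANING = {
    "STATE_MAIN_I1": ("phase 1: sent our SA proposal (MI1), peer has not answered (no MR1)",
                      "capture udp/500 on both ends: does MI1 leave, does anything come back?"),
    "STATE_MAIN_I2": ("phase 1: proposal accepted, sent KE/nonce (MI2), waiting for MR2",
                      "peer reachable and proposal agreed; DH exchange not completing"),
    "STATE_MAIN_I3": ("phase 1: sent ID/HASH (MI3), waiting for MR3",
                      "peer cannot authenticate us: check the pre-shared key and IDs"),
    "STATE_MAIN_I4": ("phase 1 done: ISAKMP SA established",
                      "phase 1 is fine; look at phase 2"),
    "STATE_QUICK_I1": ("phase 2: sent Quick Mode proposal (QI1), waiting for QR1",
                       "check ESP proposal, PFS group and the peer's traffic selectors"),
    "STATE_QUICK_I2": ("phase 2 done: IPsec SA established", "tunnel is up"),
}

def parse_status(text):
    """Return (states, pending): per-SA state dicts and queued Phase 2 counts."""
    states, pending = [], {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sa"], d["port"] = int(d["sa"]), int(d["port"])
            d["secs"] = int(d["secs"]) if d["secs"] is not None else None
            states.append(d)
            continue
        m = PENDING_RE.match(line)
        if m:
            sa = int(m.group("sa"))
            pending[sa] = pending.get(sa, 0) + 1
    return states, pending

def diagnose(text):
    """One (conn, state, meaning, first_check) per SA in progress; [] if none."""
    states, pending = parse_status(text)
    report = []
    for s in states:
        meaning, check = MEANING.get(s["state"], ("unknown state", "read the pluto log"))
        if s["event"] == "EVENT_RETRANSMIT" and s["secs"] is not None:
            meaning += f" (retransmitting, next in {s['secs']}s)"
        if pending.get(s["sa"]):
            meaning += f"; {pending[s['sa']]} Phase 2 request(s) queued behind it"
        report.append((s["conn"], s["state"], meaning, check))
    return report
```

For the thread's output, diagnose(SAMPLE_STATUS) reports one SA (#41) on "innov2demain" sitting in STATE_MAIN_I1, retransmitting, with three Phase 2 requests queued behind it; the "pending Phase 2 ... replacing #0" lines in the subject are that queue, and they will keep piling up until phase 1 gets a reply.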