[Openswan Users] Only one side of tunnel completing initiation?

Dan Brown danb at zu.com
Thu Dec 18 17:32:25 EST 2008


I have been struggling to figure out an ipsec config for the last couple of
days.  To me it looks as though it's working but only one tunnel ever comes
up.  On one side is the OpenSwan (2.4.13) gateway/host which connects to a
Nortel CES 2600 VPN gateway on the other.  We're trying to set up a
pre-shared-key connection.

I can see ESP packets from my host to their gateway but never receive
anything in return.  I do however get the isakmp icmp packets.  I'm not sure
if my (left) end of tunnel doesn't come up properly or if it's the remote
end.  The only apparent error on the Nortel end is this:

12/18/2008 16:54:44 0 ISAKMP [13] Invalid cookie in message from
209.167.162.84

Connectivity tests appear to pass OK.

When the connection is initiated from the other end I get (I've deleted
timestamps, hostname, process info from the /var/log/secure log):

#1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
#1: received and ignored informational message
#1: received Delete SA payload: deleting ISAKMP State #1
: packet from 207.236.235.99:500: received and ignored informational message
: packet from 207.236.235.99:500: ignoring unknown Vendor ID payload
[424e455300000009]
: packet from 207.236.235.99:500: received Vendor ID payload [Dead Peer
Detection]
#3: responding to Main Mode
#3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
#3: STATE_MAIN_R1: sent MR1, expecting MI2
#3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
#3: STATE_MAIN_R2: sent MR2, expecting MI3
#3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
#3: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
#3: I did not send a certificate because I do not have one.
#3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
#3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
#4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP to replace #2
{using isakmp#3}
#4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
#4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4084e667
<0x1f27833f xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
#3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
#3: received and ignored informational message
#3: received Delete SA payload: deleting ISAKMP State #3
: packet from 207.236.235.99:500: received and ignored informational message
#5: initiating Main Mode
#5: ignoring unknown Vendor ID payload [424e455300000009]
#5: received Vendor ID payload [Dead Peer Detection]
#5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
#5: STATE_MAIN_I2: sent MI2, expecting MR2
#5: I did not send a certificate because I do not have one.
#5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
#5: STATE_MAIN_I3: sent MI3, expecting MR3
#5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
#5: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
#5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
#5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
#6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP {using
isakmp#5}
#6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
#6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0f4b0fbd
<0x0a663e00 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
When restarting the connection from my end it also looks like it connects
(again from /var/log/secure):

#1: initiating Main Mode
#1: ignoring unknown Vendor ID payload [424e455300000009]
#1: received Vendor ID payload [Dead Peer Detection]
#1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
#1: STATE_MAIN_I2: sent MI2, expecting MR2
#1: I did not send a certificate because I do not have one.
#1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
#1: STATE_MAIN_I3: sent MI3, expecting MR3
#1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
#1: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
#1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
#1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
#2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
#2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
#2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfe516ebd
<0x169858db xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
When pinging their peer address I see no response but that's okay.  It looks
like a typical packet:

15:53:37.284256 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 1,
length: 84) 209.167.162.84 > 207.236.235.99: icmp 64: echo request seq 0

When I ping a host through the tunnel I see:

15:55:03.156650 IP (tos 0x0, ttl  64, id 25888, offset 0, flags [DF], proto
50, length: 136) 209.167.162.84 > 207.236.235.99:
ESP(spi=0xfe516ebd,seq=0x6)

But again no response (the tech on the other end says this is due to their
firewall).

[root at blackhawk etc]# /etc/init.d/ipsec status
IPsec running  - pluto pid: 20448
pluto pid 20448
1 tunnels up
some eroutes exist

Using lynx to access an internal website on their end it just sits there
waiting for a response until I ctrl-C out of it.
My config looks like this:
# basic configuration
config setup
        plutoopts="--perpeerlog"
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #oe=off < - not available in openswan 2.4, see include below
        protostack=netkey

include /etc/ipsec.d/no_oe.conf

# Add connections here
include /etc/ipsec.d/ipsec.gof.conf

# /etc/ipsec.d/ipsec.gof.conf
conn p2p
        authby=secret
        pfs=yes
        auto=add
        keyexchange=ike
        keyingtries=3
        rekey=yes
        ike=3des-sha1-modp1024,aes128-sha1-modp1024
        ikelifetime=8h
        compress=no
        keylife=8h
        type=tunnel
        left=209.167.162.84
        leftnexthop=209.167.162.81
        leftsubnet=209.167.162.80/28
        right=207.236.235.99
        rightsubnet=199.43.146.0/24


_____________________
Dan Brown
danb at zu.com
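Added by the editor: a small diagnostic script, not code from the post above or from Openswan itself, that correlates pluto log records with a tcpdump ESP capture. It embeds the post's own log excerpts and tcpdump line as constructed sample input (the mail wrapping re-joined so each pluto record is one line) and assumes the `tcpdump -v` record layout shown in the post; the `SaState`, `parse_pluto`, `correlate` and `diagnose` names are the editor's own. Run against the real /var/log/secure and a live capture it reports, per IPsec SA, how many ESP packets left with the outbound SPI and how many came back with the inbound SPI, and which SAs the peer tore down with a Delete payload.

```python
"""Correlate Openswan pluto log lines with a tcpdump ESP capture.

Editor-added diagnostic, not part of the original post or of Openswan.
It tracks the states pluto prints (ISAKMP SA established, IPsec SA
established with its two SPIs, Delete SA payloads from the peer) and
counts ESP packets per SPI and direction, so a one-way tunnel shows up
as "sent N, recv 0" against a specific SA instead of a vague "no reply".
"""
import re
from dataclasses import dataclass

ISAKMP_EST = re.compile(r"#(\d+): .*ISAKMP SA established")
IPSEC_EST = re.compile(
    r"#(\d+): .*IPsec SA established \{ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)")
DELETE_ISAKMP = re.compile(r"received Delete SA payload: deleting ISAKMP State #(\d+)")
DELETE_IPSEC = re.compile(r"received Delete SA payload: replace IPSEC State #(\d+)")
# tcpdump -v record: "... 209.167.162.84 > 207.236.235.99: ESP(spi=0xfe516ebd,seq=0x6)"
ESP_PKT = re.compile(
    r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}):\s*ESP\(spi=0x([0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)")


@dataclass
class SaState:
    num: int
    kind: str                    # "isakmp" or "ipsec"
    out_spi: int = 0             # "ESP=>" SPI, carried on packets we send
    in_spi: int = 0              # "<" SPI, expected on packets we receive
    deleted_by_peer: bool = False
    out_pkts: int = 0
    in_pkts: int = 0


def parse_pluto(lines):
    """Return {state number: SaState} from pluto log records, one record per line."""
    states = {}
    for line in lines:
        if m := ISAKMP_EST.search(line):
            n = int(m.group(1))
            states[n] = SaState(n, "isakmp")
        elif m := IPSEC_EST.search(line):
            n = int(m.group(1))
            states[n] = SaState(n, "ipsec", int(m.group(2), 16), int(m.group(3), 16))
        elif m := DELETE_ISAKMP.search(line):
            n = int(m.group(1))
            states.setdefault(n, SaState(n, "isakmp")).deleted_by_peer = True
        elif m := DELETE_IPSEC.search(line):
            # A Delete for an SA established before the excerpt starts still
            # gets a record, with unknown (zero) SPIs.
            n = int(m.group(1))
            states.setdefault(n, SaState(n, "ipsec")).deleted_by_peer = True
    return states


def correlate(states, capture_lines, local_ip):
    """Count ESP packets per SA and direction; return (src, dst, spi) of unmatched ones."""
    by_out = {s.out_spi: s for s in states.values() if s.kind == "ipsec" and s.out_spi}
    by_in = {s.in_spi: s for s in states.values() if s.kind == "ipsec" and s.in_spi}
    unknown = []
    for line in capture_lines:
        if not (m := ESP_PKT.search(line)):
            continue
        src, dst, spi = m.group(1), m.group(2), int(m.group(3), 16)
        if src == local_ip and spi in by_out:
            by_out[spi].out_pkts += 1
        elif dst == local_ip and spi in by_in:
            by_in[spi].in_pkts += 1
        else:
            unknown.append((src, dst, spi))   # SPI no established SA accounts for
    return unknown


def diagnose(states):
    """One line per SA of interest, plus a verdict when traffic only leaves."""
    report = []
    for s in sorted(states.values(), key=lambda s: s.num):
        flag = " [peer sent Delete]" if s.deleted_by_peer else ""
        if s.kind == "ipsec":
            report.append(f"IPsec SA #{s.num}: out 0x{s.out_spi:08x} sent={s.out_pkts} "
                          f"in 0x{s.in_spi:08x} recv={s.in_pkts}{flag}")
        elif s.deleted_by_peer:
            report.append(f"ISAKMP SA #{s.num}:{flag}")
    if any(s.out_pkts and not s.in_pkts for s in states.values()):
        report.append("verdict: one-way; ESP leaves but nothing returns on our inbound SPI")
    return report


# Constructed sample input, taken from the post with mail wrapping re-joined:
# the locally initiated connection and its tcpdump line ...
LOCAL_LOG = [
    "#1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY group=modp1024}",
    "#2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfe516ebd <0x169858db xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}",
]
CAPTURE = [
    "15:55:03.156650 IP (tos 0x0, ttl 64, id 25888, offset 0, flags [DF], proto 50, length: 136) 209.167.162.84 > 207.236.235.99: ESP(spi=0xfe516ebd,seq=0x6)",
]
# ... and the peer-initiated excerpt, where the peer deletes #1, then #3/#4.
PEER_LOG = [
    "#1: received Delete SA payload: replace IPSEC State #2 in 10 seconds",
    "#1: received Delete SA payload: deleting ISAKMP State #1",
    "#3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY group=modp1024}",
    "#4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4084e667 <0x1f27833f xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}",
    "#3: received Delete SA payload: replace IPSEC State #4 in 10 seconds",
    "#3: received Delete SA payload: deleting ISAKMP State #3",
    "#5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY group=modp1024}",
    "#6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0f4b0fbd <0x0a663e00 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}",
]

if __name__ == "__main__":
    local = parse_pluto(LOCAL_LOG)
    print("unmatched ESP:", correlate(local, CAPTURE, "209.167.162.84"))
    print("\n".join(diagnose(local)))
    print("\n".join(diagnose(parse_pluto(PEER_LOG))))
```

On the post's data this reports SA #2 with one packet sent on 0xfe516ebd and none received on 0x169858db, and for the peer-initiated excerpt that the peer deleted ISAKMP #1 and #3 and IPsec #2 and #4 while #5/#6 survived. An ESP packet whose SPI matches no established SA is returned as unmatched; that is the case to look at when the two gateways disagree about which SA is live.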
