[Openswan Users] Only one side of tunnel completing initiation?
Peter McGill
petermcgill at goco.net
Fri Dec 19 09:03:44 EST 2008
Dan Brown wrote:
> I have been struggling to figure out an ipsec config for the last couple of
> days. To me it looks as though it's working but only one tunnel ever comes
> up. On one side is the OpenSwan (2.4.13) gateway/host which connects to a
> Nortel CES 2600 VPN gateway on the other. We're trying to setup a
> pre-shared-key connection.
>
> I can see ESP packets from my host to their gateway but never receive
> anything in return. I do however get the isakmp icmp packets. I'm not sure
> if my (left) end of tunnel doesn't come up properly or if it's the remote
> end. The only apparent error on the Nortel end is this:
>
> 12/18/2008 16:54:44 0 ISAKMP [13] Invalid cookie in message from
> 209.167.162.84
>
> Connectivity tests appear to pass OK.
>
> When the connection is initiated from the other end I get (I've deleted
> timestamps, hostname, process info from the /var/log/secure log):
>
> #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
> #1: received and ignored informational message
> #1: received Delete SA payload: deleting ISAKMP State #1
> : packet from 207.236.235.99:500: received and ignored informational message
> : packet from 207.236.235.99:500: ignoring unknown Vendor ID payload [424e455300000009]
> : packet from 207.236.235.99:500: received Vendor ID payload [Dead Peer Detection]
> #3: responding to Main Mode
> #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> #3: STATE_MAIN_R1: sent MR1, expecting MI2
> #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> #3: STATE_MAIN_R2: sent MR2, expecting MI3
> #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> #3: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
> #3: I did not send a certificate because I do not have one.
> #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP to replace #2 {using isakmp#3}
> #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4084e667 <0x1f27833f xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
> #3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
> #3: received and ignored informational message
> #3: received Delete SA payload: deleting ISAKMP State #3
> : packet from 207.236.235.99:500: received and ignored informational message
> #5: initiating Main Mode
> #5: ignoring unknown Vendor ID payload [424e455300000009]
> #5: received Vendor ID payload [Dead Peer Detection]
> #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> #5: STATE_MAIN_I2: sent MI2, expecting MR2
> #5: I did not send a certificate because I do not have one.
> #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> #5: STATE_MAIN_I3: sent MI3, expecting MR3
> #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> #5: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
> #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP {using isakmp#5}
> #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0f4b0fbd <0x0a663e00 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Why are you getting Delete requests from the Nortel?
Timestamps may have explained the output better.
> When restarting the connection from my end it also looks like it connects
> (again from /var/log/secure):
>
> #1: initiating Main Mode
> #1: ignoring unknown Vendor ID payload [424e455300000009]
> #1: received Vendor ID payload [Dead Peer Detection]
> #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> #1: STATE_MAIN_I2: sent MI2, expecting MR2
> #1: I did not send a certificate because I do not have one.
> #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> #1: STATE_MAIN_I3: sent MI3, expecting MR3
> #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> #1: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
> #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfe516ebd <0x169858db xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
You do appear to be connecting properly here.
> When pinging their peer address I see no response but that's okay. It looks
> like a typical packet:
>
> 15:53:37.284256 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 1, length: 84) 209.167.162.84 > 207.236.235.99: icmp 64: echo request seq 0
>
> When I ping a host thru the tunnel I see:
>
> 15:55:03.156650 IP (tos 0x0, ttl 64, id 25888, offset 0, flags [DF], proto 50, length: 136) 209.167.162.84 > 207.236.235.99: ESP(spi=0xfe516ebd,seq=0x6)
>
> But again no response (the tech on the other end says this is due to their
> firewall).
This is probable; the other admin must add a firewall rule to allow
traffic between 209.167.162.80/28 and 199.43.146.0/24.
> [root at blackhawk etc]# /etc/init.d/ipsec status
> IPsec running - pluto pid: 20448
> pluto pid 20448
> 1 tunnels up
> some eroutes exist
>
> Using lynx to access an internal website on their end it just sits there
> waiting for a response until I ctrl-C out of it.
>
> My config looks like this:
> # basic configuration
> config setup
> plutoopts="--perpeerlog"
> nat_traversal=no
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> #oe=off < - not available in openswan 2.4, see include below
> protostack=netkey
>
> include /etc/ipsec.d/no_oe.conf
>
> # Add connections here
> include /etc/ipsec.d/ipsec.gof.conf
>
> # /etc/ipsec.d/ipsec.gof.conf
> conn p2p
> authby=secret
> pfs=yes
> auto=add
> keyexchange=ike
> keyingtries=3
> rekey=yes
> ike=3des-sha1-modp1024,aes128-sha1-modp1024
> ikelifetime=8h
> compress=no
> keylife=8h
> type=tunnel
> left=209.167.162.84
> leftnexthop=209.167.162.81
> leftsubnet=209.167.162.80/28
> right=207.236.235.99
> rightsubnet=199.43.146.0/24
> _____________________
> Dan Brown
> danb at zu.com
Peter McGill
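As an added example (not part of the thread), a small Python parser over constructed lines in the shape of the quoted pluto log: it pairs each state number's SA establishment with the peer's Delete SA requests, which is the "established, then deleted" pattern Peter asks about, and pulls out the ESP SPIs so they can be matched against what tcpdump shows on the wire.

```python
import re

# Constructed sample in the shape of the pluto log lines quoted above (wrapped lines joined).
SAMPLE_LOG = """\
#3: responding to Main Mode
#3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
#4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP to replace #2 {using isakmp#3}
#4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4084e667 <0x1f27833f xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
#3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
#3: received Delete SA payload: deleting ISAKMP State #3
: packet from 207.236.235.99:500: received and ignored informational message
#5: initiating Main Mode
#5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
#6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP {using isakmp#5}
#6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0f4b0fbd <0x0a663e00 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

STATE_RE = re.compile(r'^#(\d+): (.*)$')          # "#N: message"
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')  # outbound SPI, inbound SPI
DELETE_RE = re.compile(r'Delete SA payload: (?:replace IPSEC State #(\d+)|deleting ISAKMP State #(\d+))')

def _new_state():
    return {'role': None, 'established': False, 'spi_out': None, 'spi_in': None, 'deleted_by_peer': False}

def parse_pluto_log(text):
    """Map each pluto state number to its role, SPIs and whether the peer asked to delete it."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # ': packet from ...' lines carry no state number
        num, msg = int(m.group(1)), m.group(2)
        st = states.setdefault(num, _new_state())
        if 'initiating' in msg and 'Mode' in msg:
            st['role'] = 'initiator'
        elif 'responding to Main Mode' in msg:
            st['role'] = 'responder'
        elif 'SA established' in msg:       # covers both ISAKMP and IPsec SAs
            st['established'] = True
            spi = SPI_RE.search(msg)         # only IPsec SAs carry ESP SPIs
            if spi:
                st['spi_out'], st['spi_in'] = spi.group(1), spi.group(2)
        d = DELETE_RE.search(msg)
        if d:  # the Delete names the state being torn down, not the one logging it
            target = int(d.group(1) or d.group(2))
            states.setdefault(target, _new_state())['deleted_by_peer'] = True
    return states

def flapping_states(states):
    # states whose SA came up and was then torn down at the peer's request
    return [n for n, s in states.items() if s['established'] and s['deleted_by_peer']]
```

Running it over the constructed sample flags states #3 and #4 as established-then-deleted, while #5 and #6 stay up, which is the shape of the exchange quoted above.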