[Openswan Users] Only one side of tunnel completing initiation?

Peter McGill petermcgill at goco.net
Fri Dec 19 09:03:44 EST 2008


Dan Brown wrote:
> I have been struggling to figure out an ipsec config for the last couple of
> days.  To me it looks as though it's working but only one tunnel ever comes
> up.  On one side is the OpenSwan (2.4.13) gateway/host which connects to a
> Nortel CES 2600 VPN gateway on the other.  We're trying to set up a
> pre-shared-key connection.
> 
> I can see ESP packets from my host to their gateway but never receive
> anything in return.  I do however get the isakmp icmp packets.  I'm not sure
> if my (left) end of tunnel doesn't come up properly or if it's the remote
> end.  The only apparent error on the Nortel end is this:
> 
> 12/18/2008 16:54:44 0 ISAKMP [13] Invalid cookie in message from
> 209.167.162.84
> 
> Connectivity tests appear to pass OK.
> 
> When the connection is initiated from the other end I get (I've deleted
> timestamps, hostname, process info from the /var/log/secure log):
> 
> #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
> #1: received and ignored informational message
> #1: received Delete SA payload: deleting ISAKMP State #1
> : packet from 207.236.235.99:500: received and ignored informational message
> : packet from 207.236.235.99:500: ignoring unknown Vendor ID payload
> [424e455300000009]
> : packet from 207.236.235.99:500: received Vendor ID payload [Dead Peer
> Detection]
> #3: responding to Main Mode
> #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> #3: STATE_MAIN_R1: sent MR1, expecting MI2
> #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> #3: STATE_MAIN_R2: sent MR2, expecting MI3
> #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> #3: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
> #3: I did not send a certificate because I do not have one.
> #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP to replace #2
> {using isakmp#3}
> #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4084e667
> <0x1f27833f xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
> #3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
> #3: received and ignored informational message
> #3: received Delete SA payload: deleting ISAKMP State #3
> : packet from 207.236.235.99:500: received and ignored informational message
> #5: initiating Main Mode
> #5: ignoring unknown Vendor ID payload [424e455300000009]
> #5: received Vendor ID payload [Dead Peer Detection]
> #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> #5: STATE_MAIN_I2: sent MI2, expecting MR2
> #5: I did not send a certificate because I do not have one.
> #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> #5: STATE_MAIN_I3: sent MI3, expecting MR3
> #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> #5: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
> #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP {using
> isakmp#5}
> #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0f4b0fbd
> <0x0a663e00 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

Why are you getting Delete requests from the Nortel?
Timestamps may have explained the output better.

> When restarting the connection from my end it also looks like it connects
> (again from /var/log/secure):
> 
> #1: initiating Main Mode
> #1: ignoring unknown Vendor ID payload [424e455300000009]
> #1: received Vendor ID payload [Dead Peer Detection]
> #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> #1: STATE_MAIN_I2: sent MI2, expecting MR2
> #1: I did not send a certificate because I do not have one.
> #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> #1: STATE_MAIN_I3: sent MI3, expecting MR3
> #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> #1: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
> #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xfe516ebd
> <0x169858db xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

You do appear to be connecting properly here.

> When pinging their peer address I see no response but that's okay.  It looks
> like a typical packet:
> 
> 15:53:37.284256 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto 1,
> length: 84) 209.167.162.84 > 207.236.235.99: icmp 64: echo request seq 0
> 
> When I ping a host through the tunnel I see:
> 
> 15:55:03.156650 IP (tos 0x0, ttl  64, id 25888, offset 0, flags [DF], proto
> 50, length: 136) 209.167.162.84 > 207.236.235.99:
> ESP(spi=0xfe516ebd,seq=0x6)
> 
> But again no response (the tech on the other end says this is due to their
> firewall).

This is probable; the other admin must add a firewall rule to allow
traffic between 209.167.162.80/28 and 199.43.146.0/24.

> [root at blackhawk etc]# /etc/init.d/ipsec status
> IPsec running  - pluto pid: 20448
> pluto pid 20448
> 1 tunnels up
> some eroutes exist
> 
> Using lynx to access an internal website on their end it just sits there
> waiting for a response until I ctrl-C out of it.
> 
> My config looks like this:
> # basic configuration
> config setup
>         plutoopts="--perpeerlog"
>         nat_traversal=no
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         #oe=off < - not available in openswan 2.4, see include below
>         protostack=netkey
> 
> include /etc/ipsec.d/no_oe.conf
> 
> # Add connections here
> include /etc/ipsec.d/ipsec.gof.conf
> 
> # /etc/ipsec.d/ipsec.gof.conf
> conn p2p
>         authby=secret
>         pfs=yes
>         auto=add
>         keyexchange=ike
>         keyingtries=3
>         rekey=yes
>         ike=3des-sha1-modp1024,aes128-sha1-modp1024
>         ikelifetime=8h
>         compress=no
>         keylife=8h
>         type=tunnel
>         left=209.167.162.84
>         leftnexthop=209.167.162.81
>         leftsubnet=209.167.162.80/28
>         right=207.236.235.99
>         rightsubnet=199.43.146.0/24
> _____________________
> Dan Brown
> danb at zu.com

Peter McGill
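Peter's point about the missing timestamps and the unexplained Delete requests is easier to settle when the pluto output is turned into a per-SA timeline. The following is an added example, not code from the thread or from Openswan: it parses lines of the form `#N: ...` and `: packet from A.B.C.D:500: ...`, records each state object's role, state transitions and ESP SPIs, and attributes every "received Delete SA payload" to the SA the peer named, so you can see which SAs the remote gateway tore down and how long each lived. The sample log is constructed from the lines quoted above; the HH:MM:SS prefixes are assumed values, since the original post stripped them.

```python
"""Build a per-SA timeline from Openswan pluto log lines (added example)."""
import re

# Constructed sample based on the lines quoted in the thread; the HH:MM:SS
# prefixes are assumed (the original post removed timestamps).
SAMPLE_LOG = """\
16:54:30 #3: responding to Main Mode
16:54:30 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
16:54:30 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
16:54:31 #3: Main mode peer ID is ID_IPV4_ADDR: '207.236.235.99'
16:54:31 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
16:54:31 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
16:54:31 #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP to replace #2 {using isakmp#3}
16:54:31 #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
16:54:31 #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4084e667 <0x1f27833f xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
16:54:44 #3: received Delete SA payload: replace IPSEC State #4 in 10 seconds
16:54:44 #3: received and ignored informational message
16:54:44 #3: received Delete SA payload: deleting ISAKMP State #3
16:54:44 : packet from 207.236.235.99:500: received and ignored informational message
16:54:54 #5: initiating Main Mode
16:54:54 #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
16:54:54 #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
16:54:55 #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
16:54:55 #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
16:54:55 #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP {using isakmp#5}
16:54:55 #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0f4b0fbd <0x0a663e00 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) (?:#(?P<sa>\d+):|: packet from (?P<peer>[\d.]+):\d+:) (?P<msg>.*)$"
)
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
ESP_RE = re.compile(r"IPsec SA established \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)")
DELETE_RE = re.compile(
    r"received Delete SA payload: (?:deleting|replace) (?:ISAKMP|IPSEC) State #(\d+)"
)
PARENT_RE = re.compile(r"\{using isakmp#(\d+)\}")


def new_sa(num):
    return {"sa": num, "kind": None, "role": None, "states": [], "parent": None,
            "spi_out": None, "spi_in": None, "established": None,
            "deleted_by_peer": None}


def parse_pluto_log(text):
    """Return {sa_number: record} built from the '#N:' lines of a pluto log."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("sa") is None:
            continue  # unparsed line, or a peer-level message with no state number
        ts, num, msg = m.group("ts"), int(m.group("sa")), m.group("msg")
        sa = sas.setdefault(num, new_sa(num))
        if msg.startswith("responding to Main Mode"):
            sa["kind"], sa["role"] = "isakmp", "responder"
        elif msg.startswith("initiating Main Mode"):
            sa["kind"], sa["role"] = "isakmp", "initiator"
        elif msg.startswith("initiating Quick Mode"):
            sa["kind"], sa["role"] = "ipsec", "initiator"
            p = PARENT_RE.search(msg)
            if p:
                sa["parent"] = int(p.group(1))  # the ISAKMP SA that protects this one
        t = TRANSITION_RE.search(msg)
        if t:
            sa["states"].append(t.group(2))
        if "ISAKMP SA established" in msg:
            sa["established"] = ts
        e = ESP_RE.search(msg)
        if e:
            sa["spi_out"], sa["spi_in"], sa["established"] = e.group(1), e.group(2), ts
        d = DELETE_RE.search(msg)
        if d:
            # The Delete SA payload names the SA the *peer* is tearing down;
            # attribute it to that SA, creating a stub if we never saw it.
            target = sas.setdefault(int(d.group(1)), new_sa(int(d.group(1))))
            target["deleted_by_peer"] = ts
    return sas


def _secs(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def peer_teardowns(sas):
    """(sa, kind, lifetime in seconds) for every SA the remote gateway deleted."""
    out = []
    for sa in sorted(sas.values(), key=lambda s: s["sa"]):
        if sa["deleted_by_peer"] and sa["established"]:
            out.append((sa["sa"], sa["kind"],
                        _secs(sa["deleted_by_peer"]) - _secs(sa["established"])))
    return out


if __name__ == "__main__":
    summary = parse_pluto_log(SAMPLE_LOG)
    for num, sa in sorted(summary.items()):
        print(num, sa["kind"], sa["role"], sa["states"][-1:] or "-",
              sa["spi_out"], "deleted by peer at", sa["deleted_by_peer"])
    print("torn down by peer:", peer_teardowns(summary))
```

Run against a real `/var/log/secure` with the timestamps left in (adjust `LINE_RE` for the syslog prefix), the `peer_teardowns` list shows whether the Nortel deletes the SA a fixed interval after Quick Mode completes, which separates a lifetime or proposal mismatch from a firewall that merely drops the ESP replies.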

