[Openswan Users] shorewall and openswan
Andrew Tolboe
tolboe at reaction-eng.com
Sat Feb 2 15:31:07 EST 2008
I can't seem to connect to the VPN I have set up. The VPN runs on a
gateway along with a Shorewall firewall. I used the l2tp-certs.conf
example and set up the X.509 keys using the same CA for both the client
and the server certs. In the logs, when Openswan is started, it shows
that it loads the private, public, and CA certificate files. But
when I try to connect from Windows I get a DUN Error 786, which is
specified as a certificate error.
In the auth logs on the server I get the following:
Feb 2 13:15:50 firewall pluto[22696]: packet from 155.97.239.238:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Feb 2 13:15:50 firewall pluto[22696]: packet from 155.97.239.238:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 2 13:15:50 firewall pluto[22696]: packet from 155.97.239.238:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Feb 2 13:15:50 firewall pluto[22696]: packet from 155.97.239.238:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb 2 13:15:50 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: responding to Main Mode from unknown peer 155.97.239.238
Feb 2 13:15:50 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 2 13:15:50 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 2 13:15:51 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Feb 2 13:15:51 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 2 13:15:51 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 2 13:15:52 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: next payload type of ISAKMP Hash Payload has an unknown value: 155
Feb 2 13:15:52 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: malformed payload in packet
Feb 2 13:15:52 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: sending notification PAYLOAD_MALFORMED to 155.97.239.238:500
Feb 2 13:15:52 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: byte 2 of ISAKMP Hash Payload must be zero, but is not
Feb 2 13:15:52 firewall pluto[22696]: "l2tp-X.509"[1] 155.97.239.238 #1: malformed payload in packet
So, reading this post
http://lists.openswan.org/pipermail/users/2007-November/013409.html, it
looks like it can be caused by a firewall. However, from looking at my
iptables (here is the section of the list that shows net to firewall), ESP
is open from the Internet to the firewall, and so are UDP 4500 and UDP
500 (isakmp):
Chain net2fw (1 references)
target prot opt source destination
reject icmp -- anywhere anywhere icmp echo-request
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp state NEW
ACCEPT udp -- anywhere anywhere udp dpt:4500 state NEW
Drop 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
DROP 0 -- anywhere anywhere
Here is what my Openswan config looks like:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.4 2006/07/11 16:17:53 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg:
# plutodebug="control parsing"
#
# Only enable klipsdebug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
#
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
#
# enable this if you see "failed to find any available worker"
nhelpers=0
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
include /etc/ipsec.d/examples/l2tp-cert.conf
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Here is the l2tp-cert.conf:
conn l2tp-X.509
#
# Configuration for one user with any type of IPsec/L2TP client
# including the updated Windows 2000/XP (MS KB Q818043), but
# excluding the non-updated Windows 2000/XP.
#
#
# Use a certificate. Disable Perfect Forward Secrecy.
#
authby=rsasig
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
rekey=no
# Do not enable the line below. It is implicitely used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
#
left=%defaultroute
# or you can use: left=YourIPAddress
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/xxxxx.reaction-eng.com.pem
# For updated Windows 2000/XP clients,
# to support old clients as well, use leftprotoport=17/%any
leftprotoport=17/1701
#
# The remote user.
#
right=%any
rightca=%same
rightrsasigkey=%cert
rightprotoport=17/1701
rightsubnet=vhost:%priv,%no
And my ipsec.secrets file:
: RSA /etc/ipsec.d/private/xxxxx.reaction-eng.com.key ""
And here is the output of Openswan starting:
Feb 2 13:14:46 firewall ipsec__plutorun: Starting Pluto subsystem...
Feb 2 13:14:46 firewall pluto[22696]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Feb 2 13:14:46 firewall pluto[22696]: Setting NAT-Traversal port-4500 floating to on
Feb 2 13:14:46 firewall pluto[22696]: port floating activation criteria nat_t=1/port_fload=1
Feb 2 13:14:46 firewall pluto[22696]: including NAT-Traversal patch (Version 0.6c)
Feb 2 13:14:46 firewall pluto[22696]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Feb 2 13:14:46 firewall pluto[22696]: WARNING: Using /dev/urandom as the source of random
Feb 2 13:14:46 firewall pluto[22696]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 2 13:14:46 firewall pluto[22696]: no helpers will be started, all cryptographic operations will be done inline
Feb 2 13:14:46 firewall pluto[22696]: Using Linux 2.6 IPsec interface code on 2.6.18-5-686
Feb 2 13:14:47 firewall pluto[22696]: Changing to directory '/etc/ipsec.d/cacerts'
Feb 2 13:14:47 firewall pluto[22696]: loaded CA cert file 'cacert.pem' (1505 bytes)
Feb 2 13:14:47 firewall pluto[22696]: Changing to directory '/etc/ipsec.d/aacerts'
Feb 2 13:14:47 firewall pluto[22696]: Changing to directory '/etc/ipsec.d/ocspcerts'
Feb 2 13:14:47 firewall pluto[22696]: Changing to directory '/etc/ipsec.d/crls'
Feb 2 13:14:47 firewall pluto[22696]: Warning: empty directory
Feb 2 13:14:47 firewall pluto[22696]: loaded host cert file '/etc/ipsec.d/certs/xxxxx.reaction-eng.com.pem' (1046 bytes)
Feb 2 13:14:47 firewall pluto[22696]: added connection description "l2tp-X.509"
Feb 2 13:14:47 firewall pluto[22696]: listening for IKE messages
Feb 2 13:14:47 firewall pluto[22696]: adding interface br0/br0 xxx.xxx.xxx.xxx:500
Feb 2 13:14:47 firewall pluto[22696]: adding interface br0/br0 xxx.xxx.xxx.xxx:4500
Feb 2 13:14:47 firewall pluto[22696]: adding interface bond0.103/bond0.103 192.168.1.1:500
Feb 2 13:14:47 firewall pluto[22696]: adding interface bond0.103/bond0.103 192.168.1.1:4500
Feb 2 13:14:47 firewall pluto[22696]: adding interface bond0.101/bond0.101 192.168.2.1:500
Feb 2 13:14:47 firewall pluto[22696]: adding interface bond0.101/bond0.101 192.168.2.1:4500
Feb 2 13:14:47 firewall pluto[22696]: adding interface bond0.100/bond0.100 192.168.0.1:500
Feb 2 13:14:47 firewall pluto[22696]: adding interface bond0.100/bond0.100 192.168.0.1:4500
Feb 2 13:14:47 firewall pluto[22696]: adding interface lo/lo 127.0.0.1:500
Feb 2 13:14:47 firewall pluto[22696]: adding interface lo/lo 127.0.0.1:4500
Feb 2 13:14:47 firewall pluto[22696]: adding interface lo/lo ::1:500
Feb 2 13:14:47 firewall pluto[22696]: loading secrets from "/etc/ipsec.secrets"
Feb 2 13:14:47 firewall pluto[22696]: loaded private key file '/etc/ipsec.d/private/xxxxx.reaction-eng.com.key' (887 bytes)
Thanks for your time
-Andrew
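As an added illustration (not part of Andrew's post or of Openswan's code), the two pluto errors after MR2 both come from the 4-byte generic ISAKMP payload header: a next-payload byte that is not a known type, and a reserved byte (pluto's "byte 2") that is not zero. The Python parser below applies those checks to a constructed Main Mode message and to two copies with one header byte corrupted; the message bytes and names are assumptions, not a capture. Since MI3 is the first encrypted Main Mode message, header bytes failing both checks are as consistent with the payload being unreadable after decryption as with something on the path altering the packet.

```python
import struct

# ISAKMP payload types from RFC 2408 plus the RFC 3947 NAT-T payloads.
PAYLOAD_NAMES = {
    0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT",
    7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    20: "NAT-D", 21: "NAT-OA",
}
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msgid, length
PAYLOAD_HDR = struct.Struct("!BBH")        # next payload, reserved (must be zero), length

class MalformedPayload(ValueError):
    pass

def walk_payloads(packet):
    """Return [(name, body), ...] for a plaintext ISAKMP message, applying the
    header checks whose failures pluto logs as 'malformed payload in packet'."""
    _, _, np, _, _, _, _, length = ISAKMP_HDR.unpack_from(packet)
    if length != len(packet):
        raise MalformedPayload("ISAKMP length %d != packet size %d" % (length, len(packet)))
    out, off = [], ISAKMP_HDR.size
    while np != 0:
        name = PAYLOAD_NAMES.get(np)
        if name is None or off + PAYLOAD_HDR.size > len(packet):
            raise MalformedPayload("unknown payload type %d or truncated header at %d" % (np, off))
        next_np, reserved, plen = PAYLOAD_HDR.unpack_from(packet, off)
        if next_np not in PAYLOAD_NAMES:  # pluto: "next payload type of ... has an unknown value"
            raise MalformedPayload("next payload type of %s payload has an unknown value: %d" % (name, next_np))
        if reserved != 0:  # pluto: "byte 2 of ... must be zero, but is not"
            raise MalformedPayload("reserved byte of %s payload must be zero, but is %d" % (name, reserved))
        if plen < PAYLOAD_HDR.size or off + plen > len(packet):
            raise MalformedPayload("bad %s payload length %d" % (name, plen))
        out.append((name, packet[off + PAYLOAD_HDR.size:off + plen]))
        off, np = off + plen, next_np
    return out

def check(packet):
    """Return 'ok' or the diagnostic a parser would log for this message."""
    try:
        walk_payloads(packet)
        return "ok"
    except MalformedPayload as e:
        return str(e)

# Constructed sample (not a capture): Main Mode message with an ID payload then a HASH payload.
_HDR = ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8, 5, 0x10, 2, 0, 0, 28 + 12 + 20)
SAMPLE_OK = _HDR + PAYLOAD_HDR.pack(8, 0, 12) + b"\x01" * 8 + PAYLOAD_HDR.pack(0, 0, 20) + b"\xaa" * 16
SAMPLE_BAD_NEXT = SAMPLE_OK[:40] + bytes([155]) + SAMPLE_OK[41:]  # HASH next payload = 155
SAMPLE_BAD_RESERVED = SAMPLE_OK[:41] + b"\x01" + SAMPLE_OK[42:]   # HASH reserved byte nonzero
```

Running check() on the three samples gives "ok", the unknown-next-payload diagnostic, and the reserved-byte diagnostic respectively, mirroring the two log lines above.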