[Openswan Users] Installation/setup issues...

Peter McGill petermcgill at goco.net
Tue Mar 4 12:03:43 EST 2008


Yes there is more info, it goes into the syslog as pluto.
You can usually find it with: grep 'pluto' /var/log/*
However, you have plutodebug=all, which makes it
difficult to read the logs (too much information).
plutodebug is for development debugging, not average connection
troubleshooting; for that use plutodebug=none. There is enough
info inserted into the logs by default without debug info.

In your case it may be a firewall issue. Does your office server
have nat_traversal enabled? You'll need to allow protocol 50 (esp)
and protocol 17 (udp) port 4500 (nat-traversal) in your firewall(s).

{Also protocol 17 (udp) port 500 (isakmp), however that is probably
allowed already since your phase 1 is working.}

Also, does your office require you to use l2tp in addition to ipsec?
Because your left/rightprotoport entries are for use with l2tp,
which is an additional protocol which runs on top of ipsec in some
(Microsoft) implementations. You'll need xl2tpd installed for that.
But it's easier (and just as secure) to use plain ipsec (openswan).

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Mark Williams
> Sent: March 4, 2008 9:51 AM
> To: users at openswan.org
> Subject: [Openswan Users] Installation/setup issues...
> 
> Greetings all,
> 
> First, while I'm a long time Linux user, this is my first time setting
> up a VPN client.
> 
> I'm trying to connect to my company's VPN which is also 
> running openswan.
> The linux box I'm trying to connect to the VPN server with is behind a
> DSL router (does NAT).
> I'm using NETKEY with the latest 2.6.24 kernel.
> 
> My conf file looks like.........
> 
> config setup
>     plutodebug=all
>     nat_traversal=yes
>     
> #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>     OE=off
> 
> conn cf
>     type=transport
>     keyingtries=3
>     rekey=yes
>     pfs=no
>     authby=secret
>     left=<my-lan-ip>
>     leftnexthop=<my-inet-ip>
>     leftprotoport=17/1701
>     right=<vpn-servers-ip>
>     rightprotoport=17/1701
>     auto=add
> 
> Starting pluto I got in the sys logs....
> 
> Mar  5 00:18:20 linux ipsec_setup: ...Openswan IPsec started
> Mar  5 00:18:20 linux ipsec_setup: Starting Openswan IPsec U2.5.17/K2.6.24.3...
> Mar  5 00:18:20 linux ipsec_setup: WARNING: interfaces= is ignored when using the NETKEY stack
> Mar  5 00:18:20 linux ipsec_setup: Trying hardware random, this may fail, which is okay.
> Mar  5 00:18:20 linux ipsec_setup: Trying to load all NETKEY modules:xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_beet xfrm6_mode_ro xfrm6_mode_transport xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel xfrm4_mode_beet esp4 esp6 ah4 ah6 ipcomp ipcomp6 af_key
> Mar  5 00:18:20 linux ipsec_setup: Trying VIA padlock driver, this may fail, which is okay.
> Mar  5 00:18:20 linux ipsec_setup: Trying to load Crypto API modules, some may fail, which is okay.
> Mar  5 00:18:20 linux ipsec_setup: aes-x86_64 aes des sha512 sha256 md5 cbc xcbc ecb twofish blowfish serpent
> Mar  5 00:18:20 linux ipsec__plutorun: 002 added connection description "cf"
> 
> On trying to connect I get............
> 
> [root at linux sbin]# ./ipsec auto --up cf
> 104 "cf" #1: STATE_MAIN_I1: initiate
> 003 "cf" #1: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]
> 003 "cf" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "cf" #1: received Vendor ID payload [RFC 3947] method set to=109
> 106 "cf" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "cf" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
> 108 "cf" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "cf" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
> 117 "cf" #2: STATE_QUICK_I1: initiate
> 010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "cf" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "cf" #2: starting keying attempt 2 of at most 3, but releasing whack
> [root at linux sbin]#
> 
> Is there anything obviously wrong here?
> Where does the rest of the debugging info (I assume there is more
> detailed messaging somewhere) get spat out to?
> 
> Thanks for any help!
> Mark W.
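As an added example (not code from this thread or from Openswan itself), a small Python triage helper that reads the `ipsec auto --up` output quoted above and maps the symptoms to the checks in the reply: phase 1 established, initiator NATed, Quick Mode retransmitted until pluto gave up. The sample lines are the ones from the post; the parser, the fact names and the wording of the checks are assumptions.

```python
import re

# Constructed sample: the "ipsec auto --up cf" lines from the post above that
# the parser keys on (any other whack lines are ignored).
SAMPLE = '''\
003 "cf" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
004 "cf" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
117 "cf" #2: STATE_QUICK_I1: initiate
010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "cf" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "cf" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
'''

# whack status lines look like: <3-digit code> "<conn>" #<sa>: <message>
WHACK = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse_whack(text):
    """Reduce whack status output to the facts that matter for triage."""
    facts = {"conn": None, "phase1_up": False, "natted": False,
             "quick_retransmits": 0, "quick_gave_up": False}
    for line in text.splitlines():
        m = WHACK.match(line)
        if not m:
            continue
        facts["conn"], msg = m.group("conn"), m.group("msg")
        if "ISAKMP SA established" in msg:      # main mode (phase 1) completed
            facts["phase1_up"] = True
        if "i am NATed" in msg:                  # RFC 3947 NAT detection result
            facts["natted"] = True
        if "STATE_QUICK_I1: retransmission" in msg:
            facts["quick_retransmits"] += 1
        if "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            facts["quick_gave_up"] = True        # quick mode (phase 2) unanswered
    return facts

def triage(facts):
    """Map the parsed facts onto the checks the reply above recommends."""
    checks = []
    if not facts["phase1_up"]:
        checks.append("phase 1 did not complete: check UDP/500 (isakmp) and the PSK")
        return checks
    if facts["quick_gave_up"]:
        checks.append("phase 1 up but Quick Mode unanswered: does the peer accept "
                      "this proposal (type, pfs, left/rightprotoport for l2tp)?")
        if facts["natted"]:
            checks.append("initiator is NATed: peer needs nat_traversal=yes and the "
                          "firewalls must pass protocol 50 (esp) and UDP/4500")
    return checks
```

Run `triage(parse_whack(SAMPLE))` on the sample to get the two checks; on real output, paste the whack lines from `ipsec auto --up` (with plutodebug=none) instead.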
