[Openswan Users] Getting there....

Chris Thomas cthomas at harkinsbuilders.com
Fri Mar 14 14:19:12 EDT 2008


Sorry about that.  Here's the info:

 

When I run the command you gave me below, I get this:

 

root at gatekeeper:/home/administrator# iptables -t filter -L -n -v

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

root at gatekeeper:/home/administrator# iptables -t nat -L -n -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

root at gatekeeper:/home/administrator# iptables -t mangle -L -n -v

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

 

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source
destination 

root at gatekeeper:/home/administrator#

 

I guess this is telling me that nothing is blocked and there are no
rules?

 

I am connecting through the internet.  My company is actually the ISP
for other companies in our building and the building next to us, so I am
using a separate IP space outside of our network to put the Linksys box
and set up my test remote site.  My Linux server is using an IP in the
same subnet as my Check Point firewall, but it is going "around" the
firewall.  To help explain all of this, I have thrown together a quick
diagram of everything.  You can access it here:
http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.jpg.html.
If I have left something out, please let me know.

 

The Ubuntu server and the Linksys router do indeed have their own
external IP addresses.  Here is my Linksys config:
http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.jpg.html
and
http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.jpg.html.  

 

I am hoping these pics look OK.  If you need me to provide additional
information, please let me know.

 

Thanks again for all of your help.

-Chris

 

From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: Friday, March 14, 2008 12:50 PM
To: Chris Thomas; users at openswan.org
Subject: RE: [Openswan Users] Getting there....

 

Firewall was merely a place to check, not guaranteed to be the problem.

If you can get a console on your Ubuntu, you can check firewall with...

iptables -t filter -L -n -v

iptables -t nat -L -n -v

iptables -t mangle -L -n -v

 

Are you connecting through the internet, or are you testing internally?

Do both the Ubuntu server and linksys router have public internet ip
addresses?

(Not 172.16...172.32... or 10... or 192.168..., etc...)

I cannot tell as you completely edited them from your posts.

Next time try just masking the end like: 66.11.x.x

Testing internally sometimes needs different settings than production
internet.

 

Is linksys using DES or 3DES? Should be 3DES & MD5 matching your
openswan.

Can you show us your linksys ipsec configuration?

 

Peter McGill

 

	 

	
________________________________


	From: users-bounces at openswan.org
[mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
	Sent: March 14, 2008 12:19 PM
	To: users at openswan.org
	Subject: Re: [Openswan Users] Getting there....

	OK, I have hit a brick wall here and it's getting a bit
frustrating.  I have disabled the Linux firewall and the Shoreline
firewall on my server and I'm still getting the same error below when I
attempt to establish the tunnel.  Is this absolutely positively due to a
firewall issue or is it possible that I've got something else
incorrectly configured somewhere?  I am fairly new to Linux so I am
administering my Ubuntu server with Webmin.  That is what I am using to
verify that the firewall(s) are turned off.  

	 

	I have also disabled the firewall on the Linksys box and have
examined it's logs.  This is what shows up after I hit "connect" to
initiate the tunnel:

	 

	Mar 14 09:33:34 - [VPN Log]: "pax_square" #2: initiating Main
Mode

	Mar 14 09:33:43 - [VPN Log]: initiate on demand from
192.168.36.100:0 to 192.168.0.30:0 proto=0 state: fos_start because:
acquire

	Mar 14 09:34:44 - [VPN Log]: "pax_square" #2: max number of
retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable
response) to our first IKE message

	Mar 14 10:08:54 - [VPN Log]: "pax_square" #3: initiating Main
Mode

	Mar 14 10:10:04 - [VPN Log]: "pax_square" #3: max number of
retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable
response) to our first IKE message

	Mar 14 10:53:58 - [VPN Log]: "pax_square" #4: initiating Main
Mode

	Mar 14 10:55:08 - [VPN Log]: "pax_square" #4: max number of
retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable
response) to our first IKE message

	 

	If it helps, this is my ipsec.conf file on the Ubuntu server
running OpenSwan:

	 

	version   2.0          # conforms to second version of
ipsec.conf specification

	 

	config setup

	        interfaces=%defaultroute

	        uniqueids=yes

	 

	include /etc/ipsec.d/examples/no_oe.conf

	 

	conn pax_square

	        also=central-site

	        right=%any

	        rightid=@pax_square

	        rightsubnet=192.168.36.0/24

	        also=linksys-policy

	        auto=add 

	 

	conn central-site

	        left=(external IP of Linux server)

	        leftsubnet=192.168.0.0/24

	        leftsourceip=192.168.0.20

	 

	conn linksys-policy

	        ike=3des-md5-modp1024 

	        esp=3des-md5                

	        compress=no

	        authby=secret 

	 

	 

	If it's definitely the firewall, I'll go back to the drawing
board and see what I can see.

	 

	As before, I appreciate the help and patience.

	Thanks

	-Chris

	 

	 

	 

	 

	From: Peter McGill [mailto:petermcgill at goco.net] 
	Sent: Thursday, March 13, 2008 4:14 PM
	To: Chris Thomas; users at openswan.org
	Subject: RE: [Openswan Users] Getting there....

	 

	Check your firewall(s) on both ends, and check the linksys logs.

	You must allow ipsec (and ipsec encapsulated traffic) in your
firewalls.

	protocol    port    description

	17            500    udp:isakmp

	50                     esp

	You must allow the above inbound and outbound on your internet
interfaces.

	You must also allow the subnet-to-subnet traffic.

	 

	Peter McGill

	 

		 

		
________________________________


		From: users-bounces at openswan.org
[mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
		Sent: March 13, 2008 4:06 PM
		To: users at openswan.org
		Subject: Re: [Openswan Users] Getting there....

		OK, I changed my Linksys box to 1024 bit and I now have
this:

		 

		Mar 13 16:01:48 gatekeeper pluto[11850]: packet from
(remote site IP):500: ignoring unknown Vendor ID payload
[4f4540454371496d7a684644]

		Mar 13 16:01:48 gatekeeper pluto[11850]: packet from
(remote site IP):500: received Vendor ID payload [Dead Peer Detection]

		Mar 13 16:01:48 gatekeeper pluto[11850]: packet from
(remote site IP):500: received Vendor ID payload [RFC 3947] meth=110,
but port floating is off

		Mar 13 16:01:48 gatekeeper pluto[11850]: packet from
(remote site IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off

		Mar 13 16:01:48 gatekeeper pluto[11850]: packet from
(remote site IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off

		Mar 13 16:01:48 gatekeeper pluto[11850]: packet from
(remote site IP):500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]

		Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5]
(remote site IP) #9: responding to Main Mode from unknown peer (remote
site IP)

		Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5]
(remote site IP) #9: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1

		Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5]
(remote site IP) #9: STATE_MAIN_R1: sent MR1, expecting MI2

		Mar 13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5]
(remote site IP) #7: max number of retransmissions (2) reached
STATE_MAIN_R1

		 

		Thanks

		-Chris

		 

		 

		From: Peter McGill [mailto:petermcgill at goco.net] 
		Sent: Thursday, March 13, 2008 3:50 PM
		To: Chris Thomas; users at openswan.org
		Subject: RE: [Openswan Users] Getting there....

		 

		There is a mismatch in your options, specifically your
DH/modp Group.

		Diffie-Hellman (DH) Group needs to match openswan's
ike=*-modp????

		I'm guessing that your linksys is sending Diffie-Hellmen
(DH) Group 1 (768-bit).

		Openswan will not allow this because it's too weak of
security.

		If you have ike=3des-md5-modp1024 or
ike=aes-sha1-modp1024 as I suggested,

		then change your linksys to use Group 2 (1024-bit) to
match it.

		 

		Peter McGill

		 

			 

			
________________________________


			From: users-bounces at openswan.org
[mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
			Sent: March 13, 2008 3:40 PM
			To: users at openswan.org
			Subject: [Openswan Users] Getting there....

			Hello again, everyone.  I have configured my
Linksys box to connect to my Ubuntu server running OpenSwan, but when I
attempt to initiate the connection, my logs on the server at HQ get full
of this stuff:

			 

			 

			Mar 13 15:31:54 gatekeeper pluto[11850]: packet
from (remote site external IP):500: ignoring unknown Vendor ID payload
[4f4540454371496d7a684644]

			Mar 13 15:31:54 gatekeeper pluto[11850]: packet
from (remote site external IP):500: received Vendor ID payload [Dead
Peer Detection]

			Mar 13 15:31:54 gatekeeper pluto[11850]: packet
from (remote site external IP):500: received Vendor ID payload [RFC
3947] meth=110, but port floating is off

			Mar 13 15:31:54 gatekeeper pluto[11850]: packet
from (remote site external IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off

			Mar 13 15:31:54 gatekeeper pluto[11850]: packet
from (remote site external IP):500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off

			Mar 13 15:31:54 gatekeeper pluto[11850]: packet
from (remote site external IP):500: ignoring Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]

			Mar 13 15:31:54 gatekeeper pluto[11850]:
"pax_square"[1] (remote site external IP) #1: responding to Main Mode
from unknown peer (remote site external IP)

			Mar 13 15:31:54 gatekeeper pluto[11850]:
"pax_square"[1] (remote site external IP) #1: only OAKLEY_GROUP_MODP1024
and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION

			Mar 13 15:31:54 gatekeeper pluto[11850]:
"pax_square"[1] (remote site external IP) #1: no acceptable Oakley
Transform

			Mar 13 15:31:54 gatekeeper pluto[11850]:
"pax_square"[1] (remote site external IP) #1: sending notification
NO_PROPOSAL_CHOSEN to (remote site external IP):500

			Mar 13 15:31:54 gatekeeper pluto[11850]:
"pax_square"[1] (remote site external IP): deleting connection
"pax_square" instance with peer (remote site external IP)
{isakmp=#0/ipsec=#0}

			 

			I am assuming that it has something to do with
the Preshared key that I am using, but I am not too sure how to go about
fixing it.  I do not want to be a nuisance, but can anyone give me a
(another) push in the right direction?  

			 

			I appreciate your patience.

			-Chris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080314/0141f06f/attachment-0001.html 


More information about the Users mailing list