[Openswan Users] Getting there....

Peter McGill petermcgill at goco.net
Fri Mar 14 15:54:27 EDT 2008


Hmm, I see that your lan (10.5..), not your wan (66.225..)
is your default route. Since leftnexthop defaults to your
default route, this might be your problem.
I suggest setting the following in ipsec.conf
conn central-site
        left=66.225.Ubuntu
+        leftnexthop=66.225.Cisco2950
        leftsubnet=192.168.0.0/24
        leftsourceip=192.168.0.20


Peter McGill
 

> -----Original Message-----
> From: Chris Thomas [mailto:cthomas at harkinsbuilders.com] 
> Sent: March 14, 2008 3:43 PM
> To: petermcgill at goco.net; users at openswan.org
> Subject: RE: [Openswan Users] Getting there....
> 
> Good to hear my configs are OK, although I guess it would 
> have been better if there was something wrong, so it would be 
> easier to diagnose this.  
> 
> Yeah, my key is specified in that format and no, my Cisco 
> router isn't NAT'ing or filtering any traffic.  I'm stumped.
> 
> My ipsec barf is attached, if anyone out there wants to 
> really help me out.  I really do appreciate the assistance 
> here.  Hopefully I (we) can get this up and running soon.
> 
> Thanks very much, and have a great weekend.
> -Chris
> 
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: Friday, March 14, 2008 3:17 PM
> To: Chris Thomas; users at openswan.org
> Subject: RE: [Openswan Users] Getting there....
> 
> I cannot find anything wrong with your setup.
>  
> Yes your correct the Ubuntu firewall is blocking/altering nothing.
> (This is as it should be if you turned it off.)
> When you get things working you should be able to turn the firewall
> back on, so long as it allows -p 50 and -p 17 -d 500 inbound/outbound,
> and excludes your remote subnet from NAT MASQUERADE/SNAT.
> iptables -t nat -I POSTROUTING -d 192.168.36.0/24 -j ACCEPT
>  
> The pictures cleared a few questions up.
> Your linksys configs look just fine to me.
>  
> You put your key in the Ubuntu in /etc/ipsec.secrets, like this right?
> 66.225.UbuntuIP : PSK "my secret text key"
>  
> Your Cisco 2950 Series isn't by any chance firewall filtering or
> network address translating the IPSec traffic, or trying to 
> intercept it?
>  
> My only other suggestion is to do an ipsec barf and post it's output
> to the list, in an attachment.
> Maybe someone else can see what your problem is.
> Best to post in plain text, not everyone can read html mail, and
> the list digests strip out html mail to links... which I never used to
> bother to read, others might do the same.
>  
> Peter McGill
>  
> 
> ________________________________________
> From: Chris Thomas [mailto:cthomas at harkinsbuilders.com] 
> Sent: March 14, 2008 2:19 PM
> To: users at openswan.org; petermcgill at goco.net
> Subject: RE: [Openswan Users] Getting there....
> Sorry about that.  Here's the info:
> 
> When I run the command you gave me below, I get this:
> 
> root at gatekeeper:/home/administrator# iptables -t filter -L -n -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> root at gatekeeper:/home/administrator# iptables -t nat -L -n -v
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> root at gatekeeper:/home/administrator# iptables -t mangle -L -n -v
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> 
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source         
>       destination 
> root at gatekeeper:/home/administrator#
> 
> I guess this is telling me that nothing is blocked and there 
> are no rules?
> 
> I am connecting through the internet.  My company is actually 
> the ISP for other companies in our building and the building 
> next to us, so I am using a separate IP space outside of our 
> network to put the Linksys box and set up my test remote 
> site.  My Linux server is using an IP in the same subnet as 
> my Check Point firewall, but it is going "around" the 
> firewall.  To help explain all of this, I have thrown 
> together a quick diagram of everything.  You can access it 
> here:  
> http://www.imagehosting.com/show.php/1630007_OpenSwanDiagram.j
> pg.html.  If I have left something out, please let me know.
> 
> The Ubuntu server and the Linksys router do indeed have their 
> own external IP addresses.  Here is my Linksys config:  
> http://www.imagehosting.com/show.php/1630052_linksyscfgPage1.j
> pg.html and 
> http://www.imagehosting.com/show.php/1630053_linksyscfgPage2.j
> pg.html.  
> 
> I am hoping these pics look OK.  If you need me to provide 
> additional information, please let me know.
> 
> Thanks again for all of your help.
> -Chris
> 
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: Friday, March 14, 2008 12:50 PM
> To: Chris Thomas; users at openswan.org
> Subject: RE: [Openswan Users] Getting there....
> 
> Firewall was merely a place to check, not guaranteed to be 
> the problem.
> If you can get a console on your Ubuntu, you can check 
> firewall with...
> iptables -t filter -L -n -v
> iptables -t nat -L -n -v
> iptables -t mangle -L -n -v
>  
> Are you connecting through the internet, or are you testing 
> internally?
> Do both the Ubuntu server and linksys router have public 
> internet ip addresses?
> (Not 172.16...172.32... or 10... or 192.168..., etc...)
> I cannot tell as you completely edited them from your posts.
> Next time try just masking the end like: 66.11.x.x
> Testing internally sometimes needs different settings than 
> production internet.
>  
> Is linksys using DES or 3DES? Should be 3DES & MD5 matching 
> your openswan.
> Can you show us your linksys ipsec configuration?
>  
> Peter McGill
>  
> 
> ________________________________________
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
> Sent: March 14, 2008 12:19 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Getting there....
> OK, I have hit a brick wall here and it's getting a bit 
> frustrating.  I have disabled the Linux firewall and the 
> Shoreline firewall on my server and I'm still getting the 
> same error below when I attempt to establish the tunnel.  Is 
> this absolutely positively due to a firewall issue or is it 
> possible that I've got something else incorrectly configured 
> somewhere?  I am fairly new to Linux so I am administering my 
> Ubuntu server with Webmin.  That is what I am using to verify 
> that the firewall(s) are turned off.  
> 
> I have also disabled the firewall on the Linksys box and have 
> examined it's logs.  This is what shows up after I hit 
> "connect" to initiate the tunnel:
> 
> Mar 14 09:33:34 - [VPN Log]: "pax_square" #2: initiating Main Mode
> Mar 14 09:33:43 - [VPN Log]: initiate on demand from 
> 192.168.36.100:0 to 192.168.0.30:0 proto=0 state: fos_start 
> because: acquire
> Mar 14 09:34:44 - [VPN Log]: "pax_square" #2: max number of 
> retransmissions (2) reached STATE_MAIN_I1. No response (or no 
> acceptable response) to our first IKE message
> Mar 14 10:08:54 - [VPN Log]: "pax_square" #3: initiating Main Mode
> Mar 14 10:10:04 - [VPN Log]: "pax_square" #3: max number of 
> retransmissions (2) reached STATE_MAIN_I1. No response (or no 
> acceptable response) to our first IKE message
> Mar 14 10:53:58 - [VPN Log]: "pax_square" #4: initiating Main Mode
> Mar 14 10:55:08 - [VPN Log]: "pax_square" #4: max number of 
> retransmissions (2) reached STATE_MAIN_I1. No response (or no 
> acceptable response) to our first IKE message
> 
> If it helps, this is my ipsec.conf file on the Ubuntu server 
> running OpenSwan:
> 
> version   2.0          # conforms to second version of 
> ipsec.conf specification
> 
> config setup
>         interfaces=%defaultroute
>         uniqueids=yes
>  
> include /etc/ipsec.d/examples/no_oe.conf
>  
> conn pax_square
>         also=central-site
>         right=%any
>         rightid=@pax_square
>         rightsubnet=192.168.36.0/24
>         also=linksys-policy
>         auto=add 
>  
> conn central-site
>         left=(external IP of Linux server)
>         leftsubnet=192.168.0.0/24
>         leftsourceip=192.168.0.20
> 
> conn linksys-policy
>         ike=3des-md5-modp1024 
>         esp=3des-md5                
>         compress=no
>         authby=secret 
> 
> 
> If it's definitely the firewall, I'll go back to the drawing 
> board and see what I can see.
> 
> As before, I appreciate the help and patience.
> Thanks
> -Chris
> 
> 
> 
> 
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: Thursday, March 13, 2008 4:14 PM
> To: Chris Thomas; users at openswan.org
> Subject: RE: [Openswan Users] Getting there....
> 
> Check your firewall(s) on both ends, and check the linksys logs.
> You must allow ipsec (and ipsec encapsulated traffic) in your 
> firewalls.
> protocol    port    description
> 17            500    udp:isakmp
> 50                     esp
> You must allow the above inbound and outbound on your 
> internet interfaces.
> You must also allow the subnet-to-subnet traffic.
>  
> Peter McGill
>  
> 
> ________________________________________
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
> Sent: March 13, 2008 4:06 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Getting there....
> OK, I changed my Linksys box to 1024 bit and I now have this:
> 
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote 
> site IP):500: ignoring unknown Vendor ID payload 
> [4f4540454371496d7a684644]
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote 
> site IP):500: received Vendor ID payload [Dead Peer Detection]
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote 
> site IP):500: received Vendor ID payload [RFC 3947] meth=110, 
> but port floating is off
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote 
> site IP):500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote 
> site IP):500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
> Mar 13 16:01:48 gatekeeper pluto[11850]: packet from (remote 
> site IP):500: ignoring Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-00]
> Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] 
> (remote site IP) #9: responding to Main Mode from unknown 
> peer (remote site IP)
> Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] 
> (remote site IP) #9: transition from state STATE_MAIN_R0 to 
> state STATE_MAIN_R1
> Mar 13 16:01:48 gatekeeper pluto[11850]: "pax_square"[5] 
> (remote site IP) #9: STATE_MAIN_R1: sent MR1, expecting MI2
> Mar 13 16:02:28 gatekeeper pluto[11850]: "pax_square"[5] 
> (remote site IP) #7: max number of retransmissions (2) 
> reached STATE_MAIN_R1
> 
> Thanks
> -Chris
> 
> 
> From: Peter McGill [mailto:petermcgill at goco.net] 
> Sent: Thursday, March 13, 2008 3:50 PM
> To: Chris Thomas; users at openswan.org
> Subject: RE: [Openswan Users] Getting there....
> 
> There is a mismatch in your options, specifically your DH/modp Group.
> Diffie-Hellman (DH) Group needs to match openswan's ike=*-modp????
> I'm guessing that your linksys is sending Diffie-Hellmen (DH) 
> Group 1 (768-bit).
> Openswan will not allow this because it's too weak of security.
> If you have ike=3des-md5-modp1024 or ike=aes-sha1-modp1024 as 
> I suggested,
> then change your linksys to use Group 2 (1024-bit) to match it.
>  
> Peter McGill
>  
> 
> ________________________________________
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Chris Thomas
> Sent: March 13, 2008 3:40 PM
> To: users at openswan.org
> Subject: [Openswan Users] Getting there....
> Hello again, everyone.  I have configured my Linksys box to 
> connect to my Ubuntu server running OpenSwan, but when I 
> attempt to initiate the connection, my logs on the server at 
> HQ get full of this stuff:
> 
> 
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote 
> site external IP):500: ignoring unknown Vendor ID payload 
> [4f4540454371496d7a684644]
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote 
> site external IP):500: received Vendor ID payload [Dead Peer 
> Detection]
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote 
> site external IP):500: received Vendor ID payload [RFC 3947] 
> meth=110, but port floating is off
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote 
> site external IP):500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote 
> site external IP):500: received Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
> Mar 13 15:31:54 gatekeeper pluto[11850]: packet from (remote 
> site external IP):500: ignoring Vendor ID payload 
> [draft-ietf-ipsec-nat-t-ike-00]
> Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 
> (remote site external IP) #1: responding to Main Mode from 
> unknown peer (remote site external IP)
> Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 
> (remote site external IP) #1: only OAKLEY_GROUP_MODP1024 and 
> OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 
> (remote site external IP) #1: no acceptable Oakley Transform
> Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 
> (remote site external IP) #1: sending notification 
> NO_PROPOSAL_CHOSEN to (remote site external IP):500
> Mar 13 15:31:54 gatekeeper pluto[11850]: "pax_square"[1] 
> (remote site external IP): deleting connection "pax_square" 
> instance with peer (remote site external IP) {isakmp=#0/ipsec=#0}
> 
> I am assuming that it has something to do with the Preshared 
> key that I am using, but I am not too sure how to go about 
> fixing it.  I do not want to be a nuisance, but can anyone 
> give me a (another) push in the right direction?  
> 
> I appreciate your patience.
> -Chris
> 



More information about the Users mailing list