[Openswan Users] ASSERTION FAILED Request for Help

David Klann dxklann at gmail.com
Mon Mar 17 14:33:46 EDT 2008


On Sun, 9 Mar 2008 02:33:13 +0000
Eray Aslan <eray.aslan at caf.com.tr> wrote:

> Attached is the config.gz file for the machine running 2.4.11 on
> kernel 2.6.23-gentoo-r8.  gcc is 3.4.6.  We also have another machine
> running same openswan and kernel versions with gcc 4.1.2 with no
> problems.
>

Thanks for the configuration file, Eray. I managed to pare my kernel
configuration down to something that resembled yours. I think it
helped to remove my IPV6 configuration from the kernel. Anyway, I've
got gentoo-sources-2.6.24-r3 running with openswan-2.4.11 (both
unchanged from portage). But it's still not working as I'd hoped it
would.

Now on to the next issue.

Running "/etc/init.d/ipsec start" seems to make good progress, but I'm
unable to actually see any remote network(s). I've included logs and
configuration information below. If anyone has any thoughts on why
this doesn't seem to be working I'd love to hear it. Here's my
configuration in a simple drawing:

office       office                       DSL       Linksys     laptop
private  --- firewall  --- Internet ---  modem ---  Router  --- with
network     (FortiGate)                              (NAT)      openswan

The Linksys router at my location (on the right above) is running
Sveasoft Talisman/Basic V1.3.1 with "IPSec Passthrough" enabled
"Security->VPN->VPN Passthrough", and no other ports forwarded to the
laptop. I've also tried the IPSec software with the laptop directly
connected to the DSL modem (without the NAT router in place). It seems
to make no difference.

After starting Openswan, I see a new routing table entry
(10.62.23.0/24 is the new route, 10.1.1.0/24 is my private home
network; the remote end does not have a 10.1.1.0/24):

% ip route show
10.62.23.0/24 dev eth0  scope link 
10.1.1.0/24 dev eth0  proto kernel  scope link  src 10.1.1.110 
127.0.0.0/8 dev lo  scope link 
default via 10.1.1.1 dev eth0 

Here are the "daemon" log entries:

Mar 17 13:00:50 host ipsec_setup: Starting Openswan IPsec U2.4.11/K2.6.24-gentoo-r3...
Mar 17 13:00:50 host ipsec_setup: NETKEY on eth0 10.1.1.110/255.255.255.0 broadcast 10.1.1.255 
Mar 17 13:00:50 host ipsec_setup: ...Openswan IPsec started
Mar 17 13:00:51 host ipsec__plutorun: 104 "win" #1: STATE_MAIN_I1: initiate
Mar 17 13:00:51 host ipsec__plutorun: ...could not start conn "win"

And here are the "authpriv" log entries:

Mar 17 13:00:50 host ipsec__plutorun: Starting Pluto subsystem...
Mar 17 13:00:50 host ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
Mar 17 13:00:50 host pluto[15521]: Starting Pluto (Openswan Version 2.4.11 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE{dD^fJcUvk)
Mar 17 13:00:50 host pluto[15521]: Setting NAT-Traversal port-4500 floating to on
Mar 17 13:00:50 host pluto[15521]:    port floating activation criteria nat_t=1/port_fload=1
Mar 17 13:00:50 host pluto[15521]:   including NAT-Traversal patch (Version 0.6c)
Mar 17 13:00:50 host pluto[15521]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 17 13:00:50 host pluto[15521]: no helpers will be started, all cryptographic operations will be done inline
Mar 17 13:00:50 host pluto[15521]: Using NETKEY IPsec interface code on 2.6.24-gentoo-r3
Mar 17 13:00:51 host pluto[15521]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Mar 17 13:00:51 host pluto[15521]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Mar 17 13:00:51 host pluto[15521]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Mar 17 13:00:51 host pluto[15521]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Mar 17 13:00:51 host pluto[15521]:   Warning: empty directory
Mar 17 13:00:51 host pluto[15521]: loading secrets from "/etc/ipsec/ipsec.secrets"
Mar 17 13:00:51 host pluto[15521]: added connection description "win"
Mar 17 13:00:51 host pluto[15521]: listening for IKE messages
Mar 17 13:00:51 host pluto[15521]: adding interface eth0/eth0 10.1.1.110:500
Mar 17 13:00:51 host pluto[15521]: adding interface eth0/eth0 10.1.1.110:4500
Mar 17 13:00:51 host pluto[15521]: adding interface lo/lo 127.0.0.1:500
Mar 17 13:00:51 host pluto[15521]: adding interface lo/lo 127.0.0.1:4500
Mar 17 13:00:51 host pluto[15521]: forgetting secrets
Mar 17 13:00:51 host pluto[15521]: loading secrets from "/etc/ipsec/ipsec.secrets"
Mar 17 13:00:51 host pluto[15521]: "win" #1: initiating Main Mode
Mar 17 13:00:51 host pluto[15521]: "win" #1: received Vendor ID payload [Dead Peer Detection]
Mar 17 13:00:51 host pluto[15521]: "win" #1: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Mar 17 13:00:51 host pluto[15521]: "win" #1: ignoring unknown Vendor ID payload [5062b335bc20db32c0d54465a2f70100]
Mar 17 13:00:51 host pluto[15521]: "win" #1: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Mar 17 13:00:51 host pluto[15521]: "win" #1: received Vendor ID payload [RFC 3947] method set to=109 
Mar 17 13:00:51 host pluto[15521]: "win" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 17 13:00:51 host pluto[15521]: "win" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 17 13:00:51 host pluto[15521]: "win" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 17 13:00:51 host pluto[15521]: "win" #1: I did not send a certificate because I do not have one.
Mar 17 13:00:51 host pluto[15521]: "win" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Mar 17 13:00:51 host pluto[15521]: "win" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 17 13:00:51 host pluto[15521]: "win" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 17 13:00:51 host pluto[15521]: "win" #1: Main mode peer ID is ID_IPV4_ADDR: '64.33.XX.YY'
Mar 17 13:00:51 host pluto[15521]: "win" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 17 13:00:51 host pluto[15521]: "win" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Mar 17 13:00:51 host pluto[15521]: "win" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 17 13:00:52 host pluto[15521]: "win" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 17 13:00:52 host pluto[15521]: "win" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 17 13:00:52 host pluto[15521]: "win" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x711ad9a1 <0x47006a23 xfrm=3DES_0-HMAC_SHA1 NATD=64.33.XX.YY:4500 DPD=none}
Mar 17 13:06:16 host pluto[15521]: "win" #1: DPD: Warning: received old or duplicate R_U_THERE
Mar 17 13:06:21 host pluto[15521]: "win" #1: DPD: Warning: received old or duplicate R_U_THERE
Mar 17 13:06:26 host pluto[15521]: "win" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Mar 17 13:06:26 host pluto[15521]: "win" #1: received and ignored informational message
Mar 17 13:06:26 host pluto[15521]: "win" #1: received Delete SA payload: deleting ISAKMP State #1
Mar 17 13:06:26 host pluto[15521]: packet from 64.33.XX.YY:4500: received and ignored informational message
Mar 17 13:06:36 host pluto[15521]: "win" #3: initiating Main Mode
Mar 17 13:06:36 host pluto[15521]: "win" #3: received Vendor ID payload [Dead Peer Detection]
Mar 17 13:06:36 host pluto[15521]: "win" #3: ignoring unknown Vendor ID payload [afca071368a1f1c96b8696fc77570100]
Mar 17 13:06:36 host pluto[15521]: "win" #3: ignoring unknown Vendor ID payload [5062b335bc20db32c0d54465a2f70100]
Mar 17 13:06:36 host pluto[15521]: "win" #3: ignoring unknown Vendor ID payload [1d6e178f6c2c0be284985465450fe9d4]
Mar 17 13:06:36 host pluto[15521]: "win" #3: received Vendor ID payload [RFC 3947] method set to=109 
Mar 17 13:06:36 host pluto[15521]: "win" #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 17 13:06:36 host pluto[15521]: "win" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 17 13:06:36 host pluto[15521]: "win" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 17 13:06:37 host pluto[15521]: "win" #3: I did not send a certificate because I do not have one.
Mar 17 13:06:37 host pluto[15521]: "win" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Mar 17 13:06:37 host pluto[15521]: "win" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 17 13:06:37 host pluto[15521]: "win" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 17 13:06:37 host pluto[15521]: "win" #3: Main mode peer ID is ID_IPV4_ADDR: '64.33.XX.YY'
Mar 17 13:06:37 host pluto[15521]: "win" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 17 13:06:37 host pluto[15521]: "win" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Mar 17 13:06:37 host pluto[15521]: "win" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
Mar 17 13:06:37 host pluto[15521]: "win" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Mar 17 13:06:37 host pluto[15521]: "win" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 17 13:06:37 host pluto[15521]: "win" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x711ad9a2 <0x966b791f xfrm=3DES_0-HMAC_SHA1 NATD=64.33.XX.YY:4500 DPD=none}

I've attached output of "ipsec barf" to this message for further
information.

Anyone have thoughts about why this seems to be working, but also
seems to be not completely working?

Thanks, Eray and Paul, for the help thus far!!

 -David Klann
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec-barf-2008-03-17.gz
Type: application/x-gzip
Size: 9744 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080317/8f328474/attachment.gz 
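A small log parser, added here as a worked example and not part of David's post or of Openswan itself, that turns pluto "authpriv" lines like the ones above into a per-SA timeline: when each ISAKMP and IPsec SA came up, whether this side detected itself behind NAT, how many DPD R_U_THERE warnings arrived, and how long each SA lived before the peer sent a Delete SA payload. The sample lines are constructed to mirror the 2.4.11 message strings quoted above (same connection name "win", SA numbers and masked peer address); the regexes and the dpddelay/dpdtimeout hint assume Openswan 2.4-era wording and ipsec.conf options.

```python
"""Build an IKE/IPsec SA timeline from Openswan pluto syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the authpriv log quoted in the post above.
SAMPLE_LOG = """\
Mar 17 13:00:51 host pluto[15521]: "win" #1: initiating Main Mode
Mar 17 13:00:51 host pluto[15521]: "win" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Mar 17 13:00:51 host pluto[15521]: "win" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Mar 17 13:00:51 host pluto[15521]: "win" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 17 13:00:52 host pluto[15521]: "win" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x711ad9a1 <0x47006a23 xfrm=3DES_0-HMAC_SHA1 NATD=64.33.XX.YY:4500 DPD=none}
Mar 17 13:06:16 host pluto[15521]: "win" #1: DPD: Warning: received old or duplicate R_U_THERE
Mar 17 13:06:21 host pluto[15521]: "win" #1: DPD: Warning: received old or duplicate R_U_THERE
Mar 17 13:06:26 host pluto[15521]: "win" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Mar 17 13:06:26 host pluto[15521]: "win" #1: received Delete SA payload: deleting ISAKMP State #1
Mar 17 13:06:36 host pluto[15521]: "win" #3: initiating Main Mode
"""

# "<month> <day> <hh:mm:ss> <host> pluto[<pid>]: "<conn>" #<sa>: <message>"
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
ATTR_RE = re.compile(r'\{([^}]*)\}')
DELETE_RE = re.compile(
    r'received Delete SA payload: (?:replace|deleting) (?:IPSEC|ISAKMP) State #(?P<sa>\d+)'
)


def parse_ts(ts):
    # Syslog timestamps carry no year; the year does not matter for durations.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def parse_attrs(msg):
    """Split the {...} block of an 'SA established' line into a dict."""
    m = ATTR_RE.search(msg)
    if not m:
        return {}
    attrs = {}
    for tok in m.group(1).split():
        if tok.startswith("ESP=>"):          # outbound SPI
            attrs["spi_out"] = tok[len("ESP=>"):]
        elif tok.startswith("<"):            # inbound SPI follows the outbound one
            attrs["spi_in"] = tok[1:]
        elif "=" in tok:
            k, v = tok.split("=", 1)
            attrs[k] = v
    return attrs


def _new_rec(conn):
    return {"conn": conn, "kind": None, "established": None,
            "deleted": None, "attrs": {}, "nated": False}


def parse_pluto(log_text):
    """Return ({sa_number: record}, {sa_number: dpd_warning_count})."""
    sas, dpd_warnings = {}, defaultdict(int)
    for line in log_text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # not a per-SA pluto line (e.g. "packet from ..." or ipsec_setup)
        ts, conn, sa, msg = parse_ts(m["ts"]), m["conn"], int(m["sa"]), m["msg"]
        rec = sas.setdefault(sa, _new_rec(conn))
        if "initiating Main Mode" in msg:
            rec["kind"] = "isakmp"
        elif "initiating Quick Mode" in msg:
            rec["kind"] = "ipsec"
        elif "i am NATed" in msg:
            rec["nated"] = True
        elif "ISAKMP SA established" in msg:
            rec["kind"], rec["established"], rec["attrs"] = "isakmp", ts, parse_attrs(msg)
        elif "IPsec SA established" in msg:
            rec["kind"], rec["established"], rec["attrs"] = "ipsec", ts, parse_attrs(msg)
        elif "DPD: Warning" in msg:
            dpd_warnings[sa] += 1
        else:
            d = DELETE_RE.search(msg)
            if d:  # the Delete payload names the SA being torn down, not the SA it arrived on
                sas.setdefault(int(d["sa"]), _new_rec(conn))["deleted"] = ts
    return sas, dict(dpd_warnings)


def sa_lifetime(sas, num):
    """Seconds between establishment and the peer's Delete SA, or None if unknown."""
    r = sas.get(num)
    if not r or r["established"] is None or r["deleted"] is None:
        return None
    return int((r["deleted"] - r["established"]).total_seconds())


def summarize(sas, dpd_warnings):
    findings = []
    for num, r in sorted(sas.items()):
        if r["established"] is None:
            continue
        tag = f'{r["kind"]} SA #{num} ("{r["conn"]}")'
        if r["deleted"] is None:
            findings.append(f"{tag}: established, still up at end of log")
        else:
            findings.append(f"{tag}: peer sent Delete SA {sa_lifetime(sas, num)}s after establishment")
    if any(r["nated"] for r in sas.values()):
        findings.append("NAT-T in use: this side is behind NAT, ESP is UDP-encapsulated on port 4500")
    if dpd_warnings and any(r["attrs"].get("DPD") == "none" for r in sas.values()):
        findings.append("peer sends DPD R_U_THERE but local SAs were negotiated with DPD=none; "
                        "consider dpddelay/dpdtimeout in ipsec.conf so both ends agree on liveness")
    return findings


if __name__ == "__main__":
    sas, dpd = parse_pluto(SAMPLE_LOG)
    for f in summarize(sas, dpd):
        print(f)
```

Feed it the real thing with something like `grep 'pluto\[' /var/log/auth.log | python3 pluto_timeline.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the point of the per-SA lifetimes is to see at a glance that the tunnel negotiates cleanly and is then torn down by the far end, which separates an IKE problem from a routing or policy problem.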

