[Openswan Users] Trying to use linux as VPN client

Sebastiaan van Erk sebster at sebster.com
Thu Nov 20 16:07:36 EST 2008


Hi,

Just one more thing I've discovered which might be problematic; first 
ipsec verify shows me:

root at blauwoor(:0j:586:130):~$ ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.6.18 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I configured GTA mobile client to have NAT-T disabled; tunnel setup 
works fine, but connections don't work afterwards. With NAT-T on "force" 
it does work, so NAT-T seems to be required. This leads me to guess that 
it's not causing problems right now (since tunnel setup worked without 
NAT-T), but it will be a problem once I get a step further....

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
> 
> Thanks for the answers! I think you're right that I don't want L2TP. 
> I've been reading the man page and trying stuff, but I'm still stuck 
> though I feel I'm making some progress now. I've taken your suggestion 
> and modified my connection file to:
> 
> conn relate
>         authby=secret
>         pfs=yes
>         rekey=yes
>         keyingtries=3
>         type=tunnel
>         aggrmode=yes
>         left=%defaultroute
>         leftid="sebster at sebster.com"
>         right=111.111.111.111
>         rightsubnet=10.31.5/24
>         ike=aes192-sha1-modp1024
>         phase2alg=aes192-sha1
>         auto=add
> 
> Things I'm not sure about are the leftid (should it be prefixed with 
> E=?). Also I don't know how to specify my IP address on the VPN subnet 
> (10.31.13.5). Which I also find kind of strange considering it's not 
> even on the rightsubnet (I copied these settings from GTA mobile client, 
> and there it really says "address type: subnet, 10.31.5.0/255.255.255.0" 
> with VPN client address 10.31.13.5). The GTA client settings were 
> provided to me by the sysadmin of the VPN server.
> 
> Another thing that I don't understand is the phase2alg: guessing from 
> the GTA mobile client config and the man page it should be:
> 
>     phase2alg=aes192-sha1-modp1024
> 
> [The format for ESP is ENC-AUTH followed by an optional PFSgroup. For 
> instance, "3des-md5" or "aes256-sha1-modp2048". --- the man page]
> 
> However when I try this pluto starts to complain:
> 
> Nov 20 21:23:28 blauwoor pluto[29887]: esp string error: Non initial 
> digit found for auth keylen, just after "aes192-sha1-" 
> (old_state=ST_AA_END)
> 
> It then kills the "relate" connection, and I can't even attempt to 
> connect. On the other hand, when I don't add the modp1024 then I get 
> this in the log:
> 
> Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #1: STATE_AGGR_I2: sent 
> AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 
> prf=oakley_sha group=modp1024}
> Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #2: initiating Quick 
> Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 
> msgid:c60f69e7 proposal=AES(12)_192-SHA1(2)_160 
> pfsgroup=OAKLEY_GROUP_MODP1024}
> Nov 20 21:26:36 blauwoor pluto[30146]: "relate" #2: max number of 
> retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to 
> our first Quick Mode message: perhaps peer likes no proposal
> 
> It actually looks ok from what I can see: aes192, sha1, and PFS group 
> DH1024.
> 
> I have the feeling I'm getting close but I'm still missing something. 
> I'm pretty sure that I need to do something with my VPN client IP and 
> I'm wondering about the format for the email id.
> 
> Regards,
> Sebastiaan
> 
> 
> Peter McGill wrote:
>> Sebastiaan,
>>
>> Nothing here indicates that you're using l2tp.
>> You should only have left/rightprotoport lines with l2tp.
>> And yes, type/mode should be tunnel, unless using l2tp.
>>
>> Peter McGill
>> IT Systems Analyst
>> Gra Ham Energy Limited
>>> -----Original Message-----
>>> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] 
>>> On Behalf Of Sebastiaan van Erk
>>> Sent: November 20, 2008 1:34 PM
>>> To: users at openswan.org
>>> Subject: Re: [Openswan Users] Trying to use linux as VPN client
>>>
>>> Hi,
>>>
>>> Thanks for the answer, and I figured as much, however I don't know what
>>> part of the proposal the other end does not like... Also, I'm a bit of a
>>> newbie, so I don't know what the STATE_QUICK_I1 means; does it mean that
>>> something succeeded (the STATE_AGGR_I2 stuff)? It already took me a
>>> couple hours to actually get it that far, at first that was failing 
>>> too...
>>>
>>> In GTA client I have the following settings under "Phase 1
>>> (Authentication) (other than my preshared key and remote gateway):
>>>
>>> IKE:
>>> Encryption AES192, Authentication: SHA, Key Group: DH1024.
>>>
>>> Under "Advanced" it has:
>>> Aggressive mode enabled, NAT-T: Automatic (vs Disabled)
>>> Local id: Type: email, value: sebster at sebster.com
>>> Remote id: Type IP, value: the ipsec gateway
>>>
>>> In GTA client I have the following settings under "Phase 2 (IPSec
>>> Configuration):
>>>
>>> ESP
>>> Encryption: AES192, Authentication: SHA, Mode: Tunnel (oops, in my
>>> config file I had mode transport, so I guess that's wrong, fixed it now
>>> and put it on mode tunnel, but it still gives the same output).
>>>
>>> PFS is checked, Group DH1024
>>>
>>> Those are all the options available.
>>>
>>> Is there a good way to debug this? I guess it's part of the security
>>> that the other hand just plain says nothing instead of saying what's 
>>> wrong.
>>>
>>> Regards,
>>> Sebastiaan
>>>
>>>
>>>
>>>
>>> Paul Wouters wrote:
>>>> On Thu, 20 Nov 2008, Sebastiaan van Erk wrote:
>>>>
>>>>> $ ipsec auto --up relate
>>>>> 112 "relate" #1: STATE_AGGR_I1: initiate
>>>>> 003 "relate" #1: received Vendor ID payload [Dead Peer Detection]
>>>>> 004 "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
>>>>> {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
>>>>> 117 "relate" #2: STATE_QUICK_I1: initiate
>>>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>>>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
>>>> The other end does not like your proposal. You need to figure out what it is
>>>> expecting from you.
>>>>
>>>> Paul
>>
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
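Added example (not part of the thread, and not Openswan's own tooling): a small triage script for the kind of pluto output quoted above. It reads syslog lines from pluto, records what phase 1 negotiated, what Quick Mode proposal was sent and whether PFS was flagged, and reports whether the failure is a phase2alg= string pluto could not parse, a phase 1 that never established, or a phase 2 proposal the peer silently dropped. The sample input is constructed from the log lines quoted in this thread, re-joined onto single lines as syslog writes them; the line layout assumed is the Openswan 2.6.x pluto format shown on this page, and the regular expressions only cover the message shapes that appear here.

```python
import re

# Constructed sample input: the pluto lines quoted earlier in this thread,
# re-joined onto single lines the way syslog writes them (assumed format:
# Openswan 2.6.x pluto logging via syslog).
QUICK_MODE_REJECTED = """\
Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:c60f69e7 proposal=AES(12)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Nov 20 21:26:36 blauwoor pluto[30146]: "relate" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

ESP_STRING_ERROR = """\
Nov 20 21:23:28 blauwoor pluto[29887]: esp string error: Non initial digit found for auth keylen, just after "aes192-sha1-" (old_state=ST_AA_END)
"""

CONN_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ESP_ERR_RE = re.compile(r'esp string error: (?P<detail>.*)$')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<attrs>[^}]*)\}')
QUICK_RE = re.compile(r'initiating Quick Mode (?P<flags>\S+) \{(?P<attrs>[^}]*)\}')
RETRANS_RE = re.compile(r'max number of retransmissions \((?P<n>\d+)\) reached (?P<state>STATE_\w+)')


def parse_attrs(text):
    """'auth=X cipher=Y' -> {'auth': 'X', 'cipher': 'Y'}; tokens without '=' are skipped."""
    attrs = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            attrs[key] = val
    return attrs


def triage(log_text):
    """Collect what pluto reported for each IKE phase of one connection."""
    report = {
        "conn": None,
        "esp_string_error": None,   # phase2alg=/esp= string pluto refused to parse
        "phase1": None,             # attributes of the established ISAKMP SA
        "phase2_proposal": None,    # attributes of the Quick Mode proposal we sent
        "pfs": False,               # PFS flag present on the Quick Mode exchange
        "gave_up_in": None,         # state in which retransmissions ran out
    }
    for line in log_text.splitlines():
        err = ESP_ERR_RE.search(line)
        if err:
            report["esp_string_error"] = err.group("detail")
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        report["conn"] = m.group("conn")
        msg = m.group("msg")
        sa = ISAKMP_RE.search(msg)
        quick = QUICK_RE.search(msg)
        retrans = RETRANS_RE.search(msg)
        if sa:
            report["phase1"] = parse_attrs(sa.group("attrs"))
        elif quick:
            report["phase2_proposal"] = parse_attrs(quick.group("attrs"))
            report["pfs"] = "PFS" in quick.group("flags").split("+")
        elif retrans:
            report["gave_up_in"] = retrans.group("state")
    return report


def verdict(report):
    """Name the first thing that went wrong, in the order the handshake runs."""
    if report["esp_string_error"]:
        return "esp-string-error"        # pluto never loaded the conn; fix phase2alg= first
    if report["phase1"] is None:
        return "phase1-not-established"  # look at ike=, PSK, IDs, aggressive mode
    if report["gave_up_in"] == "STATE_QUICK_I1":
        return "phase2-rejected"         # peer dropped our Quick Mode proposal without a reply
    if report["gave_up_in"]:
        return "stuck-in-" + report["gave_up_in"].lower()
    return "ok"


if __name__ == "__main__":
    for name, sample in (("rejected", QUICK_MODE_REJECTED), ("esp-error", ESP_STRING_ERROR)):
        r = triage(sample)
        print(name, "->", verdict(r))
        if r["phase2_proposal"]:
            # This is the exact ESP transform and PFS group to compare against the peer's config.
            print("  we offered:", r["phase2_proposal"]["proposal"],
                  "pfsgroup=" + str(r["phase2_proposal"].get("pfsgroup")), "pfs=" + str(r["pfs"]))
```

Run it against the syslog file pluto writes to (or feed it `ipsec auto --up <conn>` output with the syslog prefix in place) and compare the printed `proposal=` and `pfsgroup=` against what the gateway administrator says the other side accepts; a `phase2-rejected` verdict with phase 1 established means the IKE settings are already agreed and only the ESP transform, PFS group or selectors (the subnets and client address) are left to reconcile.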