[Openswan Users] Don't ping to subnet.

André João Telöcken andre at telocken.com.br
Sun Sep 21 21:09:38 EDT 2008


I configured an Openswan VPN with Windows XP (SP3) and had this situation:

1) TOPOLOGY:

192.168.1.0/24 <--> Linux FC2 Kernel 2.6.8-1.521 with Openswan IPsec 2.6.16
<--> Internet <--> DSL Router (192.168.254.254/255.255.255.248) <-->
Windows XP SP3 (192.168.254.250/255.255.255.248)

2) Openswan ipsec.conf:

config setup
        protostack=netkey
        # Configuration from http://www.natecarlson.com/linux/ipsec-x509.php#changelog
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:!192.168.0.0/16,%v4:!172.16.0.0/12
        #klipsdebug=all
        #plutoopts="--debug-all"
        #plutodebug=controlmore

conn %default
        keyingtries=1
        compress=yes
        disablearrivalcheck=no
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

#conn roadwarrior-all
#       leftsubnet=0.0.0.0/0
#       also=roadwarrior

conn roadwarrior
        left=%defaultroute
        leftcert=host.linuxcom.br.pem
        right=%any
        #rightsubnet=vhost:%no,%priv
        rightsubnet=vhost:%priv,%no,%v4:192.168.0.0/16
        auto=add
        pfs=yes

conn roadwarrior-net
        leftsubnet=192.168.1.0/24
        also=roadwarrior

3) Windows XP IPsec: ipsec.conf:

conn roadwarrior
      left=%any
      right=200.xxx.xxx.xxx
      rightca="C=BR, S=Santa Catarina, L=Chapeco, O=Transportes CoName Ltda, OU=CoName, CN=srvName, E={email}"
      network=auto
      auto=start
      pfs=yes

conn roadwarrior-net
      left=%any
      right=200.xxx.xxx.xxx
      rightsubnet=192.168.1.0/24
      rightca="C=BR, S=Santa Catarina, L=Chapeco, O=Transportes CoName Ltda, OU=CoName, CN=srvName, E={email}"
      network=auto
      auto=start
      pfs=yes

4) Messages in /var/log/secure on Linux:

Sep 21 20:39:11 srvName pluto[14022]: packet from 189.73.104.254:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Sep 21 20:39:11 srvName pluto[14022]: packet from 189.73.104.254:500: ignoring Vendor ID payload [FRAGMENTATION]
Sep 21 20:39:11 srvName pluto[14022]: packet from 189.73.104.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Sep 21 20:39:11 srvName pluto[14022]: packet from 189.73.104.254:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: responding to Main Mode from unknown peer 189.73.104.254
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=BR, ST=Santa Catarina, L=Chapeco, O=Transportes CoName Ltda, OU=cliName, CN=cliName, E={email}'
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: switched from "roadwarrior" to "roadwarrior"
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: deleting connection "roadwarrior" instance with peer 189.73.104.254 {isakmp=#0/ipsec=#0}
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: I am sending my cert
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: new NAT mapping for #1, was 189.73.104.254:500, now 189.73.104.254:4500
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: the peer proposed: 200.xxx.xxx.xxx/32:0/0 -> 192.168.254.250/32:0/0
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: responding to Quick Mode proposal {msgid:70515ab9}
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: us: 200.xxx.xxx.xxx[C=BR, ST=Santa Catarina, L=Chapeco, O=Transportes CoName Ltda, OU=CoName, CN=srvName, E={email},+S=C]
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: them: 189.73.104.254[C=BR, ST=Santa Catarina, L=Chapeco, O=Transportes CoName Ltda, OU=cliName, CN=cliName, E={email},+S=C]===192.168.254.250/32
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: malformed payload in packet
Sep 21 20:39:12 srvName pluto[14022]: | payload malformed after IV
Sep 21 20:39:12 srvName pluto[14022]: |   20 3a cd 09  23 5d 31 01
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: sending notification PAYLOAD_MALFORMED to 189.73.104.254:4500
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfca13310 <0x2fe017a4 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=189.73.104.254:4500 DPD=none}

5) Ping to the Openswan server (200.xxx.xxx.xxx):

C:\Documentos\Desenvto\IPSec\IPSec>ping 200.xxx.xxx.xxx

Disparando contra 200.xxx.xxx.xxx com 32 bytes de dados:

Negociando segurança IP.
Negociando segurança IP.
Negociando segurança IP.
Negociando segurança IP.

Estatísticas do Ping para 200.xxx.xxx.xxx:
    Pacotes: Enviados = 4, Recebidos = 0, Perdidos = 4 (100% de perda),

C:\Documentos\Desenvto\IPSec\IPSec>ping 200.xxx.xxx.xxx

Disparando contra 200.xxx.xxx.xxx com 32 bytes de dados:

Resposta de 200.xxx.xxx.xxx: bytes=32 tempo=60ms TTL=64
Resposta de 200.xxx.xxx.xxx: bytes=32 tempo=59ms TTL=64
Resposta de 200.xxx.xxx.xxx: bytes=32 tempo=62ms TTL=64
Resposta de 200.xxx.xxx.xxx: bytes=32 tempo=62ms TTL=64

Estatísticas do Ping para 200.xxx.xxx.xxx:
    Pacotes: Enviados = 4, Recebidos = 4, Perdidos = 0 (0% de perda),
Aproximar um número redondo de vezes em milissegundos:
    Mínimo = 59ms, Máximo = 62ms, Média = 60ms

C:\Documentos\Desenvto\IPSec\IPSec>

6) Ping to the subnet behind the Openswan server (192.168.1.254):

C:\Documentos\Desenvto\IPSec\IPSec>ping 192.168.1.254

Disparando contra 192.168.1.254 com 32 bytes de dados:

Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.

Estatísticas do Ping para 192.168.1.254:
    Pacotes: Enviados = 4, Recebidos = 0, Perdidos = 4 (100% de perda),

7) What happened?

Thank you!!
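Added example, not part of the original post and not Openswan's own code: a small Python parser for pluto log lines in the format shown in section 4 above. It pulls out the per-SA state chain, which SAs reached "established", the traffic selectors pluto prints on the "the peer proposed" line (our side -> their side), and any notifications sent, then checks whether a given destination falls inside any negotiated selector. The regexes are written against the Openswan 2.6-era message wording visible in this post and are an assumption for other versions. The sample lines are a constructed subset of the post's log, one entry per line, with the masked server address 200.xxx.xxx.xxx replaced by the documentation address 203.0.113.10 so the selectors parse.

```python
"""Pull SA state, traffic selectors and notifications out of Openswan pluto log lines."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a subset of the pluto lines from the post above, one
# log entry per line, with the masked server address 200.xxx.xxx.xxx replaced by
# the documentation address 203.0.113.10 so that the selectors parse.
SAMPLE_LOG = """\
Sep 21 20:39:11 srvName pluto[14022]: packet from 189.73.104.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: responding to Main Mode from unknown peer 189.73.104.254
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[1] 189.73.104.254 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep 21 20:39:11 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #1: the peer proposed: 203.0.113.10/32:0/0 -> 192.168.254.250/32:0/0
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: byte 2 of ISAKMP Hash Payload must be zero, but is not
Sep 21 20:39:12 srvName pluto[14022]: | payload malformed after IV
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: sending notification PAYLOAD_MALFORMED to 189.73.104.254:4500
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 21 20:39:12 srvName pluto[14022]: "roadwarrior"[2] 189.73.104.254 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfca13310 <0x2fe017a4 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=189.73.104.254:4500 DPD=none}
"""

# syslog prefix: "Mon DD HH:MM:SS host pluto[pid]: <message>"
PLUTO_RE = re.compile(r'^\w{3} +\d+ [\d:]+ \S+ pluto\[\d+\]: (?P<msg>.*)$')
# SA-scoped messages: '"conn"[instance] peer-ip #sa: <text>'
SA_RE = re.compile(r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<text>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
# "the peer proposed: <our net>:<proto>/<port> -> <their net>:<proto>/<port>"
PROPOSED_RE = re.compile(r'the peer proposed: ([\d.]+/\d+):\d+/\d+ -> ([\d.]+/\d+):\d+/\d+')
ESTABLISHED_RE = re.compile(r'(ISAKMP|IPsec) SA established')
NOTIFY_RE = re.compile(r'sending notification (\S+) to')


@dataclass
class PlutoSummary:
    states: Dict[int, List[str]] = field(default_factory=dict)      # SA number -> state chain
    established: Dict[int, str] = field(default_factory=dict)       # SA number -> "ISAKMP" / "IPsec"
    proposals: List[Tuple[str, str]] = field(default_factory=list)  # (our selector, their selector)
    notifications: List[Tuple[int, str]] = field(default_factory=list)
    unscoped: int = 0  # pluto lines with no '"conn"[n] peer #sa:' prefix (packet from ..., | debug)


def parse_pluto_log(log_text: str) -> PlutoSummary:
    summary = PlutoSummary()
    for line in log_text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue  # not a pluto line at all
        sa_m = SA_RE.match(m.group('msg'))
        if not sa_m:
            summary.unscoped += 1
            continue
        sa = int(sa_m.group('sa'))
        text = sa_m.group('text')
        t = TRANSITION_RE.search(text)
        if t:
            # seed the chain with the "from" state the first time we see this SA
            summary.states.setdefault(sa, [t.group(1)]).append(t.group(2))
        e = ESTABLISHED_RE.search(text)
        if e:
            summary.established[sa] = e.group(1)
        p = PROPOSED_RE.search(text)
        if p:
            summary.proposals.append((p.group(1), p.group(2)))
        n = NOTIFY_RE.search(text)
        if n:
            summary.notifications.append((sa, n.group(1)))
    return summary


def selector_for(summary: PlutoSummary, destination: str) -> Optional[str]:
    """Return the negotiated selector that covers `destination`, or None if no SA covers it."""
    addr = ipaddress.ip_address(destination)
    for ours, theirs in summary.proposals:
        for selector in (ours, theirs):
            if addr in ipaddress.ip_network(selector, strict=False):
                return selector
    return None


if __name__ == "__main__":
    summary = parse_pluto_log(SAMPLE_LOG)
    for sa, chain in sorted(summary.states.items()):
        print(f"SA #{sa}: {' -> '.join(chain)} ({summary.established.get(sa, 'not established')})")
    for ours, theirs in summary.proposals:
        print(f"negotiated selectors: {ours} <-> {theirs}")
    for sa, notif in summary.notifications:
        print(f"SA #{sa}: sent notification {notif}")
    for dst in ("203.0.113.10", "192.168.1.254"):
        print(f"{dst}: covered by {selector_for(summary, dst) or 'no negotiated selector'}")
```

Run over the post's log, the only selector pair is the server host /32 and the client /32, so a destination in 192.168.1.0/24 is reported as covered by no negotiated selector; that is the first thing to check when the tunnel comes up and the gateway answers but hosts on the subnet behind it do not.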