[Openswan Users] Net to Net VPN almost configured - but no tunnel established

Jorge Quirós jorge.quiros at wanadoo.es
Fri Sep 26 04:59:04 EDT 2008


Hi Everyone,

 

I'm having trouble connecting two networks with Openswan on two Debian servers, both of which have two network interfaces, an iptables firewall and NAT rules.

 

The VPN connection starts, but I get the following message on Firewall B:

packet from 212.170.202.XXX:500: initial Main Mode message received on 192.168.3.2:500 but no connection has been authorized

 

Any suggestions, please?

 

Thanks in advance.

Jorge Quiros

 

 

Network topology:

SUBNET A
192.168.0.0/24
        |
FIREWALL A (NAT ENABLED)
192.168.0.5 (eth3) | 192.168.1.2 (eth4)
        |
ADSL ROUTER A (STATIC PUBLIC IP)
192.168.1.1 (212.170.202.XXX)
        |
     INTERNET
        |
ADSL ROUTER B (STATIC PUBLIC IP)
192.168.3.1 (88.2.182.XXX)
        |
FIREWALL B (NAT ENABLED)
192.168.3.2 (eth0) | 192.168.1.3 (eth1)
        |
SUBNET B
192.168.1.0/24

 

/etc/ipsec.conf:

 

# basic configuration
config setup
        forwardcontrol=no
        nat_traversal=yes
        nhelpers=0
        plutodebug=none
        klipsdebug=all
        syslog=auth.debug

# Add connections here

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

conn A-B
        left=192.168.2.2
        leftsubnet=192.168.0.0/24
        leftid=@a.conA-B.es
        leftrsasigkey=0sAQOaU3oaT1wSGWCzD0yfmYE0QI1toL/baZfy1RGiIdnceM
        leftnexthop=212.170.202.XXX
        right=88.2.182.XXX
        rightsubnet=192.168.1.0/24
        rightid=@b.conA-B.es
        rightrsasigkey=0sAQPBm59puhrn6MUGY3ZbNX8ovBWK4uNuwRyrTHIdk
        rightnexthop=192.168.3.2
        auto=add

 

 

Firewall A:

# Generated by iptables-save v1.3.6 on Fri May  9 19:24:55 2008
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Remote Desktop
-A PREROUTING -p tcp -m tcp -s YYY.YYY.YYY.YYY -i eth4 --dport 3389 -j DNAT --to-destination 192.168.0.2
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.1.0/24 -o eth3 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/24 ! -d 192.168.1.0/24 -o eth4 -j MASQUERADE
COMMIT
# Completed on Fri May  9 19:24:55 2008
# Generated by iptables-save v1.3.6 on Fri May  9 19:24:55 2008
*mangle
:PREROUTING ACCEPT [25:1951]
:INPUT ACCEPT [24:1911]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21:6351]
:POSTROUTING ACCEPT [21:6351]
COMMIT
# Completed on Fri May  9 19:24:55 2008
# Generated by iptables-save v1.3.6 on Fri May  9 19:24:55 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_ACCEPT - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/8 -j ACCEPT
-A INPUT -s 88.2.182.XXX -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.3.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth4 --dport 80 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp -m multiport --ports 500 -j ACCEPT
-A INPUT -p udp -m udp -m multiport --ports 4500 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOG_ACCEPT -j LOG --log-prefix "LOG_ACCEPT " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_ACCEPT -j ACCEPT
-A OUTPUT ! -p icmp -j ACCEPT
-A OUTPUT -p esp -j LOG_ACCEPT
-A OUTPUT -p ah -j LOG_ACCEPT
-A OUTPUT -p udp -m udp --sport 500 -j LOG_ACCEPT
-A OUTPUT -p udp -m udp --sport 4500 -j LOG_ACCEPT
COMMIT
# Completed on Fri May  9 19:24:55 2008

 

Firewall B:

# Generated by iptables-save v1.3.6 on Tue Aug 26 15:57:57 2008
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
# Completed on Tue Aug 26 15:57:57 2008
# Generated by iptables-save v1.3.6 on Tue Aug 26 15:57:57 2008
*mangle
:PREROUTING ACCEPT [11:1820]
:INPUT ACCEPT [11:1820]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10:3637]
:POSTROUTING ACCEPT [10:3637]
COMMIT
# Completed on Tue Aug 26 15:57:57 2008
# Generated by iptables-save v1.3.6 on Tue Aug 26 15:57:57 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_ACCEPT - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/18 -j ACCEPT
-A INPUT -s 212.170.202.150 -j LOG_ACCEPT
-A INPUT -s 192.168.2.0/24 -j LOG_ACCEPT
-A INPUT -s 192.168.0.0/24 -j LOG_ACCEPT
-A INPUT -p udp -m udp -m multiport -s 212.170.202.XXX --ports 500 -j ACCEPT
-A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
-A LOG_ACCEPT -j LOG --log-prefix "LOG_ACCEPT " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
-A LOG_ACCEPT -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j LOG_ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
# Completed on Tue Aug 26 15:57:57 2008

 

A’s auth.log:

Sep 26 10:14:52 bastion ipsec_setup: KLIPS ipsec0 on eth4 192.168.2.2/255.255.255.0 broadcast 192.168.2.255
Sep 26 10:14:52 bastion ipsec__plutorun: Starting Pluto subsystem...
Sep 26 10:14:52 bastion pluto[4554]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Sep 26 10:14:52 bastion pluto[4554]: Setting NAT-Traversal port-4500 floating to on
Sep 26 10:14:52 bastion pluto[4554]:    port floating activation criteria nat_t=1/port_fload=1
Sep 26 10:14:52 bastion pluto[4554]:   including NAT-Traversal patch (Version 0.6c)
Sep 26 10:14:52 bastion pluto[4554]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Sep 26 10:14:52 bastion pluto[4554]: WARNING: Using /dev/urandom as the source of random
Sep 26 10:14:52 bastion pluto[4554]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 10:14:52 bastion pluto[4554]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 10:14:52 bastion pluto[4554]: Using Linux 2.6 IPsec interface code on 2.6.18-6-686
Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/aacerts'
Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/ocspcerts'
Sep 26 10:14:52 bastion pluto[4554]: Changing to directory '/etc/ipsec.d/crls'
Sep 26 10:14:52 bastion pluto[4554]:   Warning: empty directory
Sep 26 10:14:52 bastion ipsec_setup: ...Openswan IPsec started
Sep 26 10:14:52 bastion ipsec_setup: Starting Openswan IPsec 2.4.6...
Sep 26 10:14:52 bastion ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/key/af_key.ko
Sep 26 10:14:52 bastion ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 26 10:14:52 bastion ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/xfrm/xfrm_user.ko
Sep 26 10:14:52 bastion pluto[4554]: added connection description "A-B"
Sep 26 10:14:52 bastion pluto[4554]: listening for IKE messages
Sep 26 10:14:52 bastion pluto[4554]: adding interface eth3/eth3 192.168.0.5:500
Sep 26 10:14:52 bastion pluto[4554]: adding interface eth3/eth3 192.168.0.5:4500
Sep 26 10:14:52 bastion pluto[4554]: adding interface eth4/eth4 192.168.2.2:500
Sep 26 10:14:52 bastion pluto[4554]: adding interface eth4/eth4 192.168.2.2:4500
Sep 26 10:14:52 bastion pluto[4554]: adding interface lo/lo 127.0.0.1:500
Sep 26 10:14:52 bastion pluto[4554]: adding interface lo/lo 127.0.0.1:4500
Sep 26 10:14:52 bastion pluto[4554]: adding interface lo/lo ::1:500
Sep 26 10:14:52 bastion pluto[4554]: loading secrets from "/etc/ipsec.secrets"

 

B’s auth.log:

Sep 26 10:14:04 bastion2 ipsec_setup: KLIPS ipsec0 on eth0 192.168.3.2/255.255.255.0 broadcast 192.168.3.255
Sep 26 10:14:04 bastion2 ipsec__plutorun: Starting Pluto subsystem...
Sep 26 10:14:04 bastion2 pluto[23887]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OElLO]RdWNRD)
Sep 26 10:14:05 bastion2 pluto[23887]: Setting NAT-Traversal port-4500 floating to on
Sep 26 10:14:05 bastion2 pluto[23887]:    port floating activation criteria nat_t=1/port_fload=1
Sep 26 10:14:05 bastion2 pluto[23887]:   including NAT-Traversal patch (Version 0.6c)
Sep 26 10:14:05 bastion2 pluto[23887]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Sep 26 10:14:05 bastion2 pluto[23887]: WARNING: Using /dev/urandom as the source of random
Sep 26 10:14:05 bastion2 pluto[23887]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 26 10:14:05 bastion2 pluto[23887]: no helpers will be started, all cryptographic operations will be done inline
Sep 26 10:14:05 bastion2 pluto[23887]: Using Linux 2.6 IPsec interface code on 2.6.18-6-686
Sep 26 10:14:05 bastion2 ipsec_setup: ...Openswan IPsec started
Sep 26 10:14:05 bastion2 ipsec_setup: Starting Openswan IPsec 2.4.6...
Sep 26 10:14:05 bastion2 ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/key/af_key.ko
Sep 26 10:14:05 bastion2 ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/ipv4/xfrm4_tunnel.ko
Sep 26 10:14:05 bastion2 ipsec_setup: insmod /lib/modules/2.6.18-6-686/kernel/net/xfrm/xfrm_user.ko
Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/cacerts'
Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/aacerts'
Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/ocspcerts'
Sep 26 10:14:05 bastion2 pluto[23887]: Changing to directory '/etc/ipsec.d/crls'
Sep 26 10:14:05 bastion2 pluto[23887]:   Warning: empty directory
Sep 26 10:14:05 bastion2 pluto[23887]: added connection description "A-B"
Sep 26 10:14:05 bastion2 pluto[23887]: listening for IKE messages
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth0/eth0 192.168.3.2:500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth0/eth0 192.168.3.2:4500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth1/eth1 192.168.1.3:500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth1/eth1 192.168.1.3:4500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo 127.0.0.1:500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo 127.0.0.1:4500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo ::1:500
Sep 26 10:14:05 bastion2 pluto[23887]: loading secrets from "/etc/ipsec.secrets"
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [Openswan (this version) 2.4.6  X.509-1.5.4 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [Dead Peer Detection]
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [RFC 3947] method set to=110
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: initial Main Mode message received on 192.168.3.2:500 but no connection has been authorized

 

That's all.
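Editor's note on the error line quoted above. In Openswan 2.4, pluto answers an initial Main Mode packet only from a conn it can orient: one of the conn's ends (left or right) must be exactly the local address the packet arrived on, and the other end must be the sender's address or %any. The posted conn A-B has left=192.168.2.2 and right=88.2.182.XXX, while B's log shows pluto listening on 192.168.3.2, 192.168.1.3 and loopback only, so on B neither end is local and the packet that arrived on 192.168.3.2 from 212.170.202.XXX finds no conn. The script below is an added example (not the poster's code and not Openswan's own lookup, which it models in simplified form: no ID-based matching, no aggressive mode, no opportunistic encryption). It reads B's "adding interface" lines and the failing Main Mode line from the post, applies that matching rule to a conn, and reports whether the conn can ever respond on the interface the packet hit. The sample log text and the conn dictionary are constructed from the post; the XXX octets are the poster's masking and are treated as opaque strings.

```python
import re

# Constructed sample: B's "adding interface" lines and the failing Main Mode
# line as quoted in the post, plus conn A-B from the shared ipsec.conf.
PLUTO_LOG_B = """\
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth0/eth0 192.168.3.2:500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth0/eth0 192.168.3.2:4500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth1/eth1 192.168.1.3:500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface eth1/eth1 192.168.1.3:4500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo 127.0.0.1:500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo 127.0.0.1:4500
Sep 26 10:14:05 bastion2 pluto[23887]: adding interface lo/lo ::1:500
Sep 26 10:15:17 bastion2 pluto[23887]: packet from 212.170.202.XXX:500: initial Main Mode message received on 192.168.3.2:500 but no connection has been authorized
"""

# The conn exactly as posted (same file on both gateways).
CONN_AS_POSTED = {"left": "192.168.2.2", "right": "88.2.182.XXX"}

IFACE_RE = re.compile(r"adding interface \S+ (\S+):(\d+)$")
INI1_RE = re.compile(r"packet from (\S+):\d+: initial Main Mode message received on (\S+):\d+")


def listening_addresses(log):
    """Addresses pluto bound IKE sockets to (every 'adding interface' line)."""
    return {m.group(1) for m in map(IFACE_RE.search, log.splitlines()) if m}


def main_mode_arrivals(log):
    """(sender, local) pairs for each unauthorized initial Main Mode packet."""
    return [m.groups() for m in map(INI1_RE.search, log.splitlines()) if m]


def responder_end(conn, local, peer):
    """Simplified model of pluto's responder lookup (an assumption of this
    example, not Openswan code): one end must equal the local address the
    packet arrived on, the other must be the sender or the %any wildcard.
    Returns the name of the local end, or None when no end fits."""
    for me, them in (("left", "right"), ("right", "left")):
        if conn[me] == local and conn[them] in (peer, "%any"):
            return me
    return None


def diagnose(conn, log):
    """Explain each 'no connection has been authorized' line in terms of the
    conn's ends and the addresses pluto actually listens on."""
    bound = listening_addresses(log)
    report = []
    for peer, local in main_mode_arrivals(log):
        report.append({
            "peer": peer,
            "local": local,
            "matched_end": responder_end(conn, local, peer),
            # Neither left nor right is a bound address: the conn cannot be
            # oriented on this host and will never answer as responder.
            "conn_orphaned": not ({conn["left"], conn["right"]} & bound),
            # The packet reached a bound socket, so delivery (and therefore
            # the firewall) is not what is missing here.
            "local_is_bound": local in bound,
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(CONN_AS_POSTED, PLUTO_LOG_B):
        print(entry)
```

Running it against the posted data reports matched_end None, conn_orphaned True and local_is_bound True for the packet from 212.170.202.XXX on 192.168.3.2, which is the combination that produces the quoted log line; a conn whose local end is 192.168.3.2 and whose remote end is the sender matches as expected.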


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080926/11d72393/attachment-0001.html 
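Editor's note on the firewall rules. Since the B log shows the Main Mode packet reaching pluto, the filter rules on B are evidently letting IKE through, but a gateway that terminates IPsec behind NAT has to pass four things on INPUT from the peer (UDP/500, UDP/4500, ESP and AH, the latter only if AH is used) and, separately, must not MASQUERADE LAN traffic destined for the remote subnet, or the packets leave with the wrong source address and never match the tunnel's subnet policy. The script below is an added example (not the poster's code and not part of iptables or Openswan): a small first-match evaluator for iptables-save text that walks INPUT and POSTROUTING the way the kernel does (user chains descended, LOG falls through, the chain policy applies when nothing matches) and reports those verdicts. The rule text is an excerpt of Firewall B from the post; the peer's masked public address 212.170.202.XXX is replaced by the documentation address 203.0.113.7, a placeholder, and the option subset understood by the matcher (-p, -s, -d, -i, -o, --dport, --sport, --ports, --state) is an assumption sufficient for these rules, not full iptables semantics.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed sample: an excerpt of Firewall B's nat and filter tables from the
# post, with the peer's masked public address replaced by 203.0.113.7.
FIREWALL_B = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:LOG_ACCEPT - [0:0]
-A INPUT -s 127.0.0.1/18 -j ACCEPT
-A INPUT -s 203.0.113.7 -j LOG_ACCEPT
-A INPUT -s 192.168.2.0/24 -j LOG_ACCEPT
-A INPUT -s 192.168.0.0/24 -j LOG_ACCEPT
-A INPUT -p udp -m udp -m multiport -s 203.0.113.7 --ports 500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A LOG_ACCEPT -j LOG --log-prefix "LOG_ACCEPT " --log-level 4
-A LOG_ACCEPT -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j LOG_ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT", "MASQUERADE", "SNAT", "DNAT"}


def parse_save(text):
    """iptables-save text -> {(table, chain): (policy, [(negated, opts, target)])}."""
    chains, table = {}, None
    for raw in text.splitlines():
        if raw.startswith("*"):
            table = raw[1:]
        elif raw.startswith(":"):
            name, policy = raw[1:].split()[:2]
            chains[(table, name)] = (None if policy == "-" else policy, [])
        elif raw.startswith("-A "):
            toks = shlex.split(raw)[1:]
            chain, opts, neg, i = toks[0], {}, set(), 1
            while i < len(toks):
                if toks[i] == "!":              # "! -d net" negates the next option
                    neg.add(toks[i + 1])
                    i += 1
                    continue
                key, i = toks[i], i + 1
                has_val = i < len(toks) and not toks[i].startswith("-") and toks[i] != "!"
                opts[key] = toks[i] if has_val else None
                i += has_val
            chains[(table, chain)][1].append((neg, opts, opts.get("-j")))
    return chains


def _matches(neg, opts, pkt):
    """Packet-selecting options only; -m, -j and target options are ignored."""
    tests = {
        "-p": lambda v: pkt.get("proto") == v,
        "-s": lambda v: ip_address(pkt["src"]) in ip_network(v, strict=False),
        "-d": lambda v: ip_address(pkt["dst"]) in ip_network(v, strict=False),
        "-i": lambda v: pkt.get("in") == v,
        "-o": lambda v: pkt.get("out") == v,
        "--dport": lambda v: pkt.get("dport") == int(v),
        "--sport": lambda v: pkt.get("sport") == int(v),
        "--ports": lambda v: int(v) in (pkt.get("dport"), pkt.get("sport")),
        "--state": lambda v: pkt.get("state", "NEW") in v.split(","),
    }
    for key, val in opts.items():
        # A negated option must fail its test, a plain one must pass it.
        if key in tests and tests[key](val) == (key in neg):
            return False
    return True


def verdict(chains, table, chain, pkt):
    """First match wins; LOG falls through; user chains are descended into."""
    policy, rules = chains[(table, chain)]
    for neg, opts, target in rules:
        if not _matches(neg, opts, pkt):
            continue
        if target in TERMINAL:
            return target
        if (table, target) in chains:
            sub = verdict(chains, table, target, pkt)
            if sub is not None:
                return sub
    return policy


def audit_ipsec_gateway(save_text, peer, local, wan_if, lan_net, remote_net):
    """Verdicts for IKE, NAT-T, ESP and AH from the peer on INPUT, plus whether
    LAN -> remote-subnet traffic leaving wan_if would be MASQUERADEd."""
    chains = parse_save(save_text)
    inbound = {"src": peer, "dst": local, "in": wan_if}
    probes = {
        "ike_udp500": {**inbound, "proto": "udp", "sport": 500, "dport": 500},
        "natt_udp4500": {**inbound, "proto": "udp", "sport": 4500, "dport": 4500},
        "esp": {**inbound, "proto": "esp"},
        "ah": {**inbound, "proto": "ah"},
    }
    report = {k: verdict(chains, "filter", "INPUT", p) for k, p in probes.items()}
    lan_pkt = {"src": str(next(ip_network(lan_net).hosts())),
               "dst": str(next(ip_network(remote_net).hosts())),
               "out": wan_if, "proto": "tcp", "dport": 445}
    report["lan_to_remote_masqueraded"] = (
        verdict(chains, "nat", "POSTROUTING", lan_pkt) == "MASQUERADE")
    return report


if __name__ == "__main__":
    print(audit_ipsec_gateway(FIREWALL_B, "203.0.113.7", "192.168.3.2", "eth0",
                              "192.168.1.0/24", "192.168.0.0/24"))
```

For the posted B rules the four inbound classes from the peer all come back ACCEPT (the blanket `-s <peer> -j LOG_ACCEPT` rule catches them before anything else) and LAN-to-remote traffic is not masqueraded, which matches what the log shows: the IKE packet arrived, so the problem lies in the conn definition rather than in the firewall. The same evaluator shows that UDP/500 from any other source falls through to the INPUT policy DROP while UDP/4500 is accepted from anywhere, so the two IKE ports are not treated consistently; tightening the 4500 rule to the peer's address keeps the responder from being probed by arbitrary hosts.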

