[Openswan Users] Trouble figuring out how to connect Openswan client to Cisco VPN

Steven Don shd at earthling.net
Wed Apr 8 13:35:24 EDT 2009


Hello,

After spending a day and a half trying, digesting loads of howtos, Googling for the 
messages that I get and failing to get it to work, it's become clear to me that I'm going 
to need a bit of help in setting up Openswan for what I need. I hope somebody here 
can give me some useful pointers.

First, let me describe the playing field. Not under my control are:
- There's a Cisco VPN server (can't post the IP address here as instructed by my 
employer, but let's say it's 1.2.3.4)
- group name and PSK (let's pretend it's "users" and "there be dragons here")
- personal username and password (let's say "me" and "secret" -- cliche, I know)

Under my control:
- A Speedtouch ADSL Modem/Router with an externally visible IP address, the usual 
NAT and port forwarding for a few services (http, ssh and imap) to the main server
- Several machines behind that in my home network

On one of those machines, I have the (rather obnoxious) Windows version of Cisco's 
VPN client running and it connects to the external VPN server just fine. Now, I want 
to be able to connect from a Linux box instead. This machine is running a 
2.6.23.11 kernel. Everything I've read says that I should first set up Openswan to do 
the initial IPSec connection and then l2tpd, but I'm not really getting to the second bit. 
There's plenty of info on setting up Openswan as a server, but quite a lot less on 
setting it up as a client, even less when dealing with Cisco servers and group PSKs.

I've compiled Openswan from source (2.6.21, the latest at the time of writing) and in 
order to get it to even consider starting, I've enabled the following options in my 
kernel:
- in Cryptographic API: MD5, SHA1, SHA256, SHA384/SHA512, Blowfish, Twofish, 
AES, ECB and CBC support
- in Networking options: "Transformation user configuration interface", "PF_KEY 
sockets", "IP: AH|ESP|IPComp transformation" and "IP: IPSec transport|tunnel 
mode"

The contents of /etc/ipsec.conf (comments removed):
---
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        OE=off
        protostack=netkey

conn tst
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=transport
        left=%defaultroute
        leftprotoport=17/1701
        right=1.2.3.4
        rightprotoport=17/1701
        auto=add
---
(after a log message, I had to change a %4: to %v4: from the Openswan-supplied 
default)

The contents of /etc/ipsec.secrets:
---
%any 1.2.3.4: PSK "there be dragons here"
---
I'm not sure if that is the right thing to do, but the PSK is not bound to my own IP 
address and the client only has a LAN IP: 192.168.0.2 -- more about that later. When 
I used the LAN IP address instead of %any, it complained about not finding a PSK.

Starting Openswan:
---
home:~ # /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.23.11...
home:~ #
---
So far so good...

Results of "ipsec verify":
---
home:~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.21/K2.6.23.11 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: home                    [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
home:~ #
---
I found that last one interesting as I have mentioned above that this machine has only 
a LAN IP address, but opportunistic encryption is disabled anyway (OE=off does that, 
I believe) and the Windows client can connect despite having only a LAN IP address 
as well. Perhaps I might need to change some other config options, such as the 
/etc/ipsec.secrets file or forward some more ports, but I've not been able to find the 
info I need for that. I also don't see where I could enter the "users" Group name to 
match the PSK (maybe leftid?). Just to be sure, I've flushed the iptables prior to 
testing and set default policies to accept (though not on the NAT-ing router).

I'm certain there's something amiss in the configuration I've outlined above, but I'm at 
a loss as to what it might be. Here's what happens when I start the connection:
---
home:~ # ipsec auto --up tst
104 "tst" #1: STATE_MAIN_I1: initiate
003 "tst" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "tst" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "tst" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "tst" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "tst" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
003 "tst" #1: received and ignored informational message
010 "tst" #1: STATE_MAIN_I2: retransmission; will wait 40s for response
003 "tst" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
003 "tst" #1: received and ignored informational message
031 "tst" #1: max number of retransmissions (2) reached STATE_MAIN_I2
000 "tst" #1: starting keying attempt 2 of at most 3, but releasing whack
home:~ #
---
which doesn't really mean anything to me, other than "it's not working" :(

/var/log/messages lists the following:
---
ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.23.11...
ipsec_setup: Using NETKEY(XFRM) stack
ipsec__plutorun: Starting Pluto subsystem...
pluto: adjusting ipsec.d to /etc/ipsec.d
pluto[13849]: Starting Pluto (Openswan Version 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:13849
pluto[13849]: Setting NAT-Traversal port-4500 floating to on
pluto[13849]:    port floating activation criteria nat_t=1/port_float=1
pluto[13849]:    including NAT-Traversal patch (Version 0.6c)
pluto[13849]: using /dev/urandom as source of random entropy
pluto[13849]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
pluto[13849]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[13849]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[13849]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[13849]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[13849]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[13849]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[13849]: starting up 1 cryptographic helpers
pluto[13850]: using /dev/urandom as source of random entropy
pluto[13849]: started helper pid=13850 (fd:7)
pluto[13849]: Using Linux 2.6 IPsec interface code on 2.6.23.11 (experimental code)
pluto[13849]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[13849]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
pluto[13849]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[13849]: ike_alg_add(): ERROR: Algorithm already exists
pluto[13849]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[13849]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[13849]: ike_alg_add(): ERROR: Algorithm already exists
pluto[13849]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[13849]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[13849]: ike_alg_add(): ERROR: Algorithm already exists
pluto[13849]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[13849]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[13849]: ike_alg_add(): ERROR: Algorithm already exists
pluto[13849]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[13849]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[13849]: ike_alg_add(): ERROR: Algorithm already exists
pluto[13849]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[13849]: Changed path to directory '/etc/ipsec.d/cacerts'
pluto[13849]: Changed path to directory '/etc/ipsec.d/aacerts'
pluto[13849]: Changed path to directory '/etc/ipsec.d/ocspcerts'
pluto[13849]: Changing to directory '/etc/ipsec.d/crls'
pluto[13849]:   Warning: empty directory
ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
ipsec_setup: ...Openswan IPsec started
pluto[13849]: added connection description "tst"
ipsec__plutorun: 002 added connection description "tst"
pluto[13849]: listening for IKE messages
pluto[13849]: adding interface lo/lo 127.0.0.1:500
pluto[13849]: adding interface lo/lo 127.0.0.1:4500
pluto[13849]: adding interface eth0/eth0 192.168.0.2:500
pluto[13849]: adding interface eth0/eth0 192.168.0.2:4500
pluto[13849]: adding interface lo/lo ::1:500
pluto[13849]: loading secrets from "/etc/ipsec.secrets"
pluto[13849]: "tst" #1: initiating Main Mode
pluto[13849]: "tst" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[13849]: "tst" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
pluto[13849]: "tst" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
pluto[13849]: "tst" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[13849]: "tst" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[13849]: "tst" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
pluto[13849]: "tst" #1: received and ignored informational message
pluto[13849]: "tst" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
pluto[13849]: "tst" #1: received and ignored informational message
pluto[13849]: "tst" #1: max number of retransmissions (2) reached STATE_MAIN_I2
pluto[13849]: "tst" #1: starting keying attempt 2 of at most 3, but releasing whack
pluto[13849]: "tst" #2: initiating Main Mode to replace #1
pluto[13849]: "tst" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
pluto[13849]: "tst" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
pluto[13849]: "tst" #2: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
pluto[13849]: "tst" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[13849]: "tst" #2: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[13849]: "tst" #2: ignoring informational payload, type INVALID_COOKIE msgid=00000000
pluto[13849]: "tst" #2: received and ignored informational message
pluto[13849]: "tst" #2: ignoring informational payload, type INVALID_COOKIE msgid=00000000
pluto[13849]: "tst" #2: received and ignored informational message
---
Although Openswan appears to start and it has been suggested on the net that it's 
not important, I'm a bit worried about the WARNING messages and "ERROR: 
Algorithm already exists".

What is it that I've done wrong? I can do a full barf if needed, although my gut feeling 
says the above should be enough to get some pointers. Any help would be greatly 
appreciated.

Kind regards,
  Steven Don
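Added example, not part of Steven's message or of Openswan itself: a small Python triage script for pluto output of the kind pasted above. It accepts both the whack-style `003 "tst" #1:` lines and the syslog-style `pluto[13849]: "tst" #1:` lines and reports, per ISAKMP SA, the last IKE state reached, which informational notifications pluto ignored, and whether the retransmission limit was hit. The sample log is constructed from the lines in the message.

```python
import re

# Constructed sample input, shaped like the pluto output pasted in the message. Both the
# whack-style '003 "tst" #1: ...' and syslog-style 'pluto[13849]: "tst" #1: ...' prefixes are accepted.
SAMPLE_LOG = """\
104 "tst" #1: STATE_MAIN_I1: initiate
pluto[13849]: "tst" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[13849]: "tst" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "tst" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
003 "tst" #1: received and ignored informational message
pluto[13849]: "tst" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
031 "tst" #1: max number of retransmissions (2) reached STATE_MAIN_I2
000 "tst" #1: starting keying attempt 2 of at most 3, but releasing whack
pluto[13849]: "tst" #2: initiating Main Mode to replace #1
pluto[13849]: "tst" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[13849]: "tst" #2: STATE_MAIN_I2: sent MI2, expecting MR2
"""

# One prefix regex for both formats; the others key on pluto's fixed message wording.
LINE_RE = re.compile(r'^(?:pluto\[\d+\]: |\d{3} )?"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (\S+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+)')
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+) of at most (\d+)')

def triage(log_text):
    """Map (conn, sa#) to last IKE state, ignored notifications by type, and outcome."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ipsec_setup / algorithm-registration chatter, not per-SA
        sa = sas.setdefault((m['conn'], int(m['sa'])),
                            {'last_state': None, 'notifications': {}, 'outcome': 'in progress'})
        msg = m['msg']
        if (t := TRANSITION_RE.search(msg)):
            sa['last_state'] = t.group(2)
        elif (n := NOTIFY_RE.search(msg)):
            sa['notifications'][n.group(1)] = sa['notifications'].get(n.group(1), 0) + 1
        elif (r := RETRANS_RE.search(msg)):
            sa['outcome'] = f'gave up in {r.group(2)} after {r.group(1)} retransmissions'
        elif (a := ATTEMPT_RE.search(msg)):
            sa['outcome'] += f'; keying attempt {a.group(1)}/{a.group(2)} follows'
        elif 'ISAKMP SA established' in msg:  # pluto's wording when Main Mode completes
            sa['outcome'] = 'established'
    return sas

if __name__ == '__main__':
    for (conn, num), s in sorted(triage(SAMPLE_LOG).items()):
        print(f'{conn} #{num}: last state {s["last_state"]}, ignored {s["notifications"]}, {s["outcome"]}')
```

Feeding it the full /var/log/messages paste works as well, since lines without a `"conn" #n:` tag are skipped.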

