[Openswan Users] openswan + freeswan config

Aasim Ajaz aasim.ajaz at gmail.com
Wed Apr 15 00:23:00 EDT 2009


Hello Guys,

I am trying to set up an IPsec tunnel between two Linux systems — SuSE 8 running FreeS/WAN 1.98 and SuSE 10 running Openswan 2.4 — and so far without success. I have checked the network settings several times and they look correct. The symptom is that both daemons initiate Main Mode but each stays in STATE_MAIN_I1 retransmitting message 1: the Openswan side does answer the FreeS/WAN side's MI1 with MR1 (it shows STATE_MAIN_R1 instances and the capture shows "phase 1 R" packets going out), yet the FreeS/WAN side never sends MI2. The FreeS/WAN side's pluto log (plutodebug=all is on there) should say why it rejects MR1; note also that FreeS/WAN 1.98 is a 2002-era release of a project that ended in 2004, so upgrading that side to Openswan may be the practical fix.

thanks in advance...

This is the IKE traffic (UDP/500) between the right and the left side. Only UDP/500 appears in these captures — no ESP and no UDP/4500 — which is consistent with Phase 1 never completing:
86: 23:38:48.479208 49.***.29.12.500 > 142.***.208.44.500: udp 212
87: 23:38:58.481145 49.***.29.12.500 > 142.***.208.44.500: udp 212
88: 23:39:18.483480 49.***.29.12.500 > 142.***.208.44.500: udp 212
89: 23:39:23.330823 142.***.208.44.500 > 49.***.29.12.500: udp 176
90: 23:39:23.339673 49.***.29.12.500 > 142.***.208.44.500: udp 116
91: 23:39:33.345563 49.***.29.12.500 > 142.***.208.44.500: udp 116
92: 23:39:33.440742 142.***.208.44.500 > 49.***.29.12.500: udp 176
93: 23:39:33.451896 49.***.29.12.500 > 142.***.208.44.500: udp 116
94: 23:39:43.478490 49.***.29.12.500 > 142.***.208.44.500: udp 116

system2 # tcpdump -vv -ni eth0  host 142.***.208.44
49.***.29.12.500: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
00:20:13.087518 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP
(17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid
cookie ->: phase 1 R ident: [|sa]
00:20:22.112828 IP (tos 0x0, ttl  63, id 25805, offset 0, flags [DF], proto:
UDP (17), length: 204) 142.***.208.44.500 > 49.***.29.12.500: isakmp 1.0
msgid  cookie ->: phase 1 I ident: [|sa]
00:20:22.135080 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP
(17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid
cookie ->: phase 1 R ident: [|sa]
00:20:23.143086 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP
(17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0 msgid
cookie ->: phase 1 R ident: [|sa]


Below are the configuration files and status output from both hosts. Note that the conn name and IDs printed by `ipsec auto status` on the Openswan side ("system01-system02", @system1/@system2) do not match what the pasted Openswan ipsec.conf defines (system1-system2, @system01.cibg.tdbank.ca / @system02.cibg.tdbank.ca), so either the running pluto has not loaded the file as pasted, or the post was edited inconsistently. (IP addresses are masked below; the gateway FQDNs are not.)

Two systems:

RIGHT SIDE
==========
SUSE Linux Enterprise Server 10 (x86_64)
VERSION = 10
PATCHLEVEL = 2
System2:~ # rpm -qa | grep openswan
openswan-2.4.4-18.9
System2:~ # rpm -qa | grep ipsec
ipsec-tools-0.6.5-10.10

# more /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/share/doc/packages/openswan/ipsec.conf-sample
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
 # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        #interfaces=%defaultroute
        # NOTE(review): "ipsec0=eth0" is KLIPS-style syntax. The status output
        # further down reports the interface as eth0/eth0 rather than
        # ipsec0/eth0, which looks like the NETKEY stack; with NETKEY the
        # interfaces= line is ignored. Confirm which stack is in use
        # (ipsec verify) before relying on it.
        interfaces="ipsec0=eth0"
        # Enable IP forwarding when IPsec starts. Only relevant once subnets
        # are routed through the tunnel; the conn below is host-to-host.
        forwardcontrol=yes
        klipsdebug=none
        # plutodebug=all (raw+crypt+parsing+... in the status output) logs
        # packet contents and crypto internals to syslog. Fine while debugging
        # this problem, but set it back to none afterwards.
        plutodebug=all
        pluto=yes
        # Replace an existing ISAKMP SA when a new one with the same ID appears.
        uniqueids=yes

conn %default
        # 0 = retry forever (the status output shows keyingtries: 0).
        keyingtries=0
        # Keep the check that a decrypted packet's addresses match the SA
        # that delivered it (tunnel-exit check).
        disablearrivalcheck=no
        # Peers authenticate with RSA signatures. %dnsondemand means "fetch
        # the peer's key from DNS when needed"; the explicit keys given in the
        # conn below take precedence over this.
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand
# Disables opportunistic encryption. The FreeS/WAN side has no equivalent line.
include /etc/ipsec.d/examples/no_oe.conf

conn system1-system2
        # NOTE(review): `ipsec auto status` below prints this conn as
        # "system01-system02" with IDs @system1/@system2, not the name and IDs
        # defined here, so the running pluto does not seem to have loaded this
        # file as pasted (re-run ipsec auto --replace or ipsec setup restart),
        # or the post was edited inconsistently.
        left=142.***.208.44
        leftnexthop=142.***.208.1
        # NOTE(review): the FreeS/WAN side uses leftid=@system01 and
        # rightid=@system02 without the domain. With authby=rsasig each side
        # looks up the peer's key by the ID the peer sends, so these strings
        # must be identical on both ends. This is not what stalls Phase 1 here
        # (IDs are only exchanged in Main Mode messages 5/6 and both sides stop
        # at messages 1/2), but it will be the next failure. Also: the IPs in
        # this post are masked, these FQDNs are not.
        leftid=@system01.cibg.tdbank.ca

# Public RSA key of the left gateway (truncated in the post). Public keys are
# safe to share; the matching private key belongs in ipsec.secrets, never here.
leftrsasigkey=0sAQN105Q2huAvZHceifNlX/iGxyZm8B9IsXJGogIXror1InOB0uLrgdb30C0FvXszAyC6Pgfs1H1Wgr8kITug8mDlN5D3ZpHR
fltEQ5CQElPqqG30l3v/IjyCzgd....
        right=49.***.29.12
        rightnexthop=49.***.29.1
        rightid=@system02.cibg.tdbank.ca

# Public RSA key of the right gateway (truncated in the post).
rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90FtYhuk5ugUAy3FuBWi7Vj+CYBs3L635QjO4xmbGxxchaZX+idfGkIg00Wv26gGJXfsIp

AFbwpfLsX0Okefhp9zaEMZO4JyruyV70T82ncZKyvc8R51wMOIpgTGb0YK649CZFYKmk...
        # No leftsubnet/rightsubnet: host-to-host tunnel between the two
        # gateway addresses only. auto=add loads the conn at startup; it is
        # brought up by hand with ipsec auto --up (as done below).
        auto=add

system02:~ # ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 49.***.29.12
000 %myid = (none)
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "system01-system02":
49.***.29.12[@system1]---49.***.29.1...142.***.208.1---142.***.208.44[@system2];
unrouted; eroute owner: #0
000 "system01-system02":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "system01-system02":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "system01-system02":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,32;
interface: eth0;
000 "system01-system02":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
system02:~ # ipsec auto --verbose --up system1-system2
002 "system01-system02" #3: initiating Main Mode
104 "system01-system02" #3: STATE_MAIN_I1: initiate
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s for
response
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s for
response
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s for
response
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s for
response
010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s for
response

....
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "system01-system02":
49.***.29.12[@system1]---49.***.29.1...142.***.208.1---142.***.208.44[@system2];
unrouted; eroute owner: #0
000 "system01-system02":     srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "system01-system02":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "system01-system02":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
32,32; interface: eth0;
000 "system01-system02":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #3: "system01-system02":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 22s; nodpd
000 #3: pending Phase 2 for "system01-system02" replacing #0
000 #6: "system01-system02":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_RETRANSMIT in 26s; nodpd
000 #7: "system01-system02":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_RETRANSMIT in 7s; nodpd


LEFT SIDE
=============

# more /etc/SuSE-release
SuSE SLES-8 (i386)
VERSION = 8.1
# rpm -qa | grep freeswan
freeswan-1.98_0.9.14-404

# more /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.


# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        ##interfaces=%defaultroute
        # KLIPS virtual interface on top of eth0; the status output below
        # (interface ipsec0/eth0) shows this side really uses it.
        interfaces="ipsec0=eth0"
        # autoenable forwarding in kernel as needed
        forwardcontrol=yes
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.

        klipsdebug=none
        # plutodebug=all logs packet contents and crypto internals to syslog.
        # This side's pluto log is where the reason for ignoring the Openswan
        # side's MR1 should show up; set it back to none when done.
        plutodebug=all
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes


# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        # 0 = retry forever.
        keyingtries=0
        # Keep KLIPS's tunnel-exit check on decrypted packets.
        disablearrivalcheck=no
        # RSA-signature authentication; %dnsondemand means "fetch the peer's
        # key from DNS when needed". The explicit keys in the conn below take
        # precedence. NOTE(review): nothing on this side disables
        # opportunistic encryption (the Openswan side includes no_oe.conf);
        # if the stock OE conns exist further down in this file, %search
        # will load them too.
        authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand


conn system01-system02
        # Left security gateway, subnet behind it, next hop toward right.
        left=142.***.208.44
        leftnexthop=142.***.208.1
        # NOTE(review): the Openswan side configures
        # leftid=@system01.cibg.tdbank.ca and rightid=@system02.cibg.tdbank.ca.
        # With authby=rsasig the peer's key is looked up by the ID it sends, so
        # both files must use the same strings. Not the cause of the current
        # Main Mode message-1 stall (IDs travel in messages 5/6), but it will
        # be the next failure.
        leftid=@system01

# Left gateway's public RSA key (truncated in the post); must equal the
# leftrsasigkey the Openswan side has.
leftrsasigkey=0sAQN105Q2huAvZHceifNlX/iGxyZm8B9IsXJGogIXror1InOB0uLrgdb30C0FvXszAyC6Pgfs1H1Wgr8kITug8mDlN5D3ZpHR

fltEQ5CQElPqqG30l3v/IjyCzgd+...
        # Right security gateway, subnet behind it, next hop toward left.
        right=49.***.29.12
        rightnexthop=49.***.29.1
        rightid=@system02

# Right gateway's public RSA key (truncated in the post).
rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90FtYhuk5ugUAy3FuBWi7Vj+CYBs3L635QjO4xmbGxxchaZX+idfGkIg00Wv26gGJXfsIp

AFbwpfLsX0Okefhp9zaEMZO4JyruyV70T82ncZKyvc8R51wMOIpgTGb0YK649CZFYKmk...
        # Host-to-host tunnel (no leftsubnet/rightsubnet). auto=add only
        # loads the conn; bring it up with ipsec auto --up.
        auto=add

# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface ipsec0/eth0 fe80::20b:cdff:feef:27f5
000 interface ipsec0/eth0 142.***.208.44
000
000 "system01-system02": 142.***.208.44[@system01
]---142.***.208.1...49.***.29.1---49.***.29.12[@system02]
000 "system01-system02":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "system01-system02":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface:
eth0; unrouted
000 "system01-system02":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute
owner: #0
000
000 #16: "system01-system02" STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 14s