[Openswan Users] openswan + freeswan config

Curu Wong prinbra at gmail.com
Wed Apr 15 21:33:05 EDT 2009


Now that you have used the rsasigkey, maybe there is no need to use
rightid. You may find more diagnostic info in /var/log/secure

2009/4/15 Aasim Ajaz <aasim.ajaz at gmail.com>

> Hello Guys,
>
> I am trying to create an IPsec tunnel between two Linux systems, SuSE 8 running
> FreeS/WAN 1.98 and SuSE 10 running Openswan 2.4, and so far no success. I have
> verified the network settings a few times and they all look good.
>
> thanks in advance...
>
> This is the traffic flow from the right to the left side...
> 86: 23:38:48.479208 49.***.29.12.500 > 142.***.208.44.500: udp 212
> 87: 23:38:58.481145 49.***.29.12.500 > 142.***.208.44.500: udp 212
> 88: 23:39:18.483480 49.***.29.12.500 > 142.***.208.44.500: udp 212
> 89: 23:39:23.330823 142.***.208.44.500 > 49.***.29.12.500: udp 176
> 90: 23:39:23.339673 49.***.29.12.500 > 142.***.208.44.500: udp 116
> 91: 23:39:33.345563 49.***.29.12.500 > 142.***.208.44.500: udp 116
> 92: 23:39:33.440742 142.***.208.44.500 > 49.***.29.12.500: udp 176
> 93: 23:39:33.451896 49.***.29.12.500 > 142.***.208.44.500: udp 116
> 94: 23:39:43.478490 49.***.29.12.500 > 142.***.208.44.500: udp 116
>
> system2 # tcpdump -vv -ni eth0  host 142.***.208.44
> 49.***.29.12.500: isakmp 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
> 00:20:13.087518 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
> UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0
> msgid  cookie ->: phase 1 R ident: [|sa]
> 00:20:22.112828 IP (tos 0x0, ttl  63, id 25805, offset 0, flags [DF],
> proto: UDP (17), length: 204) 142.***.208.44.500 > 49.***.29.12.500: isakmp
> 1.0 msgid  cookie ->: phase 1 I ident: [|sa]
> 00:20:22.135080 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
> UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0
> msgid  cookie ->: phase 1 R ident: [|sa]
> 00:20:23.143086 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto:
> UDP (17), length: 144) 49.***.29.12.500 > 142.***.208.44.500: isakmp 1.0
> msgid  cookie ->: phase 1 R ident: [|sa]
>
>
> Below are the configs from both hosts...
>
> Two systems:
>
> RIGHT SIDE
> ==========
> SUSE Linux Enterprise Server 10 (x86_64)
> VERSION = 10
> PATCHLEVEL = 2
> System2:~ # rpm -qa | grep openswan
> openswan-2.4.4-18.9
> System2:~ # rpm -qa | grep ipsec
> ipsec-tools-0.6.5-10.10
>
> # more /etc/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
>
> # This file:  /usr/share/doc/packages/openswan/ipsec.conf-sample
> # Manual:     ipsec.conf.5
>
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>  # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         #interfaces=%defaultroute
>         interfaces="ipsec0=eth0"
>         forwardcontrol=yes
>         klipsdebug=none
>         plutodebug=all
>         pluto=yes
>         uniqueids=yes
>
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%dnsondemand
>         rightrsasigkey=%dnsondemand
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn system1-system2
>         left=142.***.208.44
>         leftnexthop=142.***.208.1
>         leftid=@system01.cibg.tdbank.ca
>
>         leftrsasigkey=0sAQN105Q2huAvZHceifNlX/iGxyZm8B9IsXJGogIXror1InOB0uLrgdb30C0FvXszAyC6Pgfs1H1Wgr8kITug8mDlN5D3ZpHRfltEQ5CQElPqqG30l3v/IjyCzgd....
>         right=49.***.29.12
>         rightnexthop=49.***.29.1
>         rightid=@system02.cibg.tdbank.ca
>
>         rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90FtYhuk5ugUAy3FuBWi7Vj+CYBs3L635QjO4xmbGxxchaZX+idfGkIg00Wv26gGJXfsIpAFbwpfLsX0Okefhp9zaEMZO4JyruyV70T82ncZKyvc8R51wMOIpgTGb0YK649CZFYKmk...
>         auto=add
>
> system02:~ # ipsec auto status
> ipsec auto: warning: obsolete command syntax used
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 49.***.29.12
> 000 %myid = (none)
> 000 debug
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
> keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "system01-system02":
> 49.***.29.12[@system1]---49.***.29.1...142.***.208.1---142.***.208.44[@system2];
> unrouted; eroute owner: #0
> 000 "system01-system02":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "system01-system02":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "system01-system02":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 32,32;
> interface: eth0;
> 000 "system01-system02":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000
> system02:~ # ipsec auto --verbose --up system1-system2
> 002 "system01-system02" #3: initiating Main Mode
> 104 "system01-system02" #3: STATE_MAIN_I1: initiate
> 010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s
> for response
> 010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 20s
> for response
> 010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s
> for response
> 010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s
> for response
> 010 "system01-system02" #3: STATE_MAIN_I1: retransmission; will wait 40s
> for response
>
> ....
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "system01-system02":
> 49.***.29.12[@system1]---49.***.29.1...142.***.208.1---142.***.208.44[@system2];
> unrouted; eroute owner: #0
> 000 "system01-system02":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "system01-system02":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "system01-system02":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio:
> 32,32; interface: eth0;
> 000 "system01-system02":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #3: "system01-system02":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
> EVENT_RETRANSMIT in 22s; nodpd
> 000 #3: pending Phase 2 for "system01-system02" replacing #0
> 000 #6: "system01-system02":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
> EVENT_RETRANSMIT in 26s; nodpd
> 000 #7: "system01-system02":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
> EVENT_RETRANSMIT in 7s; nodpd
>
>
> LEFT SIDE
> =============
>
> # more /etc/SuSE-release
> SuSE SLES-8 (i386)
> VERSION = 8.1
> # rpm -qa | grep freeswan
> freeswan-1.98_0.9.14-404
>
> # more /etc/ipsec.conf
> # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
>
> # More elaborate and more varied sample configurations can be found
> # in FreeS/WAN's doc/examples file, and in the HTML documentation.
>
>
> # basic configuration
> config setup
>         # THIS SETTING MUST BE CORRECT or almost nothing will work;
>         # %defaultroute is okay for most simple cases.
>         ##interfaces=%defaultroute
>         interfaces="ipsec0=eth0"
>         # autoenable forwarding in kernel as needed
>         forwardcontrol=yes
>         # Debug-logging controls:  "none" for (almost) none, "all" for
> lots.
>         klipsdebug=none
>         plutodebug=all
>         # Use auto= parameters in conn descriptions to control startup
> actions.
>         plutoload=%search
>         plutostart=%search
>         # Close down old connection when new one using same ID shows up.
>         uniqueids=yes
>
>
> # defaults for subsequent connection descriptions
> # (these defaults will soon go away)
> conn %default
>         keyingtries=0
>         disablearrivalcheck=no
>         authby=rsasig
>         leftrsasigkey=%dnsondemand
>         rightrsasigkey=%dnsondemand
>
>
> conn system01-system02
>         # Left security gateway, subnet behind it, next hop toward right.
>         left=142.***.208.44
>         leftnexthop=142.***.208.1
>         leftid=@system01
>
>         leftrsasigkey=0sAQN105Q2huAvZHceifNlX/iGxyZm8B9IsXJGogIXror1InOB0uLrgdb30C0FvXszAyC6Pgfs1H1Wgr8kITug8mDlN5D3ZpHRfltEQ5CQElPqqG30l3v/IjyCzgd+...
>         # Right security gateway, subnet behind it, next hop toward right.
>         right=49.***.29.12
>         rightnexthop=49.***.29.1
>         rightid=@system02
>
>         rightrsasigkey=0sAQOYhKIj1Q9+vMLtnVpSDtsiD90FtYhuk5ugUAy3FuBWi7Vj+CYBs3L635QjO4xmbGxxchaZX+idfGkIg00Wv26gGJXfsIpAFbwpfLsX0Okefhp9zaEMZO4JyruyV70T82ncZKyvc8R51wMOIpgTGb0YK649CZFYKmk...
>         auto=add
>
> # ipsec auto status
> ipsec auto: warning: obsolete command syntax used
> 000 interface ipsec0/eth0 fe80::20b:cdff:feef:27f5
> 000 interface ipsec0/eth0 142.***.208.44
> 000
> 000 "system01-system02": 142.***.208.44[@system01]---142.***.208.1...49.***.29.1---49.***.29.12[@system02]
> 000 "system01-system02":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "system01-system02":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface:
> eth0; unrouted
> 000 "system01-system02":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> eroute owner: #0
> 000
> 000 #16: "system01-system02" STATE_MAIN_I1 (sent MI1, expecting MR1);
> EVENT_RETRANSMIT in 14s
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
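The diagnosis in this thread rests on matching tcpdump's UDP/500 datagram sizes to Pluto's Main Mode states ("sent MI1, expecting MR1", "sent MR1, expecting MI2"). Below is a small decoder that reads the ISAKMP header and payload chain (RFC 2408) and names the Main Mode step a datagram most likely is. It is an added example, not code from the original post, FreeS/WAN or Openswan; the two packets it decodes are constructed inline with made-up cookies and opaque SA/vendor-ID bodies, not captures from the thread. On a real capture you would feed it the UDP payload of each packet (for instance from a `tcpdump -w` file via a pcap reader).

```python
"""Decode IKEv1/ISAKMP datagrams (RFC 2408) and name the Main Mode step.

Added example for this thread, not code from the original post, FreeS/WAN or
Openswan.  The sample packets below are constructed here: cookies, vendor-ID
bodies and SA bodies are made up and opaque, not captured from the thread."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# RFC 2408 3.1, 28-byte header: initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")
GENERIC_HDR = struct.Struct("!BBH")   # RFC 2408 3.2: next payload, reserved, length

EXCHANGE_MAIN_MODE = 2                # "Identity Protection" exchange
FLAG_ENCRYPTION = 0x01
PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
                 20: "NAT-D", 21: "NAT-OA"}


@dataclass
class IsakmpMessage:
    initiator_cookie: bytes
    responder_cookie: bytes
    exchange_type: int
    flags: int
    message_id: int
    length: int
    payloads: Optional[List[int]]     # payload type codes in order; None if encrypted


def parse_isakmp(data: bytes) -> IsakmpMessage:
    """Parse the header and walk the payload chain.  Anything that does not
    account for the datagram exactly is rejected, which is also what a peer
    does (silently) before it ever gets to proposal or ID checks."""
    if len(data) < HEADER.size:
        raise ValueError("short ISAKMP header")
    (icookie, rcookie, next_payload, version,
     exchange, flags, message_id, length) = HEADER.unpack_from(data)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length != len(data):
        raise ValueError("header length %d != datagram %d" % (length, len(data)))
    payloads: Optional[List[int]] = None
    if not flags & FLAG_ENCRYPTION:          # an encrypted chain cannot be walked
        payloads = []
        offset = HEADER.size
        while next_payload != 0:
            if offset + GENERIC_HDR.size > length:
                raise ValueError("truncated payload header")
            nxt, _reserved, plen = GENERIC_HDR.unpack_from(data, offset)
            if plen < GENERIC_HDR.size or offset + plen > length:
                raise ValueError("bad payload length %d" % plen)
            payloads.append(next_payload)
            offset += plen
            next_payload = nxt
        if offset != length:
            raise ValueError("%d trailing bytes" % (length - offset))
    return IsakmpMessage(icookie, rcookie, exchange, flags, message_id, length, payloads)


def classify_main_mode(msg: IsakmpMessage) -> str:
    """MI1 is the only Main Mode message with an all-zero responder cookie;
    MR1 carries the responder's SA choice; MI2/MR2 carry KE + NONCE;
    MI3/MR3 are encrypted, so their direction needs the peer's state."""
    if msg.exchange_type != EXCHANGE_MAIN_MODE:
        return "not Main Mode (exchange type %d)" % msg.exchange_type
    if msg.flags & FLAG_ENCRYPTION:
        return "MI3/MR3"
    if msg.responder_cookie == bytes(8):
        return "MI1"
    if 4 in msg.payloads and 10 in msg.payloads:
        return "MI2/MR2"
    if 1 in msg.payloads:
        return "MR1"
    return "unknown Main Mode message"


def build_isakmp(icookie, rcookie, exchange, flags, message_id, payloads):
    """Assemble a datagram from (type, body) pairs, chaining next-payload fields."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    return HEADER.pack(icookie, rcookie, first, 0x10, exchange, flags,
                       message_id, HEADER.size + len(body)) + body


def describe(data: bytes) -> str:
    msg = parse_isakmp(data)
    names = ("encrypted" if msg.payloads is None else
             ",".join(PAYLOAD_NAMES.get(p, str(p)) for p in msg.payloads))
    return "%s len=%d payloads=%s" % (classify_main_mode(msg), msg.length, names)


def is_well_formed(data: bytes) -> bool:
    try:
        parse_isakmp(data)
        return True
    except ValueError:
        return False


# Constructed sample exchange (made-up values; SA bodies are opaque filler here).
I_COOKIE = bytes.fromhex("a1b2c3d4e5f60718")
R_COOKIE = bytes.fromhex("0f1e2d3c4b5a6978")
SA_OFFER = bytes.fromhex("00000001" "00000001") + b"\x11" * 100   # DOI, SIT, proposals
SA_CHOICE = bytes.fromhex("00000001" "00000001") + b"\x22" * 40
FAKE_VID = b"\x00" * 16                                             # placeholder vendor ID
MI1 = build_isakmp(I_COOKIE, bytes(8), EXCHANGE_MAIN_MODE, 0, 0,
                   [(1, SA_OFFER), (13, FAKE_VID), (13, FAKE_VID)])
MR1 = build_isakmp(I_COOKIE, R_COOKIE, EXCHANGE_MAIN_MODE, 0, 0, [(1, SA_CHOICE)])

if __name__ == "__main__":
    for name, pkt in (("MI1", MI1), ("MR1", MR1)):
        print(name, "->", describe(pkt))
```

Two things this makes visible that the raw tcpdump lines in the thread do not: the initiator's first message is the only one with an all-zero responder cookie, so MI1 can be told apart from MR1 without any state, and an MI1 carrying extra vendor-ID payloads is longer than the responder's MR1, which is consistent with the 212/176-byte versus 116/144-byte pattern above. When one side sits in STATE_MAIN_I1 while the other shows STATE_MAIN_R1, as both status dumps in the thread do, the MR1 is either not reaching the initiator or is being rejected by it, and a decoder like this, run on captures from both ends, separates those two cases before looking at proposals or IDs.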