[Openswan Users] unable to get phase two
Michael Di Domenico
mdidomenico4 at gmail.com
Thu Apr 23 20:20:16 EDT 2009
i've been battling with openswan for the last few hours and i'm not
sure if i've actually made any progress or not. i've got a window xp
laptop at 192.168.1.4 and a linux machine at 192.168.1.50, which also
has a second nic card in it at 192.168.0.50. I'm trying to connect
the windows laptop via l2tp ipsec to the linux machine and have the
windows laptop show up as a host on the 192.168.0.50 network.
i've followed and read everything i can online, hopefully someone here
can lend a little guidance.
--- config files
--- [root at orange etc]# cat ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
config setup
protostack=netkey
nat_traversal=yes
interfaces=%defaultroute
conn client
authby=secret
auto=add
pfs=no
left=192.168.1.50
leftsubnet=192.168.1.50/32
leftprotoport=17/1701
right=%any
rightprotoport=17/1701
--- [root at orange etc]# cat ipsec.secrets
192.168.1.50 192.168.1.4: PSK "toomanysecrets"
192.168.1.50 %any: PSK "toomanysecrets"
--- [root at orange etc]# cat /var/log/secrets
Apr 23 20:13:53 orange pluto[14995]: Starting Pluto (Openswan Version
2.6.14; Vendor ID OEoSJUweaqAX) pid:14995
Apr 23 20:13:53 orange pluto[14995]: Setting NAT-Traversal port-4500
floating to on
Apr 23 20:13:53 orange pluto[14995]: port floating activation
criteria nat_t=1/port_float=1
Apr 23 20:13:53 orange pluto[14995]: including NAT-Traversal patch
(Version 0.6c)
Apr 23 20:13:53 orange pluto[14995]: using /dev/urandom as source of
random entropy
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: starting up 1 cryptographic helpers
Apr 23 20:13:53 orange pluto[14996]: using /dev/urandom as source of
random entropy
Apr 23 20:13:53 orange pluto[14995]: started helper pid=14996 (fd:7)
Apr 23 20:13:53 orange pluto[14995]: Using Linux 2.6 IPsec interface
code on 2.6.18-92.1.17.el5_lustre.1.6.7.1smp (experimental code)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating <NULL>: Ok (ret=0)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Apr 23 20:13:53 orange pluto[14995]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Apr 23 20:13:53 orange pluto[14995]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Apr 23 20:13:53 orange pluto[14995]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Apr 23 20:13:53 orange pluto[14995]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc(): WARNING:
enc alg=0 not found in constants.c:oakley_enc_names
Apr 23 20:13:53 orange pluto[14995]: ike_alg_add(): ERROR: Algorithm
already exists
Apr 23 20:13:53 orange pluto[14995]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Apr 23 20:13:53 orange pluto[14995]: Changed path to directory
'/etc/ipsec.d/cacerts'
Apr 23 20:13:53 orange pluto[14995]: Changed path to directory
'/etc/ipsec.d/aacerts'
Apr 23 20:13:53 orange pluto[14995]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Apr 23 20:13:53 orange pluto[14995]: Changing to directory '/etc/ipsec.d/crls'
Apr 23 20:13:53 orange pluto[14995]: Warning: empty directory
Apr 23 20:13:53 orange pluto[14995]: Changing back to directory '/'
failed - (2 No such file or directory)
Apr 23 20:13:53 orange pluto[14995]: Changing back to directory '/'
failed - (2 No such file or directory)
Apr 23 20:13:53 orange pluto[14995]: added connection description "client"
Apr 23 20:13:53 orange pluto[14995]: listening for IKE messages
Apr 23 20:13:53 orange pluto[14995]: adding interface eth0/eth0 192.168.0.50:500
Apr 23 20:13:53 orange pluto[14995]: adding interface eth0/eth0
192.168.0.50:4500
Apr 23 20:13:53 orange pluto[14995]: adding interface eth1/eth1 192.168.1.50:500
Apr 23 20:13:53 orange pluto[14995]: adding interface eth1/eth1
192.168.1.50:4500
Apr 23 20:13:53 orange pluto[14995]: adding interface lo/lo 127.0.0.1:500
Apr 23 20:13:53 orange pluto[14995]: adding interface lo/lo 127.0.0.1:4500
Apr 23 20:13:53 orange pluto[14995]: adding interface lo/lo ::1:500
Apr 23 20:13:53 orange pluto[14995]: loading secrets from "/etc/ipsec.secrets"
Apr 23 20:14:07 orange pluto[14995]: packet from 192.168.1.4:500:
ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 23 20:14:07 orange pluto[14995]: packet from 192.168.1.4:500:
ignoring Vendor ID payload [FRAGMENTATION]
Apr 23 20:14:07 orange pluto[14995]: packet from 192.168.1.4:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method
set to=106
Apr 23 20:14:07 orange pluto[14995]: packet from 192.168.1.4:500:
ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
responding to Main Mode from unknown peer 192.168.1.4
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
STATE_MAIN_R1: sent MR1, expecting MI2
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT
detected
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
STATE_MAIN_R2: sent MR2, expecting MI3
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1: Main
mode peer ID is ID_IPV4_ADDR: '192.168.1.4'
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp2048}
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1: the
peer proposed: 192.168.1.50/32:17/1701 -> 192.168.1.4/32:17/1701
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_ar
in duplicate_state, please report to dev at openswan.org
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_er
in duplicate_state, please report to dev at openswan.org
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pi
in duplicate_state, please report to dev at openswan.org
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
alloc_bytes1() was mistakenly asked to malloc 0 bytes for st_skey_pr
in duplicate_state, please report to dev at openswan.org
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
responding to Quick Mode proposal {msgid:937d0d13}
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
us: 192.168.1.50/32===192.168.1.50<192.168.1.50>[+S=C]:17/1701
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
them: 192.168.1.4[+S=C]:17/1701
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr 23 20:14:07 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x43343cdc
<0x7e376ecc xfrm=3DES_0-HMAC_MD5 NATOA=<invalid>NATD=<invalid>:500
DPD=enabled}
Apr 23 20:14:42 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
received Delete SA(0x43343cdc) payload: deleting IPSEC State #2
Apr 23 20:14:42 orange pluto[14995]: "client"[1] 192.168.1.4 #2:
request to replace with shunt a prospective erouted policy with netkey
kernel --- experimental
Apr 23 20:14:42 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
received and ignored informational message
Apr 23 20:14:42 orange pluto[14995]: "client"[1] 192.168.1.4 #1:
received Delete SA payload: deleting ISAKMP State #1
Apr 23 20:14:42 orange pluto[14995]: "client"[1] 192.168.1.4: deleting
connection "client" instance with peer 192.168.1.4
{isakmp=#0/ipsec=#0}
Apr 23 20:14:42 orange pluto[14995]: "client": request to delete a
unrouted policy with netkey kernel --- experimental
Apr 23 20:14:42 orange pluto[14995]: packet from 192.168.1.4:500:
received and ignored informational message
More information about the Users
mailing list