[Openswan Users] Openswan-2.6.22: while loading 'test': bad addr rightnexthop=%direct [illegal (non-DNS-name) character in name]

Evan Doiron edoiron at cbnco.com
Mon Aug 17 11:10:42 EDT 2009


Hi all,

I have spent the last few days troubleshooting this problem, and
unfortunately I haven't been able to get very far with it. I am trying
to set up a basic IPsec tunnel, depicted below:

                         soekris              switch               soekris
    192.168.2.0/24 ===== 172.20.22.66 ------- 172.20.22.60 ------- 172.20.22.64 ==== 192.168.1.0/24

I am able to establish the tunnel, but the route to the peer's client
does not come up on either 172.20.22.66 or 172.20.22.64. If I manually
create the routes when ipsec is running, I can successfully ping from
192.168.2.2 to 192.168.1.2 (clients from either end). The problem
happens when I specify the leftnexthop and/or rightnexthop in the
ipsec.conf file. I get the error "while loading 'test': bad addr
rightnexthop=%direct [illegal (non-DNS-name) character in name]".

This is my configuration on the right (172.20.22.64) machine:

    version    2.0

    config setup
        nat_traversal=yes
        oe=off
        protostack=netkey
        nhelpers = 0

    # Add connections here
    conn %default
            keyingtries=0
            disablearrivalcheck=no
            authby=rsasig
            leftrsasigkey=%cert
            rightrsasigkey=%cert
            ike=aes256-sha,aes256-md5
            esp=aes256-sha1,aes256-md5
   
    conn test
            # Left
            left=172.20.22.66
            leftsubnet=192.168.2.0/24
            leftid="/O=Test Test SC/OU=test/CN=net5501"
            leftca=%same
            # Right
            right=172.20.22.64
            rightsubnet=192.168.1.0/24
            rightnexthop=%direct
            rightid="/O=Test Test SC/OU=test/CN=aqs8322"
            rightcert=auto-cert.pem   
            auto=start


See my log below for more detailed information:

Aug 17 13:51:29 aqs8322 ipsec_starter[645]: while loading 'test': bad
addr rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:30 aqs8322 kernel: NET: Registered protocol family 15
Aug 17 13:51:30 aqs8322 ipsec_setup: Starting Openswan IPsec
U2.6.22-gae6a19fd-dirty/K2.6.30...
Aug 17 13:51:30 aqs8322 ipsec_setup: Using NETKEY(XFRM) stack
Aug 17 13:51:32 aqs8322 kernel: Initializing XFRM netlink socket
Aug 17 13:51:34 aqs8322 ipsec_setup: Command line is not complete. Try
option "help"
Aug 17 13:51:34 aqs8322 ipsec_setup: while loading 'test': bad addr
rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:34 aqs8322 ipsec_starter[725]: while loading 'test': bad
addr rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:34 aqs8322 ipsec__plutorun: Starting Pluto subsystem...
Aug 17 13:51:34 aqs8322 pluto: adjusting ipsec.d to /etc/ipsec.d
Aug 17 13:51:34 aqs8322 pluto[732]: Starting Pluto (Openswan Version
2.6.22-gae6a19fd-dirty; Vendor ID OExL|]SP~GGL) pid:732
Aug 17 13:51:34 aqs8322 pluto[732]: Setting NAT-Traversal port-4500
floating to on
Aug 17 13:51:34 aqs8322 pluto[732]:    port floating activation criteria
nat_t=1/port_float=1
Aug 17 13:51:34 aqs8322 pluto[732]:    including NAT-Traversal patch
(Version 0.6c)
Aug 17 13:51:34 aqs8322 pluto[732]: using /dev/urandom as source of
random entropy
Aug 17 13:51:34 aqs8322 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: no helpers will be started, all
cryptographic operations will be done inline
Aug 17 13:51:34 aqs8322 pluto[732]: Using Linux 2.6 IPsec interface code
on 2.6.30 (experimental code)
Aug 17 13:51:34 aqs8322 ipsec_setup: ...Openswan IPsec started
Aug 17 13:51:34 aqs8322 ipsec__plutorun: while loading 'test': bad addr
rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:34 aqs8322 ipsec_starter[735]: while loading 'test': bad
addr rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:34 aqs8322 ipsec__plutorun: while loading 'test': bad addr
rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:34 aqs8322 ipsec_starter[832]: while loading 'test': bad
addr rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names 
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
<NULL>: Ok (ret=0)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names 
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_add(): ERROR: Algorithm
already exists
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names 
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_add(): ERROR: Algorithm
already exists
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names 
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_add(): ERROR: Algorithm
already exists
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names 
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_add(): ERROR: Algorithm
already exists
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names 
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_add(): ERROR: Algorithm
already exists
Aug 17 13:51:34 aqs8322 pluto[732]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Aug 17 13:51:35 aqs8322 ipsec__plutorun: while loading 'test': bad addr
rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:35 aqs8322 ipsec_starter[902]: while loading 'test': bad
addr rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:35 aqs8322 pluto[732]: myid malformed: empty string ""
Aug 17 13:51:35 aqs8322 pluto[732]: Changed path to directory
'/etc/ipsec.d/cacerts'
Aug 17 13:51:35 aqs8322 pluto[732]:   loaded CA cert file 'auto-ca.pem'
(981 bytes)
Aug 17 13:51:35 aqs8322 pluto[732]: Changed path to directory
'/etc/ipsec.d/aacerts'
Aug 17 13:51:35 aqs8322 pluto[732]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Aug 17 13:51:35 aqs8322 pluto[732]: Changing to directory
'/etc/ipsec.d/crls'
Aug 17 13:51:35 aqs8322 pluto[732]:   Warning: empty directory
Aug 17 13:51:35 aqs8322 pluto[732]: loading certificate from auto-cert.pem
Aug 17 13:51:35 aqs8322 ipsec__plutorun: 002 loading certificate from
auto-cert.pem
Aug 17 13:51:35 aqs8322 pluto[732]:   loaded host cert file
'/etc/ipsec.d/certs/auto-cert.pem' (964 bytes)
Aug 17 13:51:35 aqs8322 ipsec__plutorun: 002   loaded host cert file
'/etc/ipsec.d/certs/auto-cert.pem' (964 bytes)
Aug 17 13:51:35 aqs8322 pluto[732]: added connection description "test"
Aug 17 13:51:35 aqs8322 ipsec__plutorun: 002 added connection
description "test"
Aug 17 13:51:35 aqs8322 pluto[732]: listening for IKE messages
Aug 17 13:51:35 aqs8322 pluto[732]: NAT-Traversal: Trying new style NAT-T
Aug 17 13:51:35 aqs8322 ipsec__plutorun: 003 NAT-Traversal: Trying new
style NAT-T
Aug 17 13:51:35 aqs8322 pluto[732]: NAT-Traversal: ESPINUDP(1) setup
failed for new style NAT-T family IPv4 (errno=19)
Aug 17 13:51:35 aqs8322 pluto[732]: NAT-Traversal: Trying old style NAT-T
Aug 17 13:51:35 aqs8322 pluto[732]: adding interface eth1/eth1
192.168.1.1:500
Aug 17 13:51:35 aqs8322 pluto[732]: adding interface eth1/eth1
192.168.1.1:4500
Aug 17 13:51:35 aqs8322 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1)
setup failed for new style NAT-T family IPv4 (errno=19)
Aug 17 13:51:35 aqs8322 ipsec__plutorun: 003 NAT-Traversal: Trying old
style NAT-T
Aug 17 13:51:35 aqs8322 pluto[732]: adding interface eth0/eth0
172.20.22.64:500
Aug 17 13:51:35 aqs8322 pluto[732]: adding interface eth0/eth0
172.20.22.64:4500
Aug 17 13:51:35 aqs8322 pluto[732]: adding interface lo/lo 127.0.0.1:500
Aug 17 13:51:35 aqs8322 pluto[732]: adding interface lo/lo 127.0.0.1:4500
Aug 17 13:51:35 aqs8322 pluto[732]: loading secrets from
"/etc/ipsec.secrets"
Aug 17 13:51:35 aqs8322 pluto[732]:   loaded private key file
'/etc/ipsec.d/private/auto-key.key' (887 bytes)
Aug 17 13:51:35 aqs8322 pluto[732]: loaded private key for keyid:
PPK_RSA:AwEAAcuOk
Aug 17 13:51:36 aqs8322 pluto[732]: "test" #1: initiating Main Mode
Aug 17 13:51:36 aqs8322 ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1:
initiate
Aug 17 13:51:36 aqs8322 pluto[732]: "test" #1: ignoring unknown Vendor
ID payload [4f45535c71446c416d7c6c73]
Aug 17 13:51:36 aqs8322 pluto[732]: "test" #1: received Vendor ID
payload [Dead Peer Detection]
Aug 17 13:51:36 aqs8322 pluto[732]: "test" #1: received Vendor ID
payload [RFC 3947] method set to=109
Aug 17 13:51:36 aqs8322 pluto[732]: "test" #1: enabling possible
NAT-traversal with method 4
Aug 17 13:51:36 aqs8322 pluto[732]: "test" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 17 13:51:36 aqs8322 pluto[732]: "test" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: I am sending my cert
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: I am sending a
certificate request
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: received Vendor ID
payload [CAN-IKEv2]
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'O=Test Test SC, OU=test, CN=net5501'
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: no crl from issuer
"O=testcreatea, OU=testcreate, CN=testcreate" found (strict=no)
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha
group=modp1536}
Aug 17 13:51:37 aqs8322 pluto[732]: "test" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:0e0447df
proposal=AES(12)_256-SHA1(2)_160, AES(12)_256-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 17 13:51:39 aqs8322 pluto[732]: "test" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 17 13:51:39 aqs8322 pluto[732]: "test" #2: STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode {ESP=>0x170dc92f <0x445beb06
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug 17 13:51:42 aqs8322 pluto[732]: "test" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x99fae13b) not found (maybe expired)
Aug 17 13:51:42 aqs8322 pluto[732]: "test" #1: received and ignored
informational message
Aug 17 13:51:42 aqs8322 pluto[732]: packet from 172.20.22.66:500:
ignoring unknown Vendor ID payload [4f45535c71446c416d7c6c73]
Aug 17 13:51:42 aqs8322 pluto[732]: packet from 172.20.22.66:500:
received Vendor ID payload [Dead Peer Detection]
Aug 17 13:51:42 aqs8322 pluto[732]: packet from 172.20.22.66:500:
received Vendor ID payload [RFC 3947] method set to=109
Aug 17 13:51:42 aqs8322 pluto[732]: packet from 172.20.22.66:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Aug 17 13:51:42 aqs8322 pluto[732]: packet from 172.20.22.66:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Aug 17 13:51:42 aqs8322 pluto[732]: packet from 172.20.22.66:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Aug 17 13:51:42 aqs8322 pluto[732]: packet from 172.20.22.66:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 17 13:51:42 aqs8322 pluto[732]: "test" #3: responding to Main Mode
Aug 17 13:51:42 aqs8322 pluto[732]: "test" #3: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 17 13:51:42 aqs8322 pluto[732]: "test" #3: STATE_MAIN_R1: sent MR1,
expecting MI2
Aug 17 13:51:42 aqs8322 pluto[732]: "test" #3: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: STATE_MAIN_R2: sent MR2,
expecting MI3
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: Main mode peer ID is
ID_DER_ASN1_DN: 'O=Test Test SC, OU=test, CN=net5501'
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: no crl from issuer
"O=testcreatea, OU=testcreate, CN=testcreate" found (strict=no)
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: I am sending my cert
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha
group=modp1536}
Aug 17 13:51:43 aqs8322 pluto[732]: "test" #3: the peer proposed:
192.168.1.0/24:0/0 -> 192.168.2.0/24:0/0
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4: responding to Quick Mode
proposal {msgid:94d8b3aa}
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4:     us:
192.168.1.0/24===172.20.22.64<172.20.22.64>[O=Test Test SC, OU=test,
CN=aqs8322,+S=C]
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4:   them:
172.20.22.66<172.20.22.66>[O=Test Test SC, OU=test,
CN=net5501,+S=C]===192.168.2.0/24
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4: keeping refhim=4294901761
during rekey
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 17 13:51:44 aqs8322 pluto[732]: "test" #4: STATE_QUICK_R2: IPsec SA
established tunnel mode {ESP=>0x53d9f09d <0x662f0c69
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Let me know if you need additional information. Thanks,

-Evan

-- 
Evan Doiron
Software Developer Co-op
Canadian Bank Note Company Limited
edoiron at cbnco.com
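
Added example, not part of the original post and not Openswan code: a small triage script for a log like the one above. It rejoins the hard-wrapped syslog lines, counts each distinct config-load error once per wrapper report (the same error is echoed by ipsec_starter, ipsec_setup and ipsec__plutorun), and lists connections that still reached an IPsec SA. The sample text is constructed from a few lines of the posted log; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: four records shaped like the posted log, with the
# mail client's hard line wraps preserved.
SAMPLE = """\
Aug 17 13:51:29 aqs8322 ipsec_starter[645]: while loading 'test': bad
addr rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:34 aqs8322 ipsec_setup: while loading 'test': bad addr
rightnexthop=%direct [illegal (non-DNS-name) character in name]
Aug 17 13:51:35 aqs8322 pluto[732]: added connection description "test"
Aug 17 13:51:39 aqs8322 pluto[732]: "test" #2: STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode {ESP=>0x170dc92f <0x445beb06
xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# A record starts with a classic syslog timestamp, e.g. "Aug 17 13:51:29 ".
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# Config-load failure: connection name, keyword, rejected value, reason.
LOAD_ERR = re.compile(r"while loading '([^']+)': bad addr (\w+)=(\S+) \[([^\]]+)\]")
# Quick Mode completion on either the initiator (I2) or responder (R2) side.
SA_UP = re.compile(r'"([^"]+)" #\d+: STATE_QUICK_[IR]2: .*IPsec SA established')

def unwrap(text):
    """Rejoin continuation lines (no timestamp) onto the preceding record."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return (Counter of load errors, set of connections with an IPsec SA)."""
    errors, established = Counter(), set()
    for rec in unwrap(text):
        m = LOAD_ERR.search(rec)
        if m:
            errors[m.groups()] += 1
        m = SA_UP.search(rec)
        if m:
            established.add(m.group(1))
    return errors, established

if __name__ == "__main__":
    errs, up = triage(SAMPLE)
    for (conn, key, value, reason), n in errs.items():
        print(f"{conn}: {key}={value} rejected ({reason}), reported {n}x")
    print("IPsec SA established for:", ", ".join(sorted(up)) or "none")
```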


