[Openswan Users] IPSEC net_to_net connection
amin mosayyebzadeh
siramin056 at gmail.com
Thu Aug 20 12:15:52 EDT 2009
Hi everybody,
I work on a project in which we need to establish a connection between two
subnets via two gateways that have Linux 2.6.21 running on them.
When we configure the ipsec.conf file to establish a connection between
two hosts, it works properly,
but when we change the ipsec.conf file to establish a connection between
the subnets, an error occurs:
=====================================================================
# ipsec setup restart &
# ipsec_setup: Stopping Openswan IPsec...
pluto[573]: shutting down
pluto[573]: forgetting secrets
pluto[573]: "right_to_leftsubnet": deleting connection
pluto[573]: "right_to_leftsubnet" #5: deleting state (STATE_QUICK_I2)
pluto[573]: "right_to_leftsubnet" #4: deleting state (STATE_MAIN_I4)
pluto[573]: shutting down interface mac5/mac5 192.168.1.87:4500
pluto[573]: shutting down interface mac5/mac5 192.168.1.87:500
pluto[573]: shutting down interface mac0/mac0 40.40.40.1:4500
pluto[573]: shutting down interface mac0/mac0 40.40.40.1:500
pluto[573]: shutting down interface lo/lo 127.0.0.1:4500
pluto[573]: shutting down interface lo/lo 127.0.0.1:500
ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.21.1...
pluto[899]: Starting Pluto (Openswan Version 2.6.19; Vendor ID
OEkqHLBPOfMD) pid:899
pluto[899]: Setting NAT-Traversal port-4500 floating to on
pluto[899]: port floating activation criteria nat_t=1/port_float=1
pluto[899]: including NAT-Traversal patch (Version 0.6c)
pluto[899]: using /dev/urandom as source of random entropy
pluto[899]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[899]: starting up 1 cryptographic helpers
pluto[901]: using /dev/urandom as source of random entropy
pluto[899]: started helper pid=901 (fd:6)
pluto[899]: Using Linux 2.6 IPsec interface code on 2.6.21.1 (experimental code)
pluto[899]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[899]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
pluto[899]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[899]: ike_alg_add(): ERROR: Algorithm already exists
pluto[899]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[899]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[899]: ike_alg_add(): ERROR: Algorithm already exists
pluto[899]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[899]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[899]: ike_alg_add(): ERROR: Algorithm already exists
pluto[899]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[899]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[899]: ike_alg_add(): ERROR: Algorithm already exists
pluto[899]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[899]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names
pluto[899]: ike_alg_add(): ERROR: Algorithm already exists
pluto[899]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[899]: Changed path to directory '/etc/ipsec.d/cacerts'
pluto[899]: Changed path to directory '/etc/ipsec.d/aacerts'
pluto[899]: Changed path to directory '/etc/ipsec.d/ocspcerts'
pluto[899]: Changing to directory '/etc/ipsec.d/crls'
pluto[899]: Warning: empty directory
pluto[899]: Changing back to directory '/home/utils' failed - (29 Illegal seek)
pluto[899]: Changing back to directory '/home/utils' failed - (2 No
such file or directory)
pluto[899]: added connection description "right_to_leftsubnet"
pluto[899]: listening for IKE messages
pluto[899]: adding interface lo/lo 127.0.0.1:500
pluto[899]: adding interface lo/lo 127.0.0.1:4500
pluto[899]: adding interface mac0/mac0 40.40.40.1:500
pluto[899]: adding interface mac0/mac0 40.40.40.1:4500
pluto[899]: adding interface mac5/mac5 192.168.1.87:500
pluto[899]: adding interface mac5/mac5 192.168.1.87:4500
pluto[899]: loading secrets from "/etc/ipsec.secrets"
pluto[899]: loaded private key for keyid: PPK_RSA:AQNsrJS8a
pluto[899]: "right_to_leftsubnet" #1: initiating Main Mode
pluto[899]: "right_to_leftsubnet" #1: received Vendor ID payload
[Openswan (this version) 2.6.19 ]
pluto[899]: "right_to_leftsubnet" #1: received Vendor ID payload [Dead
Peer Detection]
pluto[899]: "right_to_leftsubnet" #1: received Vendor ID payload [RFC
3947] method set to=109
pluto[899]: "right_to_leftsubnet" #1: enabling possible NAT-traversal
with method 4
pluto[899]: "right_to_leftsubnet" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[899]: "right_to_leftsubnet" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[901]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took
639037 usec
pluto[899]: "right_to_leftsubnet" #1: NAT-Traversal: Result using RFC
3947 (NAT-Traversal): no NAT detected
pluto[899]: "right_to_leftsubnet" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[899]: "right_to_leftsubnet" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[899]: "right_to_leftsubnet" #1: received Vendor ID payload [CAN-IKEv2]
pluto[899]: "right_to_leftsubnet" #1: Main mode peer ID is
ID_IPV4_ADDR: '192.168.1.90'
pluto[899]: "right_to_leftsubnet" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
pluto[899]: "right_to_leftsubnet" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha
group=modp2048}
pluto[899]: "right_to_leftsubnet" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:43bb8af1
proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
pluto[901]: WARNING: calc_dh_shared(): for OAKLEY_GROUP_MODP2048 took
639100 usec
pluto[899]: "right_to_leftsubnet" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
pluto[899]: "right_to_leftsubnet" #2: STATE_QUICK_I2: sent QI2, IPsec
SA established tunnel mode {ESP=>0x01ec373a <0xcbf46c76
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
pluto[899]: "right_to_leftsubnet" #2: message ignored because it
contains an unexpected payload type (ISAKMP_NEXT_HASH)
pluto[899]: "right_to_leftsubnet" #2: sending encrypted notification
INVALID_PAYLOAD_TYPE to 192.168.1.90:500
ping: sendto: No route to host
pluto[899]: "right_to_leftsubnet" #2: message ignored because it
contains an unexpected payload type (ISAKMP_NEXT_HASH)
pluto[899]: "right_to_leftsubnet" #2: sending encrypted notification
INVALID_PAYLOAD_TYPE to 192.168.1.90:500
# pluto[899]: "right_to_leftsubnet" #2: message ignored because it
contains an unexpected payload type (ISAKMP_NEXT_HASH)
pluto[899]: "right_to_leftsubnet" #2: sending encrypted notification
INVALID_PAYLOAD_TYPE to 192.168.1.90:500
================================================================
and I cannot ping 30.30.30.3 from 40.40.40.2. When we stop
ipsec on both sides and start them again, this error does not occur,
but when we stop one of the sides and start it again, this error occurs
and we cannot ping the nodes. Also, when the two sides start at the same time,
this notification appears:
64 bytes from 30.30.30.1: seq=373 ttl=64 time=10.170 ms
64 bytes from 30.30.30.1: seq=374 ttl=64 time=10.070 ms
64 bytes from 30.30.30.1: seq=375 ttl=64 time=10.178 ms
pluto[573]: "right_to_leftsubnet" #5: message ignored because it
contains an unexpected payload type (ISAKMP_NEXT_HASH)
pluto[573]: "right_to_leftsubnet" #5: sending encrypted notification
INVALID_PAYLOAD_TYPE to 192.168.1.90:500
64 bytes from 30.30.30.1: seq=376 ttl=64 time=10.087 ms
64 bytes from 30.30.30.1: seq=377 ttl=64 time=10.076 ms
This is my ipsec.conf file:
=================================================
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Debug-logging controls: "none" for (almost) none, "all" for lots.
	# klipsdebug=none
	#plutodebug="control parsing"
	nat_traversal=yes

conn right_to_leftsubnet
	left=192.168.1.87
	leftsourceip=40.40.40.1
	leftsubnet=40.40.40.0/24
	right=192.168.1.90
	rightsubnet=30.30.30.0/24
	rightsourceip=30.30.30.1
	type=tunnel
	#leftrsasigkey=0sAQNsr.......
	#rightrsasigkey=0sAQNsr.....
	auto=start
	#keylife=2m
	#ikelifetime=1m
	#rekeymargin=10s
	#rekeyfuzz=50%
	#keyingtries=0
	#rekey=yes
	pfs=yes
	authby=secret

#include /etc/ipsec.d/*.conf
=================================================
Any idea? Thanks in advance.
--
sincerely
amin
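The Pluto log quoted in the post above is wrapped by the mail client and mixes ping output with IKE state-machine messages, which makes it hard to see per-state what happened. The following is an added example (not Openswan code and not from the poster): a small Python triage script that re-joins the wrapped lines, groups the messages by connection name and state number, records the STATE_* transitions and the two "SA established" events, and counts how many "message ignored because it contains an unexpected payload type" events and outgoing notifications each state saw after its SA was up. The embedded sample log is constructed from a subset of the lines in the post; the record-start heuristic in `RECORD_START` and the `errors_after_sa` counter are this example's own assumptions, not Pluto semantics.

```python
"""Triage helper for Openswan Pluto logs (added example, not Openswan code)."""
import re

# Constructed sample: a subset of the Pluto lines quoted in the post, with the
# mail-client line wrapping preserved so the unwrap step has something to do.
SAMPLE_LOG = """\
pluto[899]: "right_to_leftsubnet" #1: initiating Main Mode
pluto[899]: "right_to_leftsubnet" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[899]: "right_to_leftsubnet" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[899]: "right_to_leftsubnet" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
pluto[899]: "right_to_leftsubnet" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha
group=modp2048}
pluto[899]: "right_to_leftsubnet" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:43bb8af1
proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
pluto[899]: "right_to_leftsubnet" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
pluto[899]: "right_to_leftsubnet" #2: STATE_QUICK_I2: sent QI2, IPsec
SA established tunnel mode {ESP=>0x01ec373a <0xcbf46c76
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
pluto[899]: "right_to_leftsubnet" #2: message ignored because it
contains an unexpected payload type (ISAKMP_NEXT_HASH)
pluto[899]: "right_to_leftsubnet" #2: sending encrypted notification
INVALID_PAYLOAD_TYPE to 192.168.1.90:500
ping: sendto: No route to host
pluto[899]: "right_to_leftsubnet" #2: message ignored because it
contains an unexpected payload type (ISAKMP_NEXT_HASH)
pluto[899]: "right_to_leftsubnet" #2: sending encrypted notification
INVALID_PAYLOAD_TYPE to 192.168.1.90:500
"""

# Heuristic (assumption of this example): a line starting with one of these
# prefixes begins a new record; any other line is a wrapped continuation.
# An optional leading "# " absorbs the shell prompt that leaked into the paste.
RECORD_START = re.compile(r'^(#\s*)?(pluto\[\d+\]:|ping:|ipsec_setup:|\d+ bytes from)')
STATE_LINE = re.compile(r'^pluto\[(\d+)\]: "([^"]+)" #(\d+): (.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
IGNORED = re.compile(r'message ignored because it contains an unexpected payload type \((\w+)\)')
NOTIFY = re.compile(r'sending encrypted notification (\w+) to (\S+)')


def unwrap(text):
    """Re-join mail-wrapped log lines into one record per line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(re.sub(r'^#\s*', '', line))
        elif records:
            records[-1] += ' ' + line
        else:
            records.append(line)
    return records


def parse_pluto_log(text):
    """Group Pluto messages by (connection, state number) and summarise them."""
    states = {}
    for rec in unwrap(text):
        m = STATE_LINE.match(rec)
        if not m:
            continue  # ping output, ipsec_setup chatter, daemon start-up lines
        pid, conn, num, msg = m.groups()
        st = states.setdefault((conn, int(num)), {
            "pid": int(pid), "states": [], "isakmp_sa": False, "ipsec_sa": False,
            "ignored_payloads": [], "notifications": [], "errors_after_sa": 0,
        })
        t = TRANSITION.search(msg)
        if t:
            if not st["states"]:
                st["states"].append(t.group(1))
            st["states"].append(t.group(2))
        if "ISAKMP SA established" in msg:
            st["isakmp_sa"] = True
        if "IPsec SA established" in msg:
            st["ipsec_sa"] = True
        ig = IGNORED.search(msg)
        if ig:
            st["ignored_payloads"].append(ig.group(1))
            if st["isakmp_sa"] or st["ipsec_sa"]:
                st["errors_after_sa"] += 1  # peer sent something this state no longer expects
        n = NOTIFY.search(msg)
        if n:
            st["notifications"].append((n.group(1), n.group(2)))
    return states


def findings(states):
    """One finding per state that ignored at least one message."""
    out = []
    for (conn, num), st in sorted(states.items()):
        if st["ignored_payloads"]:
            out.append({
                "conn": conn, "state": num,
                "payloads": sorted(set(st["ignored_payloads"])),
                "count": len(st["ignored_payloads"]),
                "after_sa": st["errors_after_sa"],
                "notified": sorted({f"{name} -> {peer}" for name, peer in st["notifications"]}),
            })
    return out


if __name__ == "__main__":
    for f in findings(parse_pluto_log(SAMPLE_LOG)):
        print(f'{f["conn"]} #{f["state"]}: {f["count"]} ignored message(s) '
              f'({", ".join(f["payloads"])}), {f["after_sa"]} of them after an SA '
              f'was established; notifications sent: {", ".join(f["notified"])}')
```

Feed it the full log from the post (or `tail -f` output from `/var/log/auth.log` or `/var/log/secure`, where Pluto usually writes) and the per-state summary shows at a glance which state numbers reached STATE_MAIN_I4 and STATE_QUICK_I2, and whether the INVALID_PAYLOAD_TYPE notifications belong to a state whose IPsec SA was already established, which is exactly the distinction the poster is trying to reason about when comparing a restart of both gateways with a restart of only one.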