[Openswan Users] ipsec between openswan & netscreen. Can make SA but can't ping

Hiroyuki Shimizu shimizu at tokyovalley.com
Tue Feb 10 14:01:52 EST 2009


Hi all,

It's nice to join your mailing list today.

I would like to ask you a question about IPsec.
I am currently testing IPsec communication between Openswan and NetScreen.
I confirmed that the SA was generated, but ping doesn't succeed in either direction.
It would be great if you could give me any help.

The IPsec settings are as follows:
aggressive mode
quick mode
tunnel mode
preshared key


Network diagram is below:
192.168.11.23 (Linux, Fedora core 7, Openswan)
|
192.168.11.56 (Untrust side)
Netscreen 5xp
192.168.1.1 (Trust side)
|
192.168.1.2(PC)

I want to run IPsec between the NetScreen and the Linux box as shown above.


According to Openswan's /var/log/secure,
Feb  7 18:38:02 localhost pluto[20703]: "netscreen" #65: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x211d6595 <0x5ef31249 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
According to Netscreen's log,
2009-02-07 19:18:49 system info  00536 IKE<192.168.11.23> Phase 2 msg ID <d0add37f>: Completed negotiations with SPI <211d6595>, tunnel ID <6>, and lifetime <3600> seconds/<0> KB.
ns5xp-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000006< 192.168.11.23    500 esp:3des/sha1 211d6595  2760 unlim A/-     6 0
00000006> 192.168.11.23    500 esp:3des/sha1 5ef31249  2760 unlim A/-     5 0

So it seems that the SA was generated successfully.


But when I tried to ping the NetScreen's Trust interface from Linux, I didn't get a reply, as below:
[root@localhost network-scripts]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.

--- 192.168.1.1 ping statistics ---
43 packets transmitted, 0 received, 100% packet loss, time 42001ms


Capturing packets at the same time, it seems that only Linux is sending packets.

18:41:43.162671 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 1, length 64
18:41:43.164141 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x25), length 100
18:41:44.164000 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 2, length 64
18:41:45.164000 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 3, length 64
18:41:46.163999 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 4, length 64
18:41:47.163998 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 5, length 64
18:41:48.161933 arp who-has 192.168.11.56 tell precision
18:41:48.163994 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 6, length 64
18:41:48.164179 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x26), length 100
18:41:48.164226 arp reply 192.168.11.56 is-at 00:10:db:48:6d:51 (oui Unknown)
18:41:49.163998 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 7, length 64
18:41:50.163996 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 8, length 64


When Linux pings the NetScreen's Untrust side, the ping gets through and packets seem to be exchanged.
I'm concerned that ICMP and ESP are mixed in the capture, as below:
[root@localhost network-scripts]# ping 192.168.11.56
64 bytes from 192.168.11.56: icmp_seq=1 ttl=64 time=3.86 ms
64 bytes from 192.168.11.56: icmp_seq=2 ttl=64 time=3.60 ms
64 bytes from 192.168.11.56: icmp_seq=3 ttl=64 time=3.59 ms
[root@precision ~]# tcpdump
18:39:42.500189 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x1), length 116
18:39:42.501688 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x2), length 108
18:39:42.503900 IP 192.168.11.56 > precision: ESP(spi=0x5ef31249,seq=0x1), length 116
18:39:42.503900 IP 192.168.11.56 > precision: ICMP echo reply, id 25443, seq 1, length 64
18:39:43.500072 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x3), length 116
18:39:43.503551 IP 192.168.11.56 > precision: ESP(spi=0x5ef31249,seq=0x2), length 116
18:39:43.503551 IP 192.168.11.56 > precision: ICMP echo reply, id 25443, seq 2, length 64
18:39:44.500071 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x4), length 116
18:39:44.503538 IP 192.168.11.56 > precision: ESP(spi=0x5ef31249,seq=0x3), length 116
18:39:44.503538 IP 192.168.11.56 > precision: ICMP echo reply, id 25443, seq 3, length 64
18:39:45.500083 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x5), length 116
18:39:45.503565 IP 192.168.11.56 > precision: ESP(spi=0x5ef31249,seq=0x4), length 116
18:39:45.503565 IP 192.168.11.56 > precision: ICMP echo reply, id 25443, seq 4, length 64


I added a route on Linux to 192.168.1.0 because I thought there was no router or interface for it, but the situation is the same.
[root@localhost network-scripts]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     192.168.11.56   255.255.255.0   UG    0      0        0 eth0
192.168.11.0    *               255.255.255.0   U     0      0        0 eth0
default         192.168.11.1    0.0.0.0         UG    0      0        0 eth0
[root@precision network-scripts]# uname -a
Linux precision 2.6.23.17-88.fc7 #1 SMP Thu May 15 00:35:10 EDT 2008 i686 i686 i386 GNU/Linux
[root@precision network-scripts]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:B0:D0:7B:C3:3E  
          inet addr:192.168.11.23  Bcast:192.168.11.255  Mask:255.255.255.0
          inet6 addr: fe80::2b0:d0ff:fe7b:c33e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3677897 errors:0 dropped:0 overruns:1 frame:0
          TX packets:1807082 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:1000 
          RX bytes:604802735 (576.7 MiB)  TX bytes:130499028 (124.4 MiB)
          Interrupt:18 Base address:0x8c00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:18802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18802 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:55093760 (52.5 MiB)  TX bytes:55093760 (52.5 MiB)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


As I remember, racoon creates a new interface such as ipsec0. But doesn't Openswan usually create an interface like that?

Thank you very much! 
Hiro Shimizu
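A small check that can be run against the evidence in a post like this one, added here as an example (it is not code from the post or from the Openswan project): it verifies that the SPI pair pluto logged for the IPsec SA matches the SPI pair in the NetScreen's "get sa active" table, and then walks the tcpdump output to see which echo requests to 192.168.1.1 were actually followed by an ESP packet to the peer. The sample strings are copied from the post above and embedded inline so the script runs offline; the reading of the "<" and ">" rows in the NetScreen table as receive/send direction is an inference from the capture (0x211d6595 is the SPI precision sends toward 192.168.11.56), not taken from vendor documentation.

```python
import re

# Sample inputs copied from the post above (constructed subsets, not live data).
PLUTO_LOG = (
    'Feb  7 18:38:02 localhost pluto[20703]: "netscreen" #65: STATE_QUICK_I2: sent QI2, '
    'IPsec SA established {ESP=>0x211d6595 <0x5ef31249 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}'
)

NETSCREEN_SA = """\
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000006< 192.168.11.23    500 esp:3des/sha1 211d6595  2760 unlim A/-     6 0
00000006> 192.168.11.23    500 esp:3des/sha1 5ef31249  2760 unlim A/-     5 0
"""

TCPDUMP = """\
18:41:43.162671 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 1, length 64
18:41:43.164141 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x25), length 100
18:41:44.164000 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 2, length 64
18:41:45.164000 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 3, length 64
18:41:46.163999 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 4, length 64
18:41:47.163998 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 5, length 64
18:41:48.161933 arp who-has 192.168.11.56 tell precision
18:41:48.163994 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 6, length 64
18:41:48.164179 IP precision > 192.168.11.56: ESP(spi=0x211d6595,seq=0x26), length 100
18:41:48.164226 arp reply 192.168.11.56 is-at 00:10:db:48:6d:51 (oui Unknown)
18:41:49.163998 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 7, length 64
18:41:50.163996 IP precision > 192.168.1.1: ICMP echo request, id 28515, seq 8, length 64
"""

PLUTO_SA_RE = re.compile(r"ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)")
NS_SA_RE = re.compile(r"^\w+([<>])\s+\S+\s+\d+\s+esp:\S+\s+([0-9a-f]+)")
ICMP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ICMP echo request, id (\d+), seq (\d+)")
ESP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")


def parse_pluto_spis(line):
    """pluto logs the SA as ESP=>outbound <inbound, seen from the Openswan host."""
    m = PLUTO_SA_RE.search(line)
    if not m:
        raise ValueError("no IPsec SA line found")
    return {"out": m.group(1), "in": m.group(2)}


def parse_netscreen_sa(text):
    """Read the SPIs out of 'get sa active'.
    Assumption (inferred from the capture, not from NetScreen documentation):
    '<' rows carry the SPI the NetScreen receives, '>' rows the SPI it sends."""
    spis = {}
    for line in text.splitlines():
        m = NS_SA_RE.match(line)
        if m:
            spis["in" if m.group(1) == "<" else "out"] = m.group(2)
    return spis


def spis_agree(openswan, netscreen):
    """Both ends must hold the same pair, crosswise: our outbound SPI is their inbound."""
    return openswan["out"] == netscreen["in"] and openswan["in"] == netscreen["out"]


def correlate_capture(text, peer):
    """Pair each plaintext echo request with the ESP packet to `peer` that follows it.
    Returns (seqs that were encapsulated, seqs with no ESP packet following)."""
    encapsulated, unencapsulated = [], []
    pending = None  # seq of the last echo request still waiting for its ESP packet
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            if pending is not None:
                unencapsulated.append(pending)
            pending = int(m.group(5))
            continue
        m = ESP_RE.match(line)
        if m and m.group(3) == peer and pending is not None:
            encapsulated.append(pending)
            pending = None
    if pending is not None:
        unencapsulated.append(pending)
    return encapsulated, unencapsulated


def diagnose(pluto_line, ns_table, capture, peer):
    """Combine both checks into one report."""
    osw, ns = parse_pluto_spis(pluto_line), parse_netscreen_sa(ns_table)
    enc, unenc = correlate_capture(capture, peer)
    return {"spi_match": spis_agree(osw, ns), "encapsulated": enc, "unencapsulated": unenc}


if __name__ == "__main__":
    report = diagnose(PLUTO_LOG, NETSCREEN_SA, TCPDUMP, "192.168.11.56")
    print("SPIs agree on both ends:", report["spi_match"])
    print("echo requests that were ESP-encapsulated:", report["encapsulated"])
    print("echo requests with no ESP packet following:", report["unencapsulated"])
```

On the capture above the SPIs agree and only echo requests 1 and 6 are followed by an ESP packet to 192.168.11.56; the other six never leave as ESP at all. That split is the useful part of the check: it separates "the SA was never negotiated" (which the SPI comparison rules out here) from "traffic is not being sent into the SA", which is where the route and policy lookup on the Linux side, and the policy on the NetScreen side, should be examined next.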