[Openswan Users] connection problem

Peter McGill petermcgill at goco.net
Wed Jan 7 14:06:48 EST 2009


> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of emmanuel trillaud
> Sent: January 7, 2009 9:36 AM
> To: users at openswan.org
> Subject: [Openswan Users] connection problem
> 
> I'm trying to configure a VPN and I have some problems during 
> connection.
> 
> --- conf file
> 
> # basic configuration
> config setup
> 	plutodebug="all"
> 	# klipsdebug="crypt pfkey natt"
>  	klipsdebug="all"
>  	#
>  	# Only enable klipsdebug=all if you are a developer
>  	#

This comment is serious: turn off pluto and klips debug, they just clutter the logs. Only turn them on if asked by a developer.
It makes finding the real error in the logs like finding a needle in a haystack, and fills your hard drive with logs.
	#plutodebug=none
	#klipsdebug=none

>  	interfaces="ipsec0=eth0"
> 	protostack=netkey
>  	# NAT-TRAVERSAL support, see README.NAT-Traversal
>  	nat_traversal=no
>  	
> #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!%v4:10.1.0.0/24,!%v4:192.168.0.0/24,!%v4:10.114.6.248/249
>  	#
> 	# enable this if you see "failed to find any available worker"
> 	nhelpers=0
>  	myid=91.xxx.xxx.xxx					
> 		
> # Add connections here
> #
> #connection DGFIP
> conn dgfip
> 	type=tunnel
> 	pfs=no
> 	keyingtries=3
> 	#disablearrivalcheck=no
> 	# preference : cipher=3des hash=md5 DH group 2
> 	
> #ike=aes-sha1,aes-md5,3des-sha1,3des-md5,3des-sha1-modp1024,3des-md5-modp1024,aes-sha1-modp1536,aes-md5-modp1536,3des-sha1-modp1536,3des-md5-modp1536
>         
> 	ike=3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1536,3des-md5-modp1536,aes-sha1-modp1024,aes-sha1-modp1536
> 	esp=aes-sha1,aes-md5,3des-sha1,3des-md5
> 	authby=secret

What are you connecting to? If another openswan, use RSA keys following the examples.
If you're not connecting to openswan, make your ike and esp settings match the other end.
Otherwise leave them at the default and don't set them.
For example, if the other end is configured to use 3des md5 dh group 2 (1024 bit):
	ike=3des-md5-modp1024
	esp=3des-md5
Configure the other end to just use these as well.

> 	left=91.xxx.xxx.xxx	
> 	leftsourceip=10.1.0.1
> 	leftsubnet=10.1.0.0/24
> 	#leftnexthop=91.xxx.xxx.xxx
> 	right=83.xxx.xxx.xxx
> 	rightsubnet=10.114.6.248/29
>  	rightsourceip=10.114.6.249
> 	auto=start
> #
> # sample VPN connections, see /etc/ipsec.d/examples/
> #
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> #
> 
> ---Log file
> 
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 91.xxx.xxx.xxx
> 000 interface eth0:0/eth0:0 91.xxx.xxx.xxx
> 000 interface eth0/eth0 192.168.1.1
> 000 interface eth0/eth0 10.1.0.1
> 000 interface eth0/eth0 10.1.0.2
> 000 interface eth0:1/eth0:1 91.xxx.xxx.xxx
> 000 interface eth0:2/eth0:2 91.xxx.xxx.xxx
> 000 interface eth0:3/eth0:3 91.xxx.xxx.xxx
> 000 %myid = 91.xxx.xxx.xxx
> 000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> 000  
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000  
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000  
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,108} attrs={0,1,72} 
> 000  
> 000 "dgfip": 10.1.0.0/24===91.x.x.x...83.x.x.x===10.114.6.248/29; prospective erouted; eroute owner: #0
> 000 "dgfip":     srcip=10.1.0.1; dstip=10.114.6.249; srcup=ipsec _updown; dstup=ipsec _updown;
> 000 "dgfip":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "dgfip":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,29; interface: eth0; encap: esp;
> 000 "dgfip":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
> 000 "dgfip":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2), 3DES_CBC(5)_000-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1536(5); flags=strict
> 000 "dgfip":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5)
> 000 "dgfip":   ESP algorithms wanted: AES(12)_000-SHA1(2), AES(12)_000-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
> 000 "dgfip":   ESP algorithms loaded: AES(12)_000-SHA1(2), AES(12)_000-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
> 000  
> 000 #1: "dgfip":500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s; lastdpd=-1s(seq in:0 out:0)
> 000 #1: pending Phase 2 for "dgfip" replacing #0
> 
> I don't really understand what the "000" in 3DES_CBC(5)_000(2) means and 
> why it seems to be problematic with
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2).
> I don't understand the last 2 lines, which seem to be a problem.

This is not an error, nothing in your logs here shows any error.
It's just reporting that it is searching for any 3des sha1 modp1024,
and that it found a specific one. Not an error, normal log.

> Emmanuel Trillaud
> mel : etrillaud at ntsys.fr

Change debug options like specified above then, restart openswan and send us the new logs.

Peter
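Added example, not code from the original thread or from the Openswan project: a small Python parser for the 000-prefixed "IKE/ESP algorithms wanted/found/loaded" lines of the kind `ipsec auto --status` prints and that Emmanuel quoted. It reads the notation as ENC(id)_keylen-HASH(id)[_keylen]-GROUP(id), treats a key length of `_000` the way Peter describes it (no key size pinned in the proposal, so it is satisfied by whatever size the loaded algorithm provides, 192 for 3DES), and reports any wanted proposal that nothing found or loaded satisfies. The first sample block is constructed from the four algorithm lines in the thread; the second is a constructed counter-example showing what a real gap looks like. The function names (`parse_status`, `resolve`, `missing`) are this example's own.

```python
"""Resolve Openswan 'algorithms wanted' entries against 'found'/'loaded' ones.

Added example for this thread, not Openswan code.  Notation assumed from the
quoted status output:
    ENC(id)_keylen-HASH(id)[_keylen]-GROUP(id)
A key length of 000 means the proposal did not pin a key size, so it matches
whatever size the loaded algorithm provides (192 for 3DES in the quoted output).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One algorithm token, e.g. "3DES_CBC(5)_000" or "SHA1(2)" or "MODP1024(2)".
TOKEN = re.compile(r"([A-Z0-9_]+)\((\d+)\)(?:_(\d+))?")
# One status line of the kind quoted in the thread.
STATUS = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+(?P<proto>IKE|ESP) algorithms '
    r"(?P<kind>wanted|found|loaded):\s*(?P<body>.*)$"
)


@dataclass(frozen=True)
class Alg:
    name: str
    num: int      # the transform id shown in parentheses
    keylen: int   # 0 == not pinned ("_000" in the status output)

    def __str__(self) -> str:
        return f"{self.name}({self.num})/{'any' if self.keylen == 0 else self.keylen}"


Proposal = Tuple[Alg, ...]


def parse_proposal(text: str) -> Proposal:
    parts: List[Alg] = []
    for piece in text.split("-"):
        m = TOKEN.fullmatch(piece.strip())
        if m is None:
            raise ValueError(f"unparsable algorithm token: {piece!r}")
        parts.append(Alg(m.group(1), int(m.group(2)), int(m.group(3) or 0)))
    return tuple(parts)


def render(prop: Proposal) -> str:
    return "-".join(str(a) for a in prop)


def parse_status(text: str) -> Dict[str, Dict[str, Dict[str, List[Proposal]]]]:
    """{conn: {"IKE"|"ESP": {"wanted"|"found"|"loaded": [proposal, ...]}}}"""
    out: Dict[str, Dict[str, Dict[str, List[Proposal]]]] = {}
    for line in text.splitlines():
        m = STATUS.match(line.strip())
        if m is None:
            continue
        body = m.group("body").split("; flags=", 1)[0]   # drop a trailing "flags=strict"
        props = [parse_proposal(p) for p in body.split(",") if p.strip()]
        out.setdefault(m.group("conn"), {}).setdefault(m.group("proto"), {})[m.group("kind")] = props
    return out


def satisfies(wanted: Proposal, avail: Proposal) -> bool:
    """Same algorithm ids in every position; a pinned key length must agree,
    an unpinned one (000) accepts any size."""
    if len(wanted) != len(avail):
        return False
    for w, a in zip(wanted, avail):
        if (w.name, w.num) != (a.name, a.num):
            return False
        if w.keylen and w.keylen != a.keylen:
            return False
    return True


def resolve(status, conn: str, proto: str) -> List[Tuple[Proposal, List[Proposal]]]:
    """Pair each wanted proposal with the found/loaded entries that satisfy it."""
    entry = status[conn][proto]
    available = entry.get("found") or entry.get("loaded") or []
    return [(w, [a for a in available if satisfies(w, a)]) for w in entry.get("wanted", [])]


def missing(text: str) -> List[Tuple[str, str, str]]:
    """Wanted proposals that nothing found/loaded satisfies, as (conn, proto, proposal)."""
    status = parse_status(text)
    gaps = []
    for conn, protos in status.items():
        for proto in protos:
            for w, hits in resolve(status, conn, proto):
                if not hits:
                    gaps.append((conn, proto, render(w)))
    return gaps


# Constructed sample: the four algorithm lines from the thread's status output.
SAMPLE_STATUS = """\
000 "dgfip":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2), 3DES_CBC(5)_000-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1536(5); flags=strict
000 "dgfip":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5)
000 "dgfip":   ESP algorithms wanted: AES(12)_000-SHA1(2), AES(12)_000-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "dgfip":   ESP algorithms loaded: AES(12)_000-SHA1(2), AES(12)_000-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
"""

# Constructed counter-example (not from the thread): a wanted entry pinning
# AES-256 with MODP2048 that the found list does not offer.
SAMPLE_GAP = """\
000 "peer":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP2048(14), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "peer":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
"""

if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    for w, hits in resolve(st, "dgfip", "IKE"):
        print(f"{render(w)}  ->  {', '.join(render(h) for h in hits) or 'NOT FOUND'}")
    print("gaps in thread sample:", missing(SAMPLE_STATUS) or "none")
    print("gaps in counter-example:", missing(SAMPLE_GAP))
```

Run against the thread's lines, every wanted entry resolves to exactly one found entry and `missing()` returns nothing, which is Peter's point: the `_000` to `_192` pairing is the normal "unpinned proposal matched a concrete algorithm" report. A proposal that shows up under "wanted" with no counterpart under "found" is the case that actually deserves attention.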


