[Openswan Users] net-to-net - openswan 2.6.18 on k.2.6.24.7

TC tonisaco at gmail.com
Wed Jan 7 15:15:27 EST 2009


Hi,

On both sides, PC-based routers run Slackware 12.1.
On both sides the firewall is down (iptables -F).
I added leftsource and rightsource, but got the same result.
Here is the ipsec auto --status output:

root@vpn:/usr/src/linux# ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/eth0 82.79.77.xy
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "baiamare-negresti": 192.168.10.0/24===82.79.77.xy<82.79.77.xy>[+S=C]---82.79.77.65...82.79.83.1---82.79.83.nm<82.79.83.nm>[+S=C]===192.168.23.0/24; erouted; eroute owner: #4
000 "baiamare-negresti":     myip=192.168.10.254; hisip=192.168.23.1;
000 "baiamare-negresti":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "baiamare-negresti":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW;
prio: 24,24; interface: eth0;
000 "baiamare-negresti":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "baiamare-negresti":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000
000 #4: "baiamare-negresti":500 STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_REPLACE in 28205s; newest IPSEC; eroute owner; isakmp#3; idle;
import:not set
000 #4: "baiamare-negresti" esp.572de5cb@82.79.83.nm esp.f718f73e@82.79.77.xy tun.1004@82.79.83.nm tun.1003@82.79.77.xy ref=13 refhim=9
000 #3: "baiamare-negresti":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 3005s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:not set
000 #2: "baiamare-negresti":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 27647s; isakmp#1; idle; import:admin
initiate
000 #2: "baiamare-negresti" esp.f7140fdc@82.79.83.nm esp.f718f73d@82.79.77.xy tun.1001@82.79.83.nm tun.1002@82.79.77.xy ref=11 refhim=9
000 #1: "baiamare-negresti":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2555s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate


On Wed, Jan 7, 2009 at 9:13 PM, Peter McGill <petermcgill at goco.net> wrote:

> This is not uncommon; -I doesn't always work. Try adding the following to
> your conf.
>        leftsourceip=192.168.10.254
>        rightsourceip=192.168.23.1
> Also check that your firewall isn't blocking tunnel traffic.
> You need to allow communication between 192.168.10.0/24 and
> 192.168.23.0/24 on ipsec0.
> Not sure what that Delete SA message is about, what ipsec device is on the
> other end of tunnel?
>
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited
>
> > -----Original Message-----
> > From: users-bounces at openswan.org
> > [mailto:users-bounces at openswan.org] On Behalf Of TC
> > Sent: January 7, 2009 12:20 PM
> > To: users at openswan.org
> > Subject: [Openswan Users] net-to-net - openswan 2.6.18 on k.2.6.24.7
> >
> > Hi all,
> >
> > I have installed kernel 2.6.24.7 + klips patch + openswan 2.6.18
> > I have made a net-to-net config. The connection starts, but I cannot
> > ping the end of the tunnel.
> >
> > ping 192.168.23.1 -I eth1 not working
> > ping 192.168.10.254 -I eth1 not working
> >
> > ping 192.168.10.254 -I eth1
> > PING 192.168.10.254 (192.168.10.254) from 192.168.23.1 eth1:
> > 56(84) bytes of data.
> > From 192.168.23.1 icmp_seq=2 Destination Host Unreachable
> > From 192.168.23.1 icmp_seq=3 Destination Host Unreachable
> > From 192.168.23.1 icmp_seq=4 Destination Host Unreachable
> >
> >
> > A config (the same config is on B, but with a different ipsec.secrets):
> >
> > version 2.0
> >
> > config setup
> >     interfaces="ipsec0=eth0"
> >     protostack=klips
> >
> > conn block
> >     auto=ignore
> >
> > conn private
> >     auto=ignore
> >
> > conn private-or-clear
> >     auto=ignore
> >
> > conn clear-or-private
> >     auto=ignore
> >
> > conn clear
> >     auto=ignore
> >
> > conn packetdefault
> >     auto=ignore
> >
> > conn A-B
> >     left=WAN_IP_FROM_A
> >     leftnexthop=GATEWAY_FROM_A
> >     leftsubnet=192.168.10.0/24
> >     right=WAN_IP_FROM_B
> >     rightnexthop=GATEWAY_FROM_B
> >     rightsubnet=192.168.23.0/24
> >     type=tunnel
> >     auth=esp
> >     leftrsasigkey=0sAQOY...
> >     rightrsasigkey=0sAQNqB...
> >     auto=start
> >
> > in /var/log/syslog I have:
> >    Jan  7 19:13:12 vpn ipsec_setup: Starting Openswan IPsec 2.6.18...
> >    Jan  7 19:13:12 vpn ipsec__plutorun: 002 added connection
> > description "A-B"
> >    Jan  7 19:13:12 vpn ipsec__plutorun: 104 "A-B" #1:
> > STATE_MAIN_I1: initiate
> >
> > in /var/log/secure I have:
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: STATE_MAIN_I2:
> > sent MI2, expecting MR2
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: transition from
> > state STATE_MAIN_I2 to state STATE_MAIN_I3
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: STATE_MAIN_I3:
> > sent MI3, expecting MR3
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: received Vendor
> > ID payload [CAN-IKEv2]
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: Main mode peer ID
> > is ID_IPV4_ADDR: '82.79.83.23'
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: transition from
> > state STATE_MAIN_I3 to state STATE_MAIN_I4
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: STATE_MAIN_I4:
> > ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
> > prf=oakley_sha group=modp2048}
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #2: initiating Quick
> > Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1
> > msgid:beed36ed proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #2: transition from
> > state STATE_QUICK_I1 to state STATE_QUICK_I2
> > Jan  7 19:15:57 vpn pluto[10094]: "A-B" #2: STATE_QUICK_I2:
> > sent QI2, IPsec SA established tunnel mode {ESP=>0x45d84918
> > <0x892b2f5a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> > Jan  7 19:16:16 vpn pluto[10094]: "A-B" #1: ignoring Delete
> > SA payload: PROTO_IPSEC_ESP SA(0x45d84917) not found (maybe expired)
> > Jan  7 19:16:16 vpn pluto[10094]: "A-B" #1: received and
> > ignored informational message
> >
> >
> > Thanks for the help.
> >
> > --
> > TC
> >
> >
>
>


-- 
TC
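The status dump and the pluto log lines quoted in this thread already answer the first troubleshooting question: is the tunnel itself up, so that a failed ping has to be a routing, source-address or firewall problem rather than an IKE problem? Here is an added example (my own code, not from the thread and not part of Openswan) that parses a copy of that output and answers it mechanically. The two samples are constructed from the text posted above, with the mailing-list line wrapping undone; the regular expressions assume the Openswan 2.6 status and log format exactly as it appears in the thread.

```python
"""Parse Openswan 'ipsec auto --status' output and pluto log lines to answer:
is the ISAKMP SA up, is the IPsec SA up, is the connection erouted (KLIPS),
which ESP SPIs are installed, and does a 'Delete SA' notification name an SPI
this side actually holds.  Added example, not code from the thread or from
Openswan.  Samples are constructed from the output posted in the thread."""
import re

# Constructed sample: the connection block from 'ipsec auto --status' as posted.
STATUS_SAMPLE = """\
000 "baiamare-negresti": 192.168.10.0/24===82.79.77.xy<82.79.77.xy>[+S=C]---82.79.77.65...82.79.83.1---82.79.83.nm<82.79.83.nm>[+S=C]===192.168.23.0/24; erouted; eroute owner: #4
000 "baiamare-negresti":     myip=192.168.10.254; hisip=192.168.23.1;
000 "baiamare-negresti":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW; prio: 24,24; interface: eth0;
000 "baiamare-negresti":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 #4: "baiamare-negresti":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28205s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "baiamare-negresti" esp.572de5cb@82.79.83.nm esp.f718f73e@82.79.77.xy tun.1004@82.79.83.nm tun.1003@82.79.77.xy ref=13 refhim=9
000 #3: "baiamare-negresti":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3005s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
"""

# Constructed sample: the pluto lines from the first post that matter here.
LOG_SAMPLE = """\
Jan  7 19:15:57 vpn pluto[10094]: "A-B" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jan  7 19:15:57 vpn pluto[10094]: "A-B" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x45d84918 <0x892b2f5a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan  7 19:16:16 vpn pluto[10094]: "A-B" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x45d84917) not found (maybe expired)
"""

# leftsubnet===left<id>[flags]---leftnexthop...rightnexthop---right<id>[flags]===rightsubnet; routing; eroute owner: #N
CONN_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": (?P<lsub>\S+)===(?P<left>\S+?)<[^>]*>\[[^\]]*\]'
    r'---(?P<lnext>\S+?)\.\.\.(?P<rnext>\S+?)---(?P<right>\S+?)<[^>]*>\[[^\]]*\]'
    r'===(?P<rsub>\S+); (?P<routing>\w+); eroute owner: #(?P<owner>\d+)')
POLICY_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s+policy: (?P<policy>[\w+]+);')
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')
SPI_RE = re.compile(r'esp\.(?P<spi>[0-9a-f]+)@(?P<peer>\S+)')
ESTAB_RE = re.compile(r'IPsec SA established .*\{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)')
DELETE_RE = re.compile(r'Delete SA payload: PROTO_IPSEC_ESP SA\(0x(?P<spi>[0-9a-f]+)\)')


def tunnel_summary(status_text):
    """Reduce the status dump to the facts a troubleshooter wants first."""
    s = {"conn": None, "routing": None, "eroute_owner": None, "policy": [],
         "isakmp_up": False, "ipsec_up": False, "spis": {}, "states": {}}
    for line in status_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            s["conn"] = m["conn"]
            s["left_subnet"], s["right_subnet"] = m["lsub"], m["rsub"]
            s["routing"], s["eroute_owner"] = m["routing"], int(m["owner"])
            continue
        m = POLICY_RE.match(line)
        if m:
            s["policy"] = m["policy"].split("+")
            continue
        m = STATE_RE.match(line)
        if m:
            s["states"][int(m["sa"])] = m["state"]
            if "ISAKMP SA established" in m["desc"]:
                s["isakmp_up"] = True
            if "IPsec SA established" in m["desc"]:
                s["ipsec_up"] = True
            continue
        for spi in SPI_RE.finditer(line):   # the esp.<spi>@<peer> line of a #N
            s["spis"][spi["spi"]] = spi["peer"]
    # Under KLIPS traffic only enters ipsec0 for a connection that is
    # "erouted"; "routed" alone means the eroute exists but no SA backs it.
    s["forwarding_expected"] = s["ipsec_up"] and s["routing"] == "erouted"
    return s


def audit_delete_notifications(log_text):
    """Cross-check each 'Delete SA' notification against the ESP SPIs that
    pluto reported as established.  Returns (known_spis, [(spi, known)])."""
    known, results = set(), []
    for line in log_text.splitlines():
        m = ESTAB_RE.search(line)
        if m:
            known.update((m["out"], m["in"]))
        m = DELETE_RE.search(line)
        if m:
            results.append((m["spi"], m["spi"] in known))
    return known, results


if __name__ == "__main__":
    summary = tunnel_summary(STATUS_SAMPLE)
    for key in ("conn", "left_subnet", "right_subnet", "routing", "eroute_owner",
                "isakmp_up", "ipsec_up", "forwarding_expected"):
        print(f"{key:20} {summary[key]}")
    print("ESP SPIs:", summary["spis"])
    for spi, ok in audit_delete_notifications(LOG_SAMPLE)[1]:
        verdict = "matches an installed SA" if ok else "not an SPI this side installed"
        print(f"Delete SA for 0x{spi}: {verdict}")
```

On the posted output both phases are established and the connection is erouted, so the IPsec layer is up and the remaining suspects are the ones Peter names: the source address of the ping and the firewall on ipsec0. The Delete SA notification names 0x45d84917, which is neither of the SPIs this side installed (0x45d84918 outbound, 0x892b2f5a inbound), which is exactly why pluto logs "not found" and ignores it. One caveat on the ping test itself: with iputils ping, `-I eth1` binds the socket to that device, so the echo request is forced out eth1 and never reaches the ipsec0 route; `-I 192.168.10.254` only sets the source address and leaves the route via ipsec0 intact, which is the same effect leftsourceip/rightsourceip give a plain `ping 192.168.23.1`.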