[Openswan Users] Informational Exchange message must be encrypted trying to connect to SonicWall

Neil Aggarwal neil at JAMMConsulting.com
Thu Jan 15 17:21:02 EST 2009


Hello:

I am trying to follow these instructions to connect
my linux machine at home to the SonicWall at work:
http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_Aggressive_Mode_IKE_with_PreShared_key.pdf

I created /etc/ipsec.d/sonicwall.conf with this content:
conn sonicwall
     type=tunnel
     auto=add
     auth=esp
     pfs=no
     authby=secret
     keyingtries=0
     left=1.2.3.4 (My linux machine's eth0 IP)
     leftid=@home
     leftsubnet=1.2.3.4/28
     right=5.6.7.8 (The SonicWall's public IP)
     rightsubnet=192.168.1.0/24
     rightid=@001234567 (The SonicWall's Identifier)
     esp=3des-sha1
     keyexchange=ike
     ike=3des-sha1
     aggrmode=yes 

I created /etc/ipsec.d/sonicwall.secrets with this content:
@home @001234567 : PSK "sharedSecret"

When I do service ipsec start, I see these messages in the /var/log/secure:
Jan 15 16:14:18 jamm8 ipsec__plutorun: Starting Pluto subsystem...
Jan 15 16:14:18 jamm8 pluto[23823]: Starting Pluto (Openswan Version 2.6.14; Vendor ID OEoSJUweaqAX) pid:23823
Jan 15 16:14:18 jamm8 pluto[23823]: Setting NAT-Traversal port-4500 floating to on
Jan 15 16:14:18 jamm8 pluto[23823]:    port floating activation criteria nat_t=1/port_float=1
Jan 15 16:14:18 jamm8 pluto[23823]:    including NAT-Traversal patch (Version 0.6c)
Jan 15 16:14:18 jamm8 pluto[23823]: using /dev/urandom as source of random entropy
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: starting up 1 cryptographic helpers
Jan 15 16:14:18 jamm8 pluto[23823]: started helper pid=23835 (fd:7)
Jan 15 16:14:18 jamm8 pluto[23835]: using /dev/urandom as source of random entropy
Jan 15 16:14:18 jamm8 pluto[23823]: Using Linux 2.6 IPsec interface code on 2.6.18-92.1.10.el5PAE (experimental code)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_add(): ERROR: Algorithm already exists
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_add(): ERROR: Algorithm already exists
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_add(): ERROR: Algorithm already exists
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_add(): ERROR: Algorithm already exists
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jan 15 16:14:18 jamm8 pluto[23823]: ike_alg_add(): ERROR: Algorithm already exists
Jan 15 16:14:19 jamm8 pluto[23823]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jan 15 16:14:19 jamm8 pluto[23823]: Could not change to directory '/etc/ipsec.d/cacerts': /
Jan 15 16:14:19 jamm8 pluto[23823]: Could not change to directory '/etc/ipsec.d/aacerts': /
Jan 15 16:14:19 jamm8 pluto[23823]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Jan 15 16:14:19 jamm8 pluto[23823]: Could not change to directory '/etc/ipsec.d/crls'
Jan 15 16:14:19 jamm8 pluto[23823]: Changing back to directory '/' failed - (2 No such file or directory)
Jan 15 16:14:19 jamm8 pluto[23823]: Changing back to directory '/' failed - (2 No such file or directory)
Jan 15 16:14:19 jamm8 pluto[23823]: added connection description "sonicwall"
Jan 15 16:14:19 jamm8 pluto[23823]: listening for IKE messages
Jan 15 16:14:19 jamm8 pluto[23823]: adding interface eth0/eth0 206.123.70.61:500
Jan 15 16:14:19 jamm8 pluto[23823]: adding interface eth0/eth0 206.123.70.61:4500
Jan 15 16:14:19 jamm8 pluto[23823]: adding interface lo/lo 127.0.0.1:500
Jan 15 16:14:19 jamm8 pluto[23823]: adding interface lo/lo 127.0.0.1:4500
Jan 15 16:14:19 jamm8 pluto[23823]: adding interface lo/lo ::1:500
Jan 15 16:14:19 jamm8 pluto[23823]: loading secrets from "/etc/ipsec.secrets"
Jan 15 16:14:19 jamm8 pluto[23823]: loading secrets from "/etc/ipsec.d/sonicwall.secrets"

Should I be concerned about the lack of certs directories?
I searched Google, but it seems other people posted their logs with those
entries, and they did not seem to imply it was a problem, so I decided to
continue.

When I do ipsec auto --add sonicwall, I get these messages:

Jan 15 16:16:53 jamm8 pluto[23823]: "sonicwall": deleting connection
Jan 15 16:16:53 jamm8 pluto[23823]: added connection description "sonicwall"

So, I guess it took down the connection from last time and added it back
again.

Now, when I do ipsec auto --up sonicwall, I get these messages:

Jan 15 16:18:13 jamm8 pluto[23823]: "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
Jan 15 16:18:13 jamm8 pluto[23823]: "sonicwall" #1: transform (5,2,2,0) ignored.
Jan 15 16:18:13 jamm8 pluto[23823]: "sonicwall" #1: initiating Aggressive Mode #1, connection "sonicwall"
Jan 15 16:18:13 jamm8 pluto[23823]: "sonicwall" #1: multiple transforms were set in aggressive mode. Only first one used.
Jan 15 16:18:13 jamm8 pluto[23823]: "sonicwall" #1: transform (5,2,2,0) ignored.
Jan 15 16:18:13 jamm8 pluto[23823]: | setting sec: 1
Jan 15 16:18:13 jamm8 pluto[23823]: "sonicwall" #1: Informational Exchange message must be encrypted

I don't know what these messages mean.

Any help?

Thanks,
  Neil


--
Neil Aggarwal, (832)245-7314, www.JAMMConsulting.com
Eliminate junk email and reclaim your inbox.
Visit http://www.spammilter.com for details. 



