[Openswan Users] Amazon Ec2 Ipsec and Cisco

Joe Skop joe.skop at gmail.com
Wed Jul 1 04:01:05 EDT 2009


Hi,

2009/6/30 Joe Skop <joe.skop at gmail.com>:
> Hi Paul,
>
[...]

this is the news after installing the new openswan 2.6.22:

ipsec.conf
----------------------------------------------------------------------
version 2.0
config setup
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        protostack=netkey
conn test
        type=           tunnel
        authby=         secret
        left=           %defaultroute
        leftsubnet=     10.xxx.xxx.0/24
        right=          77.xxx.xxx.xxx
        rightsubnet=    192.xxx.xxx.xxx/32
        forceencaps=    yes
        ike=            3des
        esp=            3des
        keyexchange=    ike
        pfs=            no
        auto=           start


----------------------------------------------------------------------

logs:
----------------------------------------------------------------------

Jul  1 07:36:35 localhost kernel: NET: Registered protocol family 15
Jul  1 07:36:35 localhost ipsec_setup: Starting Openswan IPsec
U2.6.22/K2.6.21.7-2.fc8xen...
Jul  1 07:36:35 localhost ipsec_setup: Using NETKEY(XFRM) stack

==> auth.log <==
Jul  1 07:36:35 localhost ipsec__plutorun: Starting Pluto subsystem...
Jul  1 07:36:35 localhost pluto[2674]: Starting Pluto (Openswan
Version 2.6.22; Vendor ID OElj@]rTMBuM) pid:2674
Jul  1 07:36:35 localhost pluto[2674]: Setting NAT-Traversal port-4500
floating to on
Jul  1 07:36:35 localhost pluto[2674]:    port floating activation
criteria nat_t=1/port_float=1
Jul  1 07:36:35 localhost pluto[2674]:    including NAT-Traversal
patch (Version 0.6c)
Jul  1 07:36:35 localhost pluto[2674]: using /dev/urandom as source of
random entropy
Jul  1 07:36:35 localhost pluto[2674]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul  1 07:36:35 localhost pluto[2674]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul  1 07:36:35 localhost pluto[2674]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul  1 07:36:35 localhost pluto[2674]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul  1 07:36:35 localhost pluto[2674]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul  1 07:36:35 localhost pluto[2674]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul  1 07:36:35 localhost pluto[2674]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul  1 07:36:35 localhost pluto[2674]: no helpers will be started, all
cryptographic operations will be done inline
Jul  1 07:36:35 localhost pluto[2674]: Using Linux 2.6 IPsec interface
code on 2.6.21.7-2.fc8xen (experimental code)
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
Activating <NULL>: Ok (ret=0)
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm
already exists
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm
already exists
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm
already exists
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm
already exists
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm
already exists
Jul  1 07:36:36 localhost pluto[2674]: ike_alg_register_enc():
Activating <NULL>: FAILED (ret=-17)
Jul  1 07:36:36 localhost pluto[2674]: Changed path to directory
'/etc/ipsec.d/cacerts'
Jul  1 07:36:36 localhost pluto[2674]: Changed path to directory
'/etc/ipsec.d/aacerts'
Jul  1 07:36:36 localhost pluto[2674]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Jul  1 07:36:36 localhost pluto[2674]: Changing to directory '/etc/ipsec.d/crls'
Jul  1 07:36:36 localhost pluto[2674]:   Warning: empty directory
Jul  1 07:36:36 localhost pluto[2674]: added connection description "test"
Jul  1 07:36:36 localhost pluto[2674]: listening for IKE messages
Jul  1 07:36:36 localhost pluto[2674]: NAT-Traversal: Trying new style NAT-T
Jul  1 07:36:36 localhost pluto[2674]: NAT-Traversal: ESPINUDP(1)
setup failed for new style NAT-T family IPv4 (errno=19)
Jul  1 07:36:36 localhost pluto[2674]: NAT-Traversal: Trying old style NAT-T
Jul  1 07:36:36 localhost pluto[2674]: adding interface eth0/eth0
10.xxx.xxx.xxx:500
Jul  1 07:36:36 localhost pluto[2674]: adding interface eth0/eth0
10.xxx.xxx.xxx:4500
Jul  1 07:36:36 localhost pluto[2674]: adding interface lo/lo 127.0.0.1:500
Jul  1 07:36:36 localhost pluto[2674]: adding interface lo/lo 127.0.0.1:4500
Jul  1 07:36:36 localhost pluto[2674]: adding interface lo/lo ::1:500
Jul  1 07:36:36 localhost pluto[2674]: loading secrets from "/etc/ipsec.secrets"
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: initiating Main Mode
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: ignoring Vendor ID
payload [FRAGMENTATION c0000000]
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: received Vendor ID
payload [Cisco-Unity]
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: received Vendor ID
payload [XAUTH]
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: ignoring unknown
Vendor ID payload [af1f66a0130233134b295618fadbbab3]
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: ignoring Vendor ID
payload [Cisco VPN 3000 Series]
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: Main mode peer ID is
ID_IPV4_ADDR: '77.xxx.xxx.xxx'
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  1 07:36:37 localhost pluto[2674]: "test" #2: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:ecb1268e
proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160
pfsgroup=no-pfs}
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: ignoring
informational payload, type INVALID_ID_INFORMATION msgid=00000000
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: received and ignored
informational message
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: received Delete SA
payload: deleting ISAKMP State #1
Jul  1 07:36:37 localhost pluto[2674]: packet from 77.xxx.xxx.xxx:500:
received and ignored informational message

==> syslog <==
Jul  1 07:36:35 localhost ipsec_setup: ...Openswan IPsec started
Jul  1 07:36:35 localhost pluto: adjusting ipsec.d to /etc/ipsec.d
Jul  1 07:36:36 localhost ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul  1 07:36:36 localhost ipsec__plutorun: 002 added connection
description "test"
Jul  1 07:36:36 localhost ipsec__plutorun: 003 NAT-Traversal: Trying
new style NAT-T
Jul  1 07:36:36 localhost ipsec__plutorun: 003 NAT-Traversal:
ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jul  1 07:36:36 localhost ipsec__plutorun: 003 NAT-Traversal: Trying
old style NAT-T
Jul  1 07:36:37 localhost ipsec__plutorun: 104 "test" #1:
STATE_MAIN_I1: initiate

==> auth.log <==
Jul  1 07:36:41 localhost pluto[2674]: packet from 77.xxx.xxx.xxx:500:
ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul  1 07:36:41 localhost pluto[2674]: "test" #3: responding to Main Mode
Jul  1 07:36:41 localhost pluto[2674]: "test" #3: OAKLEY_DES_CBC is
not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul  1 07:36:41 localhost pluto[2674]: "test" #3: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul  1 07:36:41 localhost pluto[2674]: "test" #3: STATE_MAIN_R1: sent
MR1, expecting MI2
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: received Vendor ID
payload [Cisco-Unity]
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: received Vendor ID
payload [XAUTH]
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: ignoring unknown
Vendor ID payload [b7846f20a66fab47934c12f0fb60dfc3]
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: ignoring Vendor ID
payload [Cisco VPN 3000 Series]
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: STATE_MAIN_R2: sent
MR2, expecting MI3
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: received Vendor ID
payload [Dead Peer Detection]
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: Main mode peer ID is
ID_IPV4_ADDR: '77.xxx.xxx.xxx'
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: ignoring
informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: the peer proposed:
10.xxx.xxx.xxx/32:0/0 -> 192.xxx.xxx.xxx/32:0/0
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: cannot respond to
IPsec SA request because no connection is known for
10.xxx.xxx.xxx[+S=C]...77.xxx.xxx.xxx<77.xxx.xxx.xxx>[+S=C]===192.xxx.xxx.xxx/32
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: sending encrypted
notification INVALID_ID_INFORMATION to 77.xxx.xxx.xxx:500
----------------------------------------------------------

Looking "better" but still nothing happens.

Regards,
JS
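The log above shows phase 1 (ISAKMP SA) completing in both directions and phase 2 failing with INVALID_ID_INFORMATION right after the Cisco side proposes a 10.x/32 -> 192.x/32 pair while ipsec.conf carries leftsubnet=10.xxx.xxx.0/24. The script below is an added example, not code from the poster or from Openswan: it parses a conn block and pluto log lines of the same shape, counts phase 1 successes and INVALID_ID_INFORMATION events, and checks the "the peer proposed" selectors against leftsubnet/rightsubnet, treating the first selector as the local (left) side as pluto prints it. IKEv1 Quick Mode has no selector narrowing, so an exact match is required; the config and log lines are constructed with documentation address ranges in place of the redacted values.

```python
"""Correlate Openswan pluto log lines with an ipsec.conf conn block to explain
a Quick Mode (phase 2) rejection. Added example; the config and log lines
below are constructed (documentation ranges), modelled on the post's output."""
import ipaddress
import re

# Constructed ipsec.conf fragment in the same layout as the post.
IPSEC_CONF = """\
version 2.0
config setup
        nat_traversal=yes
        protostack=netkey
conn test
        type=           tunnel
        authby=         secret
        left=           %defaultroute
        leftsubnet=     10.0.1.0/24
        right=          198.51.100.1
        rightsubnet=    192.0.2.10/32
        forceencaps=    yes
        ike=            3des
        esp=            3des
        pfs=            no
        auto=           start
"""

# Constructed pluto lines mimicking auth.log in the post (addresses are made up).
PLUTO_LOG = """\
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  1 07:36:37 localhost pluto[2674]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:ecb1268e proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Jul  1 07:36:37 localhost pluto[2674]: "test" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: the peer proposed: 10.0.1.5/32:0/0 -> 192.0.2.10/32:0/0
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: cannot respond to IPsec SA request because no connection is known for 10.0.1.5[+S=C]...198.51.100.1<198.51.100.1>[+S=C]===192.0.2.10/32
Jul  1 07:36:42 localhost pluto[2674]: "test" #3: sending encrypted notification INVALID_ID_INFORMATION to 198.51.100.1:500
"""

LOG_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')
# pluto prints "the peer proposed: <local net>:<proto/port> -> <remote net>:<proto/port>"
PROPOSED_RE = re.compile(r'the peer proposed: (\S+?):\S+ -> (\S+?):\S+')


def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every 'conn' section; whitespace
    around '=' is tolerated, matching the layout used in the post."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented line: 'conn NAME', 'config setup', 'version'
            parts = line.split()
            current = conns.setdefault(parts[1], {}) if len(parts) > 1 and parts[0] == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_selectors(conns, proposals):
    """IKEv1 Quick Mode does not narrow selectors: pluto only accepts a proposal
    whose networks exactly equal a conn's leftsubnet/rightsubnet."""
    findings = []
    for conn, left_sel, right_sel in proposals:
        cfg = conns[conn]
        for key, proposed in (("leftsubnet", left_sel), ("rightsubnet", right_sel)):
            if key not in cfg:
                findings.append(f"{conn}: {key} not set in ipsec.conf; peer proposed {proposed}")
                continue
            want = ipaddress.ip_network(cfg[key], strict=False)
            got = ipaddress.ip_network(proposed, strict=False)
            if got == want:
                continue
            relation = "inside" if got.subnet_of(want) else "outside"
            findings.append(f"{conn}: peer proposed {key}={got} but ipsec.conf has {key}={want} "
                            f"({relation} the configured range; IKEv1 needs an exact match)")
    return findings


def analyse(conf_text=IPSEC_CONF, log_text=PLUTO_LOG):
    """Summarise phase 1/phase 2 outcome and any selector mismatch."""
    conns = parse_conns(conf_text)
    result = {"phase1_established": 0, "invalid_id": 0, "proposals": []}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            result["phase1_established"] += 1
        if "INVALID_ID_INFORMATION" in msg:
            result["invalid_id"] += 1
        p = PROPOSED_RE.search(msg)
        if p and m.group("conn") in conns:
            result["proposals"].append((m.group("conn"), p.group(1), p.group(2)))
    result["findings"] = check_selectors(conns, result["proposals"])
    if result["phase1_established"] and result["invalid_id"]:
        result["verdict"] = "phase 1 OK, phase 2 rejected: peers disagree on the traffic selectors/IDs"
    else:
        result["verdict"] = "no phase 2 ID rejection seen"
    return result


if __name__ == "__main__":
    r = analyse()
    print(r["verdict"])
    for f in r["findings"]:
        print(" -", f)
```

Run against the real files with `analyse(open("/etc/ipsec.conf").read(), open("/var/log/auth.log").read())`; a finding that the proposed leftsubnet is a /32 sitting inside the configured /24 tells you the two ends need the same selectors (either the Cisco ACL widened to the /24, or the Openswan conn narrowed to the host) before Quick Mode can complete.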

