[Openswan Users] Amazon Ec2 Ipsec and Cisco
Joe Skop
joe.skop at gmail.com
Wed Jul 1 04:01:05 EDT 2009
Hi,
2009/6/30 Joe Skop <joe.skop at gmail.com>:
> Hi Paul,
>
[...]
these are the news after installing new openswan 2.6.22:
ipsec.conf
----------------------------------------------------------------------
version 2.0
config setup
    nat_traversal=yes
    nhelpers=0
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    protostack=netkey
conn test
    type=tunnel
    authby=secret
    left=%defaultroute
    leftsubnet=10.xxx.xxx.0/24
    right=77.xxx.xxx.xxx
    rightsubnet=192.xxx.xxx.xxx/32
    forceencaps=yes
    ike=3des
    esp=3des
    keyexchange=ike
    pfs=no
    auto=start
----------------------------------------------------------------------
logs:
----------------------------------------------------------------------
Jul 1 07:36:35 localhost kernel: NET: Registered protocol family 15
Jul 1 07:36:35 localhost ipsec_setup: Starting Openswan IPsec U2.6.22/K2.6.21.7-2.fc8xen...
Jul 1 07:36:35 localhost ipsec_setup: Using NETKEY(XFRM) stack
==> auth.log <==
Jul 1 07:36:35 localhost ipsec__plutorun: Starting Pluto subsystem...
Jul 1 07:36:35 localhost pluto[2674]: Starting Pluto (Openswan Version 2.6.22; Vendor ID OElj@]rTMBuM) pid:2674
Jul 1 07:36:35 localhost pluto[2674]: Setting NAT-Traversal port-4500 floating to on
Jul 1 07:36:35 localhost pluto[2674]: port floating activation criteria nat_t=1/port_float=1
Jul 1 07:36:35 localhost pluto[2674]: including NAT-Traversal patch (Version 0.6c)
Jul 1 07:36:35 localhost pluto[2674]: using /dev/urandom as source of random entropy
Jul 1 07:36:35 localhost pluto[2674]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 1 07:36:35 localhost pluto[2674]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 1 07:36:35 localhost pluto[2674]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 1 07:36:35 localhost pluto[2674]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 1 07:36:35 localhost pluto[2674]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul 1 07:36:35 localhost pluto[2674]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 1 07:36:35 localhost pluto[2674]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 1 07:36:35 localhost pluto[2674]: no helpers will be started, all cryptographic operations will be done inline
Jul 1 07:36:35 localhost pluto[2674]: Using Linux 2.6 IPsec interface code on 2.6.21.7-2.fc8xen (experimental code)
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm already exists
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm already exists
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm already exists
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm already exists
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_add(): ERROR: Algorithm already exists
Jul 1 07:36:36 localhost pluto[2674]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Jul 1 07:36:36 localhost pluto[2674]: Changed path to directory '/etc/ipsec.d/cacerts'
Jul 1 07:36:36 localhost pluto[2674]: Changed path to directory '/etc/ipsec.d/aacerts'
Jul 1 07:36:36 localhost pluto[2674]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jul 1 07:36:36 localhost pluto[2674]: Changing to directory '/etc/ipsec.d/crls'
Jul 1 07:36:36 localhost pluto[2674]: Warning: empty directory
Jul 1 07:36:36 localhost pluto[2674]: added connection description "test"
Jul 1 07:36:36 localhost pluto[2674]: listening for IKE messages
Jul 1 07:36:36 localhost pluto[2674]: NAT-Traversal: Trying new style NAT-T
Jul 1 07:36:36 localhost pluto[2674]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jul 1 07:36:36 localhost pluto[2674]: NAT-Traversal: Trying old style NAT-T
Jul 1 07:36:36 localhost pluto[2674]: adding interface eth0/eth0 10.xxx.xxx.xxx:500
Jul 1 07:36:36 localhost pluto[2674]: adding interface eth0/eth0 10.xxx.xxx.xxx:4500
Jul 1 07:36:36 localhost pluto[2674]: adding interface lo/lo 127.0.0.1:500
Jul 1 07:36:36 localhost pluto[2674]: adding interface lo/lo 127.0.0.1:4500
Jul 1 07:36:36 localhost pluto[2674]: adding interface lo/lo ::1:500
Jul 1 07:36:36 localhost pluto[2674]: loading secrets from "/etc/ipsec.secrets"
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: initiating Main Mode
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: received Vendor ID payload [Cisco-Unity]
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: received Vendor ID payload [XAUTH]
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: ignoring unknown Vendor ID payload [af1f66a0130233134b295618fadbbab3]
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '77.xxx.xxx.xxx'
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul 1 07:36:37 localhost pluto[2674]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:ecb1268e proposal=3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: received and ignored informational message
Jul 1 07:36:37 localhost pluto[2674]: "test" #1: received Delete SA payload: deleting ISAKMP State #1
Jul 1 07:36:37 localhost pluto[2674]: packet from 77.xxx.xxx.xxx:500: received and ignored informational message
==> syslog <==
Jul 1 07:36:35 localhost ipsec_setup: ...Openswan IPsec started
Jul 1 07:36:35 localhost pluto: adjusting ipsec.d to /etc/ipsec.d
Jul 1 07:36:36 localhost ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul 1 07:36:36 localhost ipsec__plutorun: 002 added connection description "test"
Jul 1 07:36:36 localhost ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Jul 1 07:36:36 localhost ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Jul 1 07:36:36 localhost ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Jul 1 07:36:37 localhost ipsec__plutorun: 104 "test" #1: STATE_MAIN_I1: initiate
==> auth.log <==
Jul 1 07:36:41 localhost pluto[2674]: packet from 77.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 1 07:36:41 localhost pluto[2674]: "test" #3: responding to Main Mode
Jul 1 07:36:41 localhost pluto[2674]: "test" #3: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Jul 1 07:36:41 localhost pluto[2674]: "test" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 1 07:36:41 localhost pluto[2674]: "test" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: received Vendor ID payload [Cisco-Unity]
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: received Vendor ID payload [XAUTH]
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: ignoring unknown Vendor ID payload [b7846f20a66fab47934c12f0fb60dfc3]
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: received Vendor ID payload [Dead Peer Detection]
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: Main mode peer ID is ID_IPV4_ADDR: '77.xxx.xxx.xxx'
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: the peer proposed: 10.xxx.xxx.xxx/32:0/0 -> 192.xxx.xxx.xxx/32:0/0
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: cannot respond to IPsec SA request because no connection is known for 10.xxx.xxx.xxx[+S=C]...77.xxx.xxx.xxx<77.xxx.xxx.xxx>[+S=C]===192.xxx.xxx.xxx/32
Jul 1 07:36:42 localhost pluto[2674]: "test" #3: sending encrypted notification INVALID_ID_INFORMATION to 77.xxx.xxx.xxx:500
----------------------------------------------------------
Looking "better" but still nothing happens.
Regards,
JS
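Added example, not part of the thread: a small Python check that parses a responder-side "the peer proposed:" line of the kind shown in the log above and compares the selectors with the conn's leftsubnet/rightsubnet. Pluto answers a Quick Mode request only when the proposed selectors equal a known conn's subnets, so a host /32 lying inside a configured /24 is reported as "narrower" rather than a match; the sample log line and conn values are constructed, with documentation addresses standing in for the redacted ones, and the local selector is taken to come first, as in the line above.

```python
import ipaddress
import re

# Constructed sample: a responder-side pluto line like the one in the
# thread, with made-up addresses in place of the redacted xxx values.
SAMPLE_LOG = (
    'Jul 1 07:36:42 localhost pluto[2674]: "test" #3: the peer proposed: '
    '10.0.1.5/32:0/0 -> 192.0.2.10/32:0/0'
)
# Constructed conn settings mirroring the ipsec.conf above (left = EC2 side).
SAMPLE_CONN = {"leftsubnet": "10.0.1.0/24", "rightsubnet": "192.0.2.10/32"}

# Local selector first, then the peer's, each followed by proto/port (":0/0").
PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
    r'(?P<ours>[\d.]+/\d+):\d+/\d+ -> (?P<theirs>[\d.]+/\d+):\d+/\d+'
)


def parse_proposal(line):
    """Return (conn name, local selector, peer selector) or None."""
    m = PROPOSED_RE.search(line)
    if not m:
        return None
    return (m.group("conn"),
            ipaddress.ip_network(m.group("ours")),
            ipaddress.ip_network(m.group("theirs")))


def check_selectors(line, conn):
    """Classify each proposed selector against the conn's configured subnet.

    'match'    : identical, the only case pluto will accept for this conn
    'narrower' : inside the configured subnet but not equal (still rejected)
    'mismatch' : outside the configured subnet entirely
    """
    parsed = parse_proposal(line)
    if parsed is None:
        return None
    _, ours, theirs = parsed
    result = {}
    for side, proposed in (("leftsubnet", ours), ("rightsubnet", theirs)):
        configured = ipaddress.ip_network(conn[side])
        if proposed == configured:
            result[side] = "match"
        elif proposed.subnet_of(configured):
            result[side] = "narrower"
        else:
            result[side] = "mismatch"
    return result
```

Run over the real auth.log, a "narrower" or "mismatch" verdict on either side explains a following "cannot respond to IPsec SA request because no connection is known" line without having to decode the selector string by hand.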