[Openswan Users] Problem with ipsec connection
CrashOverload at gmx.de
Mon Jul 6 05:20:58 EDT 2009
Hi,
I have a problem establishing an IPsec NAT-T connection from Openswan to a Nortel gateway. From the remote admin I got the encryption settings to set in my config. I'm using Openswan 2.6.22 and CentOS 5.2.
But the connection is always pending in IKE phase 2.
I hope you can help me. I've been working on this for weeks and can't get it to work, but we need it in a short time.
Encryption Settings from remote admin:
3 des sha1 group 2
shared key: xxxxxxxxxxx
This is the server overview:
local-ipsec---->NAT-Gateway---->Internet<-----remote-Nortel-gateway<----Remote-Server
ipsec verify displays the following output:
Linux Openswan U2.6.22/K2.6.18-92.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
ipsec.conf:
authby=secret
auto=add
ike=3des-sha1-modp1024
esp=3des-sha1
forceencaps=no
left=192.168.25.77
leftid=192.168.25.77
leftsubnet=192.168.25.77/32
pfs=yes
right=12.13.14.15
rightid=12.13.14.15
rightsubnet=192.168.66.77/32
type=tunnel
Output from /var/log/messages:
ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Output from /var/log/secure:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3ca25267 <0xf9dc8a26 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
modecfg pull: noquirk policy:push not-client
phase 1 is done, looking for phase 2 to unpend
* processed 1 messages from cryptographic helpers
next event EVENT_PENDING_DDNS in 31 seconds
next event EVENT_PENDING_DDNS in 31 seconds
next event EVENT_PENDING_DDNS in 0 seconds
*time to handle event
handling event EVENT_PENDING_DDNS
event after this is EVENT_PENDING_PHASE2 in 0 seconds
inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
event added after event EVENT_PENDING_PHASE2
handling event EVENT_PENDING_PHASE2
event after this is EVENT_PENDING_DDNS in 60 seconds
inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
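Added example, not part of the original post or of Openswan: a small Python triage helper that parses the pluto log lines quoted above into structured findings (NAT-T setup failures, established SAs with their SPIs and NAT-D status, pending phase 2) and prints plain-language hints. The sample log is assembled by hand from the post, and the `behind_nat` flag and the hint wording are this example's own assumptions.

```python
import re

# Constructed sample: the pluto lines quoted in the post above, assembled by hand for this example.
SAMPLE_LOG = """\
ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x3ca25267 <0xf9dc8a26 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
phase 1 is done, looking for phase 2 to unpend
handling event EVENT_PENDING_PHASE2
"""

ESPINUDP_RE = re.compile(r"ESPINUDP\((\d+)\) setup failed for (.+?) family (\w+) \(errno=(\d+)\)")
SA_RE = re.compile(
    r"(STATE_\w+): .*IPsec SA established (\w+) mode "
    r"\{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+) xfrm=(\S+) NATOA=(\S+) NATD=(\S+) DPD=(\S+)\}")

def triage(log_text, behind_nat=True):
    """Parse pluto log lines into structured findings plus plain-language hints."""
    out = {"nat_t_failures": [], "sas": [], "phase2_pending": False, "hints": []}
    for line in log_text.splitlines():
        m = ESPINUDP_RE.search(line)
        if m:  # kernel refused the NAT-T encapsulation setup; keep style, family and errno
            out["nat_t_failures"].append({"style": m.group(2), "family": m.group(3), "errno": int(m.group(4))})
            continue
        m = SA_RE.search(line)
        if m:  # a negotiated IPsec SA: outbound/inbound SPIs, transform, NAT-OA/NAT-D/DPD status
            out["sas"].append({"state": m.group(1), "mode": m.group(2), "spi_out": m.group(3),
                               "spi_in": m.group(4), "xfrm": m.group(5), "natoa": m.group(6),
                               "natd": m.group(7), "dpd": m.group(8)})
            continue
        if "looking for phase 2 to unpend" in line or "EVENT_PENDING_PHASE2" in line:
            out["phase2_pending"] = True
    # Hints are this example's own interpretation of the visible facts, not pluto output.
    for f in out["nat_t_failures"]:
        if f["errno"] == 19:  # errno 19 is ENODEV ("No such device") on Linux
            out["hints"].append("ESPINUDP setup failed with errno 19 (ENODEV): the kernel rejected "
                                f"{f['style']} for {f['family']}, so pluto fell back to old-style NAT-T; "
                                "verify NAT-T support in the running kernel/NETKEY build.")
    if behind_nat and any(sa["natd"] == "none" for sa in out["sas"]):
        out["hints"].append("SA negotiated with NATD=none although the local side sits behind a NAT gateway: "
                            "no NAT was detected in phase 1, so ESP will not be UDP-encapsulated; "
                            "forceencaps=yes is the usual setting to check.")
    return out

if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG)["hints"]:
        print(hint)
```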