[Openswan Users] Amazon Ec2 Ipsec and Cisco

Joe Skop joe.skop at gmail.com
Tue Jun 30 10:45:38 EDT 2009


Hi,

me again. So I solved some problems, but the VPN still doesn't work.
Really, I don't know what else I can do...

/etc/ipsec.conf:
------------------------------------------------------------------
version 2.0
config setup
nat_traversal=yes
nhelpers=0
interfaces=%defaultroute
klipsdebug=none
plutodebug=none

conn test
        type=           tunnel
        authby=         secret
        left=           %defaultroute
        leftsubnet=     10.xxx.xxx.0/24
        right=          77.xxx.xxx.xxx
        rightsubnet=    192.xxx.xxx.xxx/32
        esp=            3des-sha1
        keyexchange=    ike
        pfs=            no
        auto=           start
------------------------------------------------------------------

/etc/ipsec.secrets:
------------------------------------------------------------------
10.xxx.xxx.xxx 77.xxx.xxx.xxx : PSK "testkey"
------------------------------------------------------------------

And finally, the logging:
------------------------------------------------------------------

==> auth.log <==
Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec__plutorun: Unknown default RSA
hostkey scheme, not generating a default hostkey

==> syslog <==
Jun 30 14:33:20 ip-10-xxx-xxx-xxx kernel: NET: Registered protocol family 15
Jun 30 14:33:20 ip-10-xxx-xxx-xxx ipsec_setup: NETKEY on eth0
10.xxx.xxx.xxx/255.255.254.0 broadcast 10.xxx.xxx.255

==> auth.log <==
Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec__plutorun: Starting Pluto subsystem...
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]: Starting Pluto
(Openswan Version 2.4.12 LDAP_V3 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OE`lPH|Vbpuu)
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]: Setting NAT-Traversal
port-4500 floating to on
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]:    port floating
activation criteria nat_t=1/port_fload=1
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]:   including
NAT-Traversal patch (Version 0.6c)
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]: no helpers will be
started, all cryptographic operations will be done inline
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]: Using NETKEY IPsec
interface code on 2.6.21.7-2.fc8xen
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: Changing to directory
'/etc/ipsec.d/cacerts'
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: Changing to directory
'/etc/ipsec.d/aacerts'
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: Changing to directory
'/etc/ipsec.d/ocspcerts'
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: Changing to directory
'/etc/ipsec.d/crls'
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]:   Warning: empty directory
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: added connection
description "test"
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: listening for IKE messages
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: adding interface
eth0/eth0 10.xxx.xxx.xxx:500
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: adding interface
eth0/eth0 10.xxx.xxx.xxx:4500
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: adding interface lo/lo
127.0.0.1:500
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: adding interface lo/lo
127.0.0.1:4500
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: adding interface lo/lo ::1:500
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: loading secrets from
"/etc/ipsec.secrets"
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: initiating Main Mode
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: ignoring
Vendor ID payload [FRAGMENTATION c0000000]
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1:
STATE_MAIN_I2: sent MI2, expecting MR2
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: received
Vendor ID payload [Cisco-Unity]
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: received
Vendor ID payload [XAUTH]
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: ignoring
unknown Vendor ID payload [9d884f74d527864c3a1c46f96e1afd83]
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: ignoring
Vendor ID payload [Cisco VPN 3000 Series]
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: I did not
send a certificate because I do not have one.
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1:
STATE_MAIN_I3: sent MI3, expecting MR3
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: Main mode
peer ID is ID_IPV4_ADDR: '77.xxx.xxx.xxx'
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: transition
from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #2: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}

==> syslog <==
Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: ...Openswan IPsec started
Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: Starting Openswan IPsec 2.4.12...
Jun 30 14:33:22 ip-10-xxx-xxx-xxx ipsec__plutorun: 104 "test" #1:
STATE_MAIN_I1: initiate
Jun 30 14:33:22 ip-10-xxx-xxx-xxx ipsec__plutorun: ...could not start
conn "test"

==> auth.log <==
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: ignoring
informational payload, type INVALID_ID_INFORMATION
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: received
and ignored informational message
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: received
Delete SA payload: deleting ISAKMP State #1
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: packet from
77.xxx.xxx.xxx:500: received and ignored informational message
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: packet from
77.xxx.xxx.xxx:500: ignoring Vendor ID payload [FRAGMENTATION
c0000000]
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: responding
to Main Mode
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3:
OAKLEY_DES_CBC is not supported.  Attribute
OAKLEY_ENCRYPTION_ALGORITHM
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3:
STATE_MAIN_R1: sent MR1, expecting MI2
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: received
Vendor ID payload [Cisco-Unity]
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: received
Vendor ID payload [XAUTH]
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: ignoring
unknown Vendor ID payload [8147d6b39bf84795951aa9dd67537163]
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: ignoring
Vendor ID payload [Cisco VPN 3000 Series]
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3:
STATE_MAIN_R2: sent MR2, expecting MI3
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: received
Vendor ID payload [Dead Peer Detection]
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: Main mode
peer ID is ID_IPV4_ADDR: '77.xxx.xxx.xxx'
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: I did not
send a certificate because I do not have one.
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: ignoring
informational payload, type IPSEC_INITIAL_CONTACT
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: cannot
respond to IPsec SA request because no connection is known for
10.xxx.xxx.xxx...77.xxx.xxx.xxx===192.xxx.xxx.xxx/32
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: sending
encrypted notification INVALID_ID_INFORMATION to 77.xxx.xxx.xxx:500


------------------------------------------------------------------

Sure, I feel it is something simple and stupid (probably like me), but
I can't get out of this nightmare...

Regards,
JS


2009/6/26 Joe Skop <joe.skop at gmail.com>:
> Hi,
[...]
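The log above is a textbook Phase 1 success followed by a Phase 2 (Quick Mode) failure: both ISAKMP SAs come up with the PSK, but the peer answers the Quick Mode proposal with INVALID_ID_INFORMATION, and when the Cisco side initiates, pluto reports "no connection is known for 10.xxx.xxx.xxx...77.xxx.xxx.xxx===192.xxx.xxx.xxx/32". In pluto's selector notation a side without "===" is the bare host, so the peer is proposing the EC2 instance's own address as the left side, not the 10.xxx.xxx.0/24 leftsubnet in the conn. The script below is an added example for triaging this class of failure; it is not part of the thread or of Openswan. It parses the conn block and a set of pluto lines, separates Phase 1 from Phase 2 outcomes, and compares the selectors the peer proposed with the ones configured. The sample config and log lines are constructed copies of the ones posted above, with the poster's xxx placeholders kept, so the comparison is textual rather than numeric.

```python
import re

# Constructed sample input: the conn block from the thread's ipsec.conf and a
# few pluto lines modelled on its auth.log (xxx placeholders kept as posted).
SAMPLE_CONF = """\
conn test
        type=           tunnel
        authby=         secret
        left=           %defaultroute
        leftsubnet=     10.xxx.xxx.0/24
        right=          77.xxx.xxx.xxx
        rightsubnet=    192.xxx.xxx.xxx/32
        auto=           start
"""

SAMPLE_LOG = """\
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: initiating Main Mode
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: received Delete SA payload: deleting ISAKMP State #1
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: cannot respond to IPsec SA request because no connection is known for 10.xxx.xxx.xxx...77.xxx.xxx.xxx===192.xxx.xxx.xxx/32
Jun 30 14:33:25 ip-10-xxx-xxx-xxx pluto[23556]: "test" #3: sending encrypted notification INVALID_ID_INFORMATION to 77.xxx.xxx.xxx:500
"""

# pluto prefixes connection-specific messages with '"conn" #state-number:'
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
SELECTOR_RE = re.compile(r"no connection is known for (?P<sel>\S+)")


def parse_conn(text):
    """Return {key: value} for one conn block; whitespace around '=' is stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            conf["name"] = line.split(None, 1)[1]
        elif "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def parse_selector(sel):
    """Split pluto's 'LSUB===LHOST...RHOST===RSUB' into (lsub, lhost, rhost, rsub).

    A side written without '===' is the bare host, i.e. a host-only selector."""
    left, right = sel.split("...", 1)
    lsub, lhost = left.split("===", 1) if "===" in left else (None, left)
    rhost, rsub = right.split("===", 1) if "===" in right else (right, None)
    return lsub, lhost, rhost, rsub


def diagnose(conf_text, log_text):
    """Return (set of SA numbers that completed Phase 1, list of Phase 2 findings)."""
    conf = parse_conn(conf_text)
    phase1_ok, findings = set(), []
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m or m["conn"] != conf["name"]:
            continue
        sa, msg = int(m["sa"]), m["msg"]
        if "ISAKMP SA established" in msg:
            phase1_ok.add(sa)  # PSK, DH group and peer ID all agreed
        elif "initiating Quick Mode" in msg:
            findings.append(f"#{sa}: Phase 2 (Quick Mode) initiated")
        elif "INVALID_ID_INFORMATION" in msg:
            who = "peer rejected our" if "ignoring" in msg else "we rejected the peer's"
            findings.append(f"#{sa}: {who} Quick Mode IDs (INVALID_ID_INFORMATION)")
        elif (s := SELECTOR_RE.search(msg)):
            lsub, lhost, rhost, rsub = parse_selector(s["sel"])
            want_l = conf.get("leftsubnet", lhost + "/32")
            want_r = conf.get("rightsubnet", rhost + "/32")
            findings.append(
                f"#{sa}: peer proposed {lsub or lhost + '/32'} <-> {rsub or rhost + '/32'}, "
                f"but conn {conf['name']} has leftsubnet={want_l} rightsubnet={want_r}")
    return phase1_ok, findings


if __name__ == "__main__":
    ok, notes = diagnose(SAMPLE_CONF, SAMPLE_LOG)
    print("Phase 1 established for SAs:", sorted(ok))
    for note in notes:
        print(note)
```

Run against the thread's lines it reports Phase 1 success for SAs #1 and #3 and a selector mismatch on #3: the peer offers the instance address alone on the left, while the conn expects 10.xxx.xxx.0/24. That is the check to do first whenever a PSK tunnel to a Cisco box dies with INVALID_ID_INFORMATION right after Main Mode completes; the proxy IDs (crypto ACL on the Cisco side, leftsubnet/rightsubnet here) must match exactly on both ends.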

