[Openswan Users] Help needed to set up OpenSwan/ClarkConnect to Draytek Vigor router
Nick Howitt
n1ck.h0w1tt at gmail.com
Mon Mar 30 16:00:58 EDT 2009
Hi,
I have recently installed a ClarkConnect 4.3 firewall/router to replace
my old router. I have upgraded Openswan to v2.4.13 (2.6.20 won't
compile; 2.6.18 may compile, but I do not understand the output as I am
new to Linux).
The setup I want is a CC to Draytek Vigor 2600 LAN-to-LAN connection and a CC
to Draytek Vigor 2900 LAN-to-LAN connection.
Concentrating on the CC to Draytek Vigor 2600 connection, I have the
following setup. Both CC and the 2600 are on dynamic IPs with dynamic DNS
FQDNs available. I would like the 2600 to call the CC box.
My ipsec.conf looks like:
version 2.0

config setup
        interfaces=%defaultroute

conn %default
        authby=secret
        auto=start
        keyingtries=%forever
        left=%defaultroute
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.1

conn Mark
        right=%any
        rightsubnet=192.168.20.0/24
        rightid=FarEndFQDN
My ipsec.secrets is just:
: PSK "MyPSK"
When I start ipsec, I get the following log in /var/log/messages:
Mar 29 22:25:41 server pluto[13357]: added connection description "Mark"
Mar 29 22:25:41 server pluto[13357]: "Mark": cannot route connection
without knowing our nexthop
Mar 29 22:25:42 server pluto[13357]: "Mark": cannot initiate connection
without knowing peer IP address (kind=CK_TEMPLATE)
Mar 29 22:29:01 server pluto[13357]: "Mum"[3] 78.150.201.201 #4:
switched from "Mum" to "Mark"
Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4:
deleting connection "Mum" instance with peer 78.150.201.201
{isakmp=#0/ipsec=#0}
Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4: I did
not send a certificate because I do not have one.
Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4:
STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}
Mar 29 22:29:03 server pluto[13357]: "Mark"[1] 78.150.201.201 #5:
responding to Quick Mode {msgid:7ffffefc}
Mar 29 22:29:03 server pluto[13357]: "Mark"[1] 78.150.201.201 #5:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 29 22:29:03 server pluto[13357]: "Mark"[1] 78.150.201.201 #5:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 29 22:29:06 server pluto[13357]: "Mark"[1] 78.150.201.201 #5:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 29 22:29:06 server pluto[13357]: "Mark"[1] 78.150.201.201 #5:
STATE_QUICK_R2: IPsec SA established {ESP=>0xfffefd51 <0x0ae041f2
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Mar 29 23:09:26 server pluto[13357]: "Mark"[1] 78.150.201.201 #6:
responding to Quick Mode {msgid:59b265cb}
Mar 29 23:09:26 server pluto[13357]: "Mark"[1] 78.150.201.201 #6:
transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 29 23:09:26 server pluto[13357]: "Mark"[1] 78.150.201.201 #6:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #6:
transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #6:
STATE_QUICK_R2: IPsec SA established {ESP=>0xfffefd52 <0x7aad08cb
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #4:
received Delete SA(0xfffefd51) payload: deleting IPSEC State #5
Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #4:
received and ignored informational message
Mar 29 23:24:31 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
initiating Main Mode to replace #4
Mar 29 23:24:31 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 29 23:24:31 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
STATE_MAIN_I2: sent MI2, expecting MR2
Mar 29 23:24:35 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: I did
not send a certificate because I do not have one.
Mar 29 23:24:35 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 29 23:24:35 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
STATE_MAIN_I3: sent MI3, expecting MR3
Mar 29 23:24:38 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
discarding duplicate packet; already STATE_MAIN_I3
Mar 29 23:24:43 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
discarding duplicate packet; already STATE_MAIN_I3
Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: max
number of retransmissions (2) reached STATE_MAIN_I3. Possible
authentication failure: no acceptable response to our first encrypted
message
Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #10:
starting keying attempt 2 of an unlimited number
Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #12:
initiating Main Mode to replace #10
Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #12:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #12:
STATE_MAIN_I2: sent MI2, expecting MR2
Mar 29 23:25:48 server pluto[13357]: "Mark"[1] 78.150.201.201 #12: I did
not send a certificate because I do not have one.
This goes on and on repeating every few seconds.
At this point I can connect to the LAN side of the Draytek router
through the VPN, which shows a 3DES-MD5 tunnel active, but I cannot
contact any PC beyond the Draytek router, and nor can any PC there
contact my server.
I suspect my problem is near the beginning where it says it cannot
route, but what is the fix?
I have chosen a road warrior setup as it seems the most appropriate for
a fairly dynamic far-end IP, but I am happy to change it.
Also, should I be worried about all these pluto messages? If yes, how do
I fix them; if not, how do I stop them (plutodebug=none?)?
Many thanks,
Nick
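The following ipsec.conf is an added example for comparison with the one in the post above; it is not Nick's configuration and not an Openswan project file. It keeps the addresses and the FarEndFQDN / MyPSK placeholders from the post and assumes the same Openswan 2.4.x release. The settings it changes are the ones behind the first two pluto messages: with right=%any the connection is a template (kind=CK_TEMPLATE), and auto=start asks pluto to route and initiate it, which it cannot do until a peer has connected. auto=add only loads the description, so neither the "cannot route connection without knowing our nexthop" nor the "cannot initiate connection without knowing peer IP address" message is produced, and the connection is still instantiated when the Draytek calls in.

```ini
# Added example, not the configuration from the post: a responder-only
# ("road warrior") conn for a peer that calls us from a dynamic address.
# Addresses and the FarEndFQDN / MyPSK placeholders are taken from the post.
version 2.0

config setup
        interfaces=%defaultroute
        # plutodebug=none is already the default; the state-transition lines
        # in the post are normal informational logging, not debug output.
        plutodebug=none

conn %default
        authby=secret
        keyingtries=%forever
        left=%defaultroute
        leftsubnet=192.168.2.0/24
        leftsourceip=192.168.2.1

# Draytek Vigor 2600 on a dynamic IP. auto=add: load the conn and wait for
# the peer to connect instead of trying to route/initiate a %any template.
conn Mark
        auto=add
        right=%any
        rightsubnet=192.168.20.0/24
        # A leading '@' makes the ID a literal string; without it pluto treats
        # the value as a host name to resolve to an address. (Assumes the
        # Draytek sends its FQDN as its IKE identity.)
        rightid=@FarEndFQDN
        # Do not initiate renegotiation ourselves; the Draytek rekeys. This
        # removes the "initiating Main Mode to replace #4" attempts that end in
        # "max number of retransmissions (2) reached STATE_MAIN_I3".
        rekey=no
        # Algorithms as negotiated in the posted log. Both 3DES and MD5 are
        # legacy choices; prefer AES and SHA-1/SHA-2 if the router offers them.
        ike=3des-md5-modp1024
        esp=3des-sha1
```

The ipsec.secrets line from the post, `: PSK "MyPSK"`, needs no change for this: an entry with no index matches any peer, which is what a Main Mode responder needs when it must derive the key material before the peer's ID arrives in the encrypted third exchange. The trade-off is that every peer allowed to connect (the 2900 as well as the 2600) then authenticates with the same key, so anyone holding it can present any ID.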