[Openswan Users] Help needed to set up OpenSwan/ClarkConnect to Draytek Vigor router

simon charles charlessimon at hotmail.com
Tue Mar 31 14:59:36 EDT 2009


Hi !

   From your ipsec.conf: "auto=start" will generate "cannot route
connection.." on the server side, since the peer IP address of the
roadwarrior connection is not known at the time when ipsec was started
on the server. Ideally you want "auto=add" on the server side to have
that connection available when the roadwarrior peer tries to establish
the connection.

    From the logs it is evident that the tunnel gets established,
and if you are unable to pass traffic, please look at firewall rules
at either end and IP forwarding on the Linux box. If all looks well, then you can try adding the
following parameters in ipsec.conf: "nat_traversal=yes", and if it is
still unsuccessful then add "forceencaps=yes".
     Running tcpdump on the interfaces would also give you a fair idea of what's going on.



- Simon Charles - 
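As an added example (not part of Simon's reply and not Openswan code), a small Python checker that parses an ipsec.conf of the shape quoted below, applies "conn %default" inheritance the way pluto does, and flags the two settings the reply calls out: "auto=start" on a "right=%any" roadwarrior connection, and a missing "nat_traversal=yes" in "config setup". The sample config is a constructed copy of Nick's, and the parser is my own.

```python
# Constructed ipsec.conf modelled on the one quoted in the thread (not a real file).
SAMPLE_CONF = """\
version 2.0
config setup
   interfaces=%defaultroute

conn %default
   authby=secret
   auto=start
   left=%defaultroute
   leftsubnet=192.168.2.0/24

conn Mark
   right=%any
   rightsubnet=192.168.20.0/24
"""

def parse_ipsec_conf(text):
    """Lines at column 0 open a section; indented key=value lines belong to it."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            key, _, val = raw.strip().partition("=")
            if current is not None:
                current[key.strip()] = val.strip()
            continue
        head = raw.split()
        if head[:2] == ["config", "setup"]:
            current = setup
        elif head[0] == "conn" and len(head) > 1:
            current = conns.setdefault(head[1], {})
        else:
            current = None  # e.g. the "version 2.0" line
    return {"setup": setup, "conns": conns}

def effective(conf, name):
    # A named conn inherits every key of "conn %default" it does not override.
    merged = dict(conf["conns"].get("%default", {}))
    merged.update(conf["conns"][name])
    return merged

def lint(text):
    """Return (section, problem) pairs for the pitfalls raised in the reply."""
    conf = parse_ipsec_conf(text)
    findings = []
    for name in conf["conns"]:
        if name == "%default":
            continue
        c = effective(conf, name)
        if c.get("right") == "%any" and c.get("auto") == "start":
            findings.append((name, "auto=start with right=%any: peer IP unknown at startup, use auto=add"))
    if conf["setup"].get("nat_traversal") != "yes":
        findings.append(("setup", "nat_traversal=yes missing (needed if either end is behind NAT)"))
    return findings
```

Note that "forceencaps=yes" is a per-conn fallback the reply suggests only after NAT traversal alone fails, so the checker does not demand it.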




> Date: Mon, 30 Mar 2009 21:00:58 +0100
> From: n1ck.h0w1tt at gmail.com
> To: users at openswan.org
> Subject: [Openswan Users] Help needed to set up OpenSwan/ClarkConnect to Draytek Vigor router
> 
> Hi,
> 
> I have recently installed a ClarkConnect 4.3 firewall/router to replace 
> my old router. I have upgraded OpenSwan to v2.4.13 (2.6.20 won't 
> compile; 2.6.18 may compile but I do not understand the output as I am 
> new to Linux)
> 
> The set up I want is CC to Draytek Vigor 2600 LAN/LAN connection and CC 
> to Draytek Vigor 2900 LAN/LAN connection.
> 
> Concentrating on the CC to Draytek Vigor 2600 connection, I have the 
> following setup. Both CC and 2600 are on dynamic IPs with dynamic DNS 
> FQDNs available. I would like the 2600 to call the CC box.
> 
> My ipsec.conf looks like:
> version 2.0
> config setup
>    interfaces=%defaultroute
> 
> conn %default
>    authby=secret
>    auto=start
>    keyingtries=%forever
>    left=%defaultroute
>    leftsubnet=192.168.2.0/24
>    leftsourceip=192.168.2.1
> 
> conn Mark
>    right=%any
>    rightsubnet=192.168.20.0/24
>    rightid=FarEndFQDN
> 
> My ipsec.secrets is just:
> : PSK "MyPSK"
> 
> When I start ipsec I get the following log in /var/log/messages:
> 
> Mar 29 22:25:41 server pluto[13357]: added connection description "Mark"
> Mar 29 22:25:41 server pluto[13357]: "Mark": cannot route connection 
> without knowing our nexthop
> Mar 29 22:25:42 server pluto[13357]: "Mark": cannot initiate connection 
> without knowing peer IP address (kind=CK_TEMPLATE)
> Mar 29 22:29:01 server pluto[13357]: "Mum"[3] 78.150.201.201 #4: 
> switched from "Mum" to "Mark"
> Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4: 
> deleting connection "Mum" instance with peer 78.150.201.201 
> {isakmp=#0/ipsec=#0}
> Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4: I did 
> not send a certificate because I do not have one.
> Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4: 
> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Mar 29 22:29:01 server pluto[13357]: "Mark"[1] 78.150.201.201 #4: 
> STATE_MAIN_R3: sent MR3, ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 
> group=modp1024}
> Mar 29 22:29:03 server pluto[13357]: "Mark"[1] 78.150.201.201 #5: 
> responding to Quick Mode {msgid:7ffffefc}
> Mar 29 22:29:03 server pluto[13357]: "Mark"[1] 78.150.201.201 #5: 
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Mar 29 22:29:03 server pluto[13357]: "Mark"[1] 78.150.201.201 #5: 
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Mar 29 22:29:06 server pluto[13357]: "Mark"[1] 78.150.201.201 #5: 
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Mar 29 22:29:06 server pluto[13357]: "Mark"[1] 78.150.201.201 #5: 
> STATE_QUICK_R2: IPsec SA established {ESP=>0xfffefd51 <0x0ae041f2 
> xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
> Mar 29 23:09:26 server pluto[13357]: "Mark"[1] 78.150.201.201 #6: 
> responding to Quick Mode {msgid:59b265cb}
> Mar 29 23:09:26 server pluto[13357]: "Mark"[1] 78.150.201.201 #6: 
> transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Mar 29 23:09:26 server pluto[13357]: "Mark"[1] 78.150.201.201 #6: 
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #6: 
> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #6: 
> STATE_QUICK_R2: IPsec SA established {ESP=>0xfffefd52 <0x7aad08cb 
> xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
> Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #4: 
> received Delete SA(0xfffefd51) payload: deleting IPSEC State #5
> Mar 29 23:09:29 server pluto[13357]: "Mark"[1] 78.150.201.201 #4: 
> received and ignored informational message
> Mar 29 23:24:31 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> initiating Main Mode to replace #4
> Mar 29 23:24:31 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 29 23:24:31 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> STATE_MAIN_I2: sent MI2, expecting MR2
> Mar 29 23:24:35 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: I did 
> not send a certificate because I do not have one.
> Mar 29 23:24:35 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Mar 29 23:24:35 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> STATE_MAIN_I3: sent MI3, expecting MR3
> Mar 29 23:24:38 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> discarding duplicate packet; already STATE_MAIN_I3
> Mar 29 23:24:43 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> discarding duplicate packet; already STATE_MAIN_I3
> Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: max 
> number of retransmissions (2) reached STATE_MAIN_I3.  Possible 
> authentication failure: no acceptable response to our first encrypted 
> message
> Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #10: 
> starting keying attempt 2 of an unlimited number
> Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #12: 
> initiating Main Mode to replace #10
> Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #12: 
> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Mar 29 23:25:45 server pluto[13357]: "Mark"[1] 78.150.201.201 #12: 
> STATE_MAIN_I2: sent MI2, expecting MR2
> Mar 29 23:25:48 server pluto[13357]: "Mark"[1] 78.150.201.201 #12: I did 
> not send a certificate because I do not have one.
> 
> This goes on and on repeating every few seconds.
> 
> At this point I can connect to the LAN side of the Draytek router 
> through the VPN which shows a 3DES-MD5 tunnel active, but I cannot 
> contact any PC beyond the Draytek router, and nor can any PC there 
> contact my server.
> 
> I suspect my problem is near the beginning where it says it cannot 
> route, but what is the fix?
> 
> I have chosen a road warrior set up as it seems the most appropriate for 
> a fairly dynamic far end IP, but I am happy to change it.
> 
> Also should I be worried about all these pluto messages? If yes, how do 
> I fix them, if not how do I stop them (plutodebug=none?)?
> 
> Many thanks,
> 
> Nick
> 