[Openswan Users] IPSEC VPN established but no connection or packets send
Markus Locher
ml at as-support.com
Thu May 14 06:25:08 EDT 2009
Hi list,
this is really weird. This IPsec VPN in tunnel mode worked for several
weeks in a SUSE 10.3 environment and now, after the
update to 11.0, it seems to work, but no ping leaves the network.
I got an error message, but the tunnel seems to be up. Look for the "HERE
!!!" text.
This is a connection from a 1&1 (1und1) server to our internal Cisco
router. We have to encapsulate the ESP packets again into
UDP because without "forceencaps=yes" the connection doesn't work. 1&1
swears that they don't block anything, but this can't be true.
Please help.
----------------------- IPSEC.CONF ---------------------------
config setup
        nat_traversal=yes
        nhelpers=0
        #interfaces="ipsec=eth0"
        interfaces=%defaultroute

# Add connections here
conn IPSECTUNNEL
        #
        authby=secret
        forceencaps=yes
        pfs=no # default is yes
        rekey=yes
        keyexchange=ike
        type=tunnel
        #
        ike=3des-sha1-modp1024
        esp=3des-sha1
        #
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        #
        # The local client.
        #
        # Connect to the server _with_ this connection details.
        left=%defaultroute
        leftsourceip=192.168.0.100
        leftsubnet=192.168.0.0/24
        #
        # The remote server.
        #
        # Connect to the server _at_ this IP address.
        right=27.1.1.23
        rightsubnet=192.168.0.0/24
        #
        # Change 'ignore' to 'add' to enable this configuration.
        #
        #auto=add
        auto=start
----------------------- END ipsec.conf -------------------------------
# rcipsec start
----------------- VAR/LOG/MESSAGES ------------------
May 14 12:13:10 s15318887 kernel: [ 1613.297672] Initializing XFRM netlink socket
May 14 12:13:10 s15318887 ipsec_setup: NETKEY on eth0 87.106.244.79/255.255.255.255 broadcast 87.106.244.79
May 14 12:13:10 s15318887 ipsec__plutorun: Starting Pluto subsystem...
May 14 12:13:10 s15318887 pluto[8522]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
May 14 12:13:10 s15318887 pluto[8522]: Setting NAT-Traversal port-4500 floating to on
May 14 12:13:10 s15318887 pluto[8522]: port floating activation criteria nat_t=1/port_fload=1
May 14 12:13:10 s15318887 pluto[8522]: including NAT-Traversal patch (Version 0.6c)
May 14 12:13:10 s15318887 pluto[8522]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 14 12:13:10 s15318887 pluto[8522]: no helpers will be started, all cryptographic operations will be done inline
May 14 12:13:10 s15318887 pluto[8522]: Using NETKEY IPsec interface code on 2.6.27.21rootserver-20090324a
May 14 12:13:10 s15318887 ipsec_setup: ...Openswan IPsec started
May 14 12:13:10 s15318887 ipsec_setup: Starting Openswan IPsec U2.4.7/K2.6.27.21rootserver-20090324a...
May 14 12:13:10 s15318887 pluto[8522]: Changing to directory '/etc/ipsec.d/cacerts'
May 14 12:13:10 s15318887 pluto[8522]: Could not change to directory '/etc/ipsec.d/aacerts'
May 14 12:13:10 s15318887 pluto[8522]: Could not change to directory '/etc/ipsec.d/ocspcerts'
May 14 12:13:10 s15318887 pluto[8522]: Changing to directory '/etc/ipsec.d/crls'
May 14 12:13:10 s15318887 pluto[8522]: Warning: empty directory
May 14 12:13:10 s15318887 pluto[8522]: added connection description "IPSECTUNNEL"
May 14 12:13:10 s15318887 pluto[8522]: listening for IKE messages
May 14 12:13:10 s15318887 pluto[8522]: adding interface eth0/eth0 192.168.0.100:500
May 14 12:13:10 s15318887 pluto[8522]: adding interface eth0/eth0 192.168.0.100:4500
May 14 12:13:10 s15318887 pluto[8522]: adding interface eth0/eth0 87.06.44.9:500
May 14 12:13:10 s15318887 pluto[8522]: adding interface eth0/eth0 87.06.44.9:4500
May 14 12:13:10 s15318887 pluto[8522]: adding interface lo/lo 127.0.0.2:500
May 14 12:13:10 s15318887 pluto[8522]: adding interface lo/lo 127.0.0.2:4500
May 14 12:13:10 s15318887 pluto[8522]: adding interface lo/lo 127.0.0.1:500
May 14 12:13:10 s15318887 pluto[8522]: adding interface lo/lo 127.0.0.1:4500
May 14 12:13:10 s15318887 pluto[8522]: adding interface lo/lo ::1:500
May 14 12:13:10 s15318887 pluto[8522]: loading secrets from "/etc/ipsec.secrets"
***************************** HERE! !!!! *************************************
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: initiating Main Mode
May 14 12:13:10 s15318887 ipsec__plutorun: 104 "IPSECTUNNEL" #1: STATE_MAIN_I1: initiate
May 14 12:13:10 s15318887 ipsec__plutorun: ...could not start conn "IPSECTUNNEL"
***************************** HERE! !!!! *************************************
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: ignoring Vendor ID payload [Cisco-Unity]
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: received Vendor ID payload [Dead Peer Detection]
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: ignoring unknown Vendor ID payload [65ce0809a7faf588c9862dbd5fef9d22]
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: ignoring Vendor ID payload [XAUTH]
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: I did not send a certificate because I do not have one.
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 14 12:13:10 s15318887 pluto[8522]: "IPSECTUNNEL" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 14 12:13:11 s15318887 pluto[8522]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #1: Main mode peer ID is ID_IPV4_ADDR: '27.1.1.23'
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #1: Dead Peer Detection (RFC 3706): enabled
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #2: Dead Peer Detection (RFC 3706): enabled
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 14 12:13:11 s15318887 pluto[8522]: "IPSECTUNNEL" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xa98a2970 <0x5deabd7d xfrm=3DES_0-HMAC_SHA1 NATD=27.1.1.23:4500 DPD=enabled}
------------------------------------------------------------------END LOG ------------------
Regards Markus
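Editor's added example (not code from the post above or from the Openswan project): the two checks a practitioner would run first on a case like this one, where the log reports both ISAKMP and IPsec SAs established yet no traffic crosses the tunnel. The first part parses an ipsec.conf in the layout shown above and flags two configuration properties that keep a tunnel from carrying traffic even when it negotiates: leftsubnet and rightsubnet that overlap (the policy selector is src=leftsubnet, dst=rightsubnet, so with identical subnets no address is unambiguously on the remote side), and forceencaps=yes without nat_traversal=yes. The second part summarizes pluto log lines per connection: last state per SA number, the NAT-T detection result, the ESP SPIs and any plutorun "could not start conn" errors. SAMPLE_CONF and SAMPLE_LOG are constructed to mirror the post (hostname shortened, only the relevant lines kept); the regular expressions assume the Openswan 2.4 message formats visible in the log above.

```python
"""Sanity checks for an Openswan-style ipsec.conf and a pluto log.

Added example, not code from the original post or from the Openswan
project. SAMPLE_CONF and SAMPLE_LOG are constructed to mirror the post
(hostname shortened); the checks themselves are the editor's own.
"""
import ipaddress
import re

SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn IPSECTUNNEL
    type=tunnel
    forceencaps=yes
    leftsubnet=192.168.0.0/24
    right=27.1.1.23
    rightsubnet=192.168.0.0/24
    auto=start
"""

# Constructed log lines in pluto's message format.
SAMPLE_LOG = """\
May 14 12:13:10 host pluto[8522]: "IPSECTUNNEL" #1: initiating Main Mode
May 14 12:13:10 host ipsec__plutorun: ...could not start conn "IPSECTUNNEL"
May 14 12:13:10 host pluto[8522]: "IPSECTUNNEL" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
May 14 12:13:11 host pluto[8522]: "IPSECTUNNEL" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 14 12:13:11 host pluto[8522]: "IPSECTUNNEL" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0xa98a2970 <0x5deabd7d xfrm=3DES_0-HMAC_SHA1 NATD=27.1.1.23:4500 DPD=enabled}
"""

def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}}.

    Section headers start in column 0, key=value lines are indented,
    and '#' begins a comment, as in ipsec.conf(5).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint_conn(sections, name):
    """Findings that explain why a tunnel can be 'up' yet carry no traffic."""
    findings = []
    conn = sections.get(f"conn {name}", {})
    setup = sections.get("config setup", {})
    ls, rs = conn.get("leftsubnet"), conn.get("rightsubnet")
    if ls and rs and conn.get("type", "tunnel") == "tunnel":
        left = ipaddress.ip_network(ls, strict=False)
        right = ipaddress.ip_network(rs, strict=False)
        if left.overlaps(right):
            # The SPD selector is src=leftsubnet, dst=rightsubnet; with
            # overlapping subnets no address is unambiguously "remote".
            findings.append(f"leftsubnet {ls} overlaps rightsubnet {rs}")
    if conn.get("forceencaps") == "yes" and setup.get("nat_traversal") != "yes":
        findings.append("forceencaps=yes needs nat_traversal=yes in config setup")
    return findings

STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_[A-Z0-9_]+):')
SPI_RE = re.compile(r"ESP(?:/NAT)?=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)")
NAT_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: NAT-Traversal: Result[^:]*: (?P<result>.+)$')
ERR_RE = re.compile(r'could not start conn "(?P<conn>[^"]+)"')

def summarize_pluto_log(text):
    """Per-conn view: last state per SA number, NAT-T result, ESP SPIs, errors."""
    summary = {}

    def entry(conn):
        return summary.setdefault(conn, {"states": {}, "nat": None, "spi": None, "errors": []})

    for line in text.splitlines():
        if m := STATE_RE.search(line):
            entry(m["conn"])["states"][int(m["sa"])] = m["state"]
            if s := SPI_RE.search(line):
                entry(m["conn"])["spi"] = (s["out"], s["inb"])
        if m := NAT_RE.search(line):
            entry(m["conn"])["nat"] = m["result"]
        if m := ERR_RE.search(line):
            entry(m["conn"])["errors"].append("plutorun: could not start conn")
    for e in summary.values():
        states = set(e["states"].values())
        # Initiator finishes Main Mode in I4 and Quick Mode in I2 (responder: R3 / R2).
        e["isakmp_up"] = bool(states & {"STATE_MAIN_I4", "STATE_MAIN_R3"})
        e["ipsec_up"] = bool(states & {"STATE_QUICK_I2", "STATE_QUICK_R2"})
    return summary
```

Run against the constructed sample, lint_conn reports the overlapping subnets and nothing else (nat_traversal is set), and summarize_pluto_log shows both SAs up with the NAT-T result "both are NATed" alongside the plutorun error, which is the same picture the post's log gives: a negotiation that completes while the policy it installs cannot select the traffic the author expects to see tunneled.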