[Openswan Users] newbie with 1st setup question

Gary Stainburn gary at ringways.co.uk
Thu May 14 14:23:38 EDT 2009


Evening all, I'm new to this list and new to IPSEC and Openswan, so if this 
is a FAQ I apologise.

I've followed the instructions on the wiki to install Openswan, and to 
configure an IPSEC connection between groucho and harpo (both Fedora 9).

When I start up the connection, the output in the session window looks okay, 
but the log files on both machines show problems, and I cannot get traffic to 
pass down the VPN.

If someone could point out the error of my ways I'd appreciate it.

Gary

[console]

[root at groucho ~]# ipsec auto --up leeds-to-rmg
104 "leeds-to-rmg" #6: STATE_MAIN_I1: initiate
010 "leeds-to-rmg" #6: STATE_MAIN_I1: retransmission; will wait 20s for response
003 "leeds-to-rmg" #6: received Vendor ID payload [Openswan (this version) 2.6.19 ]
003 "leeds-to-rmg" #6: received Vendor ID payload [Dead Peer Detection]
003 "leeds-to-rmg" #6: received Vendor ID payload [RFC 3947] method set to=109
106 "leeds-to-rmg" #6: STATE_MAIN_I2: sent MI2, expecting MR2
010 "leeds-to-rmg" #6: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "leeds-to-rmg" #6: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "leeds-to-rmg" #6: STATE_MAIN_I3: sent MI3, expecting MR3
003 "leeds-to-rmg" #6: received Vendor ID payload [CAN-IKEv2]
004 "leeds-to-rmg" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "leeds-to-rmg" #7: STATE_QUICK_I1: initiate
004 "leeds-to-rmg" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xec8073f0 <0x7c1258f6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root at groucho ~]# ping 10.1.1.115
PING 10.1.1.115 (10.1.1.115) 56(84) bytes of data.
^C
--- 10.1.1.115 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4254ms

[root at groucho ~]#


[/var/log/ipsec on groucho]

[root at groucho ~]# tail -f /var/log/ipsec
May 14 18:50:44 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: initiating Main Mode
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: received Vendor ID payload [Openswan (this version) 2.6.19 ]
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: received Vendor ID payload [Dead Peer Detection]
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: received Vendor ID payload [RFC 3947] method set to=109
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: enabling possible NAT-traversal with method 4
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: STATE_MAIN_I2: sent MI2, expecting MR2
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: STATE_MAIN_I3: sent MI3, expecting MR3
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: received Vendor ID payload [CAN-IKEv2]
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: Main mode peer ID is ID_FQDN: '@harpo.ringways.co.uk'
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #7: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#6 msgid:c4a84f9a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xec8073f0 <0x7c1258f6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
May 14 18:51:14 s_sys at groucho pluto[2598]: packet from 77.86.27.2:500: phase 1 message is part of an unknown exchange

[/var/log/ipsec on harpo]

[root at harpo ~]# tail -f /var/log/ipsec
May 14 18:44:59 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [Openswan (this version) 2.6.19 ]
May 14 18:44:59 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [Dead Peer Detection]
May 14 18:44:59 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [RFC 3947] method set to=109
May 14 18:44:59 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
May 14 18:44:59 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 14 18:44:59 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
May 14 18:44:59 s_sys at harpo pluto[30054]: "leeds-to-rmg" #4: responding to Main Mode
May 14 18:44:59 s_sys at harpo pluto[30054]: "leeds-to-rmg" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 14 18:44:59 s_sys at harpo pluto[30054]: "leeds-to-rmg" #4: STATE_MAIN_R1: sent MR1, expecting MI2
May 14 18:45:09 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [Openswan (this version) 2.6.19 ]
May 14 18:45:09 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [Dead Peer Detection]
May 14 18:45:09 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [RFC 3947] method set to=109
May 14 18:45:09 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
May 14 18:45:09 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
May 14 18:45:09 s_sys at harpo pluto[30054]: packet from 91.85.127.194:52855: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
May 14 18:45:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: responding to Main Mode
May 14 18:45:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 14 18:45:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: STATE_MAIN_R1: sent MR1, expecting MI2
May 14 18:45:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 14 18:45:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 14 18:45:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: STATE_MAIN_R2: sent MR2, expecting MI3
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: discarding duplicate packet; already STATE_MAIN_R2
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: Main mode peer ID is ID_FQDN: '@groucho.ringways.co.uk'
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: new NAT mapping for #5, was 91.85.127.194:52855, now 91.85.127.194:52892
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: the peer proposed: 10.1.0.0/16:0/0 -> 10.6.0.0/16:0/0
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6: responding to Quick Mode proposal {msgid:c4a84f9a}
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6:     us: 10.1.0.0/16===77.86.27.2<77.86.27.2>[@harpo.ringways.co.uk,+S=C]---77.86.27.1
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6:   them: 77.86.27.1---91.85.127.194<91.85.127.194>[@groucho.ringways.co.uk,+S=C]===10.6.0.0/16
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x7c1258f6 <0xec8073f0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=91.85.127.194:52892 DPD=none}
May 14 18:46:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #4: max number of retransmissions (2) reached STATE_MAIN_R1


[/etc/ipsec.d/leeds-to-rmg.conf]

[root at harpo ~]# more /etc/ipsec.d/leeds-to-rmg.conf
conn leeds-to-rmg
    left=77.86.27.2
    leftid=@harpo.ringways.co.uk
    leftsubnet=10.1.0.0/16
    leftnexthop=%defaultroute
    leftrsasigkey=[cut]
    rightnexthop=%defaultroute
    right=91.85.127.194
    rightsubnet=10.6.0.0/16
    rightid=@groucho.ringways.co.uk
    rightrsasigkey=[cut]
    auto=start
[root at harpo ~]#

-- 
Gary Stainburn
 
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000     
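Since the tunnel above negotiates to "IPsec SA established" on both ends yet passes no traffic, the first thing worth doing is to read the two pluto logs against each other rather than separately. The script below is an added example, not code from this post or from the Openswan project: it parses pluto syslog lines from both hosts (sample lines copied from the post and embedded as constructed strings, with the archive's "user at host" spelling), extracts the outbound/inbound ESP SPIs from each side's "IPsec SA established" line and confirms they mirror each other, compares the Quick Mode selectors harpo logged against the leftsubnet/rightsubnet values in the conn section, and lists the lines a reviewer would want flagged (retransmissions, discarded packets, the NAT port remapping, the "unknown exchange" message). The line-format regexes, the warning labels and the function names are this example's own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample input: pluto lines copied from the two hosts in the post
# (the list archive rewrites "user@host" as "user at host"; the parser copes with both).
GROUCHO_LOG = """\
May 14 18:50:54 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #6: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
May 14 18:51:04 s_sys at groucho pluto[2598]: "leeds-to-rmg" #7: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xec8073f0 <0x7c1258f6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
May 14 18:51:14 s_sys at groucho pluto[2598]: packet from 77.86.27.2:500: phase 1 message is part of an unknown exchange
"""
HARPO_LOG = """\
May 14 18:45:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: discarding duplicate packet; already STATE_MAIN_R2
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: new NAT mapping for #5, was 91.85.127.194:52855, now 91.85.127.194:52892
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #5: the peer proposed: 10.1.0.0/16:0/0 -> 10.6.0.0/16:0/0
May 14 18:45:19 s_sys at harpo pluto[30054]: "leeds-to-rmg" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x7c1258f6 <0xec8073f0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=91.85.127.194:52892 DPD=none}
May 14 18:46:09 s_sys at harpo pluto[30054]: "leeds-to-rmg" #4: max number of retransmissions (2) reached STATE_MAIN_R1
"""
# The subnet lines of the post's conn section, used to cross-check the Quick Mode selectors.
CONF = """\
conn leeds-to-rmg
    leftsubnet=10.1.0.0/16
    rightsubnet=10.6.0.0/16
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<ident>.+?) pluto\[\d+\]: '
                     r'(?:"(?P<conn>[^"]+)" #(?P<st>\d+): )?(?P<msg>.*)$')
SPI_RE = re.compile(r'ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')
PROPOSED_RE = re.compile(r'the peer proposed: (\S+?):\S+ -> (\S+?):\S+')
# Messages worth surfacing, checked in order; the first match labels the line.
WARN_PATTERNS = [
    (re.compile(r'max number of retransmissions'), 'max number of retransmissions reached'),
    (re.compile(r'retransmission'), 'retransmission'),
    (re.compile(r'discarding .*packet'), 'discarded packet'),
    (re.compile(r'unknown exchange'), 'phase 1 message for unknown exchange'),
    (re.compile(r'new NAT mapping'), 'NAT port mapping changed'),
]
# conn/state are None for "packet from ..." lines that pluto has not yet bound to a state.
Event = namedtuple('Event', 'ts host conn state msg')

def parse_pluto(log):
    """Parse pluto syslog lines into Events; lines that do not match the format are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        host = m.group('ident').split()[-1]          # last word of "s_sys at groucho"
        st = m.group('st')
        events.append(Event(m.group('ts'), host, m.group('conn'), int(st) if st else None, m.group('msg')))
    return events

def esp_spis(events):
    """Outbound/inbound ESP SPIs from the last 'IPsec SA established' line, or None."""
    spis = None
    for e in events:
        m = SPI_RE.search(e.msg)
        if m and 'IPsec SA established' in e.msg:
            spis = {'out': m.group('out'), 'in': m.group('in')}
    return spis

def spis_mirrored(a, b):
    """Each side's outbound SPI must be the other side's inbound SPI."""
    return bool(a and b) and a['out'] == b['in'] and a['in'] == b['out']

def nat_detected(events):
    return any('NATed' in e.msg for e in events)

def suspect_lines(events):
    """(label, state number, message) for every line matching a warning pattern."""
    found = []
    for e in events:
        for pat, label in WARN_PATTERNS:
            if pat.search(e.msg):
                found.append((label, e.state, e.msg))
                break
    return found

def conf_subnets(conf):
    """The leftsubnet/rightsubnet values from a conn section."""
    pairs = (l.strip().split('=', 1) for l in conf.splitlines() if '=' in l)
    return {v for k, v in pairs if k in ('leftsubnet', 'rightsubnet')}

def proposed_subnets(events):
    """Both selectors from the responder's 'the peer proposed' line (empty set if absent)."""
    hits = [m for m in map(PROPOSED_RE.search, (e.msg for e in events)) if m]
    return {hits[0].group(1), hits[0].group(2)} if hits else set()

def summarize(initiator_log, responder_log, conf):
    """One dict answering: same SA on both ends? NAT in play? selectors as configured? what to look at?"""
    i, r = parse_pluto(initiator_log), parse_pluto(responder_log)
    return {
        'spis_mirrored': spis_mirrored(esp_spis(i), esp_spis(r)),
        'nat': nat_detected(i) or nat_detected(r),
        'selectors_match_conf': proposed_subnets(r) == conf_subnets(conf),
        'warnings': {i[0].host: [w[0] for w in suspect_lines(i)], r[0].host: [w[0] for w in suspect_lines(r)]},
    }

if __name__ == '__main__':
    for key, value in summarize(GROUCHO_LOG, HARPO_LOG, CONF).items():
        print(f'{key}: {value}')
```

On the post's own lines the summary comes back with the SPI pair mirrored (groucho's outbound 0xec8073f0 is harpo's inbound and vice versa) and the proposed selectors equal to the configured subnets, which says the IKE negotiation itself finished consistently on both ends; what remains flagged is the NAT port remapping from 52855 to 52892, the "unknown exchange" message arriving from 77.86.27.2:500 after the SA was up, and the stale state #4 timing out. That narrows a "tunnel up, no traffic" report to the path the ESP (or UDP-encapsulated, when NATed) packets take rather than to the key exchange.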