[Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338

Marcos Hacker mfhacker at hotmail.com
Tue May 19 10:35:32 EDT 2009



> Date: Mon, 18 May 2009 21:20:29 -0400
> From: paul at xelerance.com
> To: mfhacker at hotmail.com
> CC: users at openswan.org
> Subject: Re: [Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338
> 
> On Mon, 18 May 2009, Marcos Hacker wrote:
> 
> > Does it make a difference if we use the whack command line or ipsec.conf?
> > I'm not sure why using the whack command line was chosen. It was probably
> > the easier route at the time.
> 
> No it does not make a difference, though the config file seems much
> easier to use according to me. Also, if the whack syntax changes, the
> config file syntax will remain the same.
> 
> > If the right/Netgear certificate is not loaded on the left/Linux device
> > manually, then it is not sent over (after checking ipsec auto --listall).
> 
> Not even with leftsendcert=always?
> 
The certificate is not being sent even with leftsendcert=always, or --to --sendcert always in our case.

> > After reading about the 3/30/09 security release, I upgraded from
> > OpenSWAN 2.6.19 to 2.6.21 and can no longer get the IPSec SA established.
> > If I revert back to 2.6.19, the connection establishes as expected.
> > Again, in both cases, we have the public certificate from the right
> > manually loaded on the left.
> 
> Odd. Can you try openswan-2.6.22dr2, and it fails, give me the output
> with full pluto debug?
> 
I tried openswan-2.6.22dr2. It fails to complete phase 2 as well. Below are the debug outputs from both openswan-2.6.19 (successfully connects) and openswan-2.6.22dr2. The failure case for openswan-2.6.21 looks the same as openswan-2.6.22dr2.

> > pluto[177]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
> > group=modp1024}
> > pluto[177]: "vpn_tunnel" #2: initiating Quick Mode
> > RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:8499abd4
> > proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> > pluto[177]: "vpn_tunnel" #1: ignoring informational payload, type
> > NO_PROPOSAL_CHOSEN msgid=00000000
> 
> Odd, the proposal is the same, the phase1 is the same, yet the remote
> rejected it. It would definitely help to get both pluto debug logs
> (2.6.21 and 2.6.22dr2)
> 
> Paul

OpenSWAN 2.6.22dr2 output

sh-2.05b# ipsec whack --initiate --asynchronous --name vpn_tunnel --debug-x509
pluto[225]: "vpn_tunnel": extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: initiating Main Mode
002 "vpn_tunnel": extra debugging enabled for connection: x509
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: initiating Main Mode
104 "vpn_tunnel" #1: STATE_MAIN_I1: initiate
sh-2.05b# pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
pluto[225]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: I am sending my cert
pluto[225]: "vpn_tunnel" #1: I am sending a certificate request
pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '130.168.1.2'
pluto[225]: | subject: 'C=US, ST=Florida, O=Corp, OU=Group, CN=Device'
pluto[225]: | issuer:  'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[225]: |   not before  : May 15 13:19:17 UTC 2009
pluto[225]: |   current time: May 19 14:53:31 UTC 2009
pluto[225]: |   not after   : May 15 13:19:17 UTC 2010
pluto[225]: | valid certificate for "C=US, ST=Florida, O=Corp, OU=Group, CN=Device"
pluto[225]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[225]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[225]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corp, OU=Group, CN=Device)
pluto[225]: "vpn_tunnel" #1: no crl from issuer "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found (strict=no)
pluto[225]: | subject: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[225]: | issuer:  'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[225]: | authkey:  d3:6b:70:0c:93:8b:60:d0:78:54:24:b2:d3:7e:5e:ff:af:13:8d:0f
pluto[225]: |   not before  : Jan 01 00:00:00 UTC 2000
pluto[225]: |   current time: May 19 14:53:31 UTC 2009
pluto[225]: |   not after   : Dec 31 23:59:59 UTC 2037
pluto[225]: | valid certificate for "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device"
pluto[225]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[225]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[225]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corporation, OU=Group, CN=Device)
pluto[225]: | Public key validated
pluto[225]: |   trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: none
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:9b1ff4bf proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

OpenSWAN 2.6.19 output 

sh-2.05b# ipsec whack --initiate --asynchronous --name vpn_tunnel --debug-x509
pluto[268]: "vpn_tunnel": extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: initiating Main Mode
002 "vpn_tunnel": extra debugging enabled for connection: x509
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: initiating Main Mode
104 "vpn_tunnel" #1: STATE_MAIN_I1: initiate
sh-2.05b# pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
pluto[268]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: I am sending my cert
pluto[268]: "vpn_tunnel" #1: I am sending a certificate request
pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '130.168.1.2'
pluto[268]: | subject: 'C=US, ST=Florida, O=Corp, OU=Group, CN=Device'
pluto[268]: | issuer:  'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[268]: |   not before  : May 15 13:19:17 UTC 2009
pluto[268]: |   current time: May 19 14:54:48 UTC 2009
pluto[268]: |   not after   : May 15 13:19:17 UTC 2010
pluto[268]: | valid certificate for "C=US, ST=Florida, O=Corp, OU=Group, CN=Device"
pluto[268]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[268]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[268]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corp, OU=Group, CN=Device)
pluto[268]: "vpn_tunnel" #1: no crl from issuer "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found (strict=no)
pluto[268]: | subject: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[268]: | issuer:  'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[268]: | authkey:  d3:6b:70:0c:93:8b:60:d0:78:54:24:b2:d3:7e:5e:ff:af:13:8d:0f
pluto[268]: |   not before  : Jan 01 00:00:00 UTC 2000
pluto[268]: |   current time: May 19 14:54:48 UTC 2009
pluto[268]: |   not after   : Dec 31 23:59:59 UTC 2037
pluto[268]: | valid certificate for "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device"
pluto[268]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[268]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[268]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corporation, OU=Group, CN=Device)
pluto[268]: | Public key validated
pluto[268]: |   trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: none
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:2ecb3fed proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[268]: "vpn_tunnel" #1: received and ignored informational message
pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: |   trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: |   trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: |   trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: "vpn_tunnel" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
pluto[268]: "vpn_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x066958a9 <0xa21036f0 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}

marcos
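As an added example (not from this thread or from Openswan itself), a small Python parser that applies the comparison Paul asks for to the two captures above: per capture it reports whether phase 1 and phase 2 completed, which informational notifications the peer sent, and which Quick Mode proposal was offered, so the divergence point (same proposal, same phase 1, NO_PROPOSAL_CHOSEN only from the 2.6.22dr2 run) is visible at a glance. The function names and the condensed sample lines are mine.

```python
import re
from collections import Counter
# Constructed input: lines condensed from the two captures posted in the thread.
FAIL_LOG = """\
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[225]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:9b1ff4bf proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
OK_LOG = """\
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[268]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:2ecb3fed proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[268]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[268]: "vpn_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x066958a9 <0xa21036f0 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
"""
# Only lines naming an SA ("vpn_tunnel" #1 / #2) carry negotiation state; the
# '|' debug lines and the whack echo lines (002/104 ...) do not match and are skipped.
LINE_RE = re.compile(r'pluto\[\d+\]: "[^"]+" #(?P<sa>\d+): (?P<msg>.*)')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (\S+)')
PROPOSAL_RE = re.compile(r'proposal=(\S+) pfsgroup=([^}\s]+)')

def summarize_pluto_log(text):
    """Which phases completed, which notifications the peer sent, what we proposed."""
    s = {"phase1_up": False, "phase2_up": False, "proposal": None, "notifications": Counter()}
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            s["phase1_up"] = True
        elif "IPsec SA established" in msg:
            s["phase2_up"] = True
        if n := NOTIFY_RE.search(msg):
            s["notifications"][n.group(1)] += 1
        if p := PROPOSAL_RE.search(msg):
            s["proposal"] = (p.group(1), p.group(2))  # (transform, pfsgroup)
    return s

def verdict(s):
    """One-line diagnosis, checked in the order a responder would ask."""
    if s["phase2_up"]:
        return "IPsec SA established"
    if not s["phase1_up"]:
        return "phase 1 (ISAKMP SA) never completed"
    rejected = s["notifications"]["NO_PROPOSAL_CHOSEN"]
    if rejected:
        return "phase 1 ok; peer answered Quick Mode proposal %s (pfs=%s) with NO_PROPOSAL_CHOSEN %d times" % (*s["proposal"], rejected)
    return "phase 1 ok; Quick Mode timed out without a notification"
```

Running `verdict(summarize_pluto_log(...))` on a full `ipsec barf` or syslog capture works the same way, since unmatched lines are simply ignored.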
