[Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338
Marcos Hacker
mfhacker at hotmail.com
Fri May 29 15:09:08 EDT 2009
Hi Paul,
I have more information on the difference between connecting with OpenSWAN 2.6.19 and 2.6.22dr2 to our Netgear FVS338.
To recap, using certificates phase 2 connects with OpenSWAN 2.6.19 but does not with 2.6.22dr2.
The code change that seems to break the phase 2 portion of the connection is in /programs/pluto/spdb_v1_struct.c. If I remove this change (/* add IPcomp proposal if policy asks for it */), both 2.6.20 & 2.6.22dr2 complete the IPsec SA.
marcos
From: mfhacker at hotmail.com
To: paul at xelerance.com
Date: Tue, 19 May 2009 10:35:32 -0400
CC: users at openswan.org
Subject: Re: [Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338
> Date: Mon, 18 May 2009 21:20:29 -0400
> From: paul at xelerance.com
> To: mfhacker at hotmail.com
> CC: users at openswan.org
> Subject: Re: [Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338
>
> On Mon, 18 May 2009, Marcos Hacker wrote:
>
> > Does it make a difference if we use the whack command line or ipsec.conf?
> > I'm not sure why using the whack command line was chosen. It was probably
> > the easier route at the time.
>
> No it does not make a difference, though the config file seems much
> easier to use according to me. Also, if the whack syntax changes, the
> config file syntax will remain the same.
>
> > If the right/Netgear certificate is not loaded on the left/Linux device
> > manually, then it is not sent over (after checking ipsec auto --listall).
>
> Not even with leftsendcert=always?
>
The certificate is not being sent even with leftsendcert=always, or --to --sendcert always in our case.
> > After reading about the 3/30/09 security release, I upgraded from
> > OpenSWAN 2.6.19 to 2.6.21 and can no longer get the IPSec SA established.
> > If I revert back to 2.6.19, the connection establishes as expected.
> > Again, in both cases, we have the public certificate from the right
> > manually loaded on the left.
>
> Odd. Can you try openswan-2.6.22dr2, and it fails, give me the output
> with full pluto debug?
>
I tried openswan-2.6.22dr2. It fails to complete phase 2 as well. Below are the debug outputs from both openswan-2.6.19 (successfully connects) and openswan-2.6.22dr2. The failure case for openswan-2.6.21 looks the same as openswan-2.6.22dr2.
> > pluto[177]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
> > group=modp1024}
> > pluto[177]: "vpn_tunnel" #2: initiating Quick Mode
> > RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:8499abd4
> > proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> > pluto[177]: "vpn_tunnel" #1: ignoring informational payload, type
> > NO_PROPOSAL_CHOSEN msgid=00000000
>
> Odd, the proposal is the same, the phase1 is the same, yet the remote
> rejected it. It would definitely help to get both pluto debug logs
> (2.6.21 and 2.6.22dr2)
>
> Paul
OpenSWAN 2.6.22dr2 output
sh-2.05b# ipsec whack --initiate --asynchronous --name vpn_tunnel --debug-x509
pluto[225]: "vpn_tunnel": extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: initiating Main Mode
002 "vpn_tunnel": extra debugging enabled for connection: x509
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: initiating Main Mode
104 "vpn_tunnel" #1: STATE_MAIN_I1: initiate
sh-2.05b# pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
pluto[225]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: I am sending my cert
pluto[225]: "vpn_tunnel" #1: I am sending a certificate request
pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '130.168.1.2'
pluto[225]: | subject: 'C=US, ST=Florida, O=Corp, OU=Group, CN=Device'
pluto[225]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[225]: | not before : May 15 13:19:17 UTC 2009
pluto[225]: | current time: May 19 14:53:31 UTC 2009
pluto[225]: | not after : May 15 13:19:17 UTC 2010
pluto[225]: | valid certificate for "C=US, ST=Florida, O=Corp, OU=Group, CN=Device"
pluto[225]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[225]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[225]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corp, OU=Group, CN=Device)
pluto[225]: "vpn_tunnel" #1: no crl from issuer "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found (strict=no)
pluto[225]: | subject: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[225]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[225]: | authkey: d3:6b:70:0c:93:8b:60:d0:78:54:24:b2:d3:7e:5e:ff:af:13:8d:0f
pluto[225]: | not before : Jan 01 00:00:00 UTC 2000
pluto[225]: | current time: May 19 14:53:31 UTC 2009
pluto[225]: | not after : Dec 31 23:59:59 UTC 2037
pluto[225]: | valid certificate for "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device"
pluto[225]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[225]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[225]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corporation, OU=Group, CN=Device)
pluto[225]: | Public key validated
pluto[225]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[225]: "vpn_tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: none
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:9b1ff4bf proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #1: received and ignored informational message
pluto[225]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[225]: | processing connection vpn_tunnel
pluto[225]: "vpn_tunnel" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
OpenSWAN 2.6.19 output
sh-2.05b# ipsec whack --initiate --asynchronous --name vpn_tunnel --debug-x509
pluto[268]: "vpn_tunnel": extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: none
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: initiating Main Mode
002 "vpn_tunnel": extra debugging enabled for connection: x509
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: extra debugging enabled for connection: none
002 "vpn_tunnel" #1: initiating Main Mode
104 "vpn_tunnel" #1: STATE_MAIN_I1: initiate
sh-2.05b# pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
pluto[268]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: ignoring Vendor ID payload [KAME/racoon]
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: I am sending my cert
pluto[268]: "vpn_tunnel" #1: I am sending a certificate request
pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '130.168.1.2'
pluto[268]: | subject: 'C=US, ST=Florida, O=Corp, OU=Group, CN=Device'
pluto[268]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[268]: | not before : May 15 13:19:17 UTC 2009
pluto[268]: | current time: May 19 14:54:48 UTC 2009
pluto[268]: | not after : May 15 13:19:17 UTC 2010
pluto[268]: | valid certificate for "C=US, ST=Florida, O=Corp, OU=Group, CN=Device"
pluto[268]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[268]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[268]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corp, OU=Group, CN=Device)
pluto[268]: "vpn_tunnel" #1: no crl from issuer "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found (strict=no)
pluto[268]: | subject: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[268]: | issuer: 'C=US, ST=Florida, O=Corporation, OU=Group, CN=Device'
pluto[268]: | authkey: d3:6b:70:0c:93:8b:60:d0:78:54:24:b2:d3:7e:5e:ff:af:13:8d:0f
pluto[268]: | not before : Jan 01 00:00:00 UTC 2000
pluto[268]: | current time: May 19 14:54:48 UTC 2009
pluto[268]: | not after : Dec 31 23:59:59 UTC 2037
pluto[268]: | valid certificate for "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device"
pluto[268]: | issuer cacert "C=US, ST=Florida, O=Corporation, OU=Group, CN=Device" found
pluto[268]: | signature algorithm: 'sha-1WithRSAEncryption'
pluto[268]: | valid certificate signature (C=US, ST=Florida, O=Corporation, OU=Group, CN=Device -> C=US, ST=Florida, O=Corporation, OU=Group, CN=Device)
pluto[268]: | Public key validated
pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: "vpn_tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: none
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:2ecb3fed proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[268]: "vpn_tunnel" #1: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[268]: "vpn_tunnel" #1: received and ignored informational message
pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: "vpn_tunnel" #2: extra debugging enabled for connection: x509
pluto[268]: | processing connection vpn_tunnel
pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: | trusted_ca called with a=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device b=C=US, ST=Florida, O=Corporation, OU=Group, CN=Device
pluto[268]: "vpn_tunnel" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
pluto[268]: "vpn_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x066958a9 <0xa21036f0 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
marcos
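As an added example (not code from this thread or from the Openswan project), the following Python parser reduces pluto debug output like the two captures above to a per-connection phase 2 verdict, so the "ISAKMP SA established, Quick Mode initiated, then NO_PROPOSAL_CHOSEN until retransmissions run out" pattern can be spotted mechanically; the sample log text is constructed from the lines quoted in this thread, and the function names are my own.

```python
import re

# Constructed samples modelled on the pluto output quoted above (2.6.22dr2 fails, 2.6.19 succeeds).
FAIL_LOG = """\
pluto[225]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[225]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:9b1ff4bf proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
pluto[225]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[225]: "vpn_tunnel" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
OK_LOG = """\
pluto[268]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[268]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:2ecb3fed proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[268]: "vpn_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x066958a9 <0xa21036f0 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
QM_RE = re.compile(r'initiating Quick Mode (?P<policy>\S+) \{.*proposal=(?P<proposal>\S+)')

def summarize_quick_mode(log_text):
    # Walk the log once and collect, per connection name, the facts that decide phase 2.
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "| processing connection" and whack echo lines carry no state
        conn, msg = m.group("conn"), m.group("msg")
        rec = result.setdefault(conn, {"isakmp": False, "policy": [], "proposal": None,
                                       "no_proposal_chosen": 0, "ipsec_sa": False, "gave_up": False})
        if "ISAKMP SA established" in msg:
            rec["isakmp"] = True
        qm = QM_RE.search(msg)
        if qm:
            rec["policy"] = qm.group("policy").split("+")
            rec["proposal"] = qm.group("proposal")
        rec["no_proposal_chosen"] += "NO_PROPOSAL_CHOSEN" in msg
        rec["ipsec_sa"] |= "IPsec SA established" in msg
        rec["gave_up"] |= "max number of retransmissions" in msg
    return result

def diagnose(rec):
    # Phase 1 up but every Quick Mode attempt answered with NO_PROPOSAL_CHOSEN means the peer rejected our proposal.
    if rec["ipsec_sa"]:
        return "phase2 ok"
    if rec["isakmp"] and rec["no_proposal_chosen"]:
        hint = "; COMPRESS in policy, check IPcomp proposal" if "COMPRESS" in rec["policy"] else ""
        return "phase2 rejected: NO_PROPOSAL_CHOSEN" + hint
    return "phase1 incomplete" if not rec["isakmp"] else "phase2 pending"
```

Run over a full `--debug-x509` capture the same way; informational payloads such as IPSEC_INITIAL_CONTACT are deliberately not counted as rejections.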