[Openswan Users] Ipsec Server Configuration

Walter Hansen whansen at corporate-image.com
Fri Oct 30 19:31:14 EDT 2009


Once again we seem to be having troubles getting a secure tunnel going
between a Linux server and a Cisco 3000 router.
New Server: Fedora Core 8, Openswan 2.4.9-2.fc8
Old Server (working now): Fedora 2, Linux Openswan U2.2.0/K2.6.8-1.521smp (native)
The server is giving me this:

# ipsec auto --verbose --up prod-sms
002 "prod-sms" #110: initiating Main Mode
104 "prod-sms" #110: STATE_MAIN_I1: initiate
003 "prod-sms" #110: ignoring Vendor ID payload [FRAGMENTATION c0000000]
002 "prod-sms" #110: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "prod-sms" #110: STATE_MAIN_I2: sent MI2, expecting MR2
003 "prod-sms" #110: received Vendor ID payload [Cisco-Unity]
003 "prod-sms" #110: received Vendor ID payload [XAUTH]
003 "prod-sms" #110: ignoring unknown Vendor ID payload [c42ac15544515788520e18f30d368014]
003 "prod-sms" #110: ignoring Vendor ID payload [Cisco VPN 3000 Series]
002 "prod-sms" #110: I did not send a certificate because I do not have one.
002 "prod-sms" #110: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "prod-sms" #110: STATE_MAIN_I3: sent MI3, expecting MR3
003 "prod-sms" #110: received Vendor ID payload [Dead Peer Detection]
002 "prod-sms" #110: Main mode peer ID is ID_IPV4_ADDR: '216.160.25.121'
002 "prod-sms" #110: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "prod-sms" #110: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "prod-sms" #111: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#110}
117 "prod-sms" #111: STATE_QUICK_I1: initiate
010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "prod-sms" #111: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "prod-sms" #111: starting keying attempt 2 of an unlimited number, but releasing whack


I copied the configuration over from our server at the same server farm and
changed the left side values. However, it's a much later version of
Fedora (Core 8) and I installed the current version of Openswan (2.4.9-2.fc8)
using yum.

I got this info from the other end of the tunnel:

Yes, we will drop connections that do not match the security associations, as
we see in our logs. Not sure which SA, but please review your
configs/encryption properties and make sure they match the document I sent
you. You said you copied configs from one server to another; I usually build
each tunnel individually. Could this be the problem?

15302 10/27/2009 23:06:00.190 SEV=8 IKEDBG/96 RPT=10363 208.109.86.109
Received encrypted packet with no matching SA, dropping

I also see only IKE sessions hitting my firewall. I need to see ESP
packets; you need to send us interesting traffic to bring up the tunnel.
Other than live real-time log monitoring and traces, there is not much I can do. Let me
know if you'd like to look at this tomorrow and we can arrange a time for a
call.


Here is the current ipsec.conf:

# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"

# Add connections here


conn prod-sms
        left=208.109.86.109
        leftsubnet=208.109.86.0/24
        leftnexthop=208.109.86.254
        right=216.160.25.121
        rightid=216.160.25.121
        rightsubnet=206.220.212.0/24
        pfs=no
        xauth=no
        type=tunnel
        keyexchange=ike
        ike=3des-md5-modp1024
        authby=secret
        auto=start

conn test-sms-213
        left=208.109.86.109
        leftsubnet=208.109.86.0/24
        leftnexthop=208.109.86.254
        right=67.96.131.33
        rightid=67.96.131.33
        rightsubnet=206.220.213.0/24
        pfs=no
        xauth=no
        type=tunnel
        keyexchange=ike
        ike=3des-md5-modp1024
        authby=secret
        auto=start

conn test-sms-214
        left=208.109.86.109
        leftsubnet=208.109.86.0/24
        leftnexthop=208.109.86.254
        right=67.96.131.33
        rightid=67.96.131.33
        rightsubnet=206.220.214.0/24
        pfs=no
        xauth=no
        type=tunnel
        keyexchange=ike
        ike=3des-md5-modp1024
        authby=secret
        auto=start



#conn test
#       left=216.69.164.214
#       leftnexthop=%defaultroute
#       leftsubnet=216.69.164.214/32
#       right=64.142.21.254
#       rightsubnet=192.168.167.0/24
#       rightnexthop=%defaultroute
#       ike=3des-md5-modp1024
#       pfs=no
#       type=tunnel
#       dpddelay=30
#       dpdtimeout=120
#       dpdaction=clear
#       authby=secret
#       auto=start


#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
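As an added example (not from the post or from Openswan itself), a small Python parser for the `ipsec auto --up` output format shown above: it groups the whack lines (`<code> "<conn>" #<state>: <message>`) by IKE state object, pulls out the negotiated ISAKMP SA parameters, and separates a Phase 1 failure from a Quick Mode that the peer never answers, which is the case in the log quoted in the post. The sample output is constructed from the lines quoted above, rejoined and trimmed.

```python
import re
from collections import defaultdict
# Constructed sample: the `ipsec auto --up prod-sms` output quoted in the post, rejoined.
SAMPLE_OUTPUT = """\
002 "prod-sms" #110: initiating Main Mode
004 "prod-sms" #110: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "prod-sms" #111: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#110}
010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "prod-sms" #111: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
PARAM_RE = re.compile(r"(\w+)=(\w+)")

def parse_states(output):
    """Group the output by IKE state object (#nnn) and record how far each one got."""
    states = defaultdict(lambda: {"conn": "", "phase": None, "established": False,
                                  "retransmissions": 0, "params": {}})
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, conn, num, msg = m.groups()
        st = states[int(num)]
        st["conn"] = conn
        if "Main Mode" in msg or "STATE_MAIN" in msg:
            st["phase"] = 1          # ISAKMP SA negotiation
        elif "Quick Mode" in msg or "STATE_QUICK" in msg:
            st["phase"] = 2          # IPsec (ESP) SA negotiation
        if code == "010" and "retransmission" in msg:
            st["retransmissions"] += 1
        if "SA established" in msg:  # matches both the ISAKMP SA and IPsec SA lines
            st["established"] = True
            st["params"] = dict(PARAM_RE.findall(msg[msg.find("{") + 1:msg.rfind("}")]))
    return dict(states)

def diagnose(output):
    """Phase 1 up but Quick Mode unanswered means PSK and ike= matched; look at esp=/pfs=/subnets."""
    states = parse_states(output)
    p1 = [s for s in states.values() if s["phase"] == 1 and s["established"]]
    p2 = [s for s in states.values() if s["phase"] == 2]
    if not p1:
        verdict = "phase1-failed"
    elif not (p2 and p2[-1]["established"]):
        verdict = "phase2-unanswered"
    else:
        verdict = "tunnel-up"
    return {"verdict": verdict, "phase1": p1[-1]["params"] if p1 else None,
            "retransmissions": p2[-1]["retransmissions"] if p2 else 0}
```

Run against the post's log it reports `phase2-unanswered` with the Phase 1 parameters attached, which matches the Cisco side's "no matching SA" message: the ISAKMP SA is agreed, so the mismatch to hunt for is in the Phase 2 settings rather than the pre-shared key or `ike=` line.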
