[Openswan Users] Ipsec Server Configuration

Walter Hansen whansen at corporate-image.com
Sat Oct 31 02:28:20 EDT 2009


Hope this is helpful.

Paul Wouters wrote:
> On Fri, 30 Oct 2009, Walter Hansen wrote:
> 
>> Once again we seem to be having troubles getting a secure tunnel going
>> between a Linux server and a Cisco 3000 router.
>> New Server: Fedora Core 8 Openswan 2.4.9-2.fc8
> 
> That's not "new". That's very old. Don't expect it to work with modern
> client operating systems.

Are you referring to 2.4.9-2? That's what yum installed by default as
the correct one for FC8. If that's the case, perhaps I should uninstall
and try a compiled version.

>> 117 "prod-sms" #111: STATE_QUICK_I1: initiate
>> 010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 20s for response
>> 010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 40s for
> 
> The other end rejected you. Check its logs.

Unfortunately I don't have direct access to the logs.

>> Yes we will drop connections that do not match the security associations as
>> we see in our logs. Not sure which SA but please review your
>> configs/encryption properties and make sure they match the document I sent
>> you. You said you copied configs from one server to another; I usually build
>> each tunnel individually, could this be the problem?
> 
> The defaults might have changed. openswan 2.2 might have used 3des-md5 or
> modp1024 where openswan 2.4.x might have used aes-sha1 or modp1536. Check
> that document.
> 
>> 15302 10/27/2009 23:06:00.190 SEV=8 IKEDBG/96 RPT=10363 208.109.86.109
>> Received encrypted packet with no matching SA, dropping

That ^ is from the cisco logs on the other end.

> That's odd. I am not sure why you are seeing that. Are there more tunnels to
> the same end?
> 
>> # basic configuration
>> config setup
>>        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>        # klipsdebug=none
>>        # plutodebug="control parsing"
> 
> No nat configured here, so if you are behind nat, it won't work.

It's actually a single server with no nat but the other end of the
tunnel is used to configuring for networks so the configuration was set
up to include a fake network. We have two servers operating with tunnels
with a setup like this.

>> conn prod-sms
>>        left=208.109.86.109
>>        leftsubnet=208.109.86.0/24
>>        leftnexthop=208.109.86.254
>>        right=216.160.25.121
>>        rightid=216.160.25.121
>>        rightsubnet=206.220.212.0/24
> 
> Which I think there is, or else you cannot be the ipsec endpoint for
> the subnet you are trying to protect.
> 
>>        xauth=no
>>        type=tunnel
>>        keyexchange=ike
>>        ike=3des-md5-modp1024
> 
> perhaps try adding esp=3des-md5 too?

Looks much the same:

# ipsec auto --up prod-sms
104 "prod-sms" #61: STATE_MAIN_I1: initiate
003 "prod-sms" #61: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "prod-sms" #61: STATE_MAIN_I2: sent MI2, expecting MR2
003 "prod-sms" #61: received Vendor ID payload [Cisco-Unity]
003 "prod-sms" #61: received Vendor ID payload [XAUTH]
003 "prod-sms" #61: ignoring unknown Vendor ID payload
[9e5448ade9bdfba6fff486adfcda31d8]
003 "prod-sms" #61: ignoring Vendor ID payload [Cisco VPN 3000 Series]
108 "prod-sms" #61: STATE_MAIN_I3: sent MI3, expecting MR3
003 "prod-sms" #61: received Vendor ID payload [Dead Peer Detection]
004 "prod-sms" #61: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "prod-sms" #62: STATE_QUICK_I1: initiate
010 "prod-sms" #62: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "prod-sms" #62: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "prod-sms" #62: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "prod-sms" #62: starting keying attempt 2 of an unlimited number, but releasing whack


# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 208.109.86.109
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,15,36} trans={0,15,540} attrs={0,15,360}
000
000 "prod-sms": 208.109.86.0/24===208.109.86.109---208.109.86.254...216.160.25.121===206.220.212.0/24; erouted HOLD; eroute owner: #0
000 "prod-sms":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "prod-sms":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "prod-sms":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0; encap: esp;
000 "prod-sms":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "prod-sms":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "prod-sms":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "prod-sms":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "prod-sms":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "test-sms-213": 208.109.86.0/24===208.109.86.109---208.109.86.254...67.96.131.33===206.220.213.0/24; prospective erouted; eroute owner: #0
000 "test-sms-213":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "test-sms-213":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test-sms-213":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0; encap: esp;
000 "test-sms-213":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test-sms-213":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "test-sms-213":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "test-sms-214": 208.109.86.0/24===208.109.86.109---208.109.86.254...67.96.131.33===206.220.214.0/24; prospective erouted; eroute owner: #0
000 "test-sms-214":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "test-sms-214":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test-sms-214":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0; encap: esp;
000 "test-sms-214":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test-sms-214":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "test-sms-214":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000
000 #26: "prod-sms":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 39s; lastdpd=-1s(seq in:0 out:0)
000 #22: "prod-sms":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s; lastdpd=-1s(seq in:0 out:0)
000 #29: "prod-sms":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s; lastdpd=-1s(seq in:0 out:0)
000 #37: "prod-sms":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s; lastdpd=-1s(seq in:0 out:0)
000 #35: "prod-sms":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 18s; lastdpd=-1s(seq in:0 out:0)
000 #24: "prod-sms":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 28s; lastdpd=-1s(seq in:0 out:0)
000 #33: "prod-sms":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s; lastdpd=-1s(seq in:0 out:0)
000 #31: "test-sms-213":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s; lastdpd=-1s(seq in:0 out:0)
000 #30: "test-sms-214":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s; lastdpd=-1s(seq in:0 out:0)
000



> Paul
> 
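As an added example (not from this thread, nor Openswan's own code): a small Python triage script that parses pluto output of the kind shown above and tells a Phase 1 (ISAKMP) failure apart from the Phase 2 (Quick Mode) failure seen here, which is the situation behind Paul's "peer likes no proposal" reading. The sample lines are constructed from the output quoted in the mail; the function names are the example's own.

```python
import re

# Constructed sample of "ipsec auto --up" output: Phase 1 succeeds, then the
# Quick Mode request is retransmitted twice with no reply from the peer.
SAMPLE_LOG = """\
004 "prod-sms" #61: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "prod-sms" #62: STATE_QUICK_I1: initiate
010 "prod-sms" #62: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "prod-sms" #62: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "prod-sms" #62: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# pluto line: 3-digit code, quoted connection name, "#<state>:" and the message
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
PARAMS_RE = re.compile(r"\{([^}]*)\}")  # the {auth=... cipher=...} block


def parse_pluto(text):
    """Return a list of (code, conn, state_no, message) for every pluto line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return events


def triage(text):
    """Per connection: the Phase 1 parameters that were agreed (or None) and
    how far Phase 2 got, counting Quick Mode retransmissions."""
    result = {}
    for _code, conn, _st, msg in parse_pluto(text):
        r = result.setdefault(conn, {"phase1": None, "phase2": "not attempted",
                                     "quick_retransmits": 0})
        if "ISAKMP SA established" in msg:
            kvs = PARAMS_RE.search(msg).group(1).split()
            r["phase1"] = dict(kv.split("=", 1) for kv in kvs)
        elif "STATE_QUICK_I1: initiate" in msg:
            r["phase2"] = "in progress"
        elif "STATE_QUICK_I1: retransmission" in msg:
            r["quick_retransmits"] += 1
        elif "max number of retransmissions" in msg and "QUICK" in msg:
            # Phase 1 agreed but the peer never answered Quick Mode: the ESP
            # proposal or the protected subnets are the things to compare.
            r["phase2"] = "failed: no answer to Quick Mode"
    return result


def summarize(text):
    """One human-readable verdict string per connection."""
    out = {}
    for conn, r in triage(text).items():
        p = r["phase1"]
        p1 = ("phase 1 OK (%s/%s/%s)" % (p["cipher"], p["prf"], p["group"])
              if p else "phase 1 (ISAKMP) not established")
        out[conn] = "%s; phase 2 (IPsec SA) %s after %d retransmits" % (
            p1, r["phase2"], r["quick_retransmits"])
    return out
```

Run it over the saved output of `ipsec auto --up <conn>`; a "phase 1 OK" verdict with a failed Phase 2 points at the ESP/subnet side of the peer's configuration rather than at the IKE proposal.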


