[Openswan Users] Openswan and V-IPSecure
JT Edwards
tstrike34 at gmail.com
Thu Sep 3 10:08:55 EDT 2009
> Hi Paul and Erich,
>
> Two problems.... I've been working on this for 2 weeks and for the life of
> me (after many nights of reading) still can't get these two to talk via
> certificates.... I did get a PSK connection going but the ISAKMP died on
> me and I spent all night trying to get that connection back up (for every
> archive message I read, I tried it and the PSK connection would not
> come up).
>
> I went back to trying certificates again and this is what I am getting....
> I am trying as hard as I can to be patient, but two weeks of sweat equity
> and no results is frustrating, my friends...
>
> securelog
>
> Sep 3 08:34:17 wizbang pluto[5181]: packet from 12.234.22.224:500:
> ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
> Sep 3 08:34:17 wizbang pluto[5181]: packet from 12.234.22.224:500:
> ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
> Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4:
> responding to Main Mode
> Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4:
> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4:
> STATE_MAIN_R1: sent MR1, expecting MI2
> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: ignoring
> Vendor ID payload [KAME/racoon]
> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4:
> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4:
> STATE_MAIN_R2: sent MR2, expecting MI3
> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
> peer ID is ID_IPV4_ADDR: '12.234.22.224'
> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
> suitable connection for peer '12.234.22.224'
> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
> encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
> Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
> peer ID is ID_IPV4_ADDR: '12.234.22.224'
> Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
> suitable connection for peer '12.234.22.224'
> Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
> encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
> Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
> peer ID is ID_IPV4_ADDR: '12.234.22.224'
> Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
> suitable connection for peer '12.234.22.224'
> Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
> encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
> Sep 3 08:34:38 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
> peer ID is ID_IPV4_ADDR: '12.234.22.224'
> Sep 3 08:34:38 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
> suitable connection for peer '12.234.22.224'
> Sep 3 08:34:38 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
> encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
> Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
> peer ID is ID_IPV4_ADDR: '12.234.22.224'
> Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
> suitable connection for peer '12.234.22.224'
> Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
> encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
> Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
> peer ID is ID_IPV4_ADDR: '12.234.22.224'
> Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
> suitable connection for peer '12.234.22.224'
> Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
> encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
>
>
> Starting IPsec: Starting Openswan IPsec 2.4.9...
> [ OK ]
> -bash-3.2# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface eth0/eth0 22.34.33.26
> 000 interface eth0/eth0 22.34.33.26
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "openswan-to-vipsecure": 192.168.122.0/24===22.34.33.26[C=US, ST=TX,
> L=Austin, O=wizbangco,
> OU=Executive]:17/%any...12.234.22.224:17/%any===192.168.111.0/24;
> unrouted; eroute owner: #0
> 000 "openswan-to-vipsecure": srcip=unset; dstip=unset; srcup=ipsec
> _updown; dstup=ipsec _updown;
> 000 "openswan-to-vipsecure": CAs: 'C=US, ST=TX, L=Austin, O=wizbangco,
> OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'...'C=US, ST=TX,
> L=Austin, O=wizbangco, OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'
> 000 "openswan-to-vipsecure": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "openswan-to-vipsecure": policy: RSASIG+ENCRYPT+TUNNEL; prio: 24,24;
> interface: eth0; encap: esp;
> 000 "openswan-to-vipsecure": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000
> -bash-3.2# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface eth0/eth0 22.34.33.26
> 000 interface eth0/eth0 22.34.33.26
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "openswan-to-vipsecure": 192.168.122.0/24===22.34.33.26[C=US, ST=TX,
> L=Austin, O=wizbangco,
> OU=Executive]:17/%any...12.234.22.224:17/%any===192.168.111.0/24;
> unrouted; eroute owner: #0
> 000 "openswan-to-vipsecure": srcip=unset; dstip=unset; srcup=ipsec
> _updown; dstup=ipsec _updown;
> 000 "openswan-to-vipsecure": CAs: 'C=US, ST=TX, L=Austin, O=wizbangco,
> OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'...'C=US, ST=TX,
> L=Austin, O=wizbangco, OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'
> 000 "openswan-to-vipsecure": ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "openswan-to-vipsecure": policy: RSASIG+ENCRYPT+TUNNEL; prio: 24,24;
> interface: eth0; encap: esp;
> 000 "openswan-to-vipsecure": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #1: "openswan-to-vipsecure":500 STATE_MAIN_R2 (sent MR2, expecting
> MI3); EVENT_RETRANSMIT in 36s; nodpd
> 000
>
> conn openswan-to-vipsecure
> #
> #
> #
> #
> # Use a certificate. Disable Perfect Forward Secrecy.
> #
> authby=rsasig
> pfs=no
> auto=add
> # we cannot rekey for %any, let client rekey
> # Do not enable the line below. It is implicitly used, and
> # specifying it will currently break when using nat-t.
> # type=transport. See http://bugs.xelerance.com/view.php?id=466
> #
> type=tunnel
> left=22.34.33.26
> # or you can use: left=YourIPAddress
> leftrsasigkey=%cert
> leftcert=/etc/ipsec.d/certs/aittorden.pem
> leftsendcert=yes
> leftsubnet=192.168.122.0/24
> # Work-around for original (non-updated) Windows 2000/XP clients,
> # to support all clients, use leftprotoport=17/%any
> leftprotoport=17/%any
> #
> # The remote user.
> #
> right=12.234.22.224
> rightca=%same
> rightrsasigkey=%cert
> rightprotoport=17/%any
> rightsubnet=192.168.111.0/24
>
> JT Edwards
> Senior Solutions Architect (Automation and Service Management)
> IBM Tivoli Certified
> Direct: 281-226-0284
> Direct: 512-772-3266
> Follow Me: 1866-866-4391 ext 1
> AIM tstrike34
> GoogleTalk tstrike34 at gmail.com
>
> --------------------------------------------------
> From: "Paul Wouters" <paul at xelerance.com>
> Sent: Wednesday, September 02, 2009 11:24 AM
> To: "JT Edwards" <tstrike34 at gmail.com>
> Cc: "Erich Titl" <erich.titl at think.ch>; <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure
>
>> On Wed, 2 Sep 2009, JT Edwards wrote:
>>
>>> Sep 2 09:15:54 wizbang pluto[18118]: "ait-to-home"[1] 12.234.22.224 #1:
>>> Main mo de peer ID is ID_FQDN: '@chipper.dyndns.org'
>>
>>> type=transport
>>> left=22.34.33.26
>>> leftid=@wizbang.me.org
>>> leftrsasigkey=%cert
>>> leftcert=/etc/ipsec.d/certs/aittorden.pem
>>> leftprotoport=17/1701
>>> right=%any
>>> rightca=%same
>>> rightid=@chipper.dyndns.org
>>> rightrsasigkey=%cert
>>
>> Why are you not using the X.509 RDN's for ids?
>>
>> The normal setup here would be to have leftid=%fromcert on openswan 2.6
>> or
>> no leftid= on openswan 2.4, and no rightid= at all. Then the certificate
>> RDN
>> will be used. Maybe add an leftsendcert=always to convince the other end
>> to use its cert too?
>>
>>> rightprotoport=17/0
>>
>> use 17/%any
>>
>> Also use openswan 2.4 due to bug #1004.
>>
>> Paul
>
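The log quoted above shows the classic Main Mode stall: the responder gets as far as STATE_MAIN_R2, the peer then identifies itself as ID_IPV4_ADDR '12.234.22.224', no conn matches that ID, and pluto answers with INVALID_ID_INFORMATION on every retry. The script below is an added example written for this page, not code from the thread or from the Openswan project: it parses pluto log lines of the shape shown here, follows the state transitions per ISAKMP SA, and reports the peer's claimed identity and the notifications sent back, so the point of failure is visible without reading the whole log. The regular expressions assume the syslog prefix format seen above ("Sep 3 08:34:17 wizbang pluto[5181]: ..."), and the sample log is constructed from the lines in the post.

```python
"""Triage helper for Openswan/pluto IKEv1 Main Mode failures (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the secure log quoted in the thread.
SAMPLE_LOG = """\
Sep 3 08:34:17 wizbang pluto[5181]: packet from 12.234.22.224:500: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4: responding to Main Mode
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: ignoring Vendor ID payload [KAME/racoon]
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable connection for peer '12.234.22.224'
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable connection for peer '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
"""

# Syslog prefix as it appears in the thread; assumption: one pluto line per record.
PREFIX = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<rest>.*)$')
CONN_STATE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
PEER_ID = re.compile(r"Main mode peer ID is (?P<idtype>ID_\w+): '(?P<id>[^']*)'")
NOTIFY = re.compile(r'sending encrypted notification (?P<notify>\S+) to (?P<dst>\S+)')
VENDOR = re.compile(r'ignoring (?:unknown )?Vendor ID payload \[(?P<vid>[^\]]+)\]')


def parse_pluto_log(text):
    """Return ({(conn, sa_number): record}, [vendor IDs seen]) for the given log text."""
    sas = defaultdict(lambda: {"states": [], "peer_ids": [], "notifies": Counter(),
                               "no_conn_for": Counter()})
    vendor_ids = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a pluto line
        rest = m.group("rest")
        v = VENDOR.search(rest)
        if v:
            vendor_ids.append(v.group("vid"))
        cs = CONN_STATE.match(rest)
        if not cs:
            continue  # line is not tied to a named conn / SA
        rec = sas[(cs.group("conn"), int(cs.group("sa")))]
        msg = cs.group("msg")
        t = TRANSITION.search(msg)
        if t:
            if not rec["states"]:
                rec["states"].append(t.group(1))  # record the starting state once
            rec["states"].append(t.group(2))
        p = PEER_ID.search(msg)
        if p:
            rec["peer_ids"].append((p.group("idtype"), p.group("id")))
        n = NOTIFY.search(msg)
        if n:
            rec["notifies"][n.group("notify")] += 1
        if msg.startswith("no suitable connection for peer"):
            rec["no_conn_for"][msg.split("'")[1]] += 1
    return dict(sas), vendor_ids


def diagnose(rec):
    """One-line verdict for an SA record produced by parse_pluto_log."""
    last = rec["states"][-1] if rec["states"] else "none"
    if rec["notifies"].get("INVALID_ID_INFORMATION") and rec["peer_ids"]:
        idtype, ident = rec["peer_ids"][-1]
        return (f"stalled in {last}: peer identified itself as {idtype} {ident!r} and no conn "
                f"matched that ID ({rec['notifies']['INVALID_ID_INFORMATION']}x INVALID_ID_INFORMATION); "
                "check that the conn's expected right ID (rightid= or the cert's DN) is what the peer sends")
    if rec["notifies"]:
        return f"stalled in {last}: sent " + ", ".join(rec["notifies"])
    return f"reached {last}"


def triage(text):
    """Map 'conn #sa' -> verdict, plus the vendor IDs seen in the log."""
    sas, vendor_ids = parse_pluto_log(text)
    return {f"{conn} #{sa}": diagnose(rec) for (conn, sa), rec in sas.items()}, vendor_ids


if __name__ == "__main__":
    verdicts, vids = triage(SAMPLE_LOG)
    print("vendor IDs seen:", vids)
    for sa, verdict in verdicts.items():
        print(sa, "->", verdict)
```

Run it against a real /var/log/secure by reading the file into `triage()`; the verdict for the SA above names STATE_MAIN_R2 and the ID_IPV4_ADDR identity, which is exactly the mismatch Paul's reply addresses when he suggests letting the certificate RDN serve as the ID.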