[Openswan Users] Openswan and V-IPSecure
JT Edwards
tstrike34 at gmail.com
Thu Sep 3 09:40:16 EDT 2009
Hi Paul and Erich,
Two problems.... Been working on this for 2 weeks and for the life of me
(after many nights of reading) still can't get these two to talk via
certificates.... I did get a PSK connection going but the ISAKMP died on me
and I spent all night trying to get that connection back up (for every one
archive message I read, I tried it and the PSK connection would not come
up).
I went back to trying certificates again and this is what I am getting....
I am trying as hard as I can to be patient but two weeks of sweat equity and
no results proves frustrating, my friends...
secure log:
Sep 3 08:34:17 wizbang pluto[5181]: packet from 12.234.22.224:500: ignoring
unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Sep 3 08:34:17 wizbang pluto[5181]: packet from 12.234.22.224:500: ignoring
unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4: responding
to Main Mode
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4:
STATE_MAIN_R1: sent MR1, expecting MI2
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: ignoring
Vendor ID payload [KAME/racoon]
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4:
STATE_MAIN_R2: sent MR2, expecting MI3
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable
connection for peer '12.234.22.224'
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable
connection for peer '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable
connection for peer '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 3 08:34:38 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:38 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable
connection for peer '12.234.22.224'
Sep 3 08:34:38 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable
connection for peer '12.234.22.224'
Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode
peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable
connection for peer '12.234.22.224'
Sep 3 08:34:48 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending
encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Starting IPsec: Starting Openswan IPsec 2.4.9...
[ OK ]
-bash-3.2# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface virbr0/virbr0 192.168.122.1
000 interface virbr0/virbr0 192.168.122.1
000 interface eth0/eth0 22.34.33.26
000 interface eth0/eth0 22.34.33.26
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "openswan-to-vipsecure": 192.168.122.0/24===22.34.33.26[C=US, ST=TX,
L=Austin, O=wizbangco,
OU=Executive]:17/%any...12.234.22.224:17/%any===192.168.111.0/24; unrouted;
eroute owner: #0
000 "openswan-to-vipsecure": srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "openswan-to-vipsecure": CAs: 'C=US, ST=TX, L=Austin, O=wizbangco,
OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'...'C=US, ST=TX, L=Austin,
O=wizbangco, OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'
000 "openswan-to-vipsecure": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "openswan-to-vipsecure": policy: RSASIG+ENCRYPT+TUNNEL; prio: 24,24;
interface: eth0; encap: esp;
000 "openswan-to-vipsecure": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
-bash-3.2# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface virbr0/virbr0 192.168.122.1
000 interface virbr0/virbr0 192.168.122.1
000 interface eth0/eth0 22.34.33.26
000 interface eth0/eth0 22.34.33.26
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "openswan-to-vipsecure": 192.168.122.0/24===22.34.33.26[C=US, ST=TX,
L=Austin, O=wizbangco,
OU=Executive]:17/%any...12.234.22.224:17/%any===192.168.111.0/24; unrouted;
eroute owner: #0
000 "openswan-to-vipsecure": srcip=unset; dstip=unset; srcup=ipsec
_updown; dstup=ipsec _updown;
000 "openswan-to-vipsecure": CAs: 'C=US, ST=TX, L=Austin, O=wizbangco,
OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'...'C=US, ST=TX, L=Austin,
O=wizbangco, OU=Executive, CN=AIT, E=jt.edwards at wizbangco.com'
000 "openswan-to-vipsecure": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "openswan-to-vipsecure": policy: RSASIG+ENCRYPT+TUNNEL; prio: 24,24;
interface: eth0; encap: esp;
000 "openswan-to-vipsecure": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "openswan-to-vipsecure":500 STATE_MAIN_R2 (sent MR2, expecting MI3);
EVENT_RETRANSMIT in 36s; nodpd
000
conn openswan-to-vipsecure
#
#
#
#
# Use a certificate. Disable Perfect Forward Secrecy.
#
authby=rsasig
pfs=no
auto=add
# we cannot rekey for %any, let client rekey
# Do not enable the line below. It is implicitely used, and
# specifying it will currently break when using nat-t.
# type=transport. See http://bugs.xelerance.com/view.php?id=466
#
type=tunnel
left=22.34.33.26
# or you can use: left=YourIPAddress
leftrsasigkey=%cert
leftcert=/etc/ipsec.d/certs/aittorden.pem
leftsendcert=yes
leftsubnet=192.168.122.0/24
# Work-around for original (non-updated) Windows 2000/XP clients,
# to support all clients, use leftprotoport=17/%any
leftprotoport=17/%any
#
# The remote user.
#
right=12.234.22.224
rightca=%same
rightrsasigkey=%cert
rightprotoport=17/%any
rightsubnet=192.168.111.0/24
JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com
--------------------------------------------------
From: "Paul Wouters" <paul at xelerance.com>
Sent: Wednesday, September 02, 2009 11:24 AM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: "Erich Titl" <erich.titl at think.ch>; <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure
> On Wed, 2 Sep 2009, JT Edwards wrote:
>
>> Sep 2 09:15:54 wizbang pluto[18118]: "ait-to-home"[1] 12.234.22.224 #1:
>> Main mode peer ID is ID_FQDN: '@chipper.dyndns.org'
>
>> type=transport
>> left=22.34.33.26
>> leftid=@wizbang.me.org
>> leftrsasigkey=%cert
>> leftcert=/etc/ipsec.d/certs/aittorden.pem
>> leftprotoport=17/1701
>> right=%any
>> rightca=%same
>> rightid=@chipper.dyndns.org
>> rightrsasigkey=%cert
>
> Why are you not using the X.509 RDN's for ids?
>
> The normal setup here would be to have leftid=%fromcert on openswan 2.6 or
> no leftid= on openswan 2.4, and no rightid= at all. Then the certificate
> RDN
> will be used. Maybe add an leftsendcert=always to convince the other end
> to use its cert too?
>
>> rightprotoport=17/0
>
> use 17/%any
>
> Also use openswan 2.4 due to bug #1004.
>
> Paul
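The secure log above shows the pattern that matters for this kind of failure: Main Mode gets as far as STATE_MAIN_R2, the peer identifies itself by IPv4 address rather than by its certificate DN, pluto finds "no suitable connection" for that ID, and INVALID_ID_INFORMATION goes back every ten seconds as the peer retransmits. The following Python script is an added example, not code from the thread, from Openswan, or from either poster; it parses pluto log lines of exactly that shape, reconstructs how far the exchange got, which ID the peer presented, and which notifications were sent, and prints a short diagnosis. The sample lines are constructed from the log quoted above, and the hint text is the example author's reading of pluto's messages, not an Openswan artifact.

```python
"""Triage of Openswan/pluto IKEv1 Main Mode log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Sample input constructed from the secure log quoted in the thread.
SAMPLE_LOG = """\
Sep 3 08:34:17 wizbang pluto[5181]: packet from 12.234.22.224:500: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4: responding to Main Mode
Sep 3 08:34:17 wizbang pluto[5181]: "openswan-to-vipsecure" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable connection for peer '12.234.22.224'
Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no suitable connection for peer '12.234.22.224'
Sep 3 08:34:28 wizbang pluto[5181]: "openswan-to-vipsecure" #4: sending encrypted notification INVALID_ID_INFORMATION to 12.234.22.224:500
"""

# pluto prefixes per-connection messages with "<conn>" #<sa>:; packet-level
# messages (vendor IDs, malformed packets) carry no connection name.
PLUTO_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
PEER_ID_RE = re.compile(r"Main mode peer ID is (?P<type>ID_\w+): '(?P<value>[^']*)'")
NOTIFY_RE = re.compile(r"sending encrypted notification (?P<name>\w+) to (?P<dst>\S+)")
VENDOR_RE = re.compile(r"ignoring unknown Vendor ID payload \[(?P<vid>[0-9a-f]+)\]")

# Interpretation of the notifications seen in this thread (example author's
# wording, assumption: extend the table for other notification names).
HINTS = {
    "INVALID_ID_INFORMATION": (
        "the responder could not match the peer's ID to any loaded conn; "
        "compare the ID type and value the peer sent with the conn's right=/rightid= "
        "(a certificate-based conn normally expects the certificate DN, not an address)"
    ),
}


@dataclass
class Triage:
    conn: Optional[str] = None
    states: List[str] = field(default_factory=list)          # states reached, in order
    peer_ids: Set[Tuple[str, str]] = field(default_factory=set)  # (ID type, value)
    notifications: Counter = field(default_factory=Counter)  # name -> times sent
    vendor_ids: Set[str] = field(default_factory=set)

    def last_state(self) -> Optional[str]:
        return self.states[-1] if self.states else None


def triage(log_text: str) -> Triage:
    """Walk pluto log lines and collect the facts needed for a diagnosis."""
    t = Triage()
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # not a pluto line
        if m.group("conn") and t.conn is None:
            t.conn = m.group("conn")
        msg = m.group("msg")
        if (v := VENDOR_RE.search(msg)):
            t.vendor_ids.add(v.group("vid"))
        elif (s := TRANSITION_RE.search(msg)):
            t.states.append(s.group(2))
        elif (p := PEER_ID_RE.search(msg)):
            t.peer_ids.add((p.group("type"), p.group("value")))
        elif (n := NOTIFY_RE.search(msg)):
            t.notifications[n.group("name")] += 1
    return t


def diagnosis(t: Triage) -> List[str]:
    """Turn the collected facts into one line per finding."""
    out = []
    if t.vendor_ids:
        out.append(f"{len(t.vendor_ids)} unknown Vendor ID payload(s) ignored: informational only")
    if t.states:
        out.append(f"Main Mode on conn {t.conn!r} reached {t.last_state()}")
    for id_type, value in sorted(t.peer_ids):
        out.append(f"peer identified itself as {id_type} {value!r}")
    for name, count in sorted(t.notifications.items()):
        out.append(f"sent {name} x{count}: {HINTS.get(name, 'no hint for this notification')}")
    return out


if __name__ == "__main__":
    for finding in diagnosis(triage(SAMPLE_LOG)):
        print("-", finding)
```

Run against the sample it reports that the exchange reached STATE_MAIN_R2, that the peer sent ID_IPV4_ADDR '12.234.22.224', and that INVALID_ID_INFORMATION was sent twice; the repeat count is a quick way to tell a retransmitting peer from a one-off failure when paging through a long secure log.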