[Openswan Users] Openswan and V-IPSecure

JT Edwards tstrike34 at gmail.com
Fri Sep 11 01:52:23 EDT 2009


Oky dokey guys... Sorry its been a little bit but family issues came up.

I went ahead and upgraded to 2.6.23 (from 2.4.15.... I didn't know if I was
supposed to take on this new code or not).

It seems that the problems with certificates exchanging continues but in a
different aspect.  Paul, the AER DSN was absolutely correct, but now I am at
this stage:

Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #2: starting keying
attempt 3 of an unlimited number
Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: initiating Main Mode
to replace #2
Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: ignoring unknown
Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: ignoring Vendor ID
payload [KAME/racoon]
Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: STATE_MAIN_I2: sent
MI2, expecting MR2
Sep 11 00:21:16 torden8 pluto[30407]: "ait-torden" #3: ignoring Vendor ID
payload [KAME/racoon]
Sep 11 00:21:16 torden8 pluto[30407]: "ait-torden" #3: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 11 00:21:16 torden8 pluto[30407]: "ait-torden" #3: STATE_MAIN_I3: sent
MI3, expecting MR3
Sep 11 00:21:26 torden8 pluto[30407]: "ait-torden" #3: discarding duplicate
packet; already STATE_MAIN_I3

What am I doing wrong?

----------------------------------
V-IPSecure (read: racoon implementation) says:

2009 Sep 11 00:32:57 [SRXN3205] [IKE] Phase 1 negotiation failed due to time
up for 22.123.34.56[500]. 19ba6b19ee995cc6:0e7f1948d2051e45_
2009 Sep 11 00:33:07 [SRXN3205] [IKE] Configuration found for
22.123.34.56[500]._
2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received request for new phase 1
negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
2009 Sep 11 00:33:07 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received unknown Vendor ID_
                - Last output repeated 3 times -
2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received unknown Vendor ID_
                - Last output repeated twice -
2009 Sep 11 00:33:08 [SRXN3205] [IKE] no peer's CERT payload found._
2009 Sep 11 00:33:18 [SRXN3205] [IKE] Received Malformed packet of payload
length 29373 and total length 232._
                - Last output repeated twice -
2009 Sep 11 00:34:08 [SRXN3205] [IKE] Phase 1 negotiation failed due to time
up for 22.123.34.56[500]. 93a3722f65567d5e:ad27188747d7f244_
2009 Sep 11 00:34:18 [SRXN3205] [IKE] Configuration found for
22.123.34.56[500]._
2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received request for new phase 1
negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
2009 Sep 11 00:34:18 [SRXN3205] [IKE] Beginning Identity Protection mode._
2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received unknown Vendor ID_
                - Last output repeated 3 times -
2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02__
2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received unknown Vendor ID_
                - Last output repeated twice -
2009 Sep 11 00:34:19 [SRXN3205] [IKE] no peer's CERT payload found._

-------------------


Here is the ipsec auto --status

-bash-3.2# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface tun0/tun0 172.16.0.1
000 interface tun0/tun0 172.16.0.1
000 interface virbr0/virbr0 192.168.122.1
000 interface virbr0/virbr0 192.168.122.1
000 interface as0t0/as0t0 10.8.0.1
000 interface as0t0/as0t0 10.8.0.1
000 interface eth0/eth0 22.123.34.56
000 interface eth0/eth0 22.123.34.56
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
000 - disallowed 1 subnet: 192.168.0.0/24
000 WARNING: Either virtual_private= was not specified, or there was a
syntax
000          error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "ait-torden": 22.123.34.56<22.123.34.56>[C=US, ST=TX, L=Austin,
O=AutomaticIT, OU=Executive,+S=C]...12.234.22.224<12.234.22.224>[C=US,
ST=TX, L=Austin, O=AutomaticIT, OU=Executive,+S=C]; prospective erouted;
eroute owner: #0
000 "ait-torden":     myip=unset; hisip=unset;
000 "ait-torden":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "ait-torden":   policy: RSASIG+ENCRYPT+PFS+DONTREKEY+UP+IKEv2ALLOW;
prio: 32,32; interface: eth0;
000 "ait-torden":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #7: "ait-torden":500 STATE_MAIN_I3 (sent MI3, expecting MR3);
EVENT_RETRANSMIT in 16s; nodpd; idle; import:admin initiate
000 #7: pending Phase 2 for "ait-torden" replacing #0
000


Here is my ipsec.conf


# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes
        oe=off
        protostack=netkey
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24


# Add connections here
conn ait-torden
        auto=start
        authby=rsasig
        rekey=no
        type=transport
        left=22.123.34.56
        leftrsasigkey=%cert
        leftsendcert=always
        leftid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
        right=12.234.22.224
        rightid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
        rightrsasigkey=%cert


JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com

--------------------------------------------------
From: "Paul Wouters" <paul at xelerance.com>
Sent: Thursday, September 03, 2009 12:03 PM
To: "JT Edwards" <tstrike34 at gmail.com>
Cc: "Erich Titl" <erich.titl at think.ch>; <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure

> On Thu, 3 Sep 2009, JT Edwards wrote:
>
>> I went back to trying certificates again and this is what I am
>> getting.... I am trying hard as I can to  be patient but two weeks of
>> sweat equity and no results proves frustrating my friends...
>
>> Sep  3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main
>> mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
>> Sep  3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
>> suitable connection for peer '12.234.22.224'
>
> The peer is expected to present an ID_DER_ASN1_DN and not a ID_IPV4_ADDR
> when
> using certificates. You can try and setting rightid=12.234.22.224 but it
> might just delay the actual problem.
>
> Be aware some appliances do not reload their IKE phase1 connection when
> you
> make a configuration change, and a reboot might be required to clear it.
>
>> Starting IPsec:  Starting Openswan IPsec 2.4.9...
>
> Upgrade to 2.4.15
>
> Paul 



More information about the Users mailing list