[Openswan Users] Openswan and V-IPSecure
JT Edwards
tstrike34 at gmail.com
Fri Sep 11 15:30:07 EDT 2009
Paul,
First, thanks for your kind wisdom the community really appreciates and so
do I.
After correcting my ipsec.conf, I got this message. I held off on contact
the list about this and did some Googling. Afterwards, I completely rebuilt
my ipsec.secrets and the private key (ca_key.pem). Afterwards I rebuilt the
Certificate Authority (ca.crt), the client certificate (ait2torden.pem) with
a new CSR.
I loaded both into V-IPSecure and Openswan.
Two problems:
1. Once I enable openswan, the computer I am remoting from is no longer able
to connect directly to the Openswan gateway. (I can remote from another
network however).
2. Please see below because I am an absolute VPN idiot... but I am learning
fast:
securelog
Sep 11 14:19:33 whiskers ipsec__plutorun: Starting Pluto subsystem...
Sep 11 14:19:33 whiskers pluto[31676]: Starting Pluto (Openswan Version
2.6.23; Vendor ID OEm at kgSFEH@\177) pid:31676
Sep 11 14:19:33 whiskers pluto[31676]: Setting NAT-Traversal port-4500
floating to on
Sep 11 14:19:33 whiskers pluto[31676]: port floating activation criteria
nat_t=1/port_float=1
Sep 11 14:19:33 whiskers pluto[31676]: including NAT-Traversal patch
(Version 0.6c)
Sep 11 14:19:33 whiskers pluto[31676]: using /dev/urandom as source of
random entropy
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
OAKLEY_SERPENT_CBC: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_512: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_hash(): Activating
OAKLEY_SHA2_256: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: starting up 3 cryptographic helpers
Sep 11 14:19:33 whiskers pluto[31680]: using /dev/urandom as source of
random entropy
Sep 11 14:19:33 whiskers pluto[31676]: started helper pid=31680 (fd:7)
Sep 11 14:19:33 whiskers pluto[31676]: started helper pid=31682 (fd:8)
Sep 11 14:19:33 whiskers pluto[31682]: using /dev/urandom as source of
random entropy
Sep 11 14:19:33 whiskers pluto[31683]: using /dev/urandom as source of
random entropy
Sep 11 14:19:33 whiskers pluto[31676]: started helper pid=31683 (fd:9)
Sep 11 14:19:33 whiskers pluto[31676]: Using Linux 2.6 IPsec interface code
on 2.6.18-128.7.1.el5xen (experimental code)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
<NULL>: Ok (ret=0)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_add(): ERROR: Algorithm
already exists
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_add(): ERROR: Algorithm
already exists
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_add(): ERROR: Algorithm
already exists
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_add(): ERROR: Algorithm
already exists
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): WARNING: enc
alg=0 not found in constants.c:oakley_enc_names
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_add(): ERROR: Algorithm
already exists
Sep 11 14:19:33 whiskers pluto[31676]: ike_alg_register_enc(): Activating
<NULL>: FAILED (ret=-17)
Sep 11 14:19:33 whiskers pluto[31676]: Changed path to directory
'/etc/ipsec.d/cacerts'
Sep 11 14:19:33 whiskers pluto[31676]: loaded CA cert file 'ca.crt' (1655
bytes)
Sep 11 14:19:33 whiskers pluto[31676]: Changed path to directory
'/etc/ipsec.d/aacerts'
Sep 11 14:19:33 whiskers pluto[31676]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Sep 11 14:19:33 whiskers pluto[31676]: Changing to directory
'/etc/ipsec.d/crls'
Sep 11 14:19:33 whiskers pluto[31676]: loaded crl file 'ait2tordencrl.pem'
(690 bytes)
Sep 11 14:19:33 whiskers pluto[31676]: loading certificate from
/etc/ipsec.d//certs/ait2torden.pem
Sep 11 14:19:33 whiskers pluto[31676]: loaded host cert file
'/etc/ipsec.d//certs/ait2torden.pem' (1233 bytes)
Sep 11 14:19:33 whiskers pluto[31676]: added connection description
"ait-torden"
Sep 11 14:19:33 whiskers pluto[31676]: listening for IKE messages
Sep 11 14:19:33 whiskers pluto[31676]: NAT-Traversal: Trying new style NAT-T
Sep 11 14:19:33 whiskers pluto[31676]: NAT-Traversal: ESPINUDP(1) setup
failed for new style NAT-T family IPv4 (errno=19)
Sep 11 14:19:33 whiskers pluto[31676]: NAT-Traversal: Trying old style NAT-T
Sep 11 14:19:33 whiskers pluto[31676]: adding interface eth0/eth0
22.123.34.56:500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface eth0/eth0
22.123.34.56:4500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface as0t0/as0t0
10.8.0.1:500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface as0t0/as0t0
10.8.0.1:4500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface virbr0/virbr0
192.168.122.1:500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface virbr0/virbr0
192.168.122.1:4500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface tun0/tun0
172.16.0.1:500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface tun0/tun0
172.16.0.1:4500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface lo/lo 127.0.0.1:500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface lo/lo 127.0.0.1:4500
Sep 11 14:19:33 whiskers pluto[31676]: adding interface lo/lo ::1:500
Sep 11 14:19:33 whiskers pluto[31676]: loading secrets from
"/etc/ipsec.secrets"
Sep 11 14:19:33 whiskers pluto[31676]: loaded private key file
'/etc/ipsec.d/private/ca_key.pem' (1675 bytes)
Sep 11 14:19:33 whiskers pluto[31676]: loaded private key for keyid:
PPK_RSA:AwEAAc3GG
Sep 11 14:19:33 whiskers pluto[31676]: "ait-torden" #1: initiating Main Mode
Sep 11 14:20:03 whiskers pluto[31676]: packet from 12.234.22.224:500:
ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
Sep 11 14:20:03 whiskers pluto[31676]: packet from 12.234.22.224:500:
ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep 11 14:20:03 whiskers pluto[31676]: "ait-torden" #2: responding to Main
Mode
Sep 11 14:20:03 whiskers pluto[31676]: "ait-torden" #2: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 11 14:20:03 whiskers pluto[31676]: "ait-torden" #2: STATE_MAIN_R1: sent
MR1, expecting MI2
Sep 11 14:20:03 whiskers pluto[31676]: "ait-torden" #2: ignoring Vendor ID
payload [KAME/racoon]
Sep 11 14:20:03 whiskers pluto[31676]: "ait-torden" #2: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 11 14:20:03 whiskers pluto[31676]: "ait-torden" #2: STATE_MAIN_R2: sent
MR2, expecting MI3
Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #1: ignoring unknown
Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #1: ignoring Vendor ID
payload [KAME/racoon]
Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #2: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #2: no suitable
connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:04 whiskers pluto[31676]: "ait-torden" #2: sending encrypted
notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 11 14:20:05 whiskers pluto[31676]: "ait-torden" #1: ignoring Vendor ID
payload [KAME/racoon]
Sep 11 14:20:05 whiskers pluto[31676]: "ait-torden" #1: I am sending my cert
Sep 11 14:20:05 whiskers pluto[31676]: "ait-torden" #1: I am sending a
certificate request
Sep 11 14:20:05 whiskers pluto[31676]: "ait-torden" #1: unable to locate my
private key for RSA Signature
Sep 11 14:20:05 whiskers pluto[31676]: "ait-torden" #1: sending notification
AUTHENTICATION_FAILED to 12.234.22.224:500
Sep 11 14:20:13 whiskers pluto[31676]: "ait-torden" #2: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:13 whiskers pluto[31676]: "ait-torden" #2: no suitable
connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:13 whiskers pluto[31676]: "ait-torden" #2: sending encrypted
notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 11 14:20:14 whiskers pluto[31676]: "ait-torden" #2: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:14 whiskers pluto[31676]: "ait-torden" #2: no suitable
connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:14 whiskers pluto[31676]: "ait-torden" #2: sending encrypted
notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 11 14:20:15 whiskers pluto[31676]: "ait-torden" #1: discarding duplicate
packet; already STATE_MAIN_I2
Sep 11 14:20:24 whiskers pluto[31676]: "ait-torden" #2: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:24 whiskers pluto[31676]: "ait-torden" #2: no suitable
connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:24 whiskers pluto[31676]: "ait-torden" #2: sending encrypted
notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 11 14:20:25 whiskers pluto[31676]: "ait-torden" #1: discarding duplicate
packet; already STATE_MAIN_I2
Sep 11 14:20:33 whiskers pluto[31676]: "ait-torden" #2: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:33 whiskers pluto[31676]: "ait-torden" #2: no suitable
connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:33 whiskers pluto[31676]: "ait-torden" #2: sending encrypted
notification INVALID_ID_INFORMATION to 12.234.22.224:500
Sep 11 14:20:34 whiskers pluto[31676]: "ait-torden" #2: Main mode peer ID is
ID_DER_ASN1_DN: 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:34 whiskers pluto[31676]: "ait-torden" #2: no suitable
connection for peer 'C=US, ST=TX, L=Austin, O=AutomaticIT, OU=Executive'
Sep 11 14:20:34 whiskers pluto[31676]: "ait-torden" #2: sending encrypted
notification INVALID_ID_INFORMATION to 12.234.22.224:500
ipsec.conf (latest)
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
nat_traversal=yes
oe=off
protostack=netkey
virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
# Add connections here
conn ait-torden
auto=start
authby=rsasig
rekey=no
type=tunnel
left=22.123.34.56
leftcert=/etc/ipsec.d//certs/ait2torden.pem
leftrsasigkey=/etc/ipsec.d/private/ca_key.pem
leftsendcert=always
leftid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
right=12.234.22.224
# rightid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
rightrsasigkey=/etc/ipsec.d/private/ca_key.pem
JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com
--------------------------------------------------
From: "JT Edwards" <tstrike34 at gmail.com>
Sent: Friday, September 11, 2009 1:52 AM
To: "Paul Wouters" <paul at xelerance.com>
Cc: "Erich Titl" <erich.titl at think.ch>; <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure
> Oky dokey guys... Sorry its been a little bit but family issues came up.
>
> I went ahead and upgraded to 2.6.23 (from 2.4.15.... I didn't know if I
> was
> supposed to take on this new code or not).
>
> It seems that the problems with certificates exchanging continues but in a
> different aspect. Paul, the AER DSN was absolutely correct, but now I am
> at
> this stage:
>
> Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #2: starting keying
> attempt 3 of an unlimited number
> Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: initiating Main
> Mode
> to replace #2
> Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: ignoring unknown
> Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
> Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: ignoring Vendor ID
> payload [KAME/racoon]
> Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: transition from
> state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Sep 11 00:21:15 torden8 pluto[30407]: "ait-torden" #3: STATE_MAIN_I2: sent
> MI2, expecting MR2
> Sep 11 00:21:16 torden8 pluto[30407]: "ait-torden" #3: ignoring Vendor ID
> payload [KAME/racoon]
> Sep 11 00:21:16 torden8 pluto[30407]: "ait-torden" #3: transition from
> state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Sep 11 00:21:16 torden8 pluto[30407]: "ait-torden" #3: STATE_MAIN_I3: sent
> MI3, expecting MR3
> Sep 11 00:21:26 torden8 pluto[30407]: "ait-torden" #3: discarding
> duplicate
> packet; already STATE_MAIN_I3
>
> What am I doing wrong?
>
> ----------------------------------
> V-IPSecure (read: racoon implementation) says:
>
> 2009 Sep 11 00:32:57 [SRXN3205] [IKE] Phase 1 negotiation failed due to
> time
> up for 22.123.34.56[500]. 19ba6b19ee995cc6:0e7f1948d2051e45_
> 2009 Sep 11 00:33:07 [SRXN3205] [IKE] Configuration found for
> 22.123.34.56[500]._
> 2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received request for new phase 1
> negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
> 2009 Sep 11 00:33:07 [SRXN3205] [IKE] Beginning Identity Protection mode._
> 2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated 3 times -
> 2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-02__
> 2009 Sep 11 00:33:07 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated twice -
> 2009 Sep 11 00:33:08 [SRXN3205] [IKE] no peer's CERT payload found._
> 2009 Sep 11 00:33:18 [SRXN3205] [IKE] Received Malformed packet of payload
> length 29373 and total length 232._
> - Last output repeated twice -
> 2009 Sep 11 00:34:08 [SRXN3205] [IKE] Phase 1 negotiation failed due to
> time
> up for 22.123.34.56[500]. 93a3722f65567d5e:ad27188747d7f244_
> 2009 Sep 11 00:34:18 [SRXN3205] [IKE] Configuration found for
> 22.123.34.56[500]._
> 2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received request for new phase 1
> negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
> 2009 Sep 11 00:34:18 [SRXN3205] [IKE] Beginning Identity Protection mode._
> 2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated 3 times -
> 2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received Vendor ID:
> draft-ietf-ipsec-nat-t-ike-02__
> 2009 Sep 11 00:34:18 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated twice -
> 2009 Sep 11 00:34:19 [SRXN3205] [IKE] no peer's CERT payload found._
>
> -------------------
>
>
> Here is the ipsec auto --status
>
> -bash-3.2# ipsec auto --status
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface tun0/tun0 172.16.0.1
> 000 interface tun0/tun0 172.16.0.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface virbr0/virbr0 192.168.122.1
> 000 interface as0t0/as0t0 10.8.0.1
> 000 interface as0t0/as0t0 10.8.0.1
> 000 interface eth0/eth0 22.123.34.56
> 000 interface eth0/eth0 22.123.34.56
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 3 subnets: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
> 000 - disallowed 1 subnet: 192.168.0.0/24
> 000 WARNING: Either virtual_private= was not specified, or there was a
> syntax
> 000 error in that line. 'left/rightsubnet=%priv' will not work!
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40,
> keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
> keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,
> blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,
> blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "ait-torden": 22.123.34.56<22.123.34.56>[C=US, ST=TX, L=Austin,
> O=AutomaticIT, OU=Executive,+S=C]...12.234.22.224<12.234.22.224>[C=US,
> ST=TX, L=Austin, O=AutomaticIT, OU=Executive,+S=C]; prospective erouted;
> eroute owner: #0
> 000 "ait-torden": myip=unset; hisip=unset;
> 000 "ait-torden": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "ait-torden": policy: RSASIG+ENCRYPT+PFS+DONTREKEY+UP+IKEv2ALLOW;
> prio: 32,32; interface: eth0;
> 000 "ait-torden": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #7: "ait-torden":500 STATE_MAIN_I3 (sent MI3, expecting MR3);
> EVENT_RETRANSMIT in 16s; nodpd; idle; import:admin initiate
> 000 #7: pending Phase 2 for "ait-torden" replacing #0
> 000
>
>
> Here is my ipsec.conf
>
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> nat_traversal=yes
> oe=off
> protostack=netkey
>
> virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
>
>
> # Add connections here
> conn ait-torden
> auto=start
> authby=rsasig
> rekey=no
> type=transport
> left=22.123.34.56
> leftrsasigkey=%cert
> leftsendcert=always
> leftid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
> right=12.234.22.224
> rightid="C=US/ST=TX/L=Austin/O=AutomaticIT/OU=Executive"
> rightrsasigkey=%cert
>
>
> JT Edwards
> Senior Solutions Architect (Automation and Service Management)
> IBM Tivoli Certified
> Direct: 281-226-0284
> Direct: 512-772-3266
> Follow Me: 1866-866-4391 ext 1
> AIM tstrike34
> GoogleTalk tstrike34 at gmail.com
>
> --------------------------------------------------
> From: "Paul Wouters" <paul at xelerance.com>
> Sent: Thursday, September 03, 2009 12:03 PM
> To: "JT Edwards" <tstrike34 at gmail.com>
> Cc: "Erich Titl" <erich.titl at think.ch>; <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure
>
>> On Thu, 3 Sep 2009, JT Edwards wrote:
>>
>>> I went back to trying certificates again and this is what I am
>>> getting.... I am trying hard as I can to be patient but two weeks of
>>> sweat equity and no results proves frustrating my friends...
>>
>>> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: Main
>>> mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
>>> Sep 3 08:34:18 wizbang pluto[5181]: "openswan-to-vipsecure" #4: no
>>> suitable connection for peer '12.234.22.224'
>>
>> The peer is expected to present an ID_DER_ASN1_DN and not a ID_IPV4_ADDR
>> when
>> using certificates. You can try and setting rightid=12.234.22.224 but it
>> might just delay the actual problem.
>>
>> Be aware some appliances do not reload their IKE phase1 connection when
>> you
>> make a configuration change, and a reboot might be required to clear it.
>>
>>> Starting IPsec: Starting Openswan IPsec 2.4.9...
>>
>> Upgrade to 2.4.15
>>
>> Paul
>
More information about the Users
mailing list