[Openswan Users] Openswan and V-IPSecure (SUCCESS with a question)
JT Edwards
tstrike34 at gmail.com
Wed Sep 16 23:24:03 EDT 2009
The root of the problem is that phase 2 fails miserably... Suggestions
(sorta frustrated)???
securelog
Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: received and ignored informational message
Sep 16 21:22:59 torden8 pluto[2908]: "ait-2-torden-xen" #16: initiating Main Mode to replace #15
Sep 16 21:22:59 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep 16 21:22:59 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring Vendor ID payload [KAME/racoon]
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring Vendor ID payload [KAME/racoon]
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: received and ignored informational message
From the SRXN3205
- Last output repeated 3 times -
2009 Sep 16 19:46:39 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009 Sep 16 19:46:39 [SRXN3205] [IKE] Received unknown Vendor ID
- Last output repeated twice -
2009 Sep 16 19:46:49 [SRXN3205] [IKE] ISAKMP-SA established for 12.234.22.224[500]-22.123.34.56[500] with spi:446def1696a21692:b0256d49bea2c1c2
2009 Sep 16 19:46:50 [SRXN3205] [IKE] Responding to new phase 2 negotiation: 12.234.22.224[0]<=>22.123.34.56[0]
2009 Sep 16 19:46:50 [SRXN3205] [IKE] Using IPsec SA configuration: 192.168.133.0/24<->192.168.122.1/24
2009 Sep 16 19:46:50 [SRXN3205] [IKE] IPsec-SA established: ESP/Tunnel 22.123.34.56->12.234.22.224 with spi=96818959(0x5c5570f)
2009 Sep 16 19:46:50 [SRXN3205] [IKE] IPsec-SA established: ESP/Tunnel 12.234.22.224->22.123.34.56 with spi=1333344279(0x4f793817)
2009 Sep 16 19:49:32 [SRXN3205] [IKE] Responding to new phase 2 negotiation: 12.234.22.224[0]<=>22.123.34.56[0]
2009 Sep 16 19:49:32 [SRXN3205] [IKE] Using IPsec SA configuration: 192.168.111.0/24<->192.168.122.0/24
2009 Sep 16 19:49:43 [SRXN3205] [IKE] Unknown notify message from 22.123.34.56[500].No phase2 handle found.
- Last output repeated 4 times -
2009 Sep 16 19:50:32 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up. 446def1696a21692:b0256d49bea2c1c2:433ded5a
2009 Sep 16 19:50:32 [SRXN3205] [IKE] an undead schedule has been deleted: 'quick_r1prep'.
2009 Sep 16 19:51:09 [SRXN3205] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=aa7a7ae22e74fbdb:6081520e53ec55bc.
2009 Sep 16 19:51:10 [SRXN3205] [IKE] ISAKMP-SA deleted for 12.234.22.224[500]-22.123.34.56[500] with spi:aa7a7ae22e74fbdb:6081520e53ec55bc
2009 Sep 16 19:51:11 [SRXN3205] [IKE] Phase 2 sa expired 12.234.22.224-22.123.34.56
2009 Sep 16 19:51:12 [SRXN3205] [IKE] Phase 2 sa deleted 12.234.22.224-22.123.34.56
2009 Sep 16 19:54:01 [SRXN3205] [IKE] Phase 2 sa expired 12.234.22.224-22.123.34.56
2009 Sep 16 19:54:02 [SRXN3205] [IKE] Phase 2 sa deleted 12.234.22.224-22.123.34.56
2009 Sep 16 20:32:00 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500].
2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]
2009 Sep 16 20:32:00 [SRXN3205] [IKE] Beginning Identity Protection mode.
2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received unknown Vendor ID
- Last output repeated 3 times -
2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received unknown Vendor ID
- Last output repeated twice -
2009 Sep 16 20:32:31 [SRXN3205] [IKE] ISAKMP-SA established for 12.234.22.224[500]-22.123.34.56[500] with spi:0efcefdbe7a52d45:632c9d2ce93ee462
2009 Sep 16 20:32:31 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2009 Sep 16 20:46:49 [SRXN3205] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=446def1696a21692:b0256d49bea2c1c2.
2009 Sep 16 20:46:50 [SRXN3205] [IKE] ISAKMP-SA deleted for 12.234.22.224[500]-22.123.34.56[500] with spi:446def1696a21692:b0256d49bea2c1c2
2009 Sep 16 21:21:09 [SRXN3205] [IKE] no phase2 found for "vmware2xen"
2009 Sep 16 21:21:09 [SRXN3205] [IKE] IPSec configuration with identifer "vmware2xen" deleted sucessfully
2009 Sep 16 21:22:59 [SRXN3205] [IKE] Configuration found for 22.123.34.56[500].
2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received request for new phase 1 negotiation: 12.234.22.224[500]<=>22.123.34.56[500]
2009 Sep 16 21:22:59 [SRXN3205] [IKE] Beginning Identity Protection mode.
2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received unknown Vendor ID
- Last output repeated 3 times -
2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received unknown Vendor ID
- Last output repeated twice -
2009 Sep 16 21:23:00 [SRXN3205] [IKE] ISAKMP-SA established for 12.234.22.224[500]-22.123.34.56[500] with spi:cfd84b970d2fdde0:924fd6e44c340005
2009 Sep 16 21:23:00 [SRXN3205] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
2009 Sep 16 21:32:31 [SRXN3205] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=0efcefdbe7a52d45:632c9d2ce93ee462.
2009 Sep 16 21:32:32 [SRXN3205] [IKE] ISAKMP-SA deleted for 12.234.22.224[500]-22.123.34.56[500] with spi:0efcefdbe7a52d45:632c9d2ce93ee462
JT
--------------------------------------------------
From: "JT Edwards" <tstrike34 at gmail.com>
Sent: Wednesday, September 16, 2009 11:18 PM
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a
question)
> Paul and list:
>
> After 3 weeks, tonight I learned that Openswan and V-IPSecure don't work
> together because of this:
>
> Pure IPSec vpn tunnel
> =====================
>
> In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.
>
> If you have non ip traffic, example, ipx, then it is not able to go into
> the vpn tunnel.
>
> OSPF, EIGRP, are not transferred in the tunnel.
>
> The url below might be helpful for you about IPSec,
>
> An Introduction to IP Security (IPSec) Encryption
> Cisco
> GRE over IPSec vpn tunnel
> =========================
>
> In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx,
> etc... is first going to be GRE encapsulated and then this packet is then
> subjected to IPSec encapsulation.
>
> Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non ip)
> can be routed through because when the original packet (ip/non ip) is GRE
> encapsulated, then it will have an ip header (as defined by the GRE tunnel
> (normally the tunnel interface ip addresses)) then the IPSec protocol can
> understand the ip packet and can therefore be able to encapsulate the
> GRE packet to make it GRE over IPSec.
>
> --------snip----------
>
> I got this from the Netgear folks about 10 minutes ago... I am completely
> frustrated. According to the schematic I provided, I plan to install an
> Openswan server on .250. I should not have a problem with an Openswan
> server behind a NAT, right?
>
> JT
>
>
> --------------------------------------------------
> From: "JT Edwards" <tstrike34 at gmail.com>
> Sent: Wednesday, September 16, 2009 10:08 PM
> To: "Paul Wouters" <paul at xelerance.com>
> Cc: <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a
> question)
>
>> Paul,
>>
>> Here is what I have been working on....
>>
>> http://i149.photobucket.com/albums/s71/Tstrike29/Linking_AIT_to_torden-1.jpg
>>
>> Here is the ipsec.conf
>>
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>>
>> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
>> #
>> # Manual: ipsec.conf.5
>>
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>         nat_traversal=yes
>>         oe=off
>>         protostack=netkey
>>         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
>>
>> conn ait-2-torden-xen
>>         type=tunnel
>>         keyingtries=7
>>         aggrmode=no
>>         compress=no
>>         authby=secret
>>         left=22.123.34.56
>>         leftid=22.123.34.56
>>         leftnexthop=22.123.34.1
>>         leftsubnet=192.168.122.0/24
>>         leftsourceip=192.168.122.1
>>         right=12.234.22.224
>>         rightid=12.234.22.224
>>         rightnexthop=12.234.22.1
>>         rightsubnet=192.168.133.0/24
>>         rightsourceip=192.168.133.2
>>         auto=start
>>
>> conn ait-2-torden-vmware
>>         type=tunnel
>>         keyingtries=7
>>         compress=no
>>         authby=secret
>>         left=22.123.34.56
>>         leftid=22.123.34.56
>>         leftsubnet=192.168.122.0/24
>>         leftnexthop=22.123.34.1
>>         leftsourceip=192.168.122.1
>>         right=12.234.22.224
>>         rightid=12.234.22.224
>>         rightsubnet=192.168.111.0/24
>>         rightnexthop=12.234.22.1
>>         rightsourceip=192.168.111.2
>>         auto=start
>>
>> Do I have this right?
>>
>> Best Regards,
>> JT
>>
>> --------------------------------------------------
>> From: "Paul Wouters" <paul at xelerance.com>
>> Sent: Wednesday, September 16, 2009 8:47 PM
>> To: "JT Edwards" <tstrike34 at gmail.com>
>> Cc: <users at openswan.org>
>> Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a
>> question)
>>
>>> On Wed, 16 Sep 2009, JT Edwards wrote:
>>>
>>>> Can we post diagrams (of course with false IPs) I had a question and
>>>> the only way I could ask it is to also post a diagram for the list to
>>>> look at.
>>>
>>> Please use a link to page somewhere.
>>>
>>> Paul
>>
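The pattern in the logs above is a phase 1 (ISAKMP SA) that completes on both ends while phase 2 (the IPsec SA) never does. The script below is an added example, not code from the thread or from Openswan: it parses pluto log lines of the kind posted at the top, counts ISAKMP versus IPsec SA establishments per connection, and then compares the phase 2 selectors the SRXN3205 logged ("Using IPsec SA configuration: A<->B") against the leftsubnet/rightsubnet pairs in the posted ipsec.conf, both as written and after masking host bits. The sample log lines and the trimmed ipsec.conf are constructed from the thread with wrapped lines re-joined; the assumption that the peer prints its own subnet first (so it corresponds to Openswan's rightsubnet) follows from the addresses in the posted config.

```python
"""Added diagnostic for an IKE tunnel that reaches phase 1 but not phase 2.

Parses Openswan pluto log lines and the peer's (SRXN3205) IKE log, reports
which connections established an ISAKMP SA without a following IPsec SA,
and checks whether the phase 2 selectors the peer logged match the
leftsubnet/rightsubnet declared in ipsec.conf, as written and after masking.
"""
import ipaddress
import re
from collections import defaultdict

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
PEER_SEL_RE = re.compile(r'Using IPsec SA configuration:\s*(?P<remote>\S+)<->(?P<local>\S+)')
PEER_FAIL_RE = re.compile(r'Phase 2 negotiation failed')

# Constructed sample input, copied from the thread with wrapped lines re-joined.
PLUTO_LOG = [
    'Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}',
    'Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: received and ignored informational message',
    'Sep 16 21:22:59 torden8 pluto[2908]: "ait-2-torden-xen" #16: initiating Main Mode to replace #15',
    'Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}',
]
PEER_LOG = [
    '2009 Sep 16 19:46:50 [SRXN3205] [IKE] Using IPsec SA configuration: 192.168.133.0/24<->192.168.122.1/24',
    '2009 Sep 16 19:49:32 [SRXN3205] [IKE] Using IPsec SA configuration: 192.168.111.0/24<->192.168.122.0/24',
    '2009 Sep 16 19:50:32 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up. 446def1696a21692:b0256d49bea2c1c2:433ded5a',
]
# Trimmed to the parameters this check needs (constructed from the posted config).
IPSEC_CONF = """\
config setup
	nat_traversal=yes
conn ait-2-torden-xen
	leftsubnet=192.168.122.0/24
	rightsubnet=192.168.133.0/24
conn ait-2-torden-vmware
	leftsubnet=192.168.122.0/24
	rightsubnet=192.168.111.0/24
"""


def phase_summary(pluto_lines):
    """Count ISAKMP SA (phase 1) and IPsec SA (phase 2) establishments per conn."""
    summary = defaultdict(lambda: {"phase1": 0, "phase2": 0})
    for line in pluto_lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            summary[m.group("conn")]["phase1"] += 1
        elif "IPsec SA established" in msg:
            summary[m.group("conn")]["phase2"] += 1
    return dict(summary)


def stuck_at_phase1(pluto_lines):
    """Connections that reached phase 1 at least once but never phase 2."""
    return sorted(c for c, s in phase_summary(pluto_lines).items()
                  if s["phase1"] and not s["phase2"])


def conf_sections(conf_text):
    """Minimal ipsec.conf reader: {conn name: {key: value}} for conn sections."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def peer_selectors(peer_lines):
    """(remote, local) selector pairs the peer logged for each phase 2 attempt."""
    return [(m.group("remote"), m.group("local"))
            for m in map(PEER_SEL_RE.search, peer_lines) if m]


def selector_mismatches(conf_text, peer_lines):
    """For each peer selector pair, report an 'exact' conn match, a
    'masked-only' match (equal only after host bits are cleared, e.g.
    192.168.122.1/24 vs 192.168.122.0/24) or 'none'."""
    conns = conf_sections(conf_text)
    findings = []
    for remote, local in peer_selectors(peer_lines):
        # Assumption: the peer prints its own side first, i.e. Openswan's rightsubnet.
        exact = [n for n, c in conns.items()
                 if c.get("rightsubnet") == remote and c.get("leftsubnet") == local]
        if exact:
            findings.append((remote, local, "exact", exact[0]))
            continue
        r_net = ipaddress.ip_network(remote, strict=False)
        l_net = ipaddress.ip_network(local, strict=False)
        loose = [n for n, c in conns.items()
                 if ipaddress.ip_network(c.get("rightsubnet", "0.0.0.0/32"), strict=False) == r_net
                 and ipaddress.ip_network(c.get("leftsubnet", "0.0.0.0/32"), strict=False) == l_net]
        findings.append((remote, local, "masked-only" if loose else "none",
                         loose[0] if loose else None))
    return findings


def report():
    """Human-readable findings for the constructed sample data."""
    lines = [f"{c}: ISAKMP SA established, no IPsec SA seen" for c in stuck_at_phase1(PLUTO_LOG)]
    lines.append(f"peer reported {sum(1 for l in PEER_LOG if PEER_FAIL_RE.search(l))} phase 2 failure(s)")
    for remote, local, how, conn in selector_mismatches(IPSEC_CONF, PEER_LOG):
        lines.append(f"peer selectors {remote}<->{local}: {how} match" + (f" ({conn})" if conn else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

A "masked-only" finding means the two sides agree on the network but one of them is sending the selector with host bits set; whether a given IKE responder accepts that depends on the implementation, so it is the first thing to reconcile in both configurations before looking deeper at the phase 2 proposal.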