[Openswan Users] Openswan and V-IPSecure [SOLVED]

JT Edwards tstrike34 at gmail.com
Tue Sep 22 22:29:45 EDT 2009


Paul,

Figured it out finally. I will be publishing a how-to with sample configs 
for future Netgear SRXN3205 and Openswan users. Working like a charm after a 
month of damn sweat equity!

Thank you for your help! Look for the link to the doc soon.

JT

JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com

--------------------------------------------------
From: "JT Edwards" <tstrike34 at gmail.com>
Sent: Wednesday, September 16, 2009 11:24 PM
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a 
question)

> The root of the problem is that phase 2 fails miserably... Suggestions 
> (sorta frustrated)???
>
>
> securelog
>
> Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: 
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: ignoring 
> informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Sep 16 20:32:31 torden8 pluto[2908]: "ait-2-torden-xen" #15: received and 
> ignored informational message
> Sep 16 21:22:59 torden8 pluto[2908]: "ait-2-torden-xen" #16: initiating 
> Main Mode to replace #15
> Sep 16 21:22:59 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring 
> unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
> Sep 16 21:22:59 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring 
> Vendor ID payload [KAME/racoon]
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition 
> from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: 
> STATE_MAIN_I2: sent MI2, expecting MR2
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring 
> Vendor ID payload [KAME/racoon]
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition 
> from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: 
> STATE_MAIN_I3: sent MI3, expecting MR3
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: Main mode 
> peer ID is ID_IPV4_ADDR: '12.234.22.224'
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition 
> from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: 
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: ignoring 
> informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
> Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: received and 
> ignored informational message
>
> From the SRXN3205
>
> - Last output repeated 3 times -
> 2009 Sep 16 19:46:39 [SRXN3205] [IKE] Received Vendor ID: 
> draft-ietf-ipsec-nat-t-ike-02__
> 2009 Sep 16 19:46:39 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated twice -
> 2009 Sep 16 19:46:49 [SRXN3205] [IKE] ISAKMP-SA established for 
> 12.234.22.224[500]-22.123.34.56[500] with 
> spi:446def1696a21692:b0256d49bea2c1c2_
> 2009 Sep 16 19:46:50 [SRXN3205] [IKE] Responding to new phase 2 
> negotiation: 12.234.22.224[0]<=>22.123.34.56[0]_
> 2009 Sep 16 19:46:50 [SRXN3205] [IKE] Using IPsec SA configuration: 
> 192.168.133.0/24<->192.168.122.1/24_
> 2009 Sep 16 19:46:50 [SRXN3205] [IKE] IPsec-SA established: ESP/Tunnel 
> 22.123.34.56->12.234.22.224 with spi=96818959(0x5c5570f)_
> 2009 Sep 16 19:46:50 [SRXN3205] [IKE] IPsec-SA established: ESP/Tunnel 
> 12.234.22.224->22.123.34.56 with spi=1333344279(0x4f793817)_
> 2009 Sep 16 19:49:32 [SRXN3205] [IKE] Responding to new phase 2 
> negotiation: 12.234.22.224[0]<=>22.123.34.56[0]_
> 2009 Sep 16 19:49:32 [SRXN3205] [IKE] Using IPsec SA configuration: 
> 192.168.111.0/24<->192.168.122.0/24_
> 2009 Sep 16 19:49:43 [SRXN3205] [IKE] Unknown notify message from 
> 22.123.34.56[500].No phase2 handle found._
> - Last output repeated 4 times -
> 2009 Sep 16 19:50:32 [SRXN3205] [IKE] Phase 2 negotiation failed due to 
> time up. 446def1696a21692:b0256d49bea2c1c2:433ded5a_
> 2009 Sep 16 19:50:32 [SRXN3205] [IKE] an undead schedule has been deleted: 
> 'quick_r1prep'._
> 2009 Sep 16 19:51:09 [SRXN3205] [IKE] Purged ISAKMP-SA with 
> proto_id=ISAKMP and spi=aa7a7ae22e74fbdb:6081520e53ec55bc._
> 2009 Sep 16 19:51:10 [SRXN3205] [IKE] ISAKMP-SA deleted for 
> 12.234.22.224[500]-22.123.34.56[500] with 
> spi:aa7a7ae22e74fbdb:6081520e53ec55bc_
> 2009 Sep 16 19:51:11 [SRXN3205] [IKE] Phase 2 sa expired 
> 12.234.22.224-22.123.34.56_
> 2009 Sep 16 19:51:12 [SRXN3205] [IKE] Phase 2 sa deleted 
> 12.234.22.224-22.123.34.56_
> 2009 Sep 16 19:54:01 [SRXN3205] [IKE] Phase 2 sa expired 
> 12.234.22.224-22.123.34.56_
> 2009 Sep 16 19:54:02 [SRXN3205] [IKE] Phase 2 sa deleted 
> 12.234.22.224-22.123.34.56_
> 2009 Sep 16 20:32:00 [SRXN3205] [IKE] Configuration found for 
> 22.123.34.56[500]._
> 2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received request for new phase 1 
> negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
> 2009 Sep 16 20:32:00 [SRXN3205] [IKE] Beginning Identity Protection mode._
> 2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated 3 times -
> 2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received Vendor ID: 
> draft-ietf-ipsec-nat-t-ike-02__
> 2009 Sep 16 20:32:00 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated twice -
> 2009 Sep 16 20:32:31 [SRXN3205] [IKE] ISAKMP-SA established for 
> 12.234.22.224[500]-22.123.34.56[500] with 
> spi:0efcefdbe7a52d45:632c9d2ce93ee462_
> 2009 Sep 16 20:32:31 [SRXN3205] [IKE] Sending Informational Exchange: 
> notify payload[INITIAL-CONTACT]_
> 2009 Sep 16 20:46:49 [SRXN3205] [IKE] Purged ISAKMP-SA with 
> proto_id=ISAKMP and spi=446def1696a21692:b0256d49bea2c1c2._
> 2009 Sep 16 20:46:50 [SRXN3205] [IKE] ISAKMP-SA deleted for 
> 12.234.22.224[500]-22.123.34.56[500] with 
> spi:446def1696a21692:b0256d49bea2c1c2_
> 2009 Sep 16 21:21:09 [SRXN3205] [IKE] no phase2 found for "vmware2xen"_
> 2009 Sep 16 21:21:09 [SRXN3205] [IKE] IPSec configuration with identifer 
> "vmware2xen" deleted sucessfully_
> 2009 Sep 16 21:22:59 [SRXN3205] [IKE] Configuration found for 
> 22.123.34.56[500]._
> 2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received request for new phase 1 
> negotiation: 12.234.22.224[500]<=>22.123.34.56[500]_
> 2009 Sep 16 21:22:59 [SRXN3205] [IKE] Beginning Identity Protection mode._
> 2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated 3 times -
> 2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received Vendor ID: 
> draft-ietf-ipsec-nat-t-ike-02__
> 2009 Sep 16 21:22:59 [SRXN3205] [IKE] Received unknown Vendor ID_
> - Last output repeated twice -
> 2009 Sep 16 21:23:00 [SRXN3205] [IKE] ISAKMP-SA established for 
> 12.234.22.224[500]-22.123.34.56[500] with 
> spi:cfd84b970d2fdde0:924fd6e44c340005_
> 2009 Sep 16 21:23:00 [SRXN3205] [IKE] Sending Informational Exchange: 
> notify payload[INITIAL-CONTACT]_
> 2009 Sep 16 21:32:31 [SRXN3205] [IKE] Purged ISAKMP-SA with 
> proto_id=ISAKMP and spi=0efcefdbe7a52d45:632c9d2ce93ee462._
> 2009 Sep 16 21:32:32 [SRXN3205] [IKE] ISAKMP-SA deleted for 
> 12.234.22.224[500]-22.123.34.56[500] with 
> spi:0efcefdbe7a52d45:632c9d2ce93ee462_
>
>
> JT
> --------------------------------------------------
> From: "JT Edwards" <tstrike34 at gmail.com>
> Sent: Wednesday, September 16, 2009 11:18 PM
> To: "Paul Wouters" <paul at xelerance.com>
> Cc: <users at openswan.org>
> Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a 
> question)
>
>> Paul and list:
>>
>> After 3 weeks, tonight I learned that Openswan and V-IPSecure don't 
>> work together because of this:
>>
>> Pure IPSec vpn tunnel
>> =====================
>>
>> In a pure IPSec vpn tunnel, only ip traffic is encrypted/decrypted.
>>
>> If you have non ip traffic, example, ipx, then it is not able to go into 
>> the vpn tunnel.
>>
>> OSPF, EIGRP, are not transferred in the tunnel.
>>
>> The url below might be helpful for you about IPSec,
>>
>> An Introduction to IP Security (IPSec) Encryption
>> Cisco
>> GRE over IPSec vpn tunnel
>> =========================
>>
>> In a GRE over IPSec vpn tunnel, the original packet whether ip, ipx, 
>> etc... is first going to be GRE encapsulated and then this packet is then 
>> subjected to IPSec encapsulation.
>>
>> Therefore, in a GRE over IPSec tunnel, all routing traffic (ip and non 
>> ip) can be routed through, because when the original packet (ip/non ip) is 
>> GRE encapsulated it will have an ip header (as defined by the GRE 
>> tunnel, normally the tunnel interface ip addresses); the IPSec 
>> protocol can then understand the ip packet and encapsulate the GRE 
>> packet to make it GRE over IPSec.
>>
>> --------snip----------
>>
>> I got this from the Netgear folks about 10 minutes ago... I am completely 
>> frustrated. According to the schematic I provided, I plan to install an 
>> Openswan server on .250.  I should not have a problem with an Openswan 
>> server behind a NAT, right?
>>
>> JT
>>
>>
>> --------------------------------------------------
>> From: "JT Edwards" <tstrike34 at gmail.com>
>> Sent: Wednesday, September 16, 2009 10:08 PM
>> To: "Paul Wouters" <paul at xelerance.com>
>> Cc: <users at openswan.org>
>> Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a 
>> question)
>>
>>> Paul,
>>>
>>> Here is what I have been working on....
>>>
>>> http://i149.photobucket.com/albums/s71/Tstrike29/Linking_AIT_to_torden-1.jpg
>>>
>>> Here is the ipsec.conf
>>>
>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>> # RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
>>>
>>> # This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
>>> #
>>> # Manual:     ipsec.conf.5
>>>
>>>
>>> version 2.0     # conforms to second version of ipsec.conf specification
>>>
>>> # basic configuration
>>> config setup
>>>        nat_traversal=yes       # accept NAT-T (UDP 4500) from peers behind NAT
>>>        oe=off                  # no opportunistic encryption
>>>        protostack=netkey       # native Linux kernel IPsec stack
>>>        # private ranges a NAT-T road warrior may claim (minus our own LAN);
>>>        # only used by conns with vhost:%priv style subnets, so not by the
>>>        # two static conns below
>>>        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.0.0/24
>>>
>>> # Tunnel 1: our 192.168.122.0/24 (Xen side) <-> Netgear's 192.168.133.0/24
>>> conn ait-2-torden-xen
>>>        type=tunnel
>>>        keyingtries=7
>>>        aggrmode=no             # Main Mode only (Identity Protection in the Netgear log)
>>>        compress=no
>>>        authby=secret           # PSK from /etc/ipsec.secrets
>>>        left=22.123.34.56
>>>        leftid=22.123.34.56
>>>        leftnexthop=22.123.34.1
>>>        leftsubnet=192.168.122.0/24
>>>        leftsourceip=192.168.122.1
>>>        right=12.234.22.224
>>>        rightid=12.234.22.224
>>>        rightnexthop=12.234.22.1
>>>        rightsubnet=192.168.133.0/24
>>>        rightsourceip=192.168.133.2
>>>        auto=start
>>>
>>> # Tunnel 2: same two gateways, second remote LAN (VMware side) 192.168.111.0/24
>>> conn ait-2-torden-vmware
>>>        type=tunnel
>>>        keyingtries=7
>>>        compress=no
>>>        authby=secret
>>>        left=22.123.34.56
>>>        leftid=22.123.34.56
>>>        leftsubnet=192.168.122.0/24
>>>        leftnexthop=22.123.34.1
>>>        leftsourceip=192.168.122.1
>>>        right=12.234.22.224
>>>        rightid=12.234.22.224
>>>        rightsubnet=192.168.111.0/24
>>>        rightnexthop=12.234.22.1
>>>        rightsourceip=192.168.111.2
>>>        auto=start
>>>
>>> Do I have this right?
>>>
>>> Best Regards,
>>> JT
>>>
>>> --------------------------------------------------
>>> From: "Paul Wouters" <paul at xelerance.com>
>>> Sent: Wednesday, September 16, 2009 8:47 PM
>>> To: "JT Edwards" <tstrike34 at gmail.com>
>>> Cc: <users at openswan.org>
>>> Subject: Re: [Openswan Users] Openswan and V-IPSecure (SUCCESS with a 
>>> question)
>>>
>>>> On Wed, 16 Sep 2009, JT Edwards wrote:
>>>>
>>>>> Can we post diagrams (of course with false IPs)? I had a question, and 
>>>>> the only way I could ask it is to also post a diagram for the list to 
>>>>> look at.
>>>>
>>>> Please use a link to page somewhere.
>>>>
>>>> Paul
>>> 
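An added example, not from the thread and not Openswan's code: a script that reads the two logs quoted above, reports the last IKE state each ISAKMP SA reached on the Openswan side (the posted pluto log stops at STATE_MAIN_I4 and never shows a Quick Mode state), pairs each phase-2 attempt the SRXN3205 logged with its outcome, and maps the selectors the Netgear printed back onto the conn definitions in the posted ipsec.conf. The sample lines are copied from the thread with the mail wrapping undone; the one assumption, marked in the code, is that the Netgear prints its own subnet first in "Using IPsec SA configuration: local<->remote".

```python
"""Correlate the pluto and Netgear SRXN3205 IKE logs quoted in the thread.

Added example, not Openswan code and not the poster's.  Sample lines are
copied from the thread (mail-wrapped lines re-joined, trailing "_" on the
Netgear lines left as received).  Assumption: the Netgear prints its own
subnet first in "Using IPsec SA configuration: local<->remote".
"""
import ipaddress
import re

PLUTO_LOG = """\
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 16 21:23:00 torden8 pluto[2908]: "ait-2-torden-xen" #16: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"""
NETGEAR_LOG = """\
2009 Sep 16 19:46:50 [SRXN3205] [IKE] Using IPsec SA configuration: 192.168.133.0/24<->192.168.122.1/24_
2009 Sep 16 19:46:50 [SRXN3205] [IKE] IPsec-SA established: ESP/Tunnel 22.123.34.56->12.234.22.224 with spi=96818959(0x5c5570f)_
2009 Sep 16 19:46:50 [SRXN3205] [IKE] IPsec-SA established: ESP/Tunnel 12.234.22.224->22.123.34.56 with spi=1333344279(0x4f793817)_
2009 Sep 16 19:49:32 [SRXN3205] [IKE] Using IPsec SA configuration: 192.168.111.0/24<->192.168.122.0/24_
2009 Sep 16 19:49:43 [SRXN3205] [IKE] Unknown notify message from 22.123.34.56[500].No phase2 handle found._
2009 Sep 16 19:50:32 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up. 446def1696a21692:b0256d49bea2c1c2:433ded5a_
"""
IPSEC_CONF = """\
conn ait-2-torden-xen
        leftsubnet=192.168.122.0/24
        rightsubnet=192.168.133.0/24
conn ait-2-torden-vmware
        leftsubnet=192.168.122.0/24
        rightsubnet=192.168.111.0/24
"""
PLUTO_RE = re.compile(r'pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
NETGEAR_RE = re.compile(r'^\d{4} \w{3} +\d+ [\d:]+ \[SRXN3205\] \[IKE\] (.*?)_?$')


def pluto_sa_states(text):
    """Map (conn, ISAKMP SA number) -> last STATE_* pluto logged for it."""
    states = {}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        key, msg = (m.group(1), int(m.group(2))), m.group(3)
        st = (re.match(r'transition from state \S+ to state (STATE_\w+)', msg)
              or re.match(r'(STATE_\w+):', msg))
        if st:
            states[key] = st.group(1)
    return states


def netgear_phase2(text):
    """List each phase-2 attempt the Netgear logged, with its outcome."""
    attempts = []
    for line in text.splitlines():
        m = NETGEAR_RE.match(line)
        if not m:
            continue
        msg = m.group(1)  # trailing "_" already dropped by the regex
        sel = re.match(r'Using IPsec SA configuration: (\S+)<->(\S+)', msg)
        if sel:  # assumption: first selector is the Netgear's own subnet
            attempts.append({'local': sel.group(1), 'remote': sel.group(2),
                             'outcome': 'pending'})
        elif attempts and msg.startswith(('IPsec-SA established',
                                          'Phase 2 negotiation failed')):
            attempts[-1]['outcome'] = ('established' if msg.startswith('IPsec')
                                       else 'failed')
    return attempts


def parse_conns(text):
    """Collect key=value settings per conn from an ipsec.conf fragment."""
    conns, cur = {}, None
    for line in text.splitlines():
        head = re.match(r'^conn\s+(\S+)', line)
        kv = re.match(r'^\s+(\w+)=(\S+)', line)
        if head:
            cur = head.group(1)
            conns[cur] = {}
        elif kv and cur:
            conns[cur][kv.group(1)] = kv.group(2)
    return conns


def net(s):  # strict=False canonicalises "192.168.122.1/24" to 192.168.122.0/24
    return ipaddress.ip_network(s, strict=False)


def match_conn(attempt, conns):
    """Conn whose rightsubnet/leftsubnet equal the Netgear's local/remote
    selectors (the Netgear is the 'right' side in the posted ipsec.conf)."""
    for name, c in conns.items():
        if (net(c['rightsubnet']) == net(attempt['local'])
                and net(c['leftsubnet']) == net(attempt['remote'])):
            return name
    return None


def report():
    """Return (pluto states, Netgear attempts tagged with conn and whether
    the Netgear printed canonical network addresses)."""
    states = pluto_sa_states(PLUTO_LOG)
    conns = parse_conns(IPSEC_CONF)
    attempts = netgear_phase2(NETGEAR_LOG)
    for a in attempts:
        a['conn'] = match_conn(a, conns)
        a['canonical'] = all(str(net(a[k])) == a[k] for k in ('local', 'remote'))
    return states, attempts


if __name__ == '__main__':
    states, attempts = report()
    for (conn, num), st in sorted(states.items()):
        print(f'pluto "{conn}" #{num}: last state {st}')
    print('pluto logged a Quick Mode state:',
          any(s.startswith('STATE_QUICK') for s in states.values()))
    for a in attempts:
        print(f"netgear {a['local']}<->{a['remote']}: conn={a['conn']} "
              f"{a['outcome']} canonical={a['canonical']}")
```

Run as-is it pairs the first Netgear attempt (established) with ait-2-torden-xen and the second (timed out) with ait-2-torden-vmware, and flags that the Netgear printed the Openswan-side selector of the first as 192.168.122.1/24 with host bits set rather than 192.168.122.0/24; the thread does not say whether that mattered, so the script only reports it. To use it on a live problem, replace the three sample strings with the full pluto log (plutodebug=control helps), the full device log, and the real conn sections.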