[Openswan Users] Still server crash
Dennis van der Meer
dennisvandermeer at greenchem-adblue.com
Mon Apr 5 08:19:08 EDT 2010
Hi Paul,

The configuration will only be used on my VMware test system. For production I will use different keys. I have made a little bit more progress, but still it is not working. Right now I also have an L2TP server running (xl2tpd), so when I have ipsec running correctly I could get started on the next part.

Since I am now working from a different location, the IP information changed a little. The server itself still has 10.0.15.1 as its internal address. The external IP address has become 192.168.95.140. I have an XP client that connects from 192.168.95.104.

I had to comment out the last line in the config file, otherwise I will get the same error as I did in my previous email. Here is my new config:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        uniqueids=yes
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
        protostack=klips
        plutodebug="none"
        klipsdebug="none"

conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=secret
        dpddelay=60
        dpdtimeout=120
        dpdaction=clear

conn RoadWarrior
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add
        type=tunnel
        # keyexchange=ike
This is the output from /var/log/secure:
Apr 5 13:56:47 telemetry ipsec__plutorun: Starting Pluto subsystem...
Apr 5 13:56:47 telemetry pluto[2147]: Starting Pluto (Openswan Version 2.6.25; Vendor ID OEC`nT{wo^XH) pid:2147
Apr 5 13:56:47 telemetry pluto[2147]: Setting NAT-Traversal port-4500 floating to off
Apr 5 13:56:47 telemetry pluto[2147]: port floating activation criteria nat_t=0/port_float=1
Apr 5 13:56:47 telemetry pluto[2147]: NAT-Traversal support [disabled]
Apr 5 13:56:47 telemetry pluto[2147]: using /dev/urandom as source of random entropy
Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 5 13:56:47 telemetry pluto[2147]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 5 13:56:47 telemetry pluto[2147]: starting up 1 cryptographic helpers
Apr 5 13:56:47 telemetry pluto[2147]: started helper pid=2149 (fd:7)
Apr 5 13:56:47 telemetry pluto[2147]: Using KLIPS IPsec interface code on 2.6.33-smp
Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory '/etc/ipsec.d/cacerts'
Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory '/etc/ipsec.d/aacerts'
Apr 5 13:56:47 telemetry pluto[2147]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Apr 5 13:56:47 telemetry pluto[2147]: Changing to directory '/etc/ipsec.d/crls'
Apr 5 13:56:47 telemetry pluto[2147]: Warning: empty directory
Apr 5 13:56:47 telemetry pluto[2149]: using /dev/urandom as source of random entropy
Apr 5 13:56:47 telemetry pluto[2147]: added connection description "RoadWarrior"
Apr 5 13:56:47 telemetry pluto[2147]: listening for IKE messages
Apr 5 13:56:47 telemetry pluto[2147]: adding interface ipsec0/eth0 192.168.95.140:500
Apr 5 13:56:47 telemetry pluto[2147]: loading secrets from "/etc/ipsec.secrets"
Apr 5 13:56:47 telemetry pluto[2147]: loaded private key for keyid: PPK_RSA:AQOeDYPHf
Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: ignoring Vendor ID payload [FRAGMENTATION]
Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Apr 5 13:56:56 telemetry pluto[2147]: packet from 192.168.95.104:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: responding to Main Mode from unknown peer 192.168.95.104
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.95.104'
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048}
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: the peer proposed: 192.168.95.140/32:17/1701 -> 192.168.95.104/32:17/0
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: responding to Quick Mode proposal {msgid:0140e494}
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: us: 192.168.95.140[+S=C]:17/1701
Apr 5 13:56:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: them: 192.168.95.104[+S=C]:17/1701
Apr 5 13:56:56 telemetry pluto[2147]: | NAT-OA: 0 tunnel: 1
Apr 5 13:56:56 telemetry pluto[2147]: ERROR: "RoadWarrior"[1] 192.168.95.104 #2: pfkey write() of K_SADB_ADD message 5 for Add SA esp.b2b35fa4 at 192.168.95.104 failed. Errno 71: Protocol error
Apr 5 13:56:56 telemetry pluto[2147]: | 02 03 00 03 12 00 00 00 05 00 00 00 63 08 00 00
Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 01 00 b2 b3 5f a4 40 01 02 03 00 00 00 00
Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00
Apr 5 13:56:56 telemetry pluto[2147]: | 02 00 06 a5 c0 a8 5f 8c 00 00 00 00 00 00 00 00
Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 06 00 00 00 00 00 02 00 06 a5 c0 a8 5f 68
Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03 00 08 00 80 00 00 00
Apr 5 13:56:56 telemetry pluto[2147]: | dd 6f c5 0d 9b 56 13 9c 12 f1 d4 3e cf f0 67 e1
Apr 5 13:56:56 telemetry pluto[2147]: | 04 00 09 00 c0 00 00 00 ab 83 a9 3a 4a 64 44 fc
Apr 5 13:56:56 telemetry pluto[2147]: | 88 b5 93 d1 33 58 4e 96 dd 0a cb 66 0d 01 11 c3
Apr 5 13:56:56 telemetry pluto[2147]: | failed to install outgoing SA: 0
Apr 5 13:56:57 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #2: discarding duplicate packet; already STATE_QUICK_R0
Apr 5 13:57:27 telemetry last message repeated 4 times
Apr 5 13:57:42 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104 #1: received Delete SA payload: deleting ISAKMP State #1
Apr 5 13:57:42 telemetry pluto[2147]: packet from 192.168.95.104:500: received and ignored informational message
Apr 5 14:01:56 telemetry pluto[2147]: "RoadWarrior"[1] 192.168.95.104: deleting connection "RoadWarrior" instance with peer 192.168.95.104 {isakmp=#0/ipsec=#0}
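The nine "| xx xx ..." lines pluto prints after the failed write() are the raw PF_KEY v2 SADB_ADD message it tried to hand to KLIPS, so they can be decoded and checked against the ERROR line above them. The decoder below is an added example written for this page, not Openswan code; it follows the RFC 2367 / <linux/pfkeyv2.h> layout and assumes the 8 bytes beyond the 16-byte RFC 2367 sadb_sa struct (the extension is 24 bytes here) are KLIPS-specific fields that can be skipped. The sample input is the dump from this log with each wrapped line re-joined. Decoded, the message carries the same pid (2147), sequence number (5), SPI (b2b35fa4) and peer (192.168.95.104) as the ERROR line, port 1701 on both addresses, algorithm ids 2 and 3 (SADB_AALG_MD5HMAC and SADB_EALG_3DESCBC in pfkeyv2.h), and the complete 128-bit authentication and 192-bit encryption keys of the SA. Two practical points follow: the message is well-formed (length field and every extension account for all 144 bytes), and a log that captures this debug output contains live SA keys, so it needs the same protection as the SAs themselves. Errno 71 is EPROTO on Linux.

```python
import re
import socket
import struct

# Constructed from this thread: pluto's ERROR line and the nine "| xx xx ..." dump
# lines that follow it, each wrapped log line re-joined onto one line.
ERROR_LINE = ('Apr 5 13:56:56 telemetry pluto[2147]: ERROR: "RoadWarrior"[1] 192.168.95.104 #2: '
              'pfkey write() of K_SADB_ADD message 5 for Add SA esp.b2b35fa4 at 192.168.95.104 '
              'failed. Errno 71: Protocol error')
DUMP_LINES = [
    "Apr 5 13:56:56 telemetry pluto[2147]: | 02 03 00 03 12 00 00 00 05 00 00 00 63 08 00 00",
    "Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 01 00 b2 b3 5f a4 40 01 02 03 00 00 00 00",
    "Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03 00 05 00 00 00 00 00",
    "Apr 5 13:56:56 telemetry pluto[2147]: | 02 00 06 a5 c0 a8 5f 8c 00 00 00 00 00 00 00 00",
    "Apr 5 13:56:56 telemetry pluto[2147]: | 03 00 06 00 00 00 00 00 02 00 06 a5 c0 a8 5f 68",
    "Apr 5 13:56:56 telemetry pluto[2147]: | 00 00 00 00 00 00 00 00 03 00 08 00 80 00 00 00",
    "Apr 5 13:56:56 telemetry pluto[2147]: | dd 6f c5 0d 9b 56 13 9c 12 f1 d4 3e cf f0 67 e1",
    "Apr 5 13:56:56 telemetry pluto[2147]: | 04 00 09 00 c0 00 00 00 ab 83 a9 3a 4a 64 44 fc",
    "Apr 5 13:56:56 telemetry pluto[2147]: | 88 b5 93 d1 33 58 4e 96 dd 0a cb 66 0d 01 11 c3",
]

# Numbering from RFC 2367 / <linux/pfkeyv2.h>.
MSG_TYPES = {1: "SADB_GETSPI", 2: "SADB_UPDATE", 3: "SADB_ADD", 4: "SADB_DELETE", 5: "SADB_GET"}
SA_TYPES = {2: "AH", 3: "ESP", 9: "IPCOMP"}
EXT_SA, EXT_ADDR_SRC, EXT_ADDR_DST, EXT_KEY_AUTH, EXT_KEY_ENC = 1, 5, 6, 8, 9
SA_STATES = {0: "larval", 1: "mature", 2: "dying", 3: "dead"}
AALG = {0: "none", 2: "hmac-md5", 3: "hmac-sha1"}     # SADB_AALG_*
EALG = {0: "none", 2: "des-cbc", 3: "3des-cbc"}       # SADB_EALG_*

HEX_RE = re.compile(r"\| ((?:[0-9a-f]{2} ?)+)\s*$")
ERROR_RE = re.compile(r"pluto\[(\d+)\].*?K_SADB_ADD message (\d+) for Add SA esp\.([0-9a-f]+) "
                      r"at ([\d.]+) failed\. Errno (\d+)")


def dump_to_bytes(lines):
    """Collect the hex bytes from pluto's "| xx xx ..." debug lines into one buffer."""
    return b"".join(bytes.fromhex(m.group(1)) for m in map(HEX_RE.search, lines) if m)


def parse_sadb_message(buf):
    """Decode struct sadb_msg plus extensions; header fields are host order (little-endian
    on this x86 box), the SPI and the sockaddr port are network order."""
    version, mtype, err, satype, length, _, seq, pid = struct.unpack_from("<BBBBHHII", buf, 0)
    if version != 2:
        raise ValueError(f"unexpected PF_KEY version {version}")
    if length * 8 != len(buf):                         # sadb_msg_len counts 64-bit units
        raise ValueError(f"sadb_msg_len says {length * 8} bytes, dump has {len(buf)}")
    msg = {"type": MSG_TYPES.get(mtype, mtype), "satype": SA_TYPES.get(satype, satype),
           "errno": err, "seq": seq, "pid": pid, "ext": {}}
    off = 16
    while off < len(buf):
        ext_len, ext_type = struct.unpack_from("<HH", buf, off)
        if ext_len == 0:
            raise ValueError(f"zero-length extension at offset {off}")
        if ext_type == EXT_SA:
            (spi,) = struct.unpack_from(">I", buf, off + 4)
            replay, state, auth, enc, flags = struct.unpack_from("<BBBBI", buf, off + 8)
            # ext_len is 3 (24 bytes), not the 16 bytes of the RFC 2367 struct; the extra
            # 8 bytes are assumed to be KLIPS-specific fields and are skipped.
            msg["ext"]["sa"] = {"spi": f"{spi:08x}", "replay_window": replay,
                                "state": SA_STATES.get(state, state), "flags": flags,
                                "auth": AALG.get(auth, auth), "encrypt": EALG.get(enc, enc)}
        elif ext_type in (EXT_ADDR_SRC, EXT_ADDR_DST):
            proto, prefixlen = struct.unpack_from("<BB", buf, off + 4)
            (family,) = struct.unpack_from("<H", buf, off + 8)      # struct sockaddr_in
            if family != 2:                                          # AF_INET
                raise ValueError(f"unsupported address family {family}")
            (port,) = struct.unpack_from(">H", buf, off + 10)
            msg["ext"]["src" if ext_type == EXT_ADDR_SRC else "dst"] = {
                "addr": socket.inet_ntoa(buf[off + 12:off + 16]), "port": port,
                "proto": proto, "prefixlen": prefixlen}
        elif ext_type in (EXT_KEY_AUTH, EXT_KEY_ENC):
            (bits,) = struct.unpack_from("<H", buf, off + 4)
            msg["ext"]["auth_key" if ext_type == EXT_KEY_AUTH else "enc_key"] = {
                "bits": bits, "hex": buf[off + 8:off + 8 + bits // 8].hex()}
        else:                                          # keep anything unknown as raw hex
            msg["ext"][f"ext_{ext_type}"] = buf[off + 4:off + ext_len * 8].hex()
        off += ext_len * 8
    return msg


def cross_check(msg, error_line):
    """Return the mismatches between the decoded message and pluto's ERROR line (empty = agree)."""
    m = ERROR_RE.search(error_line)
    if not m:
        return ["ERROR line is not a pluto K_SADB_ADD failure"]
    pid, seq, spi, peer, _errno = m.groups()
    pairs = {"pid": (msg["pid"], int(pid)), "seq": (msg["seq"], int(seq)),
             "type": (msg["type"], "SADB_ADD"), "satype": (msg["satype"], "ESP"),
             "spi": (msg["ext"].get("sa", {}).get("spi"), spi),
             "peer": (msg["ext"].get("dst", {}).get("addr"), peer)}
    return [f"{k}: dump has {got!r}, log says {want!r}"
            for k, (got, want) in pairs.items() if got != want]


if __name__ == "__main__":
    decoded = parse_sadb_message(dump_to_bytes(DUMP_LINES))
    print(decoded)
    print("mismatches:", cross_check(decoded, ERROR_LINE) or "none")
```

Run it as a script to see the decoded message, or feed `dump_to_bytes` the "| " lines of another failed pfkey write() and `cross_check` the result against its ERROR line; any mismatch means the dump does not belong to that failure.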
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Friday 2 April 2010 23:57
To: Dennis van der Meer
Cc: David McCullough; users at openswan.org
Subject: Re: [Openswan Users] Still server crash
On Fri, 2 Apr 2010, Dennis van der Meer wrote:
> # basic configuration
> config setup
> uniqueids=yes
> nat_traversal=no
>
> virtual_private=%v4:10.0.0.0/16,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!10.0.2.0/24,%v4:!10.0.7.0/24,%v4:!192.168.100.0/24
> protostack=klips
> plutodebug="none"
> klipsdebug="none"
That blank line will cause trouble.
> conn RoadWarrior
> auto=add
> left=192.168.2.63
> leftsourceip=10.0.15.1
> leftsubnet=10.0.15.0/24
> leftprotoport=17/1701
>
> right=%any
> rightprotoport=17/%any
> rightsubnet=vhost:%no,%priv
> pfs=no
> authby=secret
> type=tunnel
> keyingtries=5
> keyexchange=ike
And so will that blank line.
>
> ipsec.secrets:
>
> %any %any : PSK
> "716ce954e871ce7eb193c78624387dbed03cb25c6430adc672cf072d79b1c66c"
You will have to change this secret in production.
> Apr 2 16:28:24 telemetry pluto[3192]: NAT-Traversal support
> [disabled]
This is due to the blank line.
Paul
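Paul's two remarks in the quoted reply are about structure, not values: a blank line inside a section causes trouble, and, per ipsec.conf(5), a section continues only until the next line that begins in column 1, so keyword lines must be indented. The checker below is an added example, not part of Openswan; it splits an ipsec.conf into sections and reports blank lines that fall between keyword lines of one section, keyword lines that start in column 1, and keys set twice. The sample config is constructed from the one in this mail with indentation restored and one blank line deliberately placed inside conn RoadWarrior.

```python
import re

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")        # section header, column 1
KV_RE = re.compile(r"^\s+([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$")   # indented keyword=value
COL1_KV_RE = re.compile(r"^[A-Za-z_][\w-]*\s*=")               # keyword=value in column 1

# Constructed sample: the config from this mail, indented, with a blank line (line 17)
# splitting conn RoadWarrior in two.
SAMPLE_CONF = """\
version 2.0
config setup
        uniqueids=yes
        nat_traversal=no
        protostack=klips
        plutodebug="none"

conn %default
        keyingtries=0
        authby=secret

conn RoadWarrior
        authby=secret
        pfs=no
        left=%defaultroute
        leftprotoport=17/1701

        right=%any
        rightprotoport=17/%any
        auto=add
        type=tunnel
        # keyexchange=ike
"""
# Constructed sample: a keyword line that lost its indentation (as happens in mail).
FLAT_CONF = "conn RoadWarrior\nauthby=secret\n        pfs=no\n"


def lint_ipsec_conf(text):
    """Split ipsec.conf text into sections and report structural problems.

    Returns (sections, problems): sections maps "conn RoadWarrior" -> {key: value},
    problems is a list of (line_number, message)."""
    sections, problems = {}, []
    current, pending_blank = None, None       # pending_blank: blank line seen mid-section
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.strip().startswith("#"):
            continue                          # comment lines are harmless anywhere
        line = raw.split("#", 1)[0].rstrip()  # drop a trailing comment, keep the indent
        if not line.strip():
            if current is not None and pending_blank is None:
                pending_blank = no
            continue
        m = SECTION_RE.match(line)
        if m:
            current, pending_blank = f"{m.group(1)} {m.group(2)}", None
            if current in sections:
                problems.append((no, f"duplicate section '{current}'"))
            sections.setdefault(current, {})
            continue
        if line.startswith("version"):
            current, pending_blank = None, None
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            if pending_blank is not None:     # keyword lines resumed after a blank line
                problems.append((pending_blank, f"blank line inside '{current}' before '{key}='"))
                pending_blank = None
            if key in sections[current]:
                problems.append((no, f"'{key}' set twice in '{current}'"))
            sections[current][key] = value
        elif m:
            problems.append((no, f"'{m.group(1)}=' appears before any section header"))
        elif COL1_KV_RE.match(line):
            problems.append((no, f"'{line.split('=')[0].strip()}=' starts in column 1; "
                                 "keyword lines must be indented"))
        else:
            problems.append((no, f"unrecognised line: {raw.strip()!r}"))
    return sections, problems


if __name__ == "__main__":
    for conf in (SAMPLE_CONF, FLAT_CONF):
        sections, problems = lint_ipsec_conf(conf)
        print(sorted(sections), problems)
```

A blank line between two sections is not reported, only one followed by more keyword lines of the same section, which is the case Paul points at in the quoted config.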