[Openswan Users] problem tunneling traffic, 2.6.26dr1 + KLIPS on 2.6.32.11

Olaf mailinglists at ban-solms.de
Fri Apr 30 06:09:00 EDT 2010


Hello everybody,


I am testing openswan 2.6.26dr1 (Version 2.6.master-201016.git to be
precise) with KLIPS on Linux 2.6.32.11.
The goal is a (basic) net-net tunnel.

This is no problem in a local testing environment (using private IP to
private IP), but as soon as I try to tunnel traffic across my PPPoE
internet connection, things mysteriously go wrong :-/


The tunnel appears to come up correctly (according to log, see below)
and using tcpdump I can see packets coming from the remote network, but
there are no packets going from my end to the remote.
All I see is dropped packets on ipsec0 (using ip -s link show dev ipsec0).
It is like there is a black hole eating my outbound traffic.


Is there something wrong with my config? Something I am missing?
Anything I could try?


Thanks

Olaf



PS: the remote is using openswan 2.6.25 and has no trouble building
tunnels (with working traffic ;-)) to other endpoints.



ipsec.conf (remote is identical, with left/right swapped for obvious
reasons ;-)):

version 2.0

config setup
        protostack=klips
        interfaces="%defaultroute ipsec1=wlan-1 "
        klipsdebug="none"
        plutodebug="none"
        uniqueids=yes
        nat_traversal=yes

        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/255.255.255.0,%v4:!192.168.2.0/255.255.255.0,%v4:!192.168.3.0/255.255.255.0,%v4:!192.168.4.0/255.255.255.0,%v4:!192.168.2.0/24

conn %default
        keyingtries=0
        disablearrivalcheck=no

conn TunnelCert
        left=olaf.c.d
        leftsubnet=192.168.1.0/255.255.255.0
        right=tom.a.b
        rightsubnet=192.168.2.0/255.255.255.0
        leftcert=/etc/ipsec.d/certs/hostcert.pem
        rightcert=/etc/ipsec.d/certs/TunnelCertcert.pem

        ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
        esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
        ikelifetime=1h
        keylife=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        pfs=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        auto=start




20:59:14 pluto[27895] loading secrets from "/etc/ipsec.secrets"
20:59:14 pluto[27895]   loaded private key file
'/etc/ipsec.d/certs/hostkey.pem' (887 bytes)
20:59:14 pluto[27895] loaded private key for keyid: PPK_RSA:AwEAAdk5Z
20:59:14 pluto[27895] loading certificate from
/etc/ipsec.d/certs/hostcert.pem
20:59:14 pluto[27895]   loaded host cert file
'/etc/ipsec.d/certs/hostcert.pem' (1172 bytes)
20:59:14 pluto[27895] loading certificate from
/etc/ipsec.d/certs/TunnelCertcert.pem
20:59:14 pluto[27895]   loaded host cert file
'/etc/ipsec.d/certs/TunnelCertcert.pem' (1236 bytes)
20:59:14 pluto[27895] added connection description "TunnelCert"
20:59:14 pluto[27895] "TunnelCert" #1: initiating Main Mode
20:59:15 pluto[27895] "TunnelCert" #1: ignoring unknown Vendor ID
payload [4f45557d6068416e77737478]
20:59:15 pluto[27895] "TunnelCert" #1: received Vendor ID payload [Dead
Peer Detection]
20:59:15 pluto[27895] "TunnelCert" #1: received Vendor ID payload [RFC
3947] method set to=109
20:59:15 pluto[27895] "TunnelCert" #1: enabling possible NAT-traversal
with method 4
20:59:15 pluto[27895] "TunnelCert" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
20:59:15 pluto[27895] "TunnelCert" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
20:59:15 pluto[27895] "TunnelCert" #1: NAT-Traversal: Result using RFC
3947 (NAT-Traversal): no NAT detected
20:59:15 pluto[27895] "TunnelCert" #1: I am sending my cert
20:59:15 pluto[27895] "TunnelCert" #1: I am sending a certificate request
20:59:15 pluto[27895] "TunnelCert" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
20:59:15 pluto[27895] "TunnelCert" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
20:59:15 pluto[27895] "TunnelCert" #1: received Vendor ID payload
[CAN-IKEv2]
20:59:15 pluto[27895] "TunnelCert" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=DE, O=tom, CN=tom.a.b'
20:59:15 pluto[27895] "TunnelCert" #1: issuer cacert not found
20:59:15 pluto[27895] "TunnelCert" #1: X.509 certificate rejected
20:59:15 pluto[27895] "TunnelCert" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
20:59:15 pluto[27895] "TunnelCert" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha
group=modp1536}
20:59:15 pluto[27895] "TunnelCert" #1: Dead Peer Detection (RFC 3706):
enabled
20:59:15 pluto[27895] "TunnelCert" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:78da343b
proposal=AES(12)_128-SHA1(2)_160, AES(12)_128-MD5(1)_128,
3DES(3)_192-SHA1(2)_160, 3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1536}
20:59:15 pluto[27895] "TunnelCert" #2: Dead Peer Detection (RFC 3706):
enabled
20:59:15 pluto[27895] "TunnelCert" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
20:59:15 pluto[27895] "TunnelCert" #2: STATE_QUICK_I2: sent QI2, IPsec
SA established tunnel mode {ESP=>0x2c3fa170 <0x046bb172
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
20:59:23 pluto[27895] packet from 87.164.170.213:500: ignoring unknown
Vendor ID payload [4f45557d6068416e77737478]
20:59:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [Dead Peer Detection]
20:59:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [RFC 3947] method set to=109
20:59:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 109
20:59:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 109
20:59:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 109
20:59:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]
20:59:23 pluto[27895] "TunnelCert" #3: responding to Main Mode
20:59:23 pluto[27895] "TunnelCert" #3: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
20:59:23 pluto[27895] "TunnelCert" #3: STATE_MAIN_R1: sent MR1,
expecting MI2
20:59:23 pluto[27895] "TunnelCert" #3: NAT-Traversal: Result using RFC
3947 (NAT-Traversal): no NAT detected
20:59:23 pluto[27895] "TunnelCert" #3: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
20:59:23 pluto[27895] "TunnelCert" #3: STATE_MAIN_R2: sent MR2,
expecting MI3
20:59:23 pluto[27895] "TunnelCert" #3: Main mode peer ID is
ID_DER_ASN1_DN: 'C=DE, O=tom, CN=tom.a.b'
20:59:23 pluto[27895] "TunnelCert" #3: issuer cacert not found
20:59:23 pluto[27895] "TunnelCert" #3: X.509 certificate rejected
20:59:23 pluto[27895] "TunnelCert" #3: I am sending my cert
20:59:23 pluto[27895] "TunnelCert" #3: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
20:59:23 pluto[27895] "TunnelCert" #3: STATE_MAIN_R3: sent MR3, ISAKMP
SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha
group=modp1536}
20:59:23 pluto[27895] "TunnelCert" #3: Dead Peer Detection (RFC 3706):
enabled
20:59:23 pluto[27895] "TunnelCert" #3: the peer proposed:
192.168.1.0/24:0/0 -> 192.168.2.0/24:0/0
20:59:23 pluto[27895] "TunnelCert" #4: responding to Quick Mode proposal
{msgid:814cf096}
20:59:23 pluto[27895] "TunnelCert" #4:     us:
192.168.1.0/24===79.200.48.67<olaf.c.d>[C=DE, O=olaf, CN=olaf.c.d,+S=C]
20:59:23 pluto[27895] "TunnelCert" #4:   them:
87.164.170.213<tom.a.b>[C=DE, O=tom, CN=tom.a.b,+S=C]===192.168.2.0/24
20:59:23 pluto[27895] | NAT-OA: 0 tunnel: 0
20:59:23 pluto[27895] "TunnelCert" #4: keeping refhim=66 during rekey
20:59:23 pluto[27895] "TunnelCert" #4: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
20:59:23 pluto[27895] "TunnelCert" #4: STATE_QUICK_R1: sent QR1, inbound
IPsec SA installed, expecting QI2
20:59:23 pluto[27895] "TunnelCert" #4: Dead Peer Detection (RFC 3706):
enabled
20:59:23 pluto[27895] "TunnelCert" #4: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
20:59:23 pluto[27895] "TunnelCert" #4: STATE_QUICK_R2: IPsec SA
established tunnel mode {ESP=>0x2c3fa171 <0x046bb173
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
21:48:23 pluto[27895] packet from 87.164.170.213:500: ignoring unknown
Vendor ID payload [4f45557d6068416e77737478]
21:48:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [Dead Peer Detection]
21:48:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [RFC 3947] method set to=109
21:48:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 109
21:48:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 109
21:48:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 109
21:48:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]
21:48:23 pluto[27895] "TunnelCert" #5: responding to Main Mode
21:48:23 pluto[27895] "TunnelCert" #5: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
21:48:23 pluto[27895] "TunnelCert" #5: STATE_MAIN_R1: sent MR1,
expecting MI2
21:48:23 pluto[27895] "TunnelCert" #5: NAT-Traversal: Result using RFC
3947 (NAT-Traversal): no NAT detected
21:48:23 pluto[27895] "TunnelCert" #5: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
21:48:23 pluto[27895] "TunnelCert" #5: STATE_MAIN_R2: sent MR2,
expecting MI3
21:48:24 pluto[27895] "TunnelCert" #5: Main mode peer ID is
ID_DER_ASN1_DN: 'C=DE, O=tom, CN=tom.a.b'
21:48:24 pluto[27895] "TunnelCert" #5: issuer cacert not found
21:48:24 pluto[27895] "TunnelCert" #5: X.509 certificate rejected
21:48:24 pluto[27895] "TunnelCert" #5: I am sending my cert
21:48:24 pluto[27895] "TunnelCert" #5: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
21:48:24 pluto[27895] "TunnelCert" #5: STATE_MAIN_R3: sent MR3, ISAKMP
SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha
group=modp1536}
21:48:24 pluto[27895] "TunnelCert" #5: Dead Peer Detection (RFC 3706):
enabled
21:59:14 pluto[27895] "TunnelCert" #1: received Delete SA payload:
deleting ISAKMP State #1
21:59:14 pluto[27895] packet from 87.164.170.213:500: received and
ignored informational message
21:59:23 pluto[27895] packet from 87.164.170.213:500: Informational
Exchange is for an unknown (expired?) SA with MSGID:0x39073836
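Logs like the one above are awkward to read once a mail client has wrapped them at 72 columns, and the interesting facts (which IKE states authenticated the peer, which ones carried an IPsec SA, and the "issuer cacert not found" / "X.509 certificate rejected" pair that appears right before every "ISAKMP SA established") get lost in the noise. The following parser is an added example, not code from the original post or from the Openswan project: it re-joins the wrapped lines, groups pluto messages by state number, records ESP SPIs and the parent ISAKMP state of each Quick Mode, and flags states where the peer certificate was rejected yet the ISAKMP SA still came up. The sample input is a constructed excerpt of the log quoted in the post; the field names in the summary dictionary are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a mail-wrapped excerpt of the pluto log quoted in the post.
SAMPLE_LOG = """\
20:59:14 pluto[27895] "TunnelCert" #1: initiating Main Mode
20:59:15 pluto[27895] "TunnelCert" #1: Main mode peer ID is
ID_DER_ASN1_DN: 'C=DE, O=tom, CN=tom.a.b'
20:59:15 pluto[27895] "TunnelCert" #1: issuer cacert not found
20:59:15 pluto[27895] "TunnelCert" #1: X.509 certificate rejected
20:59:15 pluto[27895] "TunnelCert" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha
group=modp1536}
20:59:15 pluto[27895] "TunnelCert" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:78da343b
proposal=AES(12)_128-SHA1(2)_160, AES(12)_128-MD5(1)_128,
3DES(3)_192-SHA1(2)_160, 3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1536}
20:59:15 pluto[27895] "TunnelCert" #2: STATE_QUICK_I2: sent QI2, IPsec
SA established tunnel mode {ESP=>0x2c3fa170 <0x046bb172
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
20:59:23 pluto[27895] packet from 87.164.170.213:500: received Vendor ID
payload [Dead Peer Detection]
21:48:24 pluto[27895] "TunnelCert" #5: issuer cacert not found
21:48:24 pluto[27895] "TunnelCert" #5: X.509 certificate rejected
21:48:24 pluto[27895] "TunnelCert" #5: STATE_MAIN_R3: sent MR3, ISAKMP
SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha
group=modp1536}
21:59:14 pluto[27895] "TunnelCert" #1: received Delete SA payload:
deleting ISAKMP State #1
"""

# One pluto record: "HH:MM:SS pluto[pid] rest-of-message"
LINE_RE = re.compile(r'^(?P<time>\d{2}:\d{2}:\d{2}) pluto\[(?P<pid>\d+)\] (?P<rest>.*)$')
# Per-state messages: '"conn" #N: message'; "packet from ..." lines carry no state.
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')
# Outbound and inbound ESP SPIs as pluto prints them on "IPsec SA established".
SPI_RE = re.compile(r'ESP=>(?P<out>0x[0-9a-f]+) <(?P<inb>0x[0-9a-f]+)')
# The ISAKMP state a Quick Mode initiator runs under.
PARENT_RE = re.compile(r'using isakmp#(\d+)')


def unwrap(text):
    """Re-join log lines that a mail client wrapped; continuation lines have no timestamp."""
    records = []
    for raw in text.splitlines():
        if LINE_RE.match(raw):
            records.append(raw)
        elif records:
            records[-1] += ' ' + raw.strip()
    return records


def parse_pluto_log(text):
    """Return {state_number: summary} for every IKE state that appears in the log."""
    states = defaultdict(lambda: {'conn': None, 'events': [], 'cert_rejected': False,
                                  'isakmp_sa': False, 'ipsec_sa': None,
                                  'parent': None, 'deleted': False})
    for rec in unwrap(text):
        rest = LINE_RE.match(rec).group('rest')
        s = STATE_RE.match(rest)
        if not s:
            continue  # vendor-ID chatter and debug lines are not tied to a state
        num, msg = int(s.group('num')), s.group('msg')
        st = states[num]
        st['conn'] = s.group('conn')
        st['events'].append((LINE_RE.match(rec).group('time'), msg))
        if 'X.509 certificate rejected' in msg:
            st['cert_rejected'] = True
        if 'ISAKMP SA established' in msg:
            st['isakmp_sa'] = True
        if 'Quick Mode' in msg:
            p = PARENT_RE.search(msg)
            st['parent'] = int(p.group(1)) if p else None
        spi = SPI_RE.search(msg)
        if 'IPsec SA established' in msg and spi:
            st['ipsec_sa'] = (spi.group('out'), spi.group('inb'))
        if msg.startswith('received Delete SA payload'):
            st['deleted'] = True
    return dict(states)


def findings(states):
    """Turn the per-state summaries into the short list an operator should read first."""
    notes = []
    for num, st in sorted(states.items()):
        if st['cert_rejected'] and st['isakmp_sa']:
            notes.append(f"#{num}: peer cert rejected (issuer cacert not found), "
                         f"yet ISAKMP SA established; check which CA certs pluto loaded")
        if st['ipsec_sa']:
            out_spi, in_spi = st['ipsec_sa']
            notes.append(f"#{num}: IPsec SA up (outbound SPI {out_spi}, "
                         f"inbound SPI {in_spi}, ISAKMP #{st['parent']})")
        if st['deleted']:
            notes.append(f"#{num}: ISAKMP SA deleted at the peer's request")
    return notes


if __name__ == '__main__':
    for note in findings(parse_pluto_log(SAMPLE_LOG)):
        print(note)
```

Run against the full log in the post, the summary makes two things stand out: every Main Mode that authenticated the peer did so after pluto had rejected the received certificate, and an IPsec SA was installed in both directions (SPIs 0x2c3fa170 out, 0x046bb172 in), so the missing outbound traffic is not explained by IKE itself and the KLIPS side (the ipsec0 drop counters) is where to look next.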
