[Openswan Users] Two openswan tunnels with D-Link DI-808HV
Антон Райцин
remaster at termofest.ru
Fri Dec 10 08:31:03 EST 2010
Hello, I have several problems with my openswan configuration.
I have 2 tunnels to 2 D-Link DI-808HV from one Ubuntu 10.10 server
connected to the internet. The first tunnel (Lukovskkon) starts
well, but after some time it stops responding until I restart the
ipsec service. The second tunnel (Chelnykon) is configured like the first
one, but I cannot access hosts on the right end of the tunnel – there is
no route to it; the server just sends my packets to the internet, not to the
tunnel. But from the right side I can access the left network.
Ipsec.conf:
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey
    interfaces=%defaultroute
    uniqueids=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    #authby=rsasig
    leftrsasigkey=%dns
    rightrsasigkey=%dns

conn Lukovskkon
    left=92.255.194.238
    leftid=92.255.194.238
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=83.151.5.36
    rightsubnet=192.168.3.0/24
    rightid=83.151.5.36
    keyexchange=ike
    ikelifetime=240m
    keylife=3600s
    pfs=yes
    compress=no
    authby=secret
    keyingtries=0
    auto=start

conn Chelnykon
    left=92.255.194.238
    leftsourceip=192.168.1.1
    leftid=92.255.194.238
    leftsubnet=192.168.1.0/24
    leftnexthop=%defaultroute
    right=79.175.29.70
    rightsourceip=192.168.4.1
    rightsubnet=192.168.4.0/24
    rightid=79.175.29.70
    keyexchange=ike
    ikelifetime=240m
    keylife=3600s
    pfs=yes
    compress=no
    authby=secret
    keyingtries=0
    auto=start

Part of the log:
Dec 10 16:01:27 gate pluto[13110]: Starting Pluto (Openswan Version 2.6.26; Vendor ID OEPK~zvMNd_W) pid:13110
Dec 10 16:01:27 gate pluto[13110]: Setting NAT-Traversal port-4500 floating to on
Dec 10 16:01:27 gate pluto[13110]: port floating activation criteria nat_t=1/port_float=1
Dec 10 16:01:27 gate pluto[13110]: NAT-Traversal support [enabled]
Dec 10 16:01:27 gate pluto[13110]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: starting up 3 cryptographic helpers
Dec 10 16:01:27 gate pluto[13110]: started helper pid=13114 (fd:7)
Dec 10 16:01:27 gate pluto[13110]: started helper pid=13115 (fd:8)
Dec 10 16:01:27 gate pluto[13114]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13110]: started helper pid=13116 (fd:9)
Dec 10 16:01:27 gate pluto[13110]: Using Linux 2.6 IPsec interface code on 2.6.35-22-generic-pae (experimental code)
Dec 10 16:01:27 gate pluto[13115]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13116]: using /dev/urandom as source of random entropy
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: ike_alg_add(): ERROR: Algorithm already exists
Dec 10 16:01:27 gate pluto[13110]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 10 16:01:27 gate pluto[13110]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 10 16:01:27 gate pluto[13110]: Changed path to directory '/etc/ipsec.d/aacerts'
Dec 10 16:01:27 gate pluto[13110]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Dec 10 16:01:27 gate pluto[13110]: Changing to directory '/etc/ipsec.d/crls'
Dec 10 16:01:27 gate pluto[13110]: Warning: empty directory
Dec 10 16:01:27 gate pluto[13110]: added connection description "Lukovskkon"
Dec 10 16:01:27 gate pluto[13110]: added connection description "Chelnykon"
Dec 10 16:01:27 gate pluto[13110]: listening for IKE messages
Dec 10 16:01:27 gate pluto[13110]: NAT-Traversal: Trying new style NAT-T
Dec 10 16:01:27 gate pluto[13110]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Dec 10 16:01:27 gate pluto[13110]: NAT-Traversal: Trying old style NAT-T
Dec 10 16:01:27 gate pluto[13110]: adding interface eth1/eth1 92.255.194.238:500
Dec 10 16:01:27 gate pluto[13110]: adding interface eth1/eth1 92.255.194.238:4500
Dec 10 16:01:27 gate pluto[13110]: adding interface eth0/eth0 192.168.1.1:500
Dec 10 16:01:27 gate pluto[13110]: adding interface eth0/eth0 192.168.1.1:4500
Dec 10 16:01:27 gate pluto[13110]: adding interface lo/lo 127.0.0.1:500
Dec 10 16:01:27 gate pluto[13110]: adding interface lo/lo 127.0.0.1:4500
Dec 10 16:01:27 gate pluto[13110]: adding interface lo/lo ::1:500
Dec 10 16:01:27 gate pluto[13110]: loading secrets from "/etc/ipsec.secrets"
Dec 10 16:01:27 gate pluto[13110]: no secrets filename matched "/var/lib/openswan/ipsec.secrets.inc"
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: initiating Main Mode
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: initiating Main Mode
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: Main mode peer ID is ID_IPV4_ADDR: '79.175.29.70'
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 10 16:01:27 gate pluto[13110]: "Chelnykon" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#2 msgid:2514737a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: Main mode peer ID is ID_IPV4_ADDR: '83.151.5.36'
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 10 16:01:27 gate pluto[13110]: "Lukovskkon" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:c8540863 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 10 16:01:28 gate pluto[13110]: "Chelnykon" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 10 16:01:28 gate pluto[13110]: "Chelnykon" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x960462c1<0x0c311c19 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:28 gate pluto[13110]: "Lukovskkon" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 10 16:01:28 gate pluto[13110]: "Lukovskkon" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1e074e95<0x13a75566 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:31 gate pluto[13110]: "Chelnykon" #5: responding to Main Mode
Dec 10 16:01:31 gate pluto[13110]: "Chelnykon" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:31 gate pluto[13110]: "Chelnykon" #5: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: responding to Main Mode
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: STATE_MAIN_R2: sent MR2, expecting MI3
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: Main mode peer ID is ID_IPV4_ADDR: '83.151.5.36'
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #6: the peer proposed: 192.168.1.0/24:0/0 -> 192.168.3.0/24:0/0
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: responding to Quick Mode proposal {msgid:643fe80e}
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: us: 192.168.1.0/24===92.255.194.238<92.255.194.238>[+S=C]---92.255.194.237
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: them: 83.151.5.36<83.151.5.36>[+S=C]===192.168.3.0/24
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: keeping refhim=4294901761 during rekey
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Dec 10 16:01:31 gate pluto[13110]: "Lukovskkon" #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Dec 10 16:01:32 gate pluto[13110]: "Lukovskkon" #7: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Dec 10 16:01:32 gate pluto[13110]: "Lukovskkon" #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1f07e7e7<0x08274fc2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:35 gate pluto[13110]: "Lukovskkon" #1: received Delete SA(0x1e074e95) payload: deleting IPSEC State #4
Dec 10 16:01:35 gate pluto[13110]: "Lukovskkon" #1: received and ignored informational message
Dec 10 16:01:36 gate pluto[13110]: "Chelnykon" #8: responding to Main Mode
Dec 10 16:01:36 gate pluto[13110]: "Chelnykon" #8: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:36 gate pluto[13110]: "Chelnykon" #8: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:46 gate pluto[13110]: "Chelnykon" #9: responding to Main Mode
Dec 10 16:01:46 gate pluto[13110]: "Chelnykon" #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:46 gate pluto[13110]: "Chelnykon" #9: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:01:56 gate pluto[13110]: "Chelnykon" #10: responding to Main Mode
Dec 10 16:01:56 gate pluto[13110]: "Chelnykon" #10: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:01:56 gate pluto[13110]: "Chelnykon" #10: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:02:16 gate pluto[13110]: "Chelnykon" #11: responding to Main Mode
Dec 10 16:02:16 gate pluto[13110]: "Chelnykon" #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec 10 16:02:16 gate pluto[13110]: "Chelnykon" #11: STATE_MAIN_R1: sent MR1, expecting MI2
Dec 10 16:02:17 gate pluto[13110]: packet from 79.175.29.70:500: ignoring Delete SA payload: not encrypted
Dec 10 16:02:17 gate pluto[13110]: packet from 79.175.29.70:500: received and ignored informational message
Dec 10 16:02:41 gate pluto[13110]: "Chelnykon" #5: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:02:46 gate pluto[13110]: "Chelnykon" #8: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:02:56 gate pluto[13110]: "Chelnykon" #9: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:03:06 gate pluto[13110]: "Chelnykon" #10: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:03:26 gate pluto[13110]: "Chelnykon" #11: max number of retransmissions (2) reached STATE_MAIN_R1
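
Added example (not part of the original post, and not Openswan code): a small Python script that reduces a pluto log like the one above to, per connection, which IPsec SAs were established and not later deleted by the peer, and which negotiations ran out of retransmissions. The sample lines are copied from the log above; the function name and dictionary keys are made up for this example.

```python
import re
from collections import defaultdict

# Lines copied from the pluto log in the post above (syslog prefix kept).
SAMPLE = """\
Dec 10 16:01:28 gate pluto[13110]: "Chelnykon" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x960462c1<0x0c311c19 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:28 gate pluto[13110]: "Lukovskkon" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x1e074e95<0x13a75566 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:32 gate pluto[13110]: "Lukovskkon" #7: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1f07e7e7<0x08274fc2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 10 16:01:35 gate pluto[13110]: "Lukovskkon" #1: received Delete SA(0x1e074e95) payload: deleting IPSEC State #4
Dec 10 16:02:17 gate pluto[13110]: packet from 79.175.29.70:500: ignoring Delete SA payload: not encrypted
Dec 10 16:02:41 gate pluto[13110]: "Chelnykon" #5: max number of retransmissions (2) reached STATE_MAIN_R1
Dec 10 16:02:46 gate pluto[13110]: "Chelnykon" #8: max number of retransmissions (2) reached STATE_MAIN_R1
"""

# "<conn>" #<state number>: <message>, as pluto writes it for per-connection events.
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
DELETED = re.compile(r'received Delete SA\(0x[0-9a-f]+\) payload: deleting IPSEC State #(\d+)')
STALLED = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')


def summarize(log_text):
    """Return {conn: {"up": set, "deleted": set, "stalled": {state_no: state}}}.

    "up" holds state numbers whose IPsec SA was established and for which no
    peer Delete SA was seen in this log; expiry is not tracked.
    """
    out = defaultdict(lambda: {"up": set(), "deleted": set(), "stalled": {}})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # startup noise and "packet from ..." lines carry no state number
        info, sa, msg = out[m["conn"]], int(m["sa"]), m["msg"]
        if "IPsec SA established" in msg:
            info["up"].add(sa)
        elif (d := DELETED.search(msg)):
            gone = int(d.group(1))  # the state being deleted, not the one reporting it
            info["up"].discard(gone)
            info["deleted"].add(gone)
        elif (s := STALLED.search(msg)):
            info["stalled"][sa] = s.group(1)
    return dict(out)


if __name__ == "__main__":
    for conn, info in sorted(summarize(SAMPLE).items()):
        print(conn, info)
```

To run it over a full log, pass the file contents to summarize() in place of SAMPLE.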