[Openswan Users] More bizarre ipsec problems; service ipsec stop hangs; random hosts offline; /var/log/secure going nuts...

Greg Scott GregScott at Infrasupport.com
Thu Jul 29 06:17:19 EDT 2010


OK - just a quick summary.  Trying both 2.6.28dr7 and 2.6.27,
/var/log/secure shows this error:

Jul 29 03:44:32 MN-fw1 pluto[5926]: "/etc/ipsec.d/hostkey.secrets" line
14: malformed end of RSA private key -- indented '}' required

And after that, the tunnel never hooks up because keys don't match.  I
pasted in a sample of this file in my earlier post, and tried every
combination of spaces and tabs I could think of.  Anyway, with this new
NSS database, I don't get why this file is still in use.  At any rate, I
just downloaded and installed the Fedora 13 2.6.25-1 RPM at both sites
and now /var/log/secure looks much more reasonable.

So with this hostkey problem, I never got a chance to look at the
original problem that started all this.

[root@MN-fw1 openswan-2.6.27]# tail /var/log/secure -f
Jul 29 05:03:24 MN-fw1 pluto[19226]: adding interface eth2/eth2
192.168.253.1:4500
Jul 29 05:03:24 MN-fw1 pluto[19226]: adding interface lo/lo
127.0.0.1:500
Jul 29 05:03:24 MN-fw1 pluto[19226]: adding interface lo/lo
127.0.0.1:4500
Jul 29 05:03:24 MN-fw1 pluto[19226]: adding interface lo/lo ::1:500
Jul 29 05:03:24 MN-fw1 pluto[19226]: loading secrets from
"/etc/ipsec.secrets"
Jul 29 05:03:24 MN-fw1 pluto[19226]: loading secrets from
"/etc/ipsec.d/hostkey.secrets"
Jul 29 05:03:24 MN-fw1 pluto[19226]: loaded private key for keyid:
PPK_RSA:AQOwd0G2W
Jul 29 05:03:24 MN-fw1 pluto[19226]: "mn-hq" #1: initiating Main Mode
Jul 29 05:03:24 MN-fw1 pluto[19226]: ERROR: asynchronous network error
report on br0 (sport=500) for message to 69.66.252.178 port 500,
complainant 69.66.252.178: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jul 29 05:03:26 MN-fw1 pluto[19226]: initiate on demand from
192.168.0.63:3079 to 10.0.0.2:80 proto=6 state: fos_start because:
acquire
Jul 29 05:03:32 MN-fw1 pluto[19226]: initiate on demand from
192.168.0.120:3000 to 10.0.0.120:3000 proto=17 state: fos_start because:
acquire
Jul 29 05:03:34 MN-fw1 pluto[19226]: ERROR: asynchronous network error
report on br0 (sport=500) for message to 69.66.252.178 port 500,
complainant 69.66.252.178: Connection refused [errno 111, origin ICMP
type 3 code 3 (not authenticated)]
Jul 29 05:03:38 MN-fw1 pluto[19226]: initiate on demand from
192.168.0.1:137 to 10.0.0.2:137 proto=17 state: fos_start because:
acquire
Jul 29 05:03:40 MN-fw1 pluto[19226]: packet from 69.66.252.178:500:
received Vendor ID payload [Openswan (this version) 2.6.25 ]
Jul 29 05:03:40 MN-fw1 pluto[19226]: packet from 69.66.252.178:500:
received Vendor ID payload [Dead Peer Detection]
Jul 29 05:03:40 MN-fw1 pluto[19226]: packet from 69.66.252.178:500:
received Vendor ID payload [RFC 3947] method set to=109
Jul 29 05:03:40 MN-fw1 pluto[19226]: packet from 69.66.252.178:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Jul 29 05:03:40 MN-fw1 pluto[19226]: packet from 69.66.252.178:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,
but already using method 109
Jul 29 05:03:40 MN-fw1 pluto[19226]: packet from 69.66.252.178:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Jul 29 05:03:40 MN-fw1 pluto[19226]: packet from 69.66.252.178:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: responding to Main Mode
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: STATE_MAIN_R1: sent
MR1, expecting MI2
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: STATE_MAIN_R2: sent
MR2, expecting MI3
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: Main mode peer ID is
ID_FQDN: '@hq.local'
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128
prf=oakley_sha group=modp2048}
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: the peer proposed:
192.168.0.0/24:0/0 -> 10.0.0.0/24:0/0
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #3: responding to Quick
Mode proposal {msgid:1d724019}
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #3:     us: 192.168.0.0/24===70.91.177.201<70.91.177.201>[@mn.local,+S=C]---70.91.177.202
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #3:   them: 69.66.252.190---69.66.252.178<69.66.252.178>[@hq.local,+S=C]===10.0.0.0/24
Jul 29 05:03:40 MN-fw1 pluto[19226]: | NAT-OA: 0 tunnel: 0
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #3: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #3: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2
Jul 29 05:03:41 MN-fw1 pluto[19226]: "mn-hq" #3: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 29 05:03:41 MN-fw1 pluto[19226]: "mn-hq" #3: STATE_QUICK_R2: IPsec
SA established tunnel mode {ESP=>0xff83cc8c <0xdabb1ef2
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: received Vendor ID
payload [Openswan (this version) 2.6.25 ]
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: received Vendor ID
payload [Dead Peer Detection]
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: received Vendor ID
payload [RFC 3947] method set to=109
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: enabling possible
NAT-traversal with method 4
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: received Vendor ID
payload [CAN-IKEv2]
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: Main mode peer ID is
ID_FQDN: '@hq.local'
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: STATE_MAIN_I4: ISAKMP
SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha
group=modp2048}
.
.
.
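
The "indented '}' required" error quoted at the top of this message, as an added example that is not part of the original post or of Openswan: a small Python checker that applies the ipsec.secrets(5) record rule (a line starting in column 0 begins a new record; continuation lines start with a space or tab) to a secrets file and reports the case where the closing brace of an `: RSA { ... }` block sits in column 0, which is what makes pluto run off the end of the record before it sees the `}`. The field-name list, the whitespace tokenisation, the message wording other than the quoted pluto error, and the sample key (placeholder hex, not real key material) are this checker's assumptions.

```python
"""Structural checker for an Openswan-style ipsec.secrets / hostkey.secrets file.

Added example, not Openswan's own code.  It models the two parsing rules behind
"malformed end of RSA private key -- indented '}' required":

  1. A line that starts in column 0 begins a new record; continuation lines must
     start with a space or a tab (ipsec.secrets(5)).  A '}' in column 0 therefore
     ends the record before the RSA parser ever sees the brace.
  2. Inside ": RSA { ... }" each field is a "Name:" token followed by one value
     token, and the block must end with a '}' token on an indented line.

Assumptions: whitespace tokenisation, the field-name list below, and the wording
of every message except the quoted pluto error are this checker's, not pluto's.
"""
import re
from dataclasses import dataclass

RSA_FIELDS = {"Modulus", "PublicExponent", "PrivateExponent", "Prime1", "Prime2",
              "Exponent1", "Exponent2", "Coefficient", "CKAIDNSS"}
VALUE = re.compile(r"0[xs][0-9A-Za-z+/=]+")   # 0x hex or 0s base64, as pluto writes them


@dataclass
class Problem:
    line: int
    msg: str


def records(text):
    """Yield (start_line, [(lineno, token), ...]) per record using the column-0 rule."""
    cur = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]               # '#' starts a comment to end of line
        if not line.strip():
            continue                              # blank / comment-only lines are ignored
        if line[0] not in " \t" or cur is None:   # unindented: a new record begins
            if cur:
                yield cur
            cur = (n, [])
        cur[1].extend((n, t) for t in line.split())
    if cur:
        yield cur


def check_secrets(text):
    """Return a Problem for every RSA record pluto would reject (empty list if clean)."""
    problems = []
    for start, toks in records(text):
        if toks[0][1] == "}":
            problems.append(Problem(start, "'}' in column 0 starts a new record; indent it"))
            continue
        sep = [k for k, (_, t) in enumerate(toks) if t == ":"]
        if not sep:
            problems.append(Problem(start, "no ':' separating selectors from the secret"))
            continue
        body = toks[sep[0] + 1:]
        if not body or body[0][1] != "RSA":
            continue                              # PSK and other kinds are not checked here
        if len(body) < 2 or body[1][1] != "{":
            problems.append(Problem(body[0][0], "RSA secret must start with '{'"))
            continue
        j, seen = 2, set()
        while j < len(body) and body[j][1] != "}":
            ln, tok = body[j]
            if not tok.endswith(":") or tok[:-1] not in RSA_FIELDS:
                problems.append(Problem(ln, f"unexpected token {tok!r} inside RSA key"))
                break
            if j + 1 >= len(body) or not VALUE.fullmatch(body[j + 1][1]):
                problems.append(Problem(ln, f"{tok} needs exactly one 0x.../0s... value"))
                break
            seen.add(tok[:-1])
            j += 2
        else:                                     # loop ended without a break
            if j >= len(body):                    # record ran out before any '}' token
                problems.append(Problem(body[-1][0],
                    "malformed end of RSA private key -- indented '}' required"))
            elif j + 1 < len(body):
                problems.append(Problem(body[j + 1][0], "extra tokens after '}'"))
            elif not {"Modulus", "PublicExponent"} <= seen:
                problems.append(Problem(body[j][0], "Modulus and PublicExponent are required"))
    return problems


# Constructed samples: the hex values are placeholders, not real key material.
GOOD = """\
: RSA {
        # RSA 2192 bits   mn-fw1   Thu Jul 29 2010
        Modulus: 0x00c0ffee
        PublicExponent: 0x03
        PrivateExponent: 0x0101
        Prime1: 0x0b
        Prime2: 0x0d
        Exponent1: 0x07
        Exponent2: 0x09
        Coefficient: 0x02
        }
"""
BAD = GOOD.replace("\n        }\n", "\n}\n")      # same key, closing brace in column 0

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        for p in check_secrets(text) or [Problem(0, "ok")]:
            print(f"{name}: line {p.line}: {p.msg}")
```

Run it against the real file with `check_secrets(open("/etc/ipsec.d/hostkey.secrets").read())`; the line number it reports for the unindented brace is the line pluto names in the error, and a brace indented with a tab passes just as a space-indented one does.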

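The pluto log above, read by a script rather than by eye: an added example (not an Openswan tool, and not from the original post) that summarises, per IKE state number (#1, #2, #3), which role this end played, the last state reached and what was established with which parameters, and separately collects the "asynchronous network error" lines. Those are ICMP type 3 code 3 (port unreachable) relayed by the kernel as ECONNREFUSED on the UDP/500 socket, which means nothing was listening on UDP/500 at the peer when those packets arrived. The regexes are written against the 2.6.x message wording in the post; the sample is the post's own log with wrapped lines re-joined and a few lines omitted; the WEAK set is a local policy choice, not anything pluto flags.

```python
"""Triage helper for pluto (Openswan IKEv1) logs such as the one quoted above.

Added example, not an Openswan tool.  One pass over the log yields, per IKE
state number, the connection, the role (initiator/responder), the last state,
what was established and its parameters; network-error lines are kept apart.
The regexes assume the 2.6.x message formats seen in the post.
"""
import re

STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
TRANS_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ESTAB_RE = re.compile(r'(ISAKMP SA|IPsec SA) established[^{]*\{(?P<params>[^}]*)\}')
PEER_RE = re.compile(r"peer ID is (\S+): '([^']*)'")
NETERR_RE = re.compile(
    r'asynchronous network error report on (?P<iface>\S+) \(sport=(?P<sport>\d+)\) '
    r'for message to (?P<dst>\S+) port (?P<dport>\d+), complainant (?P<who>\S+): '
    r'(?P<err>[^\[]+) \[errno (?P<errno>\d+), origin (?P<origin>[^\]]*)\]')

# Parameters worth a second look (assumption: a local review policy, not a pluto warning).
WEAK = {'modp768', 'modp1024', '3des', 'md5'}


def summarize(lines):
    """Return ({sa_number: record}, [network-error dicts]) for the given log lines."""
    sas, neterrs = {}, []
    for ln in lines:
        m = NETERR_RE.search(ln)
        if m:
            d = m.groupdict()
            # ECONNREFUSED on a UDP socket is the kernel relaying an ICMP port unreachable
            # (type 3 code 3): nothing listened on UDP/dport at the peer at that moment.
            d['port_unreachable'] = 'type 3 code 3' in d['origin']
            neterrs.append(d)
            continue
        m = STATE_RE.search(ln)
        if not m:
            continue                      # "initiate on demand", vendor IDs, etc.
        rec = sas.setdefault(int(m['sa']), {'conn': m['conn'], 'role': None, 'state': None,
                                             'established': None, 'params': '', 'peer_id': None})
        msg = m['msg']
        if msg.startswith('initiating'):
            rec['role'] = 'initiator'
        elif msg.startswith('responding to'):
            rec['role'] = 'responder'
        t = TRANS_RE.search(msg)
        if t:
            rec['state'] = t.group(2)
        e = ESTAB_RE.search(msg)
        if e:
            rec['established'], rec['params'] = e.group(1), e['params']
        p = PEER_RE.search(msg)
        if p:
            rec['peer_id'] = p.group(2)
    return sas, neterrs


def weak_params(rec):
    """Tokens of an established SA's parameter list that appear in WEAK."""
    toks = re.split(r'[\s=\-]+', rec['params'].lower())
    return sorted(WEAK.intersection(toks))


# Sample copied from the post above (wrapped lines re-joined, some lines omitted).
PLUTO_LOG = """\
Jul 29 05:03:24 MN-fw1 pluto[19226]: "mn-hq" #1: initiating Main Mode
Jul 29 05:03:24 MN-fw1 pluto[19226]: ERROR: asynchronous network error report on br0 (sport=500) for message to 69.66.252.178 port 500, complainant 69.66.252.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 29 05:03:26 MN-fw1 pluto[19226]: initiate on demand from 192.168.0.63:3079 to 10.0.0.2:80 proto=6 state: fos_start because: acquire
Jul 29 05:03:34 MN-fw1 pluto[19226]: ERROR: asynchronous network error report on br0 (sport=500) for message to 69.66.252.178 port 500, complainant 69.66.252.178: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: responding to Main Mode
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: Main mode peer ID is ID_FQDN: '@hq.local'
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #3: responding to Quick Mode proposal {msgid:1d724019}
Jul 29 05:03:40 MN-fw1 pluto[19226]: "mn-hq" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 29 05:03:41 MN-fw1 pluto[19226]: "mn-hq" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 29 05:03:41 MN-fw1 pluto[19226]: "mn-hq" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xff83cc8c <0xdabb1ef2 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: Main mode peer ID is ID_FQDN: '@hq.local'
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 29 05:03:54 MN-fw1 pluto[19226]: "mn-hq" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
"""

if __name__ == "__main__":
    sas, errs = summarize(PLUTO_LOG.splitlines())
    for n, r in sorted(sas.items()):
        print(f"#{n} {r['conn']} {r['role']} -> {r['state']} "
              f"{r['established'] or 'not established'} weak={weak_params(r)}")
    for e in errs:
        print(f"{e['dst']}:{e['dport']} {e['err']} port_unreachable={e['port_unreachable']}")
```

Two things the summary makes obvious that the raw log hides: both ends initiated Main Mode at the same time (#1 as initiator, #2 as responder, both reaching an ISAKMP SA with RSA signatures), and the two "Connection refused" lines are port-unreachable replies from the peer, not authentication failures, so they point at the peer's pluto being down or restarting rather than at the secrets file.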


