[Openswan Users] esp string error: enc_alg not found

Steve Zeng SteveZ at airg.com
Tue May 25 15:57:41 EDT 2010


>Either use leftsubnets={169.254.255.2/30, 192.168.1.0/24} or create a second conn with a different name, and different subnet= (singular) lines.
leftsubnets={169.254.255.2/30, 192.168.1.0/24} works great. Now I can ping from 192.168.1.x to 10.0.0.x. However, the ping is up and down:

ping 10.0.0.4
PING 10.0.0.4 (10.0.0.4) from 192.168.1.152 eth0: 56(84) bytes of data.
64 bytes from 10.0.0.4: icmp_seq=1 ttl=62 time=107 ms
64 bytes from 10.0.0.4: icmp_seq=2 ttl=62 time=112 ms
64 bytes from 10.0.0.4: icmp_seq=3 ttl=62 time=102 ms
64 bytes from 10.0.0.4: icmp_seq=4 ttl=62 time=87.9 ms
64 bytes from 10.0.0.4: icmp_seq=5 ttl=62 time=87.8 ms
64 bytes from 10.0.0.4: icmp_seq=6 ttl=62 time=87.3 ms
64 bytes from 10.0.0.4: icmp_seq=7 ttl=62 time=87.7 ms
64 bytes from 10.0.0.4: icmp_seq=8 ttl=62 time=87.5 ms
64 bytes from 10.0.0.4: icmp_seq=9 ttl=62 time=87.7 ms
64 bytes from 10.0.0.4: icmp_seq=20 ttl=62 time=116 ms
64 bytes from 10.0.0.4: icmp_seq=21 ttl=62 time=87.5 ms
64 bytes from 10.0.0.4: icmp_seq=22 ttl=62 time=88.3 ms
64 bytes from 10.0.0.4: icmp_seq=23 ttl=62 time=88.5 ms


--- 10.0.0.4 ping statistics ---
61 packets transmitted, 20 received, 67% packet loss, time 60003ms
rtt min/avg/max/mdev = 87.209/99.031/138.615/17.132 ms

The same packet loss happens between the tunnel interfaces 169.254.255.2 (my peer) == 169.254.255.1 (Amazon peer).

ipsec throws the following error logs. 

[root at fw1 etc]# tail -f /var/log/secure
May 25 19:49:43 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7f6d8b1d) not found (our SPI - bogus implementation)
May 25 19:49:43 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received and ignored informational message
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/1x1" #225: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #222 {using isakmp#1 msgid:ce2b6056 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/1x1" #225: Dead Peer Detection (RFC 3706): enabled
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/1x1" #225: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/1x1" #225: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x769111fb <0xd9cbee24 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #223 in 10 seconds
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received and ignored informational message
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xf5b2930b) not found (our SPI - bogus implementation)
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received and ignored informational message
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #226: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #223 {using isakmp#1 msgid:71a18329 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #226: Dead Peer Detection (RFC 3706): enabled
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #226: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #226: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x87692ca2 <0x3c255f86 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #224 in 10 seconds
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received and ignored informational message
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x18ffe6f7) not found (our SPI - bogus implementation)
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received and ignored informational message

my ipsec.conf is as follows:
# basic configuration
config setup
        interfaces=%defaultroute
        protostack=netkey
        klipsdebug=none
        plutodebug=none
#       virtual_private=%v4:192.168.0.0/19
        #nat_traversal=yes

conn ec2-tunnel-01
        type=           tunnel
        authby=         secret
        auth=           esp
        keyexchange=    ike
        ike=            aes128-sha1-modp1024
        ikelifetime=    28800s
        pfs=            yes
        esp=            aes128-sha1
        salifetime=     3600s
        dpdtimeout=     10
        dpddelay=       3
        left=           209.90.164.199
        right=          72.21.109.125
        leftsubnets=    {169.254.255.2/30,192.168.1.0/24}
        rightsubnets=   {169.254.255.1/30,10.0.0.0/24}
        auto=           start


When I run "ipsec auto --status", I get the following, which seems good to me.

000 "ec2-tunnel-01/1x1": 169.254.255.0/30===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===169.254.255.0/30; erouted; eroute owner: #207
000 "ec2-tunnel-01/1x1":     myip=unset; hisip=unset;
000 "ec2-tunnel-01/1x1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ec2-tunnel-01/1x1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 30,30; interface: eth1.100;
000 "ec2-tunnel-01/1x1":   dpd: action:hold; delay:3; timeout:10;
000 "ec2-tunnel-01/1x1":   newest ISAKMP SA: #0; newest IPsec SA: #207;
000 "ec2-tunnel-01/1x1":   aliases: ec2-tunnel-01
000 "ec2-tunnel-01/1x1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=-strict
000 "ec2-tunnel-01/1x1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-2,
000 "ec2-tunnel-01/1x1":   ESP algorithms wanted: AES(12)_128-SHA1(2); flags=-strict
000 "ec2-tunnel-01/1x1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "ec2-tunnel-01/1x1":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000 "ec2-tunnel-01/1x2": 169.254.255.0/30===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===10.0.0.0/24; erouted; eroute owner: #194
000 "ec2-tunnel-01/1x2":     myip=unset; hisip=unset;
000 "ec2-tunnel-01/1x2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ec2-tunnel-01/1x2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 30,24; interface: eth1.100;
000 "ec2-tunnel-01/1x2":   dpd: action:hold; delay:3; timeout:10;
000 "ec2-tunnel-01/1x2":   newest ISAKMP SA: #0; newest IPsec SA: #194;
000 "ec2-tunnel-01/1x2":   aliases: ec2-tunnel-01
000 "ec2-tunnel-01/1x2":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=-strict
000 "ec2-tunnel-01/1x2":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-2,
000 "ec2-tunnel-01/1x2":   ESP algorithms wanted: AES(12)_128-SHA1(2); flags=-strict
000 "ec2-tunnel-01/1x2":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "ec2-tunnel-01/1x2":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000 "ec2-tunnel-01/2x1": 192.168.1.0/24===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===169.254.255.0/30; erouted; eroute owner: #209
000 "ec2-tunnel-01/2x1":     myip=unset; hisip=unset;
000 "ec2-tunnel-01/2x1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ec2-tunnel-01/2x1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,30; interface: eth1.100;
000 "ec2-tunnel-01/2x1":   dpd: action:hold; delay:3; timeout:10;
000 "ec2-tunnel-01/2x1":   newest ISAKMP SA: #0; newest IPsec SA: #209;
000 "ec2-tunnel-01/2x1":   aliases: ec2-tunnel-01
000 "ec2-tunnel-01/2x1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=-strict
000 "ec2-tunnel-01/2x1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-2,
000 "ec2-tunnel-01/2x1":   ESP algorithms wanted: AES(12)_128-SHA1(2); flags=-strict
000 "ec2-tunnel-01/2x1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "ec2-tunnel-01/2x1":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000 "ec2-tunnel-01/2x2": 192.168.1.0/24===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===10.0.0.0/24; erouted; eroute owner: #208
000 "ec2-tunnel-01/2x2":     myip=unset; hisip=unset;
000 "ec2-tunnel-01/2x2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ec2-tunnel-01/2x2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth1.100;
000 "ec2-tunnel-01/2x2":   dpd: action:hold; delay:3; timeout:10;
000 "ec2-tunnel-01/2x2":   newest ISAKMP SA: #1; newest IPsec SA: #208;
000 "ec2-tunnel-01/2x2":   aliases: ec2-tunnel-01
000 "ec2-tunnel-01/2x2":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1024(2); flags=-strict
000 "ec2-tunnel-01/2x2":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-2,
000 "ec2-tunnel-01/2x2":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "ec2-tunnel-01/2x2":   ESP algorithms wanted: AES(12)_128-SHA1(2); flags=-strict
000 "ec2-tunnel-01/2x2":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "ec2-tunnel-01/2x2":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #207: "ec2-tunnel-01/1x1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 9s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #207: "ec2-tunnel-01/1x1" esp.f6e169ba at 72.21.109.125 esp.d3ce06f5 at 209.90.164.199 tun.0 at 72.21.109.125 tun.0 at 209.90.164.199 ref=0 refhim=4294901761
000 #194: "ec2-tunnel-01/1x2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2673s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #194: "ec2-tunnel-01/1x2" esp.6e7f9dd1 at 72.21.109.125 esp.f9ecc669 at 209.90.164.199 tun.0 at 72.21.109.125 tun.0 at 209.90.164.199 ref=0 refhim=4294901761
000 #209: "ec2-tunnel-01/2x1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2978s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #209: "ec2-tunnel-01/2x1" esp.6d96ed0a at 72.21.109.125 esp.74abff5c at 209.90.164.199 tun.0 at 72.21.109.125 tun.0 at 209.90.164.199 ref=0 refhim=4294901761
000 #206: "ec2-tunnel-01/2x1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_EXPIRE in 9s; isakmp#1; idle; import:admin initiate
000 #206: "ec2-tunnel-01/2x1" esp.2e089d5d at 72.21.109.125 esp.528089fd at 209.90.164.199 tun.0 at 72.21.109.125 tun.0 at 209.90.164.199 ref=0 refhim=4294901761
000 #208: "ec2-tunnel-01/2x2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2705s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #208: "ec2-tunnel-01/2x2" esp.2b85e20f at 72.21.109.125 esp.c90cb2d4 at 209.90.164.199 tun.0 at 72.21.109.125 tun.0 at 209.90.164.199 ref=0 refhim=4294901761
000 #1: "ec2-tunnel-01/2x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26857s; newest ISAKMP; lastdpd=1s(seq in:8817 out:0); idle; import:admin initiate
000

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: May 22, 2010 2:06 PM
To: Steve Zeng
Cc: users at openswan.org
Subject: RE: [Openswan Users] esp string error: enc_alg not found

On Fri, 21 May 2010, Steve Zeng wrote:

> 2) If I ping from one machine within my network (192.168.1.0/24) to one instance within Amazon VPC (10.0.0.0/24), it does not get any response.
>
> When I looked back at my ipsec.conf, I realized that there are no subnet configs for either 192.168.1.0/24 or 10.0.0.0/24. I suspect that is the cause. So how can I add them in? I tried with
>
>        leftsubnets=    169.254.255.2/30, 192.168.1.0/24
>        rightsubnet=    169.254.255.1/30, 10.0.0.0/24
>
> but it does not seem to be the right syntax.
> syntax error, unexpected STRING, expecting EOL [192.168.1.0/24]

Either use leftsubnets={169.254.255.2/30, 192.168.1.0/24} or create a second conn with a different name,
and different subnet= (singular) lines.

Paul

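As an added example (not code from this thread or from Openswan itself), the following Python checks the three things the exchange above turns on, against excerpts of the poster's own output: that every leftsubnets x rightsubnets pair was expanded into an erouted "/NxM" sub-conn (note that `ipsec auto --status` prints 169.254.255.2/30 normalised to its network address 169.254.255.0/30, so a naive string comparison would report a false mismatch), how closely spaced the peer's Delete SA payloads are relative to the configured salifetime=3600s, and which icmp_seq runs never came back. The syslog year (2010) and the "churning" threshold of one tenth of salifetime are assumptions of this example, not values from the thread.

```python
"""Triage helpers for an Openswan leftsubnets/rightsubnets tunnel: sub-conn
expansion, pluto Delete-SA / Quick Mode churn, and ICMP sequence gaps.
Added example; not code from the mailing-list thread or from Openswan."""
import re
from datetime import datetime
from ipaddress import ip_network
from itertools import product

# Excerpts copied from the thread.  syslog lines carry no year; 2010 is assumed.
PLUTO_LOG = """\
May 25 19:49:43 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7f6d8b1d) not found (our SPI - bogus implementation)
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/1x1" #225: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #222 {using isakmp#1 msgid:ce2b6056 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #223 in 10 seconds
May 25 19:49:53 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xf5b2930b) not found (our SPI - bogus implementation)
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #226: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #223 {using isakmp#1 msgid:71a18329 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 25 19:50:03 fw1 pluto[12737]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #224 in 10 seconds
"""
PING_OUT = """\
64 bytes from 10.0.0.4: icmp_seq=8 ttl=62 time=87.5 ms
64 bytes from 10.0.0.4: icmp_seq=9 ttl=62 time=87.7 ms
64 bytes from 10.0.0.4: icmp_seq=20 ttl=62 time=116 ms
64 bytes from 10.0.0.4: icmp_seq=21 ttl=62 time=87.5 ms
"""
STATUS_OUT = """\
000 "ec2-tunnel-01/1x1": 169.254.255.0/30===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===169.254.255.0/30; erouted; eroute owner: #207
000 "ec2-tunnel-01/1x2": 169.254.255.0/30===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===10.0.0.0/24; erouted; eroute owner: #194
000 "ec2-tunnel-01/2x1": 192.168.1.0/24===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===169.254.255.0/30; erouted; eroute owner: #209
000 "ec2-tunnel-01/2x2": 192.168.1.0/24===209.90.164.199<209.90.164.199>[+S=C]...72.21.109.125<72.21.109.125>[+S=C]===10.0.0.0/24; erouted; eroute owner: #208
"""

LOG_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
STATUS_RE = re.compile(r'^000 "([^"]+)": (\S+?)===.*===(\S+); ([^;]+);')


def expand_subnets(conn, left_subnets, right_subnets):
    """Mirror Openswan's expansion of leftsubnets={..} x rightsubnets={..} into
    "<conn>/<i>x<j>" (1-based), with each subnet normalised to its network
    address, which is how the status output prints it."""
    return {
        f"{conn}/{i}x{j}": (ip_network(l, strict=False), ip_network(r, strict=False))
        for (i, l), (j, r) in product(enumerate(left_subnets, 1), enumerate(right_subnets, 1))
    }


def missing_eroutes(expected, status_text):
    """Sub-conns that are absent from `ipsec auto --status`, carry the wrong
    subnet pair, or are not erouted (no policy installed in the kernel)."""
    seen = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            seen[m.group(1)] = (ip_network(m.group(2)), ip_network(m.group(3)), m.group(4) == "erouted")
    return sorted(name for name, (l, r) in expected.items() if seen.get(name) != (l, r, True))


def parse_pluto(log_text, year=2010):
    """Parse pluto syslog lines into (timestamp, conn, state#, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events


def sa_churn(events, salifetime=3600):
    """Per sub-conn: peer Delete SAs for live SAs, Delete SAs naming an SPI we
    never had, Quick Mode replacements we initiated, and the shortest gap
    between two peer deletes.  A gap far below salifetime means the peer is
    tearing SAs down rather than letting them reach their lifetime."""
    report = {}
    for ts, conn, _state, msg in events:
        r = report.setdefault(conn, {"peer_deletes": [], "unknown_spi": 0, "replaces": 0})
        if msg.startswith("received Delete SA payload: replace IPSEC State"):
            r["peer_deletes"].append(ts)
        elif msg.startswith("ignoring Delete SA payload"):
            r["unknown_spi"] += 1
        elif "initiating Quick Mode" in msg and "to replace #" in msg:
            r["replaces"] += 1
    for r in report.values():
        gaps = [(b - a).total_seconds() for a, b in zip(r["peer_deletes"], r["peer_deletes"][1:])]
        r["min_gap_s"] = min(gaps) if gaps else None
        # Heuristic threshold (assumption): deletes closer than salifetime/10 are churn.
        r["churning"] = r["min_gap_s"] is not None and r["min_gap_s"] < salifetime / 10
        r["peer_deletes"] = len(r["peer_deletes"])
    return report


def ping_gaps(ping_text):
    """Return (first_missing, last_missing) runs of icmp_seq that never came back."""
    seqs = sorted(int(s) for s in re.findall(r"icmp_seq=(\d+)", ping_text))
    return [(a + 1, b - 1) for a, b in zip(seqs, seqs[1:]) if b - a > 1]


if __name__ == "__main__":
    expected = expand_subnets("ec2-tunnel-01", ["169.254.255.2/30", "192.168.1.0/24"],
                              ["169.254.255.1/30", "10.0.0.0/24"])
    print("sub-conns not erouted:", missing_eroutes(expected, STATUS_OUT) or "none")
    for conn, r in sa_churn(parse_pluto(PLUTO_LOG)).items():
        print(conn, r)
    print("lost icmp_seq runs:", ping_gaps(PING_OUT))
```

Run against the full /var/log/secure and the complete status output, the script turns the "up and down" ping into a list of loss windows that can be lined up against the timestamps of the peer's Delete SA payloads; if the two coincide, the loss is a keying problem on the 2x2 sub-conn rather than a routing one.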
