[Openswan Users] Tunnel up, can't ping!! Help is much appreciated!!
"Ing. Rodrigo Méndez"
rodrigomf at bl.com.mx
Tue Nov 23 11:47:17 EST 2010
Hi there, I'm a new user so hello to all :D
I've been working on this for over a week and I'm really desperate now... any help is MUCH appreciated!!
The situation: I want to set up a simple VPN tunnel:
My Linux CentOS server (openswan) IP: xxx.xxx.xxx.1 ----- VPN Concentrator (Juniper ISG 2000) IP: yyy.yyy.yyy.2 --- Remote box 3 (private IP: zzz.zzz.zzz.3)
Boxes 1 and 2 have public IPs. Box 3 has a private IP (it is behind the VPN Concentrator). The goal is to connect box 1 to box 3.
My Config is as follows:

# basic configuration
config setup
	klipsdebug=none
	plutodebug=none
	interfaces=%defaultroute
	protostack=netkey
	nat_traversal=no
	virtual_private=%v4:172.19.1.0/24
	oe=off
	nhelpers=0
	uniqueids=yes

# added for openswan
conn iusacell-bitlab-test
	type=tunnel
	authby=secret
	left=xxx.xxx.xxx.1
	right=yyy.yyy.yyy.2
	rightsubnet=zzz.zzz.zzz.3/32
	auto=start	# start at boot
	compress=no	# try yes and no
	esp=3des-sha1
	ike=3des-sha1-modp1024
	auth=esp
	pfs=yes
	keylife=1h
	ikelifetime=8h
	keyingtries=0
The problem is that the tunnel is UP but there's no way I can connect to or ping the other side. An interesting thing is that if I ping the other side from box 1 after I disable iptables (service iptables stop) I get no response at all, but if iptables is active I get the error message "ping: sendmsg: operation not permitted".
Here is some debug info:
root at box1 [~]# ipsec setup status
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
IPsec running - pluto pid: 4690
pluto pid 4690
1 tunnels up
some eroutes exist
----------------
Nov 22 20:33:18 bitlab ipsec__plutorun: Starting Pluto subsystem...
Nov 22 20:33:18 bitlab pluto[4690]: nss directory plutomain: /etc/ipsec.d
Nov 22 20:33:18 bitlab pluto[4690]: NSS Initialized
Nov 22 20:33:18 bitlab pluto[4690]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 22 20:33:18 bitlab pluto[4690]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 22 20:33:18 bitlab pluto[4690]: Starting Pluto (Openswan Version 2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:4690
Nov 22 20:33:18 bitlab pluto[4690]: Setting NAT-Traversal port-4500 floating to off
Nov 22 20:33:18 bitlab pluto[4690]: port floating activation criteria nat_t=0/port_float=1
Nov 22 20:33:18 bitlab pluto[4690]: including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: no helpers will be started, all cryptographic operations will be done inline
Nov 22 20:33:18 bitlab pluto[4690]: Using Linux 2.6 IPsec interface code on 2.6.18-128.1.10.el5PAE (experimental code)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_add(): ERROR: Algorithm already exists
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_add(): ERROR: Algorithm already exists
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_add(): ERROR: Algorithm already exists
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_add(): ERROR: Algorithm already exists
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_add(): ERROR: Algorithm already exists
Nov 22 20:33:18 bitlab pluto[4690]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Nov 22 20:33:18 bitlab pluto[4690]: Could not change to directory '/etc/ipsec.d/cacerts': /root
Nov 22 20:33:18 bitlab pluto[4690]: Could not change to directory '/etc/ipsec.d/aacerts': /root
Nov 22 20:33:18 bitlab pluto[4690]: Could not change to directory '/etc/ipsec.d/ocspcerts': /root
Nov 22 20:33:18 bitlab pluto[4690]: Could not change to directory '/etc/ipsec.d/crls'
Nov 22 20:33:18 bitlab pluto[4690]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 22 20:33:19 bitlab pluto[4690]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 22 20:33:19 bitlab pluto[4690]: added connection description "iusacell-bitlab-test"
Nov 22 20:33:19 bitlab pluto[4690]: listening for IKE messages
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:9/eth0:9 xxx.xxx.xxx.139:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:8/eth0:8 xxx.xxx.xxx.138:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:7/eth0:7 xxx.xxx.xxx.137:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:6/eth0:6 xxx.xxx.xxx.136:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:5/eth0:5 xxx.xxx.xxx.135:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:4/eth0:4 xxx.xxx.xxx.134:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:3/eth0:3 xxx.xxx.xxx.133:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:2/eth0:2 xxx.xxx.xxx.132:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0:1/eth0:1 xxx.xxx.xxx.131:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface eth0/eth0 xxx.xxx.xxx.130:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface lo/lo 127.0.0.1:500
Nov 22 20:33:19 bitlab pluto[4690]: adding interface lo/lo ::1:500
Nov 22 20:33:19 bitlab pluto[4690]: loading secrets from "/etc/ipsec.secrets"
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: initiating Main Mode
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: ignoring unknown Vendor ID payload [166f932d55eb64d8e4df4fd3]
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: received Vendor ID payload [Dead Peer Detection]
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Nov 22 20:33:20 bitlab pluto[4690]: packet from yyy.yyy.yyy.5:500: pluto_do_crypto: helper (-1) is exiting
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 22 20:33:20 bitlab pluto[4690]: packet from yyy.yyy.yyy.5:500: pluto_do_crypto: helper (-1) is exiting
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: Main mode peer ID is ID_IPV4_ADDR: 'yyy.yyy.yyy.5'
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:c55a6428 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Nov 22 20:33:20 bitlab pluto[4690]: packet from yyy.yyy.yyy.5:500: pluto_do_crypto: helper (-1) is exiting
Nov 22 20:33:20 bitlab pluto[4690]: packet from yyy.yyy.yyy.5:500: pluto_do_crypto: helper (-1) is exiting
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 22 20:33:20 bitlab pluto[4690]: "iusacell-bitlab-test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xca7636a3 <0x1149928c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
-------------------
ip xfrm state
src xxx.xxx.xxx.1 dst yyy.yyy.yyy.2
proto esp spi 0xca7636a3 reqid 16385 mode tunnel
replay-window 32
auth hmac(sha1) 0x3e03b7bf9e1d87a8.....
enc cbc(des3_ede) 0x0cacc228bbe60228706....
src yyy.yyy.yyy.2 dst xxx.xxx.xxx.1
proto esp spi 0x1149928c reqid 16385 mode tunnel
replay-window 32
auth hmac(sha1) 0x958b266363d47b5.....
enc cbc(des3_ede) 0xa06462e60decf....
----------------
ip xfrm policy
src zzz.zzz.zzz.3/32 dst xxx.xxx.xxx.1/32
dir in priority 2080
tmpl src yyy.yyy.yyy.2 dst xxx.xxx.xxx.1
proto esp reqid 16385 mode tunnel
src xxx.xxx.xxx.1/32 dst zzz.zzz.zzz.3/32
dir out priority 2080
tmpl src xxx.xxx.xxx.1 dst yyy.yyy.yyy.2
proto esp reqid 16385 mode tunnel
src zzz.zzz.zzz.3/32 dst xxx.xxx.xxx.1/32
dir fwd priority 2080
tmpl src yyy.yyy.yyy.2 dst xxx.xxx.xxx.1
proto esp reqid 16385 mode tunnel
I feel lost now... any help is MUCH appreciated!!
Thank you in advance!
Rodrigo
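As an added example, not part of Rodrigo's post or of Openswan itself: a small Python check that parses `ip xfrm policy` and `ip xfrm state` output of the kind shown above and reports whether a packet from a given source address to the remote host would actually be tunnelled, i.e. whether an `out` policy selector covers it and the SA named by that policy's template is installed. The sample data is constructed on the model of the post, with RFC 5737 documentation addresses standing in for the obfuscated ones; `parse_policies`, `parse_states` and `diagnose` are hypothetical names.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample output modelled on the post; RFC 5737 documentation
# addresses stand in for the obfuscated xxx/yyy/zzz ones (an assumption).
XFRM_POLICY = """\
src 192.0.2.1/32 dst 198.51.100.3/32
    dir out priority 2080
    tmpl src 192.0.2.1 dst 203.0.113.2
        proto esp reqid 16385 mode tunnel
"""
XFRM_STATE = """\
src 192.0.2.1 dst 203.0.113.2
    proto esp spi 0xca7636a3 reqid 16385 mode tunnel
src 203.0.113.2 dst 192.0.2.1
    proto esp spi 0x1149928c reqid 16385 mode tunnel
"""

def parse_policies(text):  # one dict per policy: selector, dir, prio, tmpl, reqid
    pols, cur = [], None
    for t in (l.strip() for l in text.splitlines()):
        if m := re.match(r"src (\S+/\d+) dst (\S+/\d+)", t):  # selector line
            cur = {"src": ip_network(m[1]), "dst": ip_network(m[2])}
            pols.append(cur)
        elif m := re.match(r"dir (\w+) priority (\d+)", t):
            cur["dir"], cur["prio"] = m[1], int(m[2])
        elif m := re.match(r"tmpl src (\S+) dst (\S+)", t):
            cur["tmpl"] = (m[1], m[2])
        elif m := re.search(r"reqid (\d+)", t):
            cur["reqid"] = int(m[1])
    return pols

def parse_states(text):  # set of (outer src, outer dst, reqid) per installed SA
    sas, pair = set(), None
    for t in (l.strip() for l in text.splitlines()):
        if m := re.match(r"src (\S+) dst (\S+)$", t):
            pair = (m[1], m[2])
        elif m := re.search(r"reqid (\d+)", t):
            sas.add(pair + (int(m[1]),))
    return sas

def diagnose(src, dst, pols, sas):  # would a packet src->dst be tunnelled, and if not why
    s, d = ip_address(src), ip_address(dst)
    hits = sorted((p for p in pols if p["dir"] == "out" and s in p["src"]
                   and d in p["dst"]), key=lambda p: p["prio"])
    if not hits:  # lowest priority number wins; no hit means plaintext or a firewall drop
        return "no-policy", "no 'out' policy covers %s -> %s" % (src, dst)
    if hits[0]["tmpl"] + (hits[0]["reqid"],) not in sas:
        return "no-sa", "policy matches but no SA for reqid %d" % hits[0]["reqid"]
    return "ok", "policy and SA present for reqid %d" % hits[0]["reqid"]
```

A ping sourced from an address outside the `out` selector (for example another alias on the same interface) gets "no-policy", which is the first thing to rule out when an SA is established but nothing is encrypted.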