[Openswan Users] Openswan -> Linksys RV042 problem with "pluto_do_crypto" and one way tracert's

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Apr 5 16:21:46 EDT 2011


Hi,

I am trying to help someone set up a tunnel between ClearOS 5.2/Openswan 
2.6.21 and a Linksys RV042. The ClearOS box appears to be running 
multiwan and the Linksys is behind a 1-1 NAT device with public IP 
77.239.239.239 and private IP 10.162.33.69. The ipsec.conf is:

version 2.0

config setup
         protostack=netkey
         klipsdebug=none
         plutodebug=none
         interfaces=%defaultroute
         oe=no

conn %default
         authby=secret
         type=tunnel
         left=%defaultroute
         leftsubnet=192.168.10.0/24
         leftsourceip=192.168.10.11

conn Test
         auto=add
         right=77.239.239.239
         rightsubnet=192.168.2.0/24
         rightid=10.162.33.69
         dpdtimeout=120
         dpddelay=30
         dpdaction=hold
         rekey=no

The tunnel appears to come up and he can ping/tracert from the Linksys 
LAN to the ClearOS LAN but not from the ClearOS LAN to the LAN IP of the 
Linksys. He is also getting the message "pluto_do_crypto: helper (0) is  
exiting" a few times. This is his /var/log/secure:

Apr  5 17:28:59 gate ipsec__plutorun: Starting Pluto subsystem...
Apr  5 17:28:59 gate pluto[30912]: nss directory plutomain: /etc/ipsec.d
Apr  5 17:28:59 gate pluto[30912]: NSS Initialized
Apr  5 17:28:59 gate pluto[30912]: Non-fips mode set in 
/proc/sys/crypto/fips_enabled
Apr  5 17:28:59 gate pluto[30912]: Non-fips mode set in 
/proc/sys/crypto/fips_enabled
Apr  5 17:28:59 gate pluto[30912]: Starting Pluto (Openswan Version 
2.6.21; Vendor ID OE~q\177kZNr}Wk) pid:30912
Apr  5 17:28:59 gate pluto[30912]: Setting NAT-Traversal port-4500 
floating to off
Apr  5 17:28:59 gate pluto[30912]:    port floating activation criteria 
nat_t=0/port_float=1
Apr  5 17:28:59 gate pluto[30912]:    including NAT-Traversal patch 
(Version 0.6c) [disabled]
Apr  5 17:28:59 gate pluto[30912]: ike_alg_register_enc(): Activating 
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr  5 17:28:59 gate pluto[30912]: ike_alg_register_enc(): Activating 
OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr  5 17:28:59 gate pluto[30912]: ike_alg_register_enc(): Activating 
OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr  5 17:28:59 gate pluto[30912]: ike_alg_register_enc(): Activating 
OAKLEY_AES_CBC: Ok (ret=0)
Apr  5 17:28:59 gate pluto[30912]: ike_alg_register_enc(): Activating 
OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr  5 17:28:59 gate pluto[30912]: ike_alg_register_hash(): Activating 
OAKLEY_SHA2_512: Ok (ret=0)
Apr  5 17:28:59 gate pluto[30912]: ike_alg_register_hash(): Activating 
OAKLEY_SHA2_256: Ok (ret=0)
Apr  5 17:28:59 gate pluto[30912]: starting up 1 cryptographic helpers
Apr  5 17:28:59 gate pluto[30912]: main fd(10) helper fd(11)
Apr  5 17:28:59 gate pluto[30912]: started helper (thread) 
pid=-1208890480 (fd:10)
Apr  5 17:28:59 gate pluto[30912]: Using Linux 2.6 IPsec interface code 
on 2.6.18-194.8.1.v5 (experimental code)
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): WARNING: enc 
alg=0 not found in constants.c:oakley_enc_names
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): Activating 
<NULL>: Ok (ret=0)
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): WARNING: enc 
alg=0 not found in constants.c:oakley_enc_names
Apr  5 17:29:00 gate pluto[30912]: ike_alg_add(): ERROR: Algorithm 
already exists
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): Activating 
<NULL>: FAILED (ret=-17)
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): WARNING: enc 
alg=0 not found in constants.c:oakley_enc_names
Apr  5 17:29:00 gate pluto[30912]: ike_alg_add(): ERROR: Algorithm 
already exists
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): Activating 
<NULL>: FAILED (ret=-17)
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): WARNING: enc 
alg=0 not found in constants.c:oakley_enc_names
Apr  5 17:29:00 gate pluto[30912]: ike_alg_add(): ERROR: Algorithm 
already exists
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): Activating 
<NULL>: FAILED (ret=-17)
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): WARNING: enc 
alg=0 not found in constants.c:oakley_enc_names
Apr  5 17:29:00 gate pluto[30912]: ike_alg_add(): ERROR: Algorithm 
already exists
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): Activating 
<NULL>: FAILED (ret=-17)
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): WARNING: enc 
alg=0 not found in constants.c:oakley_enc_names
Apr  5 17:29:00 gate pluto[30912]: ike_alg_add(): ERROR: Algorithm 
already exists
Apr  5 17:29:00 gate pluto[30912]: ike_alg_register_enc(): Activating 
<NULL>: FAILED (ret=-17)
Apr  5 17:29:00 gate pluto[30912]: Could not change to directory 
'/etc/ipsec.d/cacerts': /
Apr  5 17:29:00 gate pluto[30912]: Could not change to directory 
'/etc/ipsec.d/aacerts': /
Apr  5 17:29:00 gate pluto[30912]: Could not change to directory 
'/etc/ipsec.d/ocspcerts': /
Apr  5 17:29:00 gate pluto[30912]: Could not change to directory 
'/etc/ipsec.d/crls'
Apr  5 17:29:00 gate pluto[30912]: added connection description "Test"
Apr  5 17:29:00 gate pluto[30912]: listening for IKE messages
Apr  5 17:29:00 gate pluto[30912]: adding interface pptp1/pptp1 
192.168.10.81:500
Apr  5 17:29:00 gate pluto[30912]: adding interface pptp0/pptp0 
192.168.10.80:500
Apr  5 17:29:00 gate pluto[30912]: adding interface eth2/eth2 
192.168.10.11:500
Apr  5 17:29:00 gate pluto[30912]: adding interface eth1/eth1 
77.241.241.241:500
Apr  5 17:29:00 gate pluto[30912]: adding interface eth0/eth0 
81.24.24.24:500
Apr  5 17:29:00 gate pluto[30912]: adding interface lo/lo 127.0.0.1:500
Apr  5 17:29:00 gate pluto[30912]: adding interface lo/lo ::1:500
Apr  5 17:29:00 gate pluto[30912]: loading secrets from "/etc/ipsec.secrets"
Apr  5 17:29:16 gate pluto[30912]: packet from 77.239.239.239:500: 
received Vendor ID payload [Dead Peer Detection]
Apr  5 17:29:16 gate pluto[30912]: "Test" #1: responding to Main Mode
Apr  5 17:29:16 gate pluto[30912]: "Test" #1: transition from state 
STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  5 17:29:16 gate pluto[30912]: "Test" #1: STATE_MAIN_R1: sent MR1, 
expecting MI2
Apr  5 17:29:16 gate pluto[30912]: pluto_do_crypto: helper (0) is  exiting
Apr  5 17:29:16 gate pluto[30912]: "Test" #1: transition from state 
STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  5 17:29:16 gate pluto[30912]: "Test" #1: STATE_MAIN_R2: sent MR2, 
expecting MI3
Apr  5 17:29:16 gate pluto[30912]: pluto_do_crypto: helper (0) is  exiting
Apr  5 17:29:17 gate pluto[30912]: "Test" #1: Main mode peer ID is 
ID_IPV4_ADDR: '10.162.33.69'
Apr  5 17:29:17 gate pluto[30912]: "Test" #1: transition from state 
STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  5 17:29:17 gate pluto[30912]: "Test" #1: STATE_MAIN_R3: sent MR3, 
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY 
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr  5 17:29:17 gate pluto[30912]: "Test" #1: Dead Peer Detection (RFC 
3706): enabled
Apr  5 17:29:17 gate pluto[30912]: "Test" #1: the peer proposed: 
192.168.10.0/24:0/0 -> 192.168.2.0/24:0/0
Apr  5 17:29:17 gate pluto[30912]: pluto_do_crypto: helper (0) is  exiting
Apr  5 17:29:17 gate pluto[30912]: pluto_do_crypto: helper (0) is  exiting
Apr  5 17:29:17 gate pluto[30912]: "Test" #2: responding to Quick Mode 
proposal {msgid:ac547e8c}
Apr  5 17:29:17 gate pluto[30912]: "Test" #2:     us: 
192.168.10.0/24===77.241.241.241[+S=C]
Apr  5 17:29:17 gate pluto[30912]: "Test" #2:   them: 
77.239.239.239<77.239.239.239>[10.162.33.69,+S=C]===192.168.2.0/24
Apr  5 17:29:17 gate pluto[30912]: "Test" #2: transition from state 
STATE_QUICK_R0 to state STATE_QUICK_R1
Apr  5 17:29:17 gate pluto[30912]: "Test" #2: STATE_QUICK_R1: sent QR1, 
inbound IPsec SA installed, expecting QI2
Apr  5 17:29:17 gate pluto[30912]: "Test" #2: Dead Peer Detection (RFC 
3706): enabled
Apr  5 17:29:17 gate pluto[30912]: "Test" #2: transition from state 
STATE_QUICK_R1 to state STATE_QUICK_R2
Apr  5 17:29:17 gate pluto[30912]: "Test" #2: STATE_QUICK_R2: IPsec SA 
established tunnel mode {ESP=>0x9c07f38b <0x33bfc5e0 
xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}

Do you know why he is getting the error message and have you any idea 
why ping/tracert only works in one direction? Could multiwan be messing 
things up? In a multiwan environment is "interfaces=%defaultroute" a 
good configuration statement?

Thanks,

Nick
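The log and config quoted above can be checked mechanically. The following is an added Python example (not from the post, ClearOS or Openswan) that parses the pluto lines, pulls out the phase 1 and phase 2 parameters and the peer's proposed selectors, counts the helper messages, and compares the selectors with the configured leftsubnet/rightsubnet; the sample lines are copied from the post and rejoined onto single lines, and the "legacy algorithm" list is the author's assumption.

```python
import re

# Constructed sample: lines from the post's /var/log/secure, unwrapped.
SAMPLE_LOG = """\
Apr  5 17:28:59 gate pluto[30912]: Setting NAT-Traversal port-4500 floating to off
Apr  5 17:29:16 gate pluto[30912]: pluto_do_crypto: helper (0) is  exiting
Apr  5 17:29:17 gate pluto[30912]: "Test" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Apr  5 17:29:17 gate pluto[30912]: "Test" #1: the peer proposed: 192.168.10.0/24:0/0 -> 192.168.2.0/24:0/0
Apr  5 17:29:17 gate pluto[30912]: pluto_do_crypto: helper (0) is  exiting
Apr  5 17:29:17 gate pluto[30912]: "Test" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9c07f38b <0x33bfc5e0 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
"""

SA_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*?(?P<phase>ISAKMP|IPsec) SA established.*?\{(?P<attrs>[^}]*)\}')
PROPOSED_RE = re.compile(r'the peer proposed: (?P<src>[^\s:]+):\S+ -> (?P<dst>[^\s:]+):\S+')
LEGACY = ("3des", "md5", "modp1024", "modp768")  # assumption: what to flag as weak

def parse_pluto_log(text):
    """Summarise SA parameters, proposed selectors, NAT-T state and helper exits."""
    s = {"helper_exits": 0, "phase1": {}, "phase2": {}, "proposed": None, "nat_t": None}
    for line in text.splitlines():
        if "pluto_do_crypto: helper" in line and "exiting" in line:
            s["helper_exits"] += 1          # the message the poster asks about
        if "NAT-Traversal" in line and "floating to off" in line:
            s["nat_t"] = "off"
        m = SA_RE.search(line)
        if m:
            attrs = {}
            for tok in m.group("attrs").split():   # e.g. cipher=oakley_3des_cbc_192
                if "=" in tok:
                    k, v = tok.split("=", 1)
                    attrs[k] = v
            s["phase1" if m.group("phase") == "ISAKMP" else "phase2"] = attrs
        m = PROPOSED_RE.search(line)
        if m:
            s["proposed"] = (m.group("src"), m.group("dst"))
    return s

def review(summary, leftsubnet, rightsubnet):
    """Return findings: selector mismatch, legacy algorithms, NAT-T disabled."""
    findings = []
    if summary["proposed"] and summary["proposed"] != (leftsubnet, rightsubnet):
        findings.append("selector mismatch: peer proposed %s -> %s" % summary["proposed"])
    for phase in ("phase1", "phase2"):
        for k, v in summary[phase].items():
            if any(w in v.lower() for w in LEGACY):
                findings.append(f"{phase} {k}={v} uses a legacy algorithm")
    if summary["nat_t"] == "off":
        findings.append("NAT-T disabled; relevant when the peer sits behind NAT")
    return findings
```

Run against the post's log with leftsubnet=192.168.10.0/24 and rightsubnet=192.168.2.0/24 the selectors match, so the one-way traffic is not a phase 2 selector problem; the findings are the 3DES/MD5 proposal from the RV042 and NAT-T being off.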

