[Openswan Users] SUSPECT_SPAM_SA2-SMTP Openswan 2.6.33 esp Tunnel established . NO PING .
trafictemp
trafictemp at home.ro
Sat Apr 9 08:37:42 EDT 2011
Hello,
I do not know what I am doing wrong, but I am tired of getting nothing.
The scenario is: roadwarrior (Shrew VPN client) >--- wireless
router >---> Openswan.
I would like a bit of help because I tried everything, and I think
something is wrong in the subnet definitions.
This is my configuration used for the connection:
config setup
        plutodebug=controlmore
        klipsdebug="none"
        dumpdir=/var/run/pluto/
        nat_traversal=no
        oe=off
        protostack=klips
        interfaces="ipsec0=eth0"

conn %default
        aggrmode=no
        auth=esp

conn openswan-wirel
        left=192.168.100.70
        leftsubnet=192.168.100.0/24
        right=%any
        authby=secret
        # shrew vpn client on Windows XP/7 doesn't work with pfs on :(
        pfs=no
        type=tunnel
        ike=aes256-md5-modp3072
        phase2=esp
        phase2alg=aes256-sha1
        rekey=yes
        keylife=15m
        ikelifetime=30m
        compress=no
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        auto=add
Everything is OK. The tunnel is up:
0 192.168.100.0/24 -> 192.168.100.108/32 => tun0x1001@192.168.100.108
(and of course ZERO packets: cannot ping, no data transfer through the
tunnel.)
When "checking IP FORWARDING", ipsec verify says "FAILED".
The firewall has >>>NO<<< rules and everything is set to ACCEPT.
According to the book, these variables were set, so everything should work?
ipv4/ip_forward
ipv4/conf/default/rp_filter
ipv4/conf/all/accept_redirects
ipv4/conf/all/send_redirects
ipv4/icmp_ignore_bogus_error_responses
ipv4/conf/all/log_martians
-------------------output of------------
ipsec auto --status
000 "mini-roadwireless":
192.168.100.0/24===192.168.100.70<192.168.100.70>[+S=C]...%any[+S=C];
unrouted; eroute owner: #0
000 "mini-roadwireless": myip=unset; hisip=unset;
000 "mini-roadwireless": ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mini-roadwireless": policy:
PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,32;
interface: eth0;
000 "mini-roadwireless": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "mini-roadwireless"[1]:
192.168.100.0/24===192.168.100.70<192.168.100.70>[+S=C]...192.168.100.108[+S=C];
erouted; eroute owner: #2
000 "mini-roadwireless"[1]: myip=unset; hisip=unset;
000 "mini-roadwireless"[1]: ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mini-roadwireless"[1]: policy:
PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,32;
interface: eth0;
000 "mini-roadwireless"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "mini-roadwireless"[1]: IKE algorithm newest:
AES_CBC_256-MD5-MODP3072
000
000 #2: "mini-roadwireless"[1] 192.168.100.108:500 STATE_QUICK_R2 (IPsec
SA established); EVENT_SA_REPLACE in 3241s; newest IPSEC; eroute owner;
isakmp#1; idle; import:not set
000 #2: "mini-roadwireless"[1] 192.168.100.108
esp.e8ff0742@192.168.100.108 esp.9a10674a@192.168.100.70
tun.1001@192.168.100.108 tun.1002@192.168.100.70 ref=43 refhim=41
000 #1: "mini-roadwireless"[1] 192.168.100.108:500 STATE_MAIN_R3 (sent
MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3240s; newest ISAKMP;
nodpd; idle; import:not set
000
-----------------------
Some output from the secure log (plutodebug) follows:
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp3072}
Apr 9 15:25:27 ignition pluto[2272]: | processing connection
mini-roadwireless[1] 192.168.100.108
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT msgid=00000000
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #1: received and ignored informational message
Apr 9 15:25:27 ignition pluto[2272]: | processing connection
mini-roadwireless[1] 192.168.100.108
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #1: the peer proposed: 192.168.100.0/24:0/0 ->
192.168.100.108/32:0/0
Apr 9 15:25:27 ignition pluto[2272]: | find_client_connection starting
with mini-roadwireless
Apr 9 15:25:27 ignition pluto[2272]: | looking for 192.168.100.0/24:0/0
-> 192.168.100.108/32:0/0
Apr 9 15:25:27 ignition pluto[2272]: | concrete checking against sr#0
192.168.100.0/24 -> 192.168.100.108/32
Apr 9 15:25:27 ignition pluto[2272]: | match_id a=192.168.100.108
Apr 9 15:25:27 ignition pluto[2272]: | b=192.168.100.108
Apr 9 15:25:27 ignition pluto[2272]: | results matched
Apr 9 15:25:27 ignition pluto[2272]: | trusted_ca called with a=(empty)
b=(empty)
Apr 9 15:25:27 ignition pluto[2272]: | fc_try trying
mini-roadwireless:192.168.100.0/24:0/0 -> 192.168.100.108/32:0/0 vs
mini-roadwireless:192.168.100.0/24:0/0 -> 192.168.100.108/32:0/0
Apr 9 15:25:27 ignition pluto[2272]: | fc_try concluding with
mini-roadwireless [128]
Apr 9 15:25:27 ignition pluto[2272]: | fc_try mini-roadwireless gives
mini-roadwireless
Apr 9 15:25:27 ignition pluto[2272]: | concluding with d =
mini-roadwireless
Apr 9 15:25:27 ignition pluto[2272]: | client wildcard: no port
wildcard: no virtual: no
Apr 9 15:25:27 ignition pluto[2272]: | processing connection
mini-roadwireless[1] 192.168.100.108
Apr 9 15:25:27 ignition pluto[2272]: | event added at head of queue
Apr 9 15:25:27 ignition pluto[2272]: | deleting event for #2
Apr 9 15:25:27 ignition pluto[2272]: | event added after event
EVENT_PENDING_PHASE2
Apr 9 15:25:27 ignition pluto[2272]: | quick inI1_outR1: calculated
ke+nonce, calculating DH
Apr 9 15:25:27 ignition pluto[2272]: | processing connection
mini-roadwireless[1] 192.168.100.108
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #2: responding to Quick Mode proposal {msgid:dff2489d}
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #2: us:
192.168.100.0/24===192.168.100.70<192.168.100.70>[+S=C]
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #2: them: 192.168.100.108[+S=C]
Apr 9 15:25:27 ignition pluto[2272]: | finished processing quick inI1
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Apr 9 15:25:27 ignition pluto[2272]: | deleting event for #2
Apr 9 15:25:27 ignition pluto[2272]: | event added at head of queue
Apr 9 15:25:27 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed,
expecting QI2
Apr 9 15:25:27 ignition pluto[2272]: | processing connection
mini-roadwireless[1] 192.168.100.108
Apr 9 15:25:27 ignition pluto[2272]: | route_and_eroute with c:
mini-roadwireless (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)}
and state: 2
Apr 9 15:25:28 ignition pluto[2272]: | inI2: instance
mini-roadwireless[1], setting newest_ipsec_sa to #2 (was #0)
(spd.eroute=#2)
Apr 9 15:25:28 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Apr 9 15:25:28 ignition pluto[2272]: | deleting event for #2
Apr 9 15:25:28 ignition pluto[2272]: | event added after event
EVENT_SA_REPLACE for #1
Apr 9 15:25:28 ignition pluto[2272]: "mini-roadwireless"[1]
192.168.100.108 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0xe8ff0742 <0x9a10674a xfrm=AES_256-HMAC_MD5 NATOA=none NATD=none
DPD=none}
Apr 9 15:26:47 ignition pluto[2272]: | event added after event
EVENT_PENDING_PHASE2
Apr 9 15:26:47 ignition pluto[2272]: | event added at head of queue
Apr 9 15:28:47 ignition pluto[2272]: | event added after event
EVENT_SHUNT_SCAN
Apr 9 15:28:47 ignition pluto[2272]: | event added at head of queue
--
In case someone has an idea or had the same trouble, please reply.
Thanks.
{ sent by - please read headers }
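An added check, not part of the original post, for the sysctl variables listed in it: it reads the same /proc/sys/net files and flags any that differ from what an Openswan gateway needs (ip_forward on, which is what the "checking IP FORWARDING" step of ipsec verify reports on; rp_filter and ICMP redirects off). The expected values, the extra conf/all/rp_filter entry and the optional root-directory argument are my assumptions, the last one so the check can be pointed at a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original post): compare the kernel sysctl files
# the post lists against the values an Openswan gateway needs (assumed values).
# An alternative root directory may be given (assumption, for testing) instead
# of the default /proc/sys/net.

check_ipsec_sysctls() {
    root="${1:-/proc/sys/net}"
    failed=0
    # Strict checks. conf/all/rp_filter is included too, because the effective
    # value is the larger of "all" and the per-interface setting.
    for spec in \
        "ipv4/ip_forward:1" \
        "ipv4/conf/default/rp_filter:0" \
        "ipv4/conf/all/rp_filter:0" \
        "ipv4/conf/all/accept_redirects:0" \
        "ipv4/conf/all/send_redirects:0"
    do
        path="${spec%%:*}"
        want="${spec##*:}"
        file="$root/$path"
        if [ ! -r "$file" ]; then
            echo "MISSING  $path"
            failed=$((failed + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            echo "OK       $path = $have"
        else
            echo "FAILED   $path = $have (expected $want)"
            failed=$((failed + 1))
        fi
    done
    # Report-only: listed in the post, but the right value depends on the site.
    for path in ipv4/icmp_ignore_bogus_error_responses ipv4/conf/all/log_martians; do
        if [ -r "$root/$path" ]; then
            echo "INFO     $path = $(cat "$root/$path")"
        fi
    done
    return "$failed"   # exit status = number of failed strict checks
}

# Usage: run this file with --run to check the live kernel.
if [ "${1:-}" = "--run" ]; then
    check_ipsec_sysctls
fi
```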