[Openswan Users] but no connection has been authorized with policy=PSK

Thomas Schweikle tps at vr-web.de
Mon Apr 11 15:30:57 EDT 2011


On 11.04.2011 21:07, Paul Wouters wrote:
> On Mon, 11 Apr 2011, Thomas Schweikle wrote:
> 
>> conn rz-openswan
>>        type=            tunnel
>>        auth=            esp
>>        authby=          secret
>>        keyexchange=     ike
>>        pfs=             no
>>        aggrmode=        no
>>        ike=             3des-sha1-modp1024
>>        esp=             3des-sha1
>>        auto=            add
> 
>> Since this is the only connection defined ...
>> and it is loaded:
> 
>> added connection description "rz-openswan"
> 
> You have no left/right parameters?

I have:
        # LOCAL
        leftid=          @rz
        left=            222.66.77.27
        leftnexthop=     222.66.77.1
        leftsubnet=      192.168.180.0/23
        #
        # REMOTE
        rightid=         @openswan
        right=           192.168.1.4
        rightnexthop=    192.168.1.1
        rightsubnet=     192.168.1.0/24


> ipsec auto --status ?
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 222.66.77.27
000 interface eth0/eth0 222.66.77.27
000 interface eth1/eth1 192.168.180.27
000 interface eth1/eth1 192.168.180.27
000 interface eth2/eth2 172.19.0.27
000 interface eth2/eth2 172.19.0.27
000 interface tap0/tap0 10.8.0.1
000 interface tap0/tap0 10.8.0.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty.
    If you have private address space in internal use, it
    should be excluded!

I have in ipsec.conf:
config setup
        plutostderrlog=  "/var/log/pluto.err"
        plutodebug=      "none"
        nat_traversal=   yes
        virtual_private= %v4:10.0.0.0/8,\
                         %v4:192.168.0.0/16,\
                         %v4:172.16.0.0/12,%v4
        oe=              off
        protostack=      netkey
        interfaces=      %none

I am not aware of a way to exclude the private address space I use
from virtual_private!

000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "rz-openswan": 192.168.180.0/23===222.66.77.27<222.66.77.27>[@rz,+S=C]---222.66.77.1...192.168.1.1---192.168.1.4<192.168.1.4>[@openswan,+S=C]===192.168.1.0/24; unrouted; eroute owner: #0
000 "rz-openswan":     myip=unset; hisip=unset;
000 "rz-openswan":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "rz-openswan":   policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+lKOD+rKOD; prio: 23,24; interface: eth0;
000 "rz-openswan":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "rz-openswan":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "rz-openswan":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "rz-openswan":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
000 "rz-openswan":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160


-- 
Thomas
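Added example, not part of the original post and not Openswan code: the exclusion the status warning asks for is written as a `!`-prefixed entry in virtual_private= (e.g. %v4:!192.168.180.0/23). The script below parses the interface and %priv lines of the `ipsec auto --status` output shown in the post, works out which of the conn's subnets overlap an allowed range and which private interface addresses are left uncovered, and prints the corrected ipsec.conf line. STATUS and CONN_SUBNETS are constructed from the post; the function names are my own. One caveat a practitioner should keep in mind: virtual_private only applies to conns whose remote end is vhost:%priv (road-warrior clients); the static rz-openswan conn does not use it, so the warning concerns the global setting, not this tunnel.

```python
"""Work out the virtual_private= exclusions pluto's status warning asks for.

Added example; not from the original post and not Openswan code. STATUS and
CONN_SUBNETS are constructed from the post, the helper names are my own.
"""
import ipaddress
import re

# Constructed input: the interface and %priv lines of `ipsec auto --status`
# as shown in the post (pluto prints each interface twice; one copy suffices).
STATUS = """\
000 interface eth0/eth0 222.66.77.27
000 interface eth1/eth1 192.168.180.27
000 interface eth2/eth2 172.19.0.27
000 interface tap0/tap0 10.8.0.1
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 0 subnets:
"""

# leftsubnet/rightsubnet of conn rz-openswan. Both are in use from the
# gateway's point of view, so a road-warrior client must not be allowed to
# claim a virtual IP inside either of them.
CONN_SUBNETS = ["192.168.180.0/23", "192.168.1.0/24"]

_IFACE_RE = re.compile(r"^000 interface \S+ (\S+)$")
_ALLOWED_RE = re.compile(r"^000 - allowed \d+ subnets: (.*)$")


def parse_allowed(status):
    """Ranges pluto currently accepts for %priv (the 'allowed' line)."""
    for line in status.splitlines():
        m = _ALLOWED_RE.match(line)
        if m:
            return [ipaddress.ip_network(s.strip())
                    for s in m.group(1).split(",") if s.strip()]
    return []


def parse_interface_addrs(status):
    """Addresses pluto listens on, de-duplicated and sorted by family/value."""
    addrs = set()
    for line in status.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            addrs.add(ipaddress.ip_address(m.group(1)))
    return sorted(addrs, key=lambda a: (a.version, int(a)))


def plan_exclusions(status, conn_subnets):
    """Return (exclusions, uncovered).

    exclusions: conn subnets that overlap an allowed %priv range; these need a
                '!' entry in virtual_private=.
    uncovered:  private interface addresses inside an allowed range that no
                conn subnet covers. The status output carries no netmask, so
                they are reported for the operator to exclude by hand.
    """
    allowed = parse_allowed(status)
    subnets = [ipaddress.ip_network(s) for s in conn_subnets]
    exclusions = [s for s in subnets
                  if any(s.overlaps(a) for a in allowed if a.version == s.version)]
    uncovered = [a for a in parse_interface_addrs(status)
                 if any(a in r for r in allowed if r.version == a.version)
                 and not any(a in s for s in subnets if s.version == a.version)]
    return exclusions, uncovered


def render_virtual_private(allowed, exclusions):
    """ipsec.conf value: %v4:/%v6: prefix per range, '!' marks a disallowed one."""
    def tag(n, bang=False):
        return "%%v%d:%s%s" % (n.version, "!" if bang else "", n)
    parts = [tag(n) for n in allowed] + [tag(n, True) for n in exclusions]
    return "virtual_private=" + ",".join(parts)


if __name__ == "__main__":
    exclusions, uncovered = plan_exclusions(STATUS, CONN_SUBNETS)
    print(render_virtual_private(parse_allowed(STATUS), exclusions))
    for addr in uncovered:
        print("# %s sits in an allowed %%priv range but no conn subnet covers it;"
              " add its real subnet with a '!' entry" % addr)
```

Run against the post's status output it emits the allowed ranges followed by %v4:!192.168.180.0/23 and %v4:!192.168.1.0/24, and flags 10.8.0.1 (tap0) and 172.19.0.27 (eth2) as private addresses whose subnets still need to be excluded by hand.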


More information about the Users mailing list