[Openswan Users] ipsec problem - asynchronous network error report
Sebastijan Šilec
sebastijan.silec at agenda.si
Tue Jun 21 09:29:46 EDT 2011
I have a problem using openswan ipsec (2.6.31).
I have a working configuration on ADSL (ppp), but when using the same
conf on FTTH it doesn't work.
ipsec.conf:
-----
config setup
        interfaces="ipsec0=ppp0"
        nat_traversal=no
        oe=off
        protostack=klips
        uniqueids=yes
# default settings for connections
conn %default
        authby=secret
        ikelifetime=86400s
        keylife=3600s
        keyingtries=0
        ike=3des-md5;modp1024
        phase2alg=3des-md5;modp1024
        sareftrack=no
include /etc/ipsec.d/remote
-----
remote conf:
-----
conn remote-all
        authby=secret
        auto=start
        # Left security gateway, subnet behind it, next hop toward right.
        left=192.168.33.130
        leftsubnet=0.0.0.0/0
        #leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.231.249.166
        rightsubnet=0.0.0.0/0
        rightsourceip=10.228.248.1
------
This works on ppp, but if I switch to FTTH on eth2 the conf looks like this
(the only difference is the interface, eth2 instead of ppp0, and the WAN IP):
ipsec.conf
-----
config setup
        interfaces="ipsec0=eth2"
        nat_traversal=no
        oe=off
        protostack=klips
        uniqueids=yes
# default settings for connections
conn %default
        authby=secret
        ikelifetime=86400s
        keylife=3600s
        keyingtries=0
        ike=3des-md5;modp1024
        phase2alg=3des-md5;modp1024
        sareftrack=no
include /etc/ipsec.d/remote
-----
/etc/ipsec.d/remote:
conn remote-all
        authby=secret
        auto=start
        # Left security gateway, subnet behind it, next hop toward right.
        left=192.168.33.130
        leftsubnet=0.0.0.0/0
(I tried here with the IP of the default GW for FTTH or %defaultroute, but it
won't connect.)
        #leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, next hop toward left.
        right=10.253.19.226
        rightsubnet=0.0.0.0/0
        rightsourceip=10.228.248.1
Here is the error:
Jun 15 10:34:11 localhost pluto[8875]: Starting Pluto (Openswan Version 2.6.31; Vendor ID OE}GnD\177ZAYe[) pid:8875
Jun 15 10:34:11 localhost pluto[8875]: LEAK_DETECTIVE support [enabled]
Jun 15 10:34:11 localhost pluto[8875]: SAref support [disabled]: Protocol not available
Jun 15 10:34:11 localhost pluto[8875]: SAbind support [disabled]: Protocol not available
Jun 15 10:34:11 localhost pluto[8875]: NSS support [disabled]
Jun 15 10:34:11 localhost pluto[8875]: HAVE_STATSD notification support not compiled in
Jun 15 10:34:11 localhost pluto[8875]: Setting NAT-Traversal port-4500 floating to off
Jun 15 10:34:11 localhost pluto[8875]: port floating activation criteria nat_t=0/port_float=1
Jun 15 10:34:11 localhost pluto[8875]: NAT-Traversal support [disabled]
Jun 15 10:34:11 localhost pluto[8875]: using /dev/urandom as source of random entropy
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 15 10:34:11 localhost pluto[8875]: starting up 1 cryptographic helpers
Jun 15 10:34:11 localhost pluto[8875]: started helper pid=8878 (fd:7)
Jun 15 10:34:11 localhost pluto[8875]: Using KLIPS IPsec interface code on 2.6.31.14-0.6-default
Jun 15 10:34:11 localhost pluto[8875]: Changed path to directory '/etc/ipsec.d/cacerts'
Jun 15 10:34:11 localhost pluto[8875]: Could not change to directory '/etc/ipsec.d/aacerts': /
Jun 15 10:34:11 localhost pluto[8875]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Jun 15 10:34:11 localhost pluto[8875]: Changing to directory '/etc/ipsec.d/crls'
Jun 15 10:34:11 localhost pluto[8875]: Warning: empty directory
Jun 15 10:34:11 localhost pluto[8878]: using /dev/urandom as source of random entropy
Jun 15 10:34:11 localhost pluto[8875]: added connection description "mercator-all"
Jun 15 10:34:11 localhost ipsec__plutorun: 002 added connection description "mercator-all"
Jun 15 10:34:12 localhost pluto[8875]: listening for IKE messages
Jun 15 10:34:12 localhost pluto[8875]: | invalid listen= option ignored: empty string
Jun 15 10:34:12 localhost pluto[8875]: adding interface ipsec0/eth2 10.253.19.226:500
Jun 15 10:34:12 localhost pluto[8875]: loading secrets from "/etc/ipsec.secrets"
Jun 15 10:34:12 localhost pluto[8875]: "mercator-all" #1: initiating Main Mode
Jun 15 10:34:12 localhost ipsec__plutorun: 104 "mercator-all" #1: STATE_MAIN_I1: initiate
Jun 15 10:34:15 localhost pluto[8875]: "remote-all" #1: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.23.130 port 500, complainant 10.253.19.226: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jun 15 10:34:19 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:21 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:23 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:25 localhost pluto[8875]: packet from 192.168.23.130:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jun 15 10:34:25 localhost pluto[8875]: "remote-all" #1: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.23.130 port 500, complainant 10.253.19.226: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
These are the routes:
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
10.253.19.224   0.0.0.0         255.255.255.252 U     0      0   0   eth2
10.253.19.224   0.0.0.0         255.255.255.252 U     0      0   0   ipsec0
10.228.248.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         10.253.19.225   0.0.0.0         UG    0      0   0   eth2
I've noticed these are missing in comparison to ppp0:
0.0.0.0         0.0.0.0         128.0.0.0       U     0      0   0   ipsec0
128.0.0.0       0.0.0.0         128.0.0.0       U     0      0   0   ipsec0
ifconfig:
eth0      Link encap:Ethernet  HWaddr 6C:F0:49:AB:31:BA
          inet addr:10.228.248.1  Bcast:10.228.248.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:27 Base address:0xc000

eth2      Link encap:Ethernet  HWaddr 00:08:A1:7E:FA:A8
          inet addr:10.253.19.226  Bcast:10.253.19.227  Mask:255.255.255.252
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:20

ipsec0    Link encap:Ethernet  HWaddr 00:08:A1:7E:FA:A8
          inet addr:10.253.19.226  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
tcpdump on eth2 shows only incoming traffic from 192.168.23.130 port
500, but no response.
My guess is that something with the routes is not ok, or do I have to add
something to the ipsec configuration?
Anyone with a clue?
Thank you
--
Sebastijan Šilec, system support
Suggestion! Visit our updated web page at http://www.agenda.si
OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE :
TRAINING : SOFTWARE
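A small triage helper for the two observations in the mail above (the "asynchronous network error report" line and the route table). This is an added example, not code from the original post or from Openswan; the log and route excerpts embedded in it are constructed copies shaped on the mail's output. It checks whether the ICMP unreachable was generated by the local host itself (the complainant equals the address pluto bound on eth2, so the IKE packet never left the box) and which interface a packet to the IKE peer would leave on under longest-prefix match.

```python
import ipaddress
import re

# Constructed excerpt, shaped like the pluto log and `route -n` table in the mail.
PLUTO_LOG = """\
Jun 15 10:34:12 localhost pluto[8875]: adding interface ipsec0/eth2 10.253.19.226:500
Jun 15 10:34:15 localhost pluto[8875]: "remote-all" #1: ERROR: asynchronous network error report on eth2 (sport=500) for message to 192.168.23.130 port 500, complainant 10.253.19.226: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""
ROUTE_TABLE = """\
10.253.19.224 0.0.0.0 255.255.255.252 U 0 0 0 eth2
10.253.19.224 0.0.0.0 255.255.255.252 U 0 0 0 ipsec0
10.228.248.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.253.19.225 0.0.0.0 UG 0 0 0 eth2
"""
IFACE_RE = re.compile(r"adding interface \S+/(\S+) ([\d.]+):\d+")
ERR_RE = re.compile(
    r"asynchronous network error report on (?P<iface>\S+) .*? for message to "
    r"(?P<dst>[\d.]+) port \d+, complainant (?P<complainant>[\d.]+): "
    r"(?P<text>[^\[]+?) \[errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) "
    r"code (?P<code>\d+)")

def triage_reports(log):
    """One dict per error report; local_origin marks ICMP the host sent itself."""
    bound, reports = {}, []         # bound: interface -> address pluto listens on
    for line in log.splitlines():
        m = IFACE_RE.search(line)
        if m:
            bound[m.group(1)] = m.group(2)
            continue
        m = ERR_RE.search(line)
        if m:
            r = m.groupdict()
            # ICMP type 3 code 1 is host unreachable. A complainant equal to our own
            # address means the local kernel produced it (no usable route), so no upstream router saw the packet.
            r["local_origin"] = bound.get(r["iface"]) == r["complainant"]
            reports.append(r)
    return reports

def parse_routes(text):
    # Turn `route -n` rows into (network, interface) pairs.
    routes = []
    for row in text.splitlines():
        dst, _gw, mask, _flags, _metric, _ref, _use, iface = row.split()
        routes.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False), iface))
    return routes

def egress_iface(routes, dst):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None
```

Appending the two 0.0.0.0/1 and 128.0.0.0/1 ipsec0 routes that the mail notes as missing to ROUTE_TABLE shows how they change the egress interface for the peer address.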