[Openswan Users] Yet Another EC2 Config Debug

James Nelson james.nelson.ii at gmail.com
Wed Sep 7 16:58:01 EDT 2011


Newbie looking for any sort of help- it seems as though I can't even get the
plane off the ground at the moment.  The issue might be with the phase2 in
the .conf, but ipsec verify is showing everything is clear.  All of the
necessary files and logs are below, with the exception of the full barf.
Anything stick out like a sore thumb?

-James

ipsec.conf:

config setup
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:<CLIENT ED>/24,%v4:10.5.5.5/32
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

conn ec2-to-checkpoint
        connaddrfamily=ipv4
        type=tunnel
        authby=secret
        ike=3des-md5;modp1024
        ikelifetime=86400s
        phase2=esp
        # valid proposal syntax is "enc-auth[;modpgroup]"; a second "-" is not a
        # separator, and with pfs=no no PFS group is negotiated anyway
        phase2alg=3des-md5
        lifetime=28800s
        forceencaps=yes
        pfs=no
        left=<EC2 PRIVATE IP>
        leftid=<EC2 ELASTIC IP>
        leftnexthop=%defaultroute
        leftsubnet=10.5.5.5/32
        leftsourceip=10.5.5.5
        right=<CLIENT GATEWAY>
        rightsubnet=<CLIENT ED>
        auto=add

ipsec.secrets:
<EC2 ELASTIC IP> <CLIENT GATEWAY>: PSK "HeyLookImAKey"

/var/log/messages:
Sep  7 20:18:05 kernel: NET: Unregistered protocol family 15
Sep  7 20:18:05 kernel: NET: Registered protocol family 15
Sep  7 20:18:06 kernel: Initializing XFRM netlink socket
Sep  7 20:18:06 kernel: padlock: VIA PadLock not detected.
Sep  7 20:18:06 kernel: padlock: VIA PadLock Hash Engine not detected.
Sep  7 20:18:06 kernel: Intel AES-NI instructions are not detected.
Sep  7 20:18:06 kernel: padlock: VIA PadLock not detected.
Sep  7 20:18:06 pluto: adjusting ipsec.d to /etc/ipsec.d

/var/log/syslog:
Sep  7 20:18:05 kernel: NET: Unregistered protocol family 15
Sep  7 20:18:05 kernel: NET: Registered protocol family 15
Sep  7 20:18:05 ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-317-ec2...
Sep  7 20:18:05 ipsec_setup: Using NETKEY(XFRM) stack
Sep  7 20:18:06 kernel: Initializing XFRM netlink socket
Sep  7 20:18:06 kernel: padlock: VIA PadLock not detected.
Sep  7 20:18:06 kernel: padlock: VIA PadLock Hash Engine not detected.
Sep  7 20:18:06 kernel: Intel AES-NI instructions are not detected.
Sep  7 20:18:06 kernel: padlock: VIA PadLock not detected.
Sep  7 20:18:06 ipsec_setup: multiple ip addresses, using <EC2 PRIVATE> on eth0
Sep  7 20:18:06 ipsec_setup: ...Openswan IPsec started
Sep  7 20:18:06 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Sep  7 20:18:06 pluto: adjusting ipsec.d to /etc/ipsec.d
Sep  7 20:18:06 ipsec__plutorun: 034 esp string error: Non alphanum or valid separator found in auth string, just after "3des-md5" (old_state=ST_AA)
Sep  7 20:18:06 ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Sep  7 20:18:06 ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Sep  7 20:18:06 ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T


/var/log/auth.log:
...
pluto[19246]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[19246]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
pluto[19246]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[19246]: ike_alg_add(): ERROR: Algorithm already exists
pluto[19246]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[19246]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[19246]: ike_alg_add(): ERROR: Algorithm already exists
pluto[19246]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[19246]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[19246]: ike_alg_add(): ERROR: Algorithm already exists
pluto[19246]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[19246]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[19246]: ike_alg_add(): ERROR: Algorithm already exists
pluto[19246]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[19246]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
pluto[19246]: ike_alg_add(): ERROR: Algorithm already exists
pluto[19246]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
pluto[19246]: Changed path to directory '/etc/ipsec.d/cacerts'
pluto[19246]: Changed path to directory '/etc/ipsec.d/aacerts'
pluto[19246]: Changed path to directory '/etc/ipsec.d/ocspcerts'
pluto[19246]: Changing to directory '/etc/ipsec.d/crls'
pluto[19246]:   Warning: empty directory
pluto[19246]: added connection description "ec2-to-checkpoint"
pluto[19246]: listening for IKE messages
pluto[19246]: NAT-Traversal: Trying new style NAT-T
pluto[19246]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
pluto[19246]: NAT-Traversal: Trying old style NAT-T
pluto[19246]: adding interface eth0:1/eth0:1 10.5.5.5:500
pluto[19246]: adding interface eth0:1/eth0:1 10.5.5.5:4500
pluto[19246]: adding interface eth0/eth0 XXX.XXX.XXX.XXX:500
pluto[19246]: adding interface eth0/eth0 XXX.XXX.XXX.XXX:4500
pluto[19246]: adding interface lo/lo XXX.XXX.XXX.XXX:500
pluto[19246]: adding interface lo/lo XXX.XXX.XXX.XXX:4500
pluto[19246]: adding interface lo/lo ::1:500
pluto[19246]: loading secrets from "/etc/ipsec.secrets"
pluto[19246]:   loaded private key file '/etc/ipsec.d/private/ip-XX-XX-XXX-XXXKey.pem' (1675 bytes)
pluto[19246]: loaded private key for keyid: PPK_RSA:<XXXXXXXX>
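The "esp string error ... just after "3des-md5" (old_state=ST_AA)" line in the syslog is the Openswan proposal-string parser rejecting phase2alg=3des-md5-modp1024: the grammar is "enc[keylen]-auth[;modpgroup]" with commas between proposals, so the second "-" is not a legal separator while the auth token is being read. The following checker is an added example, not code from this post or from the Openswan project. It walks a proposal string with the same kind of state machine (the state name ST_AA is taken from the log line; the walk and its algorithm tables are this example's own simplified model, not Openswan's parser) and also lints the pfs=no plus modp-group combination. The conn dictionaries at the bottom are constructed from the posted configuration.

```python
"""Validator for Openswan-style ike= / phase2alg= proposal strings (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed subset of the algorithm names an Openswan 2.6 build accepts;
# enough to check the strings from the post, not an exhaustive table.
ENC_ALGS = {"3des", "aes", "camellia", "null"}
AUTH_ALGS = {"md5", "sha1", "sha2_256", "sha2_512"}
MODP_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096"}

# "aes128" is the aes cipher with a 128-bit key; "3des" carries no key length.
ENC_RE = re.compile(r"^(3des|aes|camellia|null)(\d*)$")


class ProposalError(ValueError):
    """Raised with a message shaped like pluto's '... string error' lines."""


@dataclass
class Proposal:
    enc: str
    keylen: Optional[int]
    auth: str
    modp: Optional[str]


def _finish(enc: str, auth: str, modp: Optional[str]) -> Proposal:
    """Validate the collected tokens against the tables and build a Proposal."""
    m = ENC_RE.match(enc)
    if not m or m.group(1) not in ENC_ALGS:
        raise ProposalError(f'unknown encryption algorithm "{enc}"')
    if auth not in AUTH_ALGS:
        raise ProposalError(f'unknown auth algorithm "{auth}"')
    if modp is not None and modp not in MODP_GROUPS:
        raise ProposalError(f'unknown modp group "{modp}"')
    keylen = int(m.group(2)) if m.group(2) else None
    return Proposal(m.group(1), keylen, auth, modp)


def parse_proposals(spec: str) -> List[Proposal]:
    """Character-by-character walk of "ENC[keylen]-AUTH[;MODP][,...]".

    Alphanumerics and '_' extend the current token. Which separator is legal
    depends on the state: '-' ends the enc token, ';' ends the auth token and
    starts a modp group, ',' ends a proposal. Anything else, including a
    second '-' while the auth token is being read, is an error.
    """
    proposals: List[Proposal] = []
    state, buf = "ST_ENC", ""
    enc, auth = "", ""
    for ch in spec + ",":  # sentinel comma closes the final proposal
        if ch.isalnum() or ch == "_":
            buf += ch
            continue
        if state == "ST_ENC":
            if ch != "-":
                raise ProposalError('Non alphanum or valid separator found in '
                                    f'enc string, just after "{buf}" (old_state={state})')
            enc, state = buf, "ST_AA"
        elif state == "ST_AA":
            if ch == ";":
                auth, state = buf, "ST_MODP"
            elif ch == ",":
                proposals.append(_finish(enc, buf, None))
                state = "ST_ENC"
            else:
                # The branch phase2alg=3des-md5-modp1024 from the post ends up in.
                raise ProposalError('Non alphanum or valid separator found in '
                                    f'auth string, just after "{enc}-{buf}" (old_state={state})')
        elif state == "ST_MODP":
            if ch != ",":
                raise ProposalError('Non alphanum or valid separator found in '
                                    f'modp string, just after "{enc}-{auth};{buf}" (old_state={state})')
            proposals.append(_finish(enc, auth, buf))
            state = "ST_ENC"
        buf = ""
    return proposals


def check_conn(conn: dict) -> List[str]:
    """Lint the ike= / phase2alg= / pfs= settings of one conn; return findings."""
    findings: List[str] = []
    for key in ("ike", "phase2alg"):
        if key not in conn:
            continue
        try:
            props = parse_proposals(conn[key])
        except ProposalError as e:
            findings.append(f"{key}: {e}")
            continue
        # Openswan's pfs default is yes; a group in phase2alg only matters then.
        if key == "phase2alg" and conn.get("pfs", "yes") == "no" and any(p.modp for p in props):
            findings.append("phase2alg: modp group given but pfs=no, so no PFS group "
                            "is negotiated; drop the group or set pfs=yes")
    return findings


# Constructed input: the conn from the post (keys lowercased) and a corrected copy.
POSTED_CONN = {"ike": "3des-md5;modp1024", "phase2alg": "3des-md5-modp1024", "pfs": "no"}
FIXED_CONN = {"ike": "3des-md5;modp1024", "phase2alg": "3des-md5", "pfs": "no"}

if __name__ == "__main__":
    for name, conn in (("posted", POSTED_CONN), ("fixed", FIXED_CONN)):
        print(name, check_conn(conn) or ["ok"])
```

Running it prints the same "just after "3des-md5" (old_state=ST_AA)" complaint for the posted conn and nothing for the corrected one; the pfs lint also fires if the group is kept in the ';'-separated form while pfs stays off.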