[Openswan Users] phase 2 not working?

nemus at grayhatlabs.com
Wed Apr 4 14:17:25 EDT 2012


Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan U2.6.32/K2.6.32-220.7.1.el6.x86_64 (netkey)
Checking for IPsec support in kernel                        	[OK]
 SAref kernel support                                       	[N/A]
 NETKEY:  Testing for disabled ICMP send_redirects          	[OK]
NETKEY detected, testing for disabled ICMP accept_redirects 	[OK]
Checking that pluto is running                              	[OK]
 Pluto listening for IKE on udp 500                         	[OK]
 Pluto listening for NAT-T on udp 4500                      	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing                              	[OK]
Checking for 'ip' command                                   	[OK]
Checking /bin/sh is not /bin/dash                           	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]



# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0


conn test-b
        type=tunnel
        authby=secret
        left=x.x.x.181
        leftsubnet=x.x.x.0/24
        leftsourceip=x.x.x.181
        right=x.x.x.92
        rightsubnet=x.x.x.200/30
        # phase-2 (ESP) proposal; no ike= line, so pluto's default phase-1 proposals apply
        esp=aes-256-sha1
        keyexchange=ike
        # pfs=no: phase-2 keys are derived from the phase-1 DH secret (no Perfect Forward Secrecy)
        pfs=no
        auto=start
        lifetime=28800s

000 "test-b": x.x.x.0/24===x.x.x.181<x.x.x.181>[+S=C]...x.x.x.92<x.x.x.92>[+S=C]===x.x.x.24/30; prospective erouted; eroute owner: #0
000 "test-b":     myip=x.x.x.181; hisip=unset;
000 "test-b":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test-b":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,30; interface: eth0;
000 "test-b":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test-b":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
000 "test-b":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160

000 #2: "test-b":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "test-b" replacing #0

I am not sure why my connection is not working, and I am not sure how to
read the output.
Also, what does the following mean, and why am I getting this message?

000 "test-b":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
000 "test-b":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160

Is phase 1 working correctly? (and how do you know this?)

Also, what would be causing phase 2 not to work?
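Added example (not part of the original post, and not Openswan's own code): a small Python helper that parses `ipsec auto --status` lines like the ones quoted above and reports which phase each SA is in. It treats a final main-mode or aggressive-mode state, or a non-zero "newest ISAKMP SA", as phase 1 established, and a final quick-mode state or non-zero "newest IPsec SA" as phase 2 established; everything else is in progress, pending or not started. The embedded sample is the post's own output re-joined onto single lines; the state-name sets are IKEv1 state names as pluto prints them; the function names and the wording of the notes are my own.

```python
import re

# Constructed sample input: the `ipsec auto --status` lines quoted in the post,
# re-joined onto single lines, with the addresses anonymised as in the original.
SAMPLE_STATUS = """\
000 "test-b": x.x.x.0/24===x.x.x.181<x.x.x.181>[+S=C]...x.x.x.92<x.x.x.92>[+S=C]===x.x.x.24/30; prospective erouted; eroute owner: #0
000 "test-b":     myip=x.x.x.181; hisip=unset;
000 "test-b":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "test-b":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,30; interface: eth0;
000 "test-b":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test-b":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
000 "test-b":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 #2: "test-b":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "test-b" replacing #0
"""

# IKEv1 state names as pluto prints them. Phase 1 (ISAKMP SA) is complete only
# in the last main-mode / aggressive-mode state; phase 2 (IPsec SA) only in the
# last quick-mode state. Everything before that is still negotiating.
PHASE1_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_AGGR_I2", "STATE_AGGR_R2"}
PHASE1_BUSY = {"STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3",
               "STATE_MAIN_R0", "STATE_MAIN_R1", "STATE_MAIN_R2",
               "STATE_AGGR_I1", "STATE_AGGR_R0", "STATE_AGGR_R1"}
PHASE2_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}
PHASE2_BUSY = {"STATE_QUICK_I1", "STATE_QUICK_R0", "STATE_QUICK_R1"}

SA_RE = re.compile(r'newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)')
ESP_RE = re.compile(r'ESP algorithms (wanted|loaded): ([^;\s]+)')
POLICY_RE = re.compile(r'policy: ([A-Za-z0-9+]+);')
STATE_RE = re.compile(r'#(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\); (EVENT_\w+) in (\d+)s')
PENDING_RE = re.compile(r'#\d+: pending Phase 2 for "([^"]+)"')
ALG_RE = re.compile(r'(\w+)\((\d+)\)_(\d+)-(\w+)\((\d+)\)_(\d+)')


def parse_esp_alg(spec):
    """Decode pluto's ENC(id)_keybits-AUTH(id)_keybits notation, e.g.
    AES(12)_256-SHA1(2)_160: the numbers in parentheses are the IANA ESP
    transform / authentication identifiers, the trailing numbers are key
    lengths in bits (0 = none given on the esp= line)."""
    m = ALG_RE.fullmatch(spec)
    if not m:
        raise ValueError("unrecognised ESP algorithm spec: %r" % spec)
    enc, enc_id, enc_bits, auth, auth_id, auth_bits = m.groups()
    return {"enc": enc, "enc_id": int(enc_id), "enc_bits": int(enc_bits),
            "auth": auth, "auth_id": int(auth_id), "auth_bits": int(auth_bits)}


def summarise_status(text):
    """Pull the fields that matter for phase-1/phase-2 troubleshooting out of
    `ipsec auto --status` output (one connection assumed)."""
    s = {"conn": None, "isakmp_sa": None, "ipsec_sa": None, "policy": [],
         "esp": {}, "states": [], "pending_phase2": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("000 "):
            continue  # only status lines, not 003/004 log lines
        body = line[4:]
        if s["conn"] is None:
            m = re.match(r'"([^"]+)":', body)
            if m:
                s["conn"] = m.group(1)
        m = SA_RE.search(body)
        if m:
            s["isakmp_sa"], s["ipsec_sa"] = int(m.group(1)), int(m.group(2))
        m = POLICY_RE.search(body)
        if m:
            s["policy"] = m.group(1).split("+")
        m = ESP_RE.search(body)
        if m:
            s["esp"][m.group(1)] = parse_esp_alg(m.group(2))
        m = STATE_RE.match(body)
        if m:
            s["states"].append({"num": int(m.group(1)), "conn": m.group(2),
                                "state": m.group(3), "desc": m.group(4),
                                "event": m.group(5), "in_secs": int(m.group(6))})
        if PENDING_RE.match(body):
            s["pending_phase2"] = True
    return s


def diagnose(s):
    """Turn the parsed summary into a phase-1 / phase-2 verdict plus notes."""
    states = {st["state"] for st in s["states"]}
    notes = []
    if (s["isakmp_sa"] or 0) > 0 or states & PHASE1_DONE:
        phase1 = "established"
    elif states & PHASE1_BUSY:
        phase1 = "in progress"
    else:
        phase1 = "not started"
    if (s["ipsec_sa"] or 0) > 0 or states & PHASE2_DONE:
        phase2 = "established"
    elif states & PHASE2_BUSY:
        phase2 = "in progress"
    elif s["pending_phase2"]:
        phase2 = "pending (waiting for phase 1)"
    else:
        phase2 = "not started"
    for st in s["states"]:
        if st["state"] in PHASE1_BUSY and st["event"] == "EVENT_RETRANSMIT":
            notes.append("#%d is %s (%s) and retransmitting: no reply from the peer yet; "
                         "check reachability/filtering of UDP 500 and 4500 and the peer's "
                         "pluto log" % (st["num"], st["state"], st["desc"]))
    w, l = s["esp"].get("wanted"), s["esp"].get("loaded")
    if w and l:
        same = (w["enc_id"], w["enc_bits"], w["auth_id"]) == (l["enc_id"], l["enc_bits"], l["auth_id"])
        if same and w["auth_bits"] == 0 and l["auth_bits"] > 0:
            notes.append("ESP wanted/loaded differ only in auth key length (0 vs %d): 0 means "
                         "none was given on the esp= line, %d is what was registered for %s; "
                         "informational, not an error" % (l["auth_bits"], l["auth_bits"], l["auth"]))
        elif not same:
            notes.append("ESP algorithm wanted does not match what was loaded")
    if s["policy"] and "PFS" not in s["policy"]:
        notes.append("policy has no PFS flag (pfs=no): phase-2 keys derive from the "
                     "phase-1 DH secret; pfs=yes is the safer choice")
    return {"phase1": phase1, "phase2": phase2, "notes": notes}


if __name__ == "__main__":
    verdict = diagnose(summarise_status(SAMPLE_STATUS))
    print("phase 1:", verdict["phase1"])
    print("phase 2:", verdict["phase2"])
    for note in verdict["notes"]:
        print("-", note)
```

Run on the sample it reports phase 1 "in progress" (STATE_MAIN_I1 with EVENT_RETRANSMIT: the first main-mode message went out and nothing came back) and phase 2 "pending", which is what "pending Phase 2 ... replacing #0" means: quick mode cannot start until the ISAKMP SA exists. To use it on a live host, replace SAMPLE_STATUS with the text of `ipsec auto --status`.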
