[Openswan Users] [FAILED] messages
Jarek Joachimiak
jaroslaw19 at gmail.com
Thu Apr 12 17:13:20 EDT 2012
OK. Thanks for the help. Now my ipsec verify looks like this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.38-8-generic (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
But when I try to pick up the connection:
ipsec auto --up roadwarriod
nothing happens. I can't use ping, I can't log on to FTP and I don't see
any info on the terminal.
This is my ipsec.conf:
# basic configuration
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
interfaces=%defaultroute
conn sample
# Left security gateway, subnet behind it, nexthop toward right.
compress=yes
keyingtries=1
disablearrivalcheck=no
leftrsasigkey=%cert
rightrsasigkey=%cert
authby=rsasig
conn roadwarrior-net
leftsubnet=192.168.0.0/24
also=roadwarrior
conn roadwarrior
left=192.168.0.168
leftcert=server.pem
right=192.168.0.149
rightsubnet=192.168.0.0/24
auto=add
pfs=yes
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear-or-private
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
My ipsec.secrets:
: RSA server.key "server"
auth.log:
Apr 12 19:00:40 ifrit-VirtualBox ipsec__plutorun: Starting Pluto subsystem...
Apr 12 19:00:40 ifrit-VirtualBox pluto[3137]: Starting Pluto (Openswan
Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:3137
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: SAref support
[disabled]: Protocol not available
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: SAbind support
[disabled]: Protocol not available
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Setting NAT-Traversal
port-4500 floating to on
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: port floating
activation criteria nat_t=1/port_float=1
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: NAT-Traversal support
[enabled]
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: fixup for bad
virtual_private entry '%4:172.16.0.0/12', please fix your
virtual_private line!
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: fixup for bad
virtual_private entry '%4:172.16.0.0/12', please fix your
virtual_private line!
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: using /dev/urandom as
source of random entropy
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: starting up 1
cryptographic helpers
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: started helper pid=3140 (fd:7)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Kernel interface auto-pick
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Using Linux 2.6 IPsec
interface code on 2.6.38-8-generic (experimental code)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3140]: using /dev/urandom as
source of random entropy
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changed path to
directory '/etc/ipsec.d/cacerts'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loaded CA cert file
'cacert.pem' (3253 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changed path to
directory '/etc/ipsec.d/aacerts'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changed path to
directory '/etc/ipsec.d/ocspcerts'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changing to directory
'/etc/ipsec.d/crls'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loaded crl file
'crl.pem' (467 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loading certificate from
server.pem
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loaded host cert file
'/etc/ipsec.d/certs/server.pem' (3147 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: added connection
description "roadwarrior-net"
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loading certificate from
server.pem
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loaded host cert file
'/etc/ipsec.d/certs/server.pem' (3147 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: added connection
description "roadwarrior"
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: listening for IKE messages
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: NAT-Traversal: Trying
new style NAT-T
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: NAT-Traversal:
ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: NAT-Traversal: Trying
old style NAT-T
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface
eth0/eth0 192.168.0.149:500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface
eth0/eth0 192.168.0.149:4500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface lo/lo
127.0.0.1:500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface lo/lo
127.0.0.1:4500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface lo/lo ::1:500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loading secrets from
"/etc/ipsec.secrets"
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loaded private key
file '/etc/ipsec.d/private/server.key' (963 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loaded private key for
keyid: PPK_RSA:AwEAAcbay
ipsec status
IPsec running - pluto pid: 2129
pluto pid 2129
No tunnels up
I don't know how to fix it and I don't know what doesn't work.
2012/4/12 SVM <svm7 at mail15.com>:
> It's better to set these variables in sysctl.conf to zero:
>
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
>
> instead of "conf.all"!
>
> The command "sysctl -p" will not always apply these variables to all
> network interfaces, so you have to set all of them to zero by hand, but just
> once. The other kernel variables (for all interfaces) will be nulled
> automatically after reboot.
>
>
>
> 12.04.2012 16:27, Jarek Joachimiak wrote:
>>
>> net.ipv4.conf.all.accept_redirects = 0
>> net.ipv4.conf.all.send_redirects = 0
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
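Two of the problems in the posted ipsec.conf are visible without bringing a tunnel up: the log complains about the virtual_private entry '%4:172.16.0.0/12' (missing the 'v' in '%v4:'), and conn roadwarrior-net ends up with leftsubnet and rightsubnet both set to 192.168.0.0/24, so the IPsec policy would cover the two gateways' own traffic as well. The script below is an added example, not Openswan's code and not from the poster: a minimal key=value parser for the ipsec.conf subset shown above, a syntax check for virtual_private entries, and an overlap check for leftsubnet/rightsubnet after resolving also= chains. The sample configs are constructed from the post; the "fixed" variant assumes the peer is a road warrior that should get a virtual address (rightsubnet=vhost:%priv,%no), which is an assumption about the intended setup rather than something the post states.

```python
"""Lint the ipsec.conf subset posted above for two mistakes the log points at.

Added example, not Openswan code: a minimal key=value parser plus two checks,
a virtual_private syntax check (the log complains about '%4:172.16.0.0/12')
and an overlap check between leftsubnet and rightsubnet.
"""
import ipaddress
import re

# Constructed sample: the 'config setup' and roadwarrior conns from the post,
# reduced to the keys this linter inspects.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
    interfaces=%defaultroute
conn roadwarrior-net
    leftsubnet=192.168.0.0/24
    also=roadwarrior
conn roadwarrior
    left=192.168.0.168
    leftcert=server.pem
    right=192.168.0.149
    rightsubnet=192.168.0.0/24
    auto=add
    pfs=yes
"""

# Constructed corrected sample (assumption: the peer is a road warrior with a
# virtual address, so rightsubnet uses the vhost: form instead of the LAN).
FIXED_CONF = SAMPLE_CONF.replace("%4:172.16", "%v4:172.16").replace(
    "rightsubnet=192.168.0.0/24", "rightsubnet=vhost:%priv,%no")

# A virtual_private entry is [!]%v4:net or [!]%v6:net; the address family of
# the network must match the %v4/%v6 prefix.
VP_ENTRY = re.compile(r"^!?%v([46]):(.+)$")


def parse_conf(text):
    """Return {'setup': {...}, 'conn NAME': {...}} from indented key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] in ("config", "conn") and len(words) == 2:
            key = "setup" if words[0] == "config" else "conn " + words[1]
            current = sections.setdefault(key, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            current[k.strip()] = v.strip()
    return sections


def check_virtual_private(value):
    """Return the entries of a virtual_private= line that would be rejected."""
    bad = []
    for entry in (e.strip() for e in value.split(",")):
        m = VP_ENTRY.match(entry)
        if not m:                       # e.g. '%4:...' missing the 'v'
            bad.append(entry)
            continue
        try:
            net = ipaddress.ip_network(m.group(2), strict=False)
        except ValueError:              # not a CIDR network at all
            bad.append(entry)
            continue
        if str(net.version) != m.group(1):   # %v4 with an IPv6 prefix, or vice versa
            bad.append(entry)
    return bad


def resolve_conn(sections, name, seen=()):
    """Merge an also= chain; the including conn's own keys take precedence."""
    own = sections["conn " + name]
    merged = {}
    if "also" in own and own["also"] not in seen:
        merged.update(resolve_conn(sections, own["also"], seen + (name,)))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def check_subnets(conn):
    """Flag leftsubnet/rightsubnet that overlap: the policy would then also
    cover traffic between the two gateways themselves."""
    vals = [conn.get("leftsubnet"), conn.get("rightsubnet")]
    if not all(vals) or any(v.startswith("vhost:") for v in vals):
        return []                       # host-only side, or resolved at runtime
    try:
        left, right = (ipaddress.ip_network(v, strict=False) for v in vals)
    except ValueError as exc:
        return [f"unparseable subnet: {exc}"]
    if left.overlaps(right):
        return [f"leftsubnet {left} overlaps rightsubnet {right}"]
    return []


def lint(text):
    """Run both checks over a whole ipsec.conf and return readable findings."""
    sections = parse_conf(text)
    findings = []
    vp = sections.get("setup", {}).get("virtual_private", "")
    if vp:
        findings += [f"virtual_private: bad entry {e!r}" for e in check_virtual_private(vp)]
    for key in sections:
        if key.startswith("conn "):
            name = key[len("conn "):]
            findings += [f"conn {name}: {m}" for m in check_subnets(resolve_conn(sections, name))]
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {label} ==")
        for finding in lint(conf) or ["no findings"]:
            print(" ", finding)
```

Running it on the posted configuration reports the malformed virtual_private entry and the overlapping subnets in roadwarrior-net; the corrected sample produces no findings. The parser only understands the flat key=value layout used in the post (no include directives, no %default sections), so treat it as a pre-flight check before `ipsec auto --add`, not as a replacement for pluto's own parsing.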