[Openswan Users] [FAILED] messages

Jarek Joachimiak jaroslaw19 at gmail.com
Thu Apr 12 17:13:20 EDT 2012


Ok. Thanks for the help. Now my ipsec verify looks like this:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                [OK]
Linux Openswan U2.6.28/K2.6.38-8-generic (netkey)
Checking for IPsec support in kernel                           [OK]
NETKEY detected, testing for disabled ICMP send_redirects      [OK]
NETKEY detected, testing for disabled ICMP accept_redirects    [OK]
Checking that pluto is running                                 [OK]
Pluto listening for IKE on udp 500                             [OK]
Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                      [OK]
Checking for 'iptables' command                                [OK]
Opportunistic Encryption Support                               [DISABLED]

But when I try to bring up the connection:
ipsec auto --up roadwarriod

nothing happens. I can't use ping, I can't log on to FTP and don't see
any info on the terminal.

This is my ipsec.conf:

# basic configuration
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
        interfaces=%defaultroute

conn sample
        # Left security gateway, subnet behind it, nexthop toward right.
        compress=yes
        keyingtries=1
        disablearrivalcheck=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        authby=rsasig

conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior

conn roadwarrior
        left=192.168.0.168
        leftcert=server.pem
        right=192.168.0.149
        rightsubnet=192.168.0.0/24
        auto=add
        pfs=yes

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

My ipsec.secrets:
: RSA server.key "server"

auth.log:
Apr 12 19:00:40 ifrit-VirtualBox ipsec__plutorun: Starting Pluto subsystem...
Apr 12 19:00:40 ifrit-VirtualBox pluto[3137]: Starting Pluto (Openswan
Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:3137
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: SAref support
[disabled]: Protocol not available
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: SAbind support
[disabled]: Protocol not available
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Setting NAT-Traversal
port-4500 floating to on
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]:    port floating
activation criteria nat_t=1/port_float=1
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]:    NAT-Traversal support
[enabled]
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: fixup for bad
virtual_private entry '%4:172.16.0.0/12', please fix your
virtual_private line!
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: fixup for bad
virtual_private entry '%4:172.16.0.0/12', please fix your
virtual_private line!
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: using /dev/urandom as
source of random entropy
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_hash():
Activating OAKLEY_SHA2_512: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_hash():
Activating OAKLEY_SHA2_256: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: starting up 1
cryptographic helpers
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: started helper pid=3140 (fd:7)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Kernel interface auto-pick
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Using Linux 2.6 IPsec
interface code on 2.6.38-8-generic (experimental code)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3140]: using /dev/urandom as
source of random entropy
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_add(): ERROR:
Algorithm already exists
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changed path to
directory '/etc/ipsec.d/cacerts'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]:   loaded CA cert file
'cacert.pem' (3253 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changed path to
directory '/etc/ipsec.d/aacerts'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changed path to
directory '/etc/ipsec.d/ocspcerts'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: Changing to directory
'/etc/ipsec.d/crls'
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]:   loaded crl file
'crl.pem' (467 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loading certificate from
server.pem
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]:   loaded host cert file
'/etc/ipsec.d/certs/server.pem' (3147 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: added connection
description "roadwarrior-net"
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loading certificate from
server.pem
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]:   loaded host cert file
'/etc/ipsec.d/certs/server.pem' (3147 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: added connection
description "roadwarrior"
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: listening for IKE messages
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: NAT-Traversal: Trying
new style NAT-T
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: NAT-Traversal:
ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: NAT-Traversal: Trying
old style NAT-T
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface
eth0/eth0 192.168.0.149:500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface
eth0/eth0 192.168.0.149:4500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface lo/lo
127.0.0.1:500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface lo/lo
127.0.0.1:4500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: adding interface lo/lo ::1:500
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loading secrets from
"/etc/ipsec.secrets"
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]:   loaded private key
file '/etc/ipsec.d/private/server.key' (963 bytes)
Apr 12 19:00:41 ifrit-VirtualBox pluto[3137]: loaded private key for
keyid: PPK_RSA:AwEAAcbay

ipsec status
IPsec running  - pluto pid: 2129
pluto pid 2129
No tunnels up

I don't know how to fix it, and I don't know what doesn't work.

2012/4/12 SVM <svm7 at mail15.com>:
> It's better to set these variables in sysctl.conf to zero:
>
> net.ipv4.conf.default.accept_redirects = 0
> net.ipv4.conf.default.send_redirects = 0
>
> instead of "conf.all"!
>
> Command "sysctl -p" will not always help to apply these variables for all
> network interfaces, so you have to set all of them to zero by hand, but just
> once. The other kernel variables (for all interfaces) will be nulled
> automatically after reboot.
>
>
>
> 12.04.2012 16:27, Jarek Joachimiak wrote:
>>
>> net.ipv4.conf.all.accept_redirects = 0
>> net.ipv4.conf.all.send_redirects = 0
>
>
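As an added example (not code from the thread or from Openswan), a small Python lint for an ipsec.conf of the kind posted above: it reports virtual_private entries that pluto would reject, such as the `%4:` entry the auth.log complains about, and checks whether the name handed to `ipsec auto --up` or referenced by `also=` is actually a defined conn. The `IPSEC_CONF` sample is constructed from the post; the function names are the editor's own.

```python
"""Lint an Openswan ipsec.conf fragment (editor's example, not Openswan code)."""
import re
from ipaddress import ip_network

# Constructed from the ipsec.conf posted above, trimmed to the relevant sections.
IPSEC_CONF = """\
config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
        interfaces=%defaultroute
conn roadwarrior-net
        leftsubnet=192.168.0.0/24
        also=roadwarrior
conn roadwarrior
        left=192.168.0.168
        right=192.168.0.149
        auto=add
"""

def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'config setup' is keyed as 'setup'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # 'conn NAME' or 'config setup'
            _kind, name = line.split(None, 1)
            current = sections.setdefault(name.strip(), {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def check_virtual_private(value):
    """Return entries that are not '%v4:' or '%v6:' followed by a matching CIDR."""
    bad = []
    for entry in (e.strip() for e in value.split(",")):
        m = re.fullmatch(r"%v([46]):(!?)(.+)", entry)  # '!' marks an exclusion
        try:
            if not m or ip_network(m.group(3), strict=False).version != int(m.group(1)):
                raise ValueError(entry)
        except ValueError:
            bad.append(entry)
    return bad

def undefined_conns(sections, *names):
    """Conn names used on the command line or via also= that no section defines."""
    referenced = set(names) | {v["also"] for v in sections.values() if "also" in v}
    return sorted(referenced - set(sections))

if __name__ == "__main__":
    conf = parse_ipsec_conf(IPSEC_CONF)
    print("bad virtual_private:", check_virtual_private(conf["setup"]["virtual_private"]))
    print("undefined conns:", undefined_conns(conf, "roadwarriod"))
```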

