[Openswan Users] stuck: openswan tunnel with STATE_QUICK_R2: IPsec SA established tunnel mode

Marius Schwarz support at evolution-hosting.eu
Wed Apr 18 16:53:52 EDT 2012

Hi, 

I'm trying to connect an Android Samsung tablet to an openswan server.
The Android is in a LAN behind NAT, as you can see from the log below.

I got it running as far as this message:

STATE_QUICK_R2: IPsec SA established tunnel mode

After that it just dies.



Server: openswan-2.6.37-1.fc15.i686

----------------------------- ipsec.conf 

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=all
        plutodebug="all"
        plutostderrlog="/var/log/pluto.err"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        # forceencaps=yes
        # RFC 1918 ranges a NATed roadwarrior may sit behind (matched by %priv in rightsubnet)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

# You may put your configuration (.conf) files in "/etc/ipsec.d/"
include /etc/ipsec.d/*.conf

--------------------------------------------------

Roadwarrior conf:

conn roadwarrior2
        dpdaction=clear
        authby=secret
        type=tunnel

        left=%defaultroute
        leftnexthop=83.246.80.129
        leftsubnet=83.246.80.130/27

        right=%any
        rightsubnet=vhost:%no,%priv

        auto=add
        pfs=no
----------------------------------------------------------


"roadwarrior2"[2] 84.133.11.62 #5: responding to Main Mode from unknown peer 84.133.11.62
"roadwarrior2"[2] 84.133.11.62 #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"roadwarrior2"[2] 84.133.11.62 #5: STATE_MAIN_R1: sent MR1, expecting MI2
"roadwarrior2"[2] 84.133.11.62 #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
"roadwarrior2"[2] 84.133.11.62 #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"roadwarrior2"[2] 84.133.11.62 #5: STATE_MAIN_R2: sent MR2, expecting MI3
"roadwarrior2"[2] 84.133.11.62 #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.0
"roadwarrior2"[2] 84.133.11.62 #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"roadwarrior2"[2] 84.133.11.62 #5: new NAT mapping for #5, was 84.133.11.62:500, now 84.133.11.62:33771
"roadwarrior2"[2] 84.133.11.62 #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"roadwarrior2"[2] 84.133.11.62 #5: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
"roadwarrior2"[2] 84.133.11.62 #5: received and ignored informational message
"roadwarrior2"[2] 84.133.11.62 #5: the peer proposed: 83.246.80.130/32:0/0 -> 192.168.0.58/32:0/0
"roadwarrior2"[2] 84.133.11.62 #6: responding to Quick Mode proposal {msgid:3ef30bda}
"roadwarrior2"[2] 84.133.11.62 #6:     us: 83.246.80.128/27===83.246.80.130[+S=C]---83.246.80.129
"roadwarrior2"[2] 84.133.11.62 #6:   them: 84.133.11.62[192.168.0.58,+S=C]===192.168.0.58/32
"roadwarrior2"[2] 84.133.11.62 #6: keeping refhim=4294901761 during rekey
"roadwarrior2"[2] 84.133.11.62 #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"roadwarrior2"[2] 84.133.11.62 #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"roadwarrior2"[2] 84.133.11.62 #6: netlink_raw_eroute: WARNING: that_client port 0 and that_host port 33771 don't match. Using that_client port.
"roadwarrior2"[2] 84.133.11.62 #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"roadwarrior2"[2] 84.133.11.62 #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x02fb75ab <0xa2ca9fab xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=84.133.11.62:33771 DPD=none}

followed by this: 

| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 0 messages from cryptographic helpers
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
| next event EVENT_NAT_T_KEEPALIVE in 19 seconds
|
| next event EVENT_NAT_T_KEEPALIVE in 0 seconds
| *time to handle event
| handling event EVENT_NAT_T_KEEPALIVE
| event after this is EVENT_PENDING_DDNS in 40 seconds
| processing connection roadwarrior2[2] 84.133.11.62
| processing connection roadwarrior2[2] 84.133.11.62
| processing connection roadwarrior2[2] 84.133.11.62
| processing connection roadwarrior2[2] 84.133.11.62
| next event EVENT_PENDING_DDNS in 40 seconds 

--------------------------------------------------

The Android request just times out and I get an error message.

On the Android side I used: L2TP/IPSec PSK VPN,
without an L2TP key.

--------------------------------------------------

tcpdump:

22:48:48.991204 IP 84.133.11.62.isakmp > 83.246.80.130.isakmp: isakmp: phase 1 I ident
22:48:48.994430 IP 83.246.80.130.isakmp > 84.133.11.62.isakmp: isakmp: phase 1 R ident
22:48:49.089711 IP 84.133.11.62.isakmp > 83.246.80.130.isakmp: isakmp: phase 1 I ident
22:48:49.093615 IP 83.246.80.130.isakmp > 84.133.11.62.isakmp: isakmp: phase 1 R ident
22:48:49.172630 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
22:48:49.175320 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: NONESP-encap: isakmp: phase 1 R ident[E]
22:48:49.237719 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
22:48:50.247311 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
22:48:50.254025 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
22:48:50.314021 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
22:48:50.989296 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x1), length 108
22:48:50.989429 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x1), length 140
22:48:52.991993 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x2), length 108
22:48:52.992112 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x2), length 140
22:48:54.993945 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x3), length 108
22:48:54.994065 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x3), length 140
22:48:57.004504 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x4), length 108
22:48:57.004597 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x4), length 140
22:48:59.003358 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x5), length 108
22:48:59.003466 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x5), length 140
22:49:01.002733 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x6), length 108
22:49:01.002850 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x6), length 140
22:49:03.000809 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x7), length 108
22:49:03.000908 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x7), length 140
22:49:05.013784 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x8), length 108
22:49:05.013884 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x8), length 140
22:49:06.336417 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: isakmp-nat-keep-alive
22:49:07.016703 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x9), length 108
22:49:07.016800 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x9), length 140
22:49:09.019575 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0xa), length 108
22:49:09.019677 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0xa), length 140
22:49:11.018371 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0xb), length 108
22:49:11.018591 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0xb), length 140
22:49:13.021909 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0xc), length 108
22:49:13.022005 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0xc), length 140
22:49:15.018666 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0xd), length 108
22:49:15.018781 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0xd), length 140
22:49:17.021300 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0xe), length 108
22:49:17.021395 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0xe), length 140
22:49:19.050613 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0xf), length 108
22:49:19.050733 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0xf), length 140
22:49:21.027375 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x10), length 108
22:49:21.027480 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x10), length 140
22:49:23.036921 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x11), length 108
22:49:23.037034 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x11), length 140
22:49:25.039574 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x12), length 108
22:49:25.039674 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x12), length 140
22:49:26.348190 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: isakmp-nat-keep-alive
22:49:27.044163 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x13), length 108
22:49:27.044261 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x13), length 140
22:49:29.044953 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x14), length 108
22:49:29.045064 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x14), length 140


--------------------------------------------------

# ipsec setup --status
IPsec running  - pluto pid: 2422
pluto pid 2422
4 tunnels up
some eroutes exist

--------------------------------------------------

Does anyone have an idea?



best regards,

Marius Schwarz
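The capture in the post shows the whole exchange in order: Main Mode on UDP 500, the move to UDP 4500 once NAT is detected, Quick Mode, and then UDP-encapsulated ESP where every client packet (spi 0xf843bb99, 108 bytes) is answered by a server packet (spi 0x00e71644, 140 bytes). The first thing to settle when a tunnel "dies" after STATE_QUICK_R2 is therefore whether the IPsec layer itself is the problem at all. The script below is an added example for this thread, not the poster's code and not part of openswan: it parses tcpdump lines of the shape shown above (a constructed, abridged sample is embedded), tracks each ESP SPI by direction, checks that sequence numbers step by one, counts client ESP packets that got no server ESP reply, notes the port NAT-T settled on and the keepalives, and prints a plain-language verdict. The server address, the one-second reply window and the verdict wording are my assumptions.

```python
"""Triage an IKEv1 + NAT-T tcpdump capture: did IKE complete, and does ESP
flow both ways?  Added example for this thread, not code from the poster or
from openswan.  Accepts resolved service names (isakmp, ipsec-nat-t) as in
the post, and numeric ports as printed by tcpdump -n."""
import re
from collections import defaultdict

# Constructed sample, abridged from the shape of the capture in the post.
SAMPLE_TCPDUMP = """\
22:48:48.991204 IP 84.133.11.62.isakmp > 83.246.80.130.isakmp: isakmp: phase 1 I ident
22:48:48.994430 IP 83.246.80.130.isakmp > 84.133.11.62.isakmp: isakmp: phase 1 R ident
22:48:49.172630 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
22:48:49.175320 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: NONESP-encap: isakmp: phase 1 R ident[E]
22:48:50.247311 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
22:48:50.254025 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
22:48:50.989296 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x1), length 108
22:48:50.989429 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x1), length 140
22:48:52.991993 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: UDP-encap: ESP(spi=0xf843bb99,seq=0x2), length 108
22:48:52.992112 IP 83.246.80.130.ipsec-nat-t > 84.133.11.62.32964: UDP-encap: ESP(spi=0x00e71644,seq=0x2), length 140
22:49:06.336417 IP 84.133.11.62.32964 > 83.246.80.130.ipsec-nat-t: isakmp-nat-keep-alive
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d(?:\.\d+)?) IP (\S+) > (\S+): (.*)$")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\), length (\d+)")
NAT_T_PORTS = {"ipsec-nat-t", "4500"}


def split_endpoint(ep):
    """'84.133.11.62.32964' -> ('84.133.11.62', '32964'); the port may be a service name."""
    host, _, port = ep.rpartition(".")
    return host, port


def parse_line(line):
    """One tcpdump line -> record dict, or None for lines that are not IPv4 packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hh, mm, ss, src, dst, rest = m.groups()
    src_ip, sport = split_endpoint(src)
    dst_ip, dport = split_endpoint(dst)
    rec = {"t": int(hh) * 3600 + int(mm) * 60 + float(ss), "src": src_ip, "sport": sport,
           "dst": dst_ip, "dport": dport, "kind": "other", "spi": None, "seq": None, "len": None}
    esp = ESP_RE.search(rest)
    if esp:
        rec.update(kind="esp", spi=esp.group(1), seq=int(esp.group(2), 16), len=int(esp.group(3)))
    elif "isakmp-nat-keep-alive" in rest:
        rec["kind"] = "keepalive"
    elif "R oakley-quick" in rest:
        rec["kind"] = "qm_reply"      # responder's Quick Mode reply: phase 2 was reached
    elif "phase 1" in rest:
        rec["kind"] = "phase1"
    return rec


def triage(text, server_ip, reply_window=1.0):
    """Summarise a capture from the server's side.  reply_window (seconds, an assumption)
    is how long a client ESP packet may wait for a server ESP packet before it counts
    as unanswered."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    from_client = [r for r in recs if r["dst"] == server_ip]
    from_server = [r for r in recs if r["src"] == server_ip]

    # Per-SPI bookkeeping: direction, packet count, sequence numbers, packet sizes.
    spis = defaultdict(lambda: {"direction": None, "count": 0, "seqs": [], "lengths": set()})
    for r in recs:
        if r["kind"] != "esp":
            continue
        d = spis[r["spi"]]
        d["direction"] = "client->server" if r["dst"] == server_ip else "server->client"
        d["count"] += 1
        d["seqs"].append(r["seq"])
        d["lengths"].add(r["len"])
    # ESP sequence numbers must step by exactly one; a gap means loss, reordering or a replay.
    for d in spis.values():
        d["seq_gaps"] = [(a, b) for a, b in zip(d["seqs"], d["seqs"][1:]) if b != a + 1]

    server_esp_times = [r["t"] for r in from_server if r["kind"] == "esp"]
    unanswered = sum(
        1 for r in from_client
        if r["kind"] == "esp" and not any(r["t"] <= t <= r["t"] + reply_window for t in server_esp_times)
    )
    nat_ports = sorted({r["sport"] for r in from_client if r["dport"] in NAT_T_PORTS})

    s = {
        "phase1_seen": any(r["kind"] == "phase1" for r in recs),
        "nat_t_switch": bool(nat_ports),        # traffic moved from UDP 500 to UDP 4500
        "client_nat_port": nat_ports,           # the NAT's outside port(s) for this client
        "quick_mode_reply": any(r["kind"] == "qm_reply" for r in from_server),
        "esp": dict(spis),
        "esp_bidirectional": {"client->server", "server->client"} <= {d["direction"] for d in spis.values()},
        "unanswered_client_esp": unanswered,
        "keepalives": sum(r["kind"] == "keepalive" for r in from_client),
    }
    if not s["quick_mode_reply"]:
        s["verdict"] = "Quick Mode never answered: the problem is in IKE (proposal, PSK, IDs, subnets)"
    elif not s["esp_bidirectional"] or s["unanswered_client_esp"]:
        s["verdict"] = "ESP is one-way or unanswered: check the eroute/policy, UDP 4500 filtering, forceencaps"
    else:
        s["verdict"] = ("IPsec is passing traffic both ways; the failure is inside the tunnel, which this "
                        "capture cannot see (for L2TP/IPsec: is anything answering on UDP 1701?)")
    return s


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TCPDUMP, "83.246.80.130").items():
        print(f"{key:>22}: {value}")
```

Feed it the output of `tcpdump -i <iface> udp port 500 or udp port 4500` captured on the server; with the sample above it reports two answered ESP packets per direction, no sequence gaps, one keepalive, NAT-T on client port 32964, and the "inside the tunnel" verdict. What it cannot do is look inside ESP: when the verdict lands there, the next step is on the server itself (is an L2TP daemon bound to UDP 1701, and does the installed policy, `ip xfrm policy` on netkey, cover that traffic), not another round of IKE debugging.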