[Openswan Users] Problem with a simple connection.
adstar at genis-x.com
adstar at genis-x.com
Thu Dec 6 06:39:11 EST 2012
Hi Elison,
Sorry I totally forgot to cc the list..
I made the changes to my config but still have the issues with PSK
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=auto
plutostderrlog=/var/log/pluto.log
interfaces="ipsec0=eth0"
conn multi-conn
rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
also=conn
conn conn
type = tunnel
authby = secret
left = 103.29.173.140
right = 119.225.115.131
rightnexthop = %defaultroute
ike = aes256-sha1-modp1536
esp = aes256-sha1
keyexchange = ike
pfs = no
auto = add
My Pluto log
Plutorun started on Thu Dec 6 22:36:06 EDT 2012
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:9770
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=9773 (fd:4)
Kernel interface auto-pick
No Kernel NETKEY interface detected
Using KLIPS IPsec interface code on 2.6.35.14-i686
using /dev/urandom as source of random entropy
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
address family inconsistency in this connection=2 host=2/nexthop=0
attempt to load incomplete connection
address family inconsistency in this connection=2 host=2/nexthop=0
attempt to load incomplete connection
listening for IKE messages
adding interface ipsec0/eth0 103.29.172.40:500
adding interface ipsec0/eth0 103.29.172.40:4500
adding interface ipsec0/eth0:4 172.16.0.100:500
adding interface ipsec0/eth0:4 172.16.0.100:4500
adding interface ipsec0/eth0:2 103.29.175.1:500
adding interface ipsec0/eth0:2 103.29.175.1:4500
adding interface ipsec0/eth0:1 103.29.174.1:500
adding interface ipsec0/eth0:1 103.29.174.1:4500
adding interface ipsec0/eth0:0 103.29.173.1:500
adding interface ipsec0/eth0:0 103.29.173.1:4500
adding interface ipsec0/eth0 103.29.172.1:500
adding interface ipsec0/eth0 103.29.172.1:4500
loading secrets from "/etc/ipsec.secrets"
packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
Cheers
Adam
-----Original Message-----
From: Elison Niven [mailto:elison.niven at elitecore.com]
Sent: Thursday, 6 December 2012 10:08 PM
To: adstar at genis-x.com
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Problem with a simple connection.
> Ok so my external interface is eth1 internal eth0
You are receiving the main mode request on eth0.
You are receiving packets on this interface :
> packet from 119.225.115.131:500: initial Main Mode message received on
> 103.29.172.40:500 but no connection has been authorized with
> policy=PSK
Therefore you should have left=103.29.172.40 in your config. You can omit leftnexthop in the config.
Restart your ipsec service or do ipsec auto --rereadall after doing the changes.
Kindly do not take the discussion off-list.
On Thursday 06 December 2012 04:26:57 PM IST, adstar at genis-x.com wrote:
> Hi Elison,
>
> Ok so my external interface is eth1 internal eth0
>
> I'm not sure what to put as the left/leftnexthop.
> I have tried
> conn asic
> type = tunnel
> authby = secret
> left = 202.45.103.162
> leftnexthop = 202.45.103.161
> right = 119.225.115.131
> rightnexthop = %defaultroute
> ike = aes256-sha1-modp1536
> esp = aes256-sha1
> keyexchange = ike
> pfs = no
> auto = add
>
> but still get the error
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
> packet from 119.225.115.131:500: initial Main Mode message received on
> 103.29.172.40:500 but no connection has been authorized with
> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor ID
> payload
> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
> packet from 119.225.115.131:500: initial Main Mode message received on
> 103.29.172.40:500 but no connection has been authorized with
> policy=PSK
>
> Also do you mean all IPV6 on all interfaces?
>
> Thanks for you help
> Cheers
> Adam
>
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
> inet 103.29.172.40/24 scope global secondary eth0
> inet6 fe80::225:90ff:fe35:359e/64 scope link
> valid_lft forever preferred_lft forever
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
> inet6 fe80::225:90ff:fe35:359f/64 scope link
> valid_lft forever preferred_lft forever
>
>
> I would like my external clients to connect to the IP 172.29.172.40
>
> firewall# ip route
> 202.45.103.160/30 dev eth1 proto kernel scope link src
> 202.45.103.162
> 172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.100
> 103.29.174.0/24 dev eth0 proto kernel scope link src 103.29.174.1
> 103.29.175.0/24 dev eth0 proto kernel scope link src 103.29.175.1
> 103.29.172.0/24 dev eth0 proto kernel scope link src 103.29.172.1
> 103.29.173.0/24 dev eth0 proto kernel scope link src 103.29.173.1
> default via 202.45.103.161 dev eth1
>
>
>
>
> -----Original Message-----
> From: Elison Niven [mailto:elison.niven at elitecore.com]
> Sent: Thursday, 6 December 2012 9:27 PM
> To: adstar at genis-x.com
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Problem with a simple connection.
>
> The address type of your host address (left) does not match with the address type of your nexthop (leftnexthop).
> You can try removing leftnexthop=%defaultroute and put in the actual
> IPv4 gateway, and do the same for rightnexthop.
> You can also try disabling IPv6.
>
> On Thursday 06 December 2012 08:48:45 AM IST, adstar at genis-x.com wrote:
>> Hi all,
>>
>> I’m having an issue setting up a tunnel that I need some help with.
>>
>> I have included the relevant files below
>>
>>
>> My first issue is when I start ipsec I get the following error:
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>> inconsistency in this connection=2 host=2/nexthop=0
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>> incomplete connection
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>> inconsistency in this connection=2 host=2/nexthop=0
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>> incomplete connection
>>
>> My second issue is the right side can’t connect.
>>
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>
>> packet from 119.225.115.131:500: initial Main Mode message received
>> on
>> 103.29.172.40:500 but no connection has been authorized with
>> policy=PSK
>>
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>
>> packet from 119.225.115.131:500: initial Main Mode message received
>> on
>> 103.29.172.40:500 but no connection has been authorized with
>> policy=PSK
>>
>> Can anyone help me on where to go from here?
>>
>> Cheers
>> Adam
>>
>> firewall# ipsec --version
>>
>> Linux Openswan 2.6.37 (klips)
>>
>>
>> firewall# cat ipsec.conf
>>
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>>
>> config setup
>>
>> #plutodebug = "all"
>>
>> #klipsdebug = "all"
>>
>> plutoopts="--perpeerlog"
>>
>> dumpdir=/var/run/pluto/
>>
>> nat_traversal=yes
>>
>>
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%
>> v
>> 4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>
>> oe=off
>>
>> protostack=klips
>>
>> plutostderrlog=/var/log/pluto.log
>>
>> interfaces="ipsec0=eth0"
>>
>> listen=103.29.172.40
>>
>> # Add connections here
>>
>> conn multi-conn1
>>
>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,14
>> 4
>> .55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.
>> 124.206/32}
>>
>> leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.2
>> 9
>> .173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.
>> 1
>> 73.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.17
>> 3
>> .84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.
>> 6 1/32,103.29.173.64/32,103.29.173.65/32}
>>
>> also=conn1
>>
>> conn conn1
>>
>> type = tunnel
>>
>> authby = secret
>>
>> left = 103.29.172.40
>>
>> leftnexthop = %defaultroute
>>
>> right = 119.225.115.131
>>
>> rightnexthop = %defaultroute
>>
>> ike = aes256-sha1-modp1536
>>
>> esp = aes256-sha1
>>
>> keyexchange = ike
>>
>> pfs = no
>>
>> auto = add
>>
>> firewall# cat ipsec.secrets
>>
>> # This file holds shared secrets or RSA private keys for inter-Pluto
>>
>> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>>
>> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
>>
>> firewall# ip addr
>>
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>
>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>
>> inet 127.0.0.1/8 scope host lo
>>
>> inet6 ::1/128 scope host
>>
>> valid_lft forever preferred_lft forever
>>
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>
>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>
>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>
>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>
>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>
>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>
>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>
>> inet 103.29.172.40/24 scope global secondary eth0
>>
>> inet6 fe80::225:90ff:fe35:359e/64 scope link
>>
>> valid_lft forever preferred_lft forever
>>
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>
>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>
>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>
>> inet6 fe80::225:90ff:fe35:359f/64 scope link
>>
>> valid_lft forever preferred_lft forever
>>
>> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
>> UNKNOWN qlen 10
>>
>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>
>> inet 103.29.172.1/32 scope global ipsec0
>>
>> inet 103.29.173.1/32 scope global ipsec0
>>
>> inet 103.29.174.1/32 scope global ipsec0
>>
>> inet 103.29.175.1/32 scope global ipsec0
>>
>> inet 172.16.0.100/32 scope global ipsec0
>>
>> inet 103.29.172.40/32 scope global ipsec0
>>
>> inet6 fe80::225:90ff:fe35:359e/128 scope link
>>
>> valid_lft forever preferred_lft forever
>>
>> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>>
>> link/void
>>
>> firewall# cat daemon.log
>>
>> Dec 6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
>>
>> Dec 6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
>>
>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
>>
>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0
>> 103.29.172.1/24 broadcast mtu 1500
>>
>> Dec 6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
>>
>> Dec 6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>> inconsistency in this connection=2 host=2/nexthop=0
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>> incomplete connection
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>> inconsistency in this connection=2 host=2/nexthop=0
>>
>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>> incomplete connection
>>
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments:
>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283
>> 1
>> 55
>
> --
> Best Regards,
> Elison Niven
>
>
>
--
Best Regards,
Elison Niven
More information about the Users
mailing list