[Openswan Users] Problem with a simple connection.

Elison Niven elison.niven at elitecore.com
Thu Dec 6 06:40:30 EST 2012


There's a typo. It should be left=103.29.172.40.
You have put left = 103.29.173.140

On Thursday 06 December 2012 05:09:11 PM IST, adstar at genis-x.com wrote:
> Hi Elison,
>
> Sorry I totally forgot to cc the list..
> I made the changes to my config but still have the issues with PSK
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> version 2.0     # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
>          dumpdir=/var/run/pluto/
>          nat_traversal=yes
>          virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>          oe=off
>          protostack=auto
>          plutostderrlog=/var/log/pluto.log
>          interfaces="ipsec0=eth0"
>
> conn multi-conn
>          rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}        leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
>          also=conn
>
> conn conn
>          type = tunnel
>          authby = secret
>          left = 103.29.173.140
>          right = 119.225.115.131
>          rightnexthop = %defaultroute
>          ike = aes256-sha1-modp1536
>          esp = aes256-sha1
>          keyexchange = ike
>          pfs = no
>          auto = add
>
> My Pluto log
> Plutorun started on Thu Dec 6 22:36:06 EDT 2012
> adjusting ipsec.d to /etc/ipsec.d
> Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:9770
> LEAK_DETECTIVE support [disabled]
> OCF support for IKE [disabled]
> SAref support [disabled]: Protocol not available
> SAbind support [disabled]: Protocol not available
> NSS support [disabled]
> HAVE_STATSD notification support not compiled in
> Setting NAT-Traversal port-4500 floating to on
>     port floating activation criteria nat_t=1/port_float=1
>     NAT-Traversal support  [enabled]
> using /dev/urandom as source of random entropy
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> starting up 1 cryptographic helpers
> started helper pid=9773 (fd:4)
> Kernel interface auto-pick
> No Kernel NETKEY interface detected
> Using KLIPS IPsec interface code on 2.6.35.14-i686
> using /dev/urandom as source of random entropy
> Changed path to directory '/etc/ipsec.d/cacerts'
> Changed path to directory '/etc/ipsec.d/aacerts'
> Changed path to directory '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
>    Warning: empty directory
> address family inconsistency in this connection=2 host=2/nexthop=0
> attempt to load incomplete connection
> address family inconsistency in this connection=2 host=2/nexthop=0
> attempt to load incomplete connection
> listening for IKE messages
> adding interface ipsec0/eth0 103.29.172.40:500
> adding interface ipsec0/eth0 103.29.172.40:4500
> adding interface ipsec0/eth0:4 172.16.0.100:500
> adding interface ipsec0/eth0:4 172.16.0.100:4500
> adding interface ipsec0/eth0:2 103.29.175.1:500
> adding interface ipsec0/eth0:2 103.29.175.1:4500
> adding interface ipsec0/eth0:1 103.29.174.1:500
> adding interface ipsec0/eth0:1 103.29.174.1:4500
> adding interface ipsec0/eth0:0 103.29.173.1:500
> adding interface ipsec0/eth0:0 103.29.173.1:4500
> adding interface ipsec0/eth0 103.29.172.1:500
> adding interface ipsec0/eth0 103.29.172.1:4500
> loading secrets from "/etc/ipsec.secrets"
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>
> Cheers
> Adam
>
>
>
> -----Original Message-----
> From: Elison Niven [mailto:elison.niven at elitecore.com]
> Sent: Thursday, 6 December 2012 10:08 PM
> To: adstar at genis-x.com
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Problem with a simple connection.
>
>> Ok so my external interface is  eth1 internal eth0
> You are receiving the main mode request on eth0.
>
> You are receiving packets on this interface :
>> packet from 119.225.115.131:500: initial Main Mode message received on
>> 103.29.172.40:500 but no connection has been authorized with
>> policy=PSK
> Therefore you should have left=103.29.172.40 in your config. You can omit leftnexthop in the config.
>
> Restart your ipsec service or do ipsec auto --rereadall after doing the changes.
> Kindly do not take the discussion off-list.
>
> On Thursday 06 December 2012 04:26:57 PM IST, adstar at genis-x.com wrote:
>> Hi Elison,
>>
>> Ok so my external interface is  eth1 internal eth0
>>
>> I'm not sure what to put as the left/leftnexthop.
>> I have tried
>> conn asic
>>           type = tunnel
>>           authby = secret
>>           left = 202.45.103.162
>>           leftnexthop = 202.45.103.161
>>           right = 119.225.115.131
>>           rightnexthop = %defaultroute
>>           ike = aes256-sha1-modp1536
>>           esp = aes256-sha1
>>           keyexchange = ike
>>           pfs = no
>>           auto = add
>>
>> but still get the error
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>> packet from 119.225.115.131:500: initial Main Mode message received on
>> 103.29.172.40:500 but no connection has been authorized with
>> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor ID
>> payload
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>> packet from 119.225.115.131:500: initial Main Mode message received on
>> 103.29.172.40:500 but no connection has been authorized with
>> policy=PSK
>>
>> Also do you mean all IPV6 on all interfaces?
>>
>> Thanks for you help
>> Cheers
>> Adam
>>
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>       link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>       inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>       inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>       inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>       inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>       inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>       inet 103.29.172.40/24 scope global secondary eth0
>>       inet6 fe80::225:90ff:fe35:359e/64 scope link
>>          valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>       link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>       inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>       inet6 fe80::225:90ff:fe35:359f/64 scope link
>>          valid_lft forever preferred_lft forever
>>
>>
>> I would like my external clients to connect to the IP 172.29.172.40
>>
>> firewall# ip route
>> 202.45.103.160/30 dev eth1  proto kernel  scope link  src
>> 202.45.103.162
>> 172.16.0.0/24 dev eth0  proto kernel  scope link  src 172.16.0.100
>> 103.29.174.0/24 dev eth0  proto kernel  scope link  src 103.29.174.1
>> 103.29.175.0/24 dev eth0  proto kernel  scope link  src 103.29.175.1
>> 103.29.172.0/24 dev eth0  proto kernel  scope link  src 103.29.172.1
>> 103.29.173.0/24 dev eth0  proto kernel  scope link  src 103.29.173.1
>> default via 202.45.103.161 dev eth1
>>
>>
>>
>>
>> -----Original Message-----
>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>> Sent: Thursday, 6 December 2012 9:27 PM
>> To: adstar at genis-x.com
>> Cc: users at lists.openswan.org
>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>
>> The address type of your host address (left) does not match with the address type of your nexthop (leftnexthop).
>> You can try removing leftnexthop=%defaultroute and put in the actual
>> IPv4 gateway, and do the same for rightnexthop.
>> You can also try disabling IPv6.
>>
>> On Thursday 06 December 2012 08:48:45 AM IST, adstar at genis-x.com wrote:
>>> Hi all,
>>>
>>> I’m having an issue setting up a tunnel that I need some help with.
>>>
>>> I have included the relevant files below
>>>
>>>
>>> My first issue is when I start ipsec I get the following error:
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>> My second issue is the right side can’t connect.
>>>
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>>
>>> packet from 119.225.115.131:500: initial Main Mode message received
>>> on
>>> 103.29.172.40:500 but no connection has been authorized with
>>> policy=PSK
>>>
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>>
>>> packet from 119.225.115.131:500: initial Main Mode message received
>>> on
>>> 103.29.172.40:500 but no connection has been authorized with
>>> policy=PSK
>>>
>>> Can anyone help me on where to go from here?
>>>
>>> Cheers
>>> Adam
>>>
>>> firewall# ipsec --version
>>>
>>> Linux Openswan 2.6.37 (klips)
>>>
>>>
>>> firewall# cat ipsec.conf
>>>
>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>>
>>> version 2.0     # conforms to second version of ipsec.conf specification
>>>
>>> # basic configuration
>>>
>>> config setup
>>>
>>>           #plutodebug = "all"
>>>
>>>           #klipsdebug = "all"
>>>
>>>           plutoopts="--perpeerlog"
>>>
>>>           dumpdir=/var/run/pluto/
>>>
>>>           nat_traversal=yes
>>>
>>>
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%
>>> v
>>> 4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>>
>>>           oe=off
>>>
>>>           protostack=klips
>>>
>>>           plutostderrlog=/var/log/pluto.log
>>>
>>>           interfaces="ipsec0=eth0"
>>>
>>>           listen=103.29.172.40
>>>
>>> # Add connections here
>>>
>>> conn multi-conn1
>>>
>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,14
>>> 4
>>> .55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.
>>> 124.206/32}
>>>
>>> leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.2
>>> 9
>>> .173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.
>>> 1
>>> 73.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.17
>>> 3
>>> .84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.
>>> 6 1/32,103.29.173.64/32,103.29.173.65/32}
>>>
>>> also=conn1
>>>
>>> conn conn1
>>>
>>>           type = tunnel
>>>
>>>           authby = secret
>>>
>>>           left = 103.29.172.40
>>>
>>>           leftnexthop = %defaultroute
>>>
>>>           right = 119.225.115.131
>>>
>>>           rightnexthop = %defaultroute
>>>
>>>           ike = aes256-sha1-modp1536
>>>
>>>           esp = aes256-sha1
>>>
>>>           keyexchange = ike
>>>
>>>           pfs = no
>>>
>>>           auto = add
>>>
>>> firewall# cat ipsec.secrets
>>>
>>> # This file holds shared secrets or RSA private keys for inter-Pluto
>>>
>>> # authentication.  See ipsec_pluto(8) manpage, and HTML documentation.
>>>
>>> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
>>>
>>> firewall# ip addr
>>>
>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>>
>>>       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>
>>>       inet 127.0.0.1/8 scope host lo
>>>
>>>       inet6 ::1/128 scope host
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>>> state UP qlen 1000
>>>
>>>       link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>
>>>       inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>>
>>>       inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>>
>>>       inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>>
>>>       inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>>
>>>       inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>>
>>>       inet 103.29.172.40/24 scope global secondary eth0
>>>
>>>       inet6 fe80::225:90ff:fe35:359e/64 scope link
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>>> state UP qlen 1000
>>>
>>>       link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>>
>>>       inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>>
>>>       inet6 fe80::225:90ff:fe35:359f/64 scope link
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
>>> UNKNOWN qlen 10
>>>
>>>       link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>
>>>       inet 103.29.172.1/32 scope global ipsec0
>>>
>>>       inet 103.29.173.1/32 scope global ipsec0
>>>
>>>       inet 103.29.174.1/32 scope global ipsec0
>>>
>>>       inet 103.29.175.1/32 scope global ipsec0
>>>
>>>       inet 172.16.0.100/32 scope global ipsec0
>>>
>>>       inet 103.29.172.40/32 scope global ipsec0
>>>
>>>       inet6 fe80::225:90ff:fe35:359e/128 scope link
>>>
>>>          valid_lft forever preferred_lft forever
>>>
>>> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>>>
>>>       link/void
>>>
>>> firewall# cat daemon.log
>>>
>>> Dec  6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
>>>
>>> Dec  6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0
>>> 103.29.172.1/24 broadcast  mtu 1500
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
>>>
>>> Dec  6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec  6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>>
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments:
>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283
>>> 1
>>> 55
>>
>> --
>> Best Regards,
>> Elison Niven
>>
>>
>>
>
> --
> Best Regards,
> Elison Niven
>
>
>

--
Best Regards,
Elison Niven


More information about the Users mailing list