[Openswan Users] Problem with a simple connection.
adstar at genis-x.com
Thu Dec 6 07:07:08 EST 2012
Ha.... damn (it's late for me :(...)
But alas no go....
conn conn
type = tunnel
authby = secret
left = 103.29.172.140
right = 119.225.115.131
rightnexthop = %defaultroute
ike = aes256-sha1-modp1536
esp = aes256-sha1
keyexchange = ike
pfs = no
auto = add
also I notice
address family inconsistency in this connection=2 host=2/nexthop=0
attempt to load incomplete connection
address family inconsistency in this connection=2 host=2/nexthop=0
attempt to load incomplete connection
I'm not sure what's not complete.
Also, an ifconfig -a shows
ipsec0 Link encap:Ethernet HWaddr 00:25:90:35:35:9E
inet addr:103.29.172.1 Mask:255.255.255.255
inet6 addr: fe80::225:90ff:fe35:359e/128 Scope:Link
UP RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Shouldn't that have 103.29.172.40 on it? And if so where do I configure this?
Cheers
Adam
Plutorun started on Thu Dec 6 23:05:05 EDT 2012
adjusting ipsec.d to /etc/ipsec.d
bind() will be filtered for 103.29.172.40
Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:11545
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=11549 (fd:4)
Using KLIPS IPsec interface code on 2.6.35.14-i686
using /dev/urandom as source of random entropy
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
address family inconsistency in this connection=2 host=2/nexthop=0
attempt to load incomplete connection
address family inconsistency in this connection=2 host=2/nexthop=0
attempt to load incomplete connection
listening for IKE messages
adding interface ipsec0/eth0 103.29.172.40:500
adding interface ipsec0/eth0 103.29.172.40:4500
skipping interface eth0:4 with 172.16.0.100
skipping interface eth0:2 with 103.29.175.1
skipping interface eth0:1 with 103.29.174.1
skipping interface eth0:0 with 103.29.173.1
skipping interface eth0 with 103.29.172.1
loading secrets from "/etc/ipsec.secrets"
packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c089ee...]
packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
-----Original Message-----
From: Elison Niven [mailto:elison.niven at elitecore.com]
Sent: Thursday, 6 December 2012 10:41 PM
To: adstar at genis-x.com
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Problem with a simple connection.
There's a typo. It should be left=103.29.172.40.
You have put left = 103.29.173.140
On Thursday 06 December 2012 05:09:11 PM IST, adstar at genis-x.com wrote:
> Hi Elison,
>
> Sorry I totally forgot to cc the list..
> I made the changes to my config but still have the issues with PSK
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> version 2.0 # conforms to second version of ipsec.conf specification
> # basic configuration
> config setup
> dumpdir=/var/run/pluto/
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
> oe=off
> protostack=auto
> plutostderrlog=/var/log/pluto.log
> interfaces="ipsec0=eth0"
>
> conn multi-conn
> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
> also=conn
>
> conn conn
> type = tunnel
> authby = secret
> left = 103.29.173.140
> right = 119.225.115.131
> rightnexthop = %defaultroute
> ike = aes256-sha1-modp1536
> esp = aes256-sha1
> keyexchange = ike
> pfs = no
> auto = add
>
> My Pluto log
> Plutorun started on Thu Dec 6 22:36:06 EDT 2012
> adjusting ipsec.d to /etc/ipsec.d
> Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:9770
> LEAK_DETECTIVE support [disabled]
> OCF support for IKE [disabled]
> SAref support [disabled]: Protocol not available
> SAbind support [disabled]: Protocol not available
> NSS support [disabled]
> HAVE_STATSD notification support not compiled in
> Setting NAT-Traversal port-4500 floating to on
> port floating activation criteria nat_t=1/port_float=1
> NAT-Traversal support [enabled]
> using /dev/urandom as source of random entropy
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> starting up 1 cryptographic helpers
> started helper pid=9773 (fd:4)
> Kernel interface auto-pick
> No Kernel NETKEY interface detected
> Using KLIPS IPsec interface code on 2.6.35.14-i686
> using /dev/urandom as source of random entropy
> Changed path to directory '/etc/ipsec.d/cacerts'
> Changed path to directory '/etc/ipsec.d/aacerts'
> Changed path to directory '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
> Warning: empty directory
> address family inconsistency in this connection=2 host=2/nexthop=0
> attempt to load incomplete connection
> address family inconsistency in this connection=2 host=2/nexthop=0
> attempt to load incomplete connection
> listening for IKE messages
> adding interface ipsec0/eth0 103.29.172.40:500
> adding interface ipsec0/eth0 103.29.172.40:4500
> adding interface ipsec0/eth0:4 172.16.0.100:500
> adding interface ipsec0/eth0:4 172.16.0.100:4500
> adding interface ipsec0/eth0:2 103.29.175.1:500
> adding interface ipsec0/eth0:2 103.29.175.1:4500
> adding interface ipsec0/eth0:1 103.29.174.1:500
> adding interface ipsec0/eth0:1 103.29.174.1:4500
> adding interface ipsec0/eth0:0 103.29.173.1:500
> adding interface ipsec0/eth0:0 103.29.173.1:4500
> adding interface ipsec0/eth0 103.29.172.1:500
> adding interface ipsec0/eth0 103.29.172.1:4500
> loading secrets from "/etc/ipsec.secrets"
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...]
> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>
> Cheers
> Adam
>
>
>
> -----Original Message-----
> From: Elison Niven [mailto:elison.niven at elitecore.com]
> Sent: Thursday, 6 December 2012 10:08 PM
> To: adstar at genis-x.com
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] Problem with a simple connection.
>
>> Ok so my external interface is eth1 internal eth0
> You are receiving the main mode request on eth0.
>
> You are receiving packets on this interface :
>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
> Therefore you should have left=103.29.172.40 in your config. You can omit leftnexthop in the config.
>
> Restart your ipsec service or do ipsec auto --rereadall after doing the changes.
> Kindly do not take the discussion off-list.
>
> On Thursday 06 December 2012 04:26:57 PM IST, adstar at genis-x.com wrote:
>> Hi Elison,
>>
>> Ok so my external interface is eth1 internal eth0
>>
>> I'm not sure what to put as the left/leftnexthop.
>> I have tried
>> conn asic
>> type = tunnel
>> authby = secret
>> left = 202.45.103.162
>> leftnexthop = 202.45.103.161
>> right = 119.225.115.131
>> rightnexthop = %defaultroute
>> ike = aes256-sha1-modp1536
>> esp = aes256-sha1
>> keyexchange = ike
>> pfs = no
>> auto = add
>>
>> but still get the error
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...]
>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>
>> Also do you mean all IPV6 on all interfaces?
>>
>> Thanks for your help
>> Cheers
>> Adam
>>
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>> inet 103.29.172.40/24 scope global secondary eth0
>> inet6 fe80::225:90ff:fe35:359e/64 scope link
>> valid_lft forever preferred_lft forever
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>> inet6 fe80::225:90ff:fe35:359f/64 scope link
>> valid_lft forever preferred_lft forever
>>
>>
>> I would like my external clients to connect to the IP 172.29.172.40
>>
>> firewall# ip route
>> 202.45.103.160/30 dev eth1 proto kernel scope link src 202.45.103.162
>> 172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.100
>> 103.29.174.0/24 dev eth0 proto kernel scope link src 103.29.174.1
>> 103.29.175.0/24 dev eth0 proto kernel scope link src 103.29.175.1
>> 103.29.172.0/24 dev eth0 proto kernel scope link src 103.29.172.1
>> 103.29.173.0/24 dev eth0 proto kernel scope link src 103.29.173.1
>> default via 202.45.103.161 dev eth1
>>
>>
>>
>>
>> -----Original Message-----
>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>> Sent: Thursday, 6 December 2012 9:27 PM
>> To: adstar at genis-x.com
>> Cc: users at lists.openswan.org
>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>
>> The address type of your host address (left) does not match with the address type of your nexthop (leftnexthop).
>> You can try removing leftnexthop=%defaultroute and put in the actual
>> IPv4 gateway, and do the same for rightnexthop.
>> You can also try disabling IPv6.
>>
>> On Thursday 06 December 2012 08:48:45 AM IST, adstar at genis-x.com wrote:
>>> Hi all,
>>>
>>> I’m having an issue setting up a tunnel that I need some help with.
>>>
>>> I have included the relevant files below
>>>
>>>
>>> My first issue is when I start ipsec I get the following error:
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>> My second issue is the right side can’t connect.
>>>
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>>
>>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>>
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...]
>>>
>>> packet from 119.225.115.131:500: initial Main Mode message received on 103.29.172.40:500 but no connection has been authorized with policy=PSK
>>>
>>> Can anyone help me on where to go from here?
>>>
>>> Cheers
>>> Adam
>>>
>>> firewall# ipsec --version
>>>
>>> Linux Openswan 2.6.37 (klips)
>>>
>>>
>>> firewall# cat ipsec.conf
>>>
>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>>
>>> version 2.0 # conforms to second version of ipsec.conf specification
>>>
>>> # basic configuration
>>>
>>> config setup
>>>
>>> #plutodebug = "all"
>>>
>>> #klipsdebug = "all"
>>>
>>> plutoopts="--perpeerlog"
>>>
>>> dumpdir=/var/run/pluto/
>>>
>>> nat_traversal=yes
>>>
>>>
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>>
>>> oe=off
>>>
>>> protostack=klips
>>>
>>> plutostderrlog=/var/log/pluto.log
>>>
>>> interfaces="ipsec0=eth0"
>>>
>>> listen=103.29.172.40
>>>
>>> # Add connections here
>>>
>>> conn multi-conn1
>>>
>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32}
>>>
>>> leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.61/32,103.29.173.64/32,103.29.173.65/32}
>>>
>>> also=conn1
>>>
>>> conn conn1
>>>
>>> type = tunnel
>>>
>>> authby = secret
>>>
>>> left = 103.29.172.40
>>>
>>> leftnexthop = %defaultroute
>>>
>>> right = 119.225.115.131
>>>
>>> rightnexthop = %defaultroute
>>>
>>> ike = aes256-sha1-modp1536
>>>
>>> esp = aes256-sha1
>>>
>>> keyexchange = ike
>>>
>>> pfs = no
>>>
>>> auto = add
>>>
>>> firewall# cat ipsec.secrets
>>>
>>> # This file holds shared secrets or RSA private keys for inter-Pluto
>>>
>>> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>>>
>>> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
>>>
>>> firewall# ip addr
>>>
>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>>
>>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>
>>> inet 127.0.0.1/8 scope host lo
>>>
>>> inet6 ::1/128 scope host
>>>
>>> valid_lft forever preferred_lft forever
>>>
>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>>
>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>
>>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>>
>>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>>
>>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>>
>>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>>
>>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>>
>>> inet 103.29.172.40/24 scope global secondary eth0
>>>
>>> inet6 fe80::225:90ff:fe35:359e/64 scope link
>>>
>>> valid_lft forever preferred_lft forever
>>>
>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>>
>>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>>
>>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>>
>>> inet6 fe80::225:90ff:fe35:359f/64 scope link
>>>
>>> valid_lft forever preferred_lft forever
>>>
>>> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 10
>>>
>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>
>>> inet 103.29.172.1/32 scope global ipsec0
>>>
>>> inet 103.29.173.1/32 scope global ipsec0
>>>
>>> inet 103.29.174.1/32 scope global ipsec0
>>>
>>> inet 103.29.175.1/32 scope global ipsec0
>>>
>>> inet 172.16.0.100/32 scope global ipsec0
>>>
>>> inet 103.29.172.40/32 scope global ipsec0
>>>
>>> inet6 fe80::225:90ff:fe35:359e/128 scope link
>>>
>>> valid_lft forever preferred_lft forever
>>>
>>> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>>>
>>> link/void
>>>
>>> firewall# cat daemon.log
>>>
>>> Dec 6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
>>>
>>> Dec 6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
>>>
>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
>>>
>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0 103.29.172.1/24 broadcast mtu 1500
>>>
>>> Dec 6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
>>>
>>> Dec 6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>> inconsistency in this connection=2 host=2/nexthop=0
>>>
>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>> incomplete connection
>>>
>>>
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>
>> --
>> Best Regards,
>> Elison Niven
>>
>>
>>
>
> --
> Best Regards,
> Elison Niven
>
>
>
--
Best Regards,
Elison Niven
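The three things Elison keeps pointing Adam at in the thread above (left= must be the local address the IKE packets actually arrive on, a side's host address and nexthop must share an address family, and the PSK line in ipsec.secrets is indexed by the same left/right pair) can be checked offline before restarting pluto. The script below is an added example and is not Openswan's code; the function names (parse_conf, family, resolve_nexthop, psk_entry_covers, diagnose) are my own, the sample config, address list, route table and secrets line are reconstructed from what Adam posted, and the way %defaultroute is resolved (gateway of the default route in the host's address family; none found means "unspecified", which is what nexthop=0 in the log denotes) is an assumption about pluto's behaviour, not a description of it. The secrets matching is likewise simplified to literal addresses; pluto also matches by ID and %any.

```python
"""Offline sanity checks for an Openswan-style ipsec.conf conn section.

Added example, not Openswan's own code. It approximates the two failures
seen in the thread: "address family inconsistency ... host=2/nexthop=0"
(host and nexthop of one side must share an address family) and "no
connection has been authorized with policy=PSK" (the IKE packet arrived on
a local address that no conn names as left=). All sample data below is
constructed from the thread's posted config and `ip addr` / `ip route`.
"""
import ipaddress

# Constructed: Adam's last posted conn (left has the typo 103.29.172.140;
# the host's real address is 103.29.172.40).
SAMPLE_CONF = """\
conn conn
    type = tunnel
    authby = secret
    left = 103.29.172.140
    right = 119.225.115.131
    rightnexthop = %defaultroute
    ike = aes256-sha1-modp1536
    esp = aes256-sha1
    keyexchange = ike
    pfs = no
    auto = add
"""
# Constructed from the `ip addr` and `ip route` output in the thread.
SAMPLE_LOCAL = ["103.29.172.1", "103.29.173.1", "103.29.174.1", "103.29.175.1",
                "172.16.0.100", "103.29.172.40", "202.45.103.162"]
SAMPLE_ROUTES = [("202.45.103.160/30", "eth1", None), ("103.29.172.0/24", "eth0", None),
                 ("default", "eth1", "202.45.103.161")]
# Constructed: the ipsec.secrets index line from the thread (PSK redacted there too).
SAMPLE_SECRETS = '103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"\n'


def parse_conf(text):
    """Return {section: {key: value}}; lenient about spaces around '='
    (Openswan's own parser is stricter than this)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                  # 'conn NAME' / 'config setup'
            current = sections.setdefault(line.split()[-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def family(value):
    """4, 6, or 0 (unspecified) for non-literal values such as %defaultroute."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return 0


def resolve_nexthop(value, host, routes):
    """%defaultroute -> gateway of the default route in the host's family,
    otherwise the literal value. Assumption: no matching default route
    leaves the nexthop family unspecified, mirroring nexthop=0 in the log."""
    if value != "%defaultroute":
        return value
    for dst, _dev, gw in routes:
        if dst == "default" and gw and family(gw) == family(host):
            return gw
    return ""


def psk_entry_covers(secrets_text, left, right):
    """True if some 'A B ...: PSK' index line lists both left and right
    (literal addresses only; %any and ID-based matching are not modelled)."""
    for line in secrets_text.splitlines():
        if ": PSK" in line:
            selectors = line.split(":", 1)[0].split()
            if left in selectors and right in selectors:
                return True
    return False


def diagnose(conf_text, local_addrs, routes, secrets_text, conn_name):
    """Return a list of problem strings; an empty list means the conn looks sane."""
    conn = parse_conf(conf_text)[conn_name]
    left, right = conn.get("left", ""), conn.get("right", "")
    problems = []
    if left not in local_addrs:
        problems.append("left=%s is not an address of this host; IKE packets "
                        "arriving on another local address match no conn" % left)
    if family(left) and family(right) and family(left) != family(right):
        problems.append("left and right are of different address families")
    for side, host in (("left", left), ("right", right)):
        if side + "nexthop" not in conn:
            continue
        nh = resolve_nexthop(conn[side + "nexthop"], host, routes)
        if family(host) != family(nh):
            problems.append("address family inconsistency on %s: host=%d/nexthop=%d"
                            % (side, family(host), family(nh)))
    if conn.get("authby") == "secret" and not psk_entry_covers(secrets_text, left, right):
        problems.append("no PSK line in ipsec.secrets indexed by %s %s" % (left, right))
    return problems


if __name__ == "__main__":
    for p in diagnose(SAMPLE_CONF, SAMPLE_LOCAL, SAMPLE_ROUTES, SAMPLE_SECRETS, "conn"):
        print("problem:", p)
```

Run against the thread's data it reports two problems, both caused by the same typo: left=103.29.172.140 is not a local address, and the secrets line is indexed by 103.29.172.40, so even a matching conn would find no PSK. Correcting left to 103.29.172.40 clears both; adding a literal IPv6 leftnexthop to an IPv4 left reproduces the family complaint from Elison's first reply.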