[Openswan Users] Problem with a simple connection.
adstar at genis-x.com
adstar at genis-x.com
Tue Dec 11 19:49:29 EST 2012
Hi Paul and list,
Ok thanks you for your help, things have moved a little bit better.
Removing the rightnexthop allows the vpn to come up now.
I'm now have an established VPN but I'm not seeing any traffic come out of my end of the link.
The other end shows traffic being sent over but I get nothing out my end.
I'm not showing any packets dropped on the firewall, but there just doesn't seem to be anything coming out my end of the VPN.
How do I go about debugging this?
I still get this error on startup
firewall# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
but at least I get
151: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 10
link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
inet 103.29.172.1/32 scope global ipsec0
inet 172.16.0.100/32 scope global ipsec0
inet 103.29.172.40/32 scope global ipsec0
The ip I want to listen on listed under ipsec0 now.
Also it is now dropping in the default route when the VPN comes up.
firewall# ip route
144.55.124.122 dev ipsec0 scope link
202.45.103.160/30 dev eth1 proto kernel scope link src 202.45.103.162
172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.100
103.29.172.0/24 dev eth0 proto kernel scope link src 103.29.172.40
103.29.172.0/22 dev eth0 proto kernel scope link src 103.29.172.1
default via 202.45.103.161 dev eth1
My Current config
# bconn configuration
config setup
#plutodebug = "all"
#klipsdebug = "all"
#plutoopts="--perpeerlog"
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=auto
plutostderrlog=/var/log/pluto.log
interfaces="ipsec0=eth0"
#listen=103.29.172.40
conn multi-conn
rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
also=conn
conn conn
type = tunnel
authby = secret
left = 103.29.172.40
leftnexthop = 202.45.103.161
right = 119.225.115.131
ike = aes256-sha1-modp1536
esp = aes256-sha1
keyexchange = ike
pfs = no
auto = add
firewall# ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/eth0 103.29.172.1
000 interface ipsec0/eth0 103.29.172.1
000 interface ipsec0/eth0:2 172.16.0.100
000 interface ipsec0/eth0:2 172.16.0.100
000 interface ipsec0/eth0:1 103.29.172.40
000 interface ipsec0/eth0:1 103.29.172.40
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "conn": 103.29.172.40<103.29.172.40>[+S=C]---202.45.103.161...119.225.115.131<119.225.115.131>[+S=C]; unrouted; eroute owner: #0
000 "conn": myip=unset; hisip=unset;
000 "conn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conn": policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0:1;
000 "conn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1536(5); flags=-strict
000 "conn": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
000 "conn": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
000 "conn": ESP algorithms loaded: AES(12)_256-SHA1(2)_160<snip>
000 #2: "multi-conn/1x1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28373s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "multi-conn/1x1" esp.a4a1a941 at 119.225.115.131 esp.8ecfa2a9 at 103.29.172.40 tun.1001 at 119.225.115.131 tun.1002 at 103.29.172.40 ref=3 refhim=1
000 #1: "multi-conn/1x1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3173s; newest ISAKMP; nodpd; idle; import:not set
-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca]
Sent: Saturday, 8 December 2012 9:10 AM
To: adstar at genis-x.com
Subject: RE: [Openswan Users] Problem with a simple connection.
On Sat, 8 Dec 2012, adstar at genis-x.com wrote:
Try removing the rightnexthop setting?
> I tried the alias side of things but I get errors on startup
Is there a reason you are using KLIPS and not NETKEY?
> ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
That should be linked the eth0:1, so there might be a bug in openswan.
>
> ipsec_setup: Error: either "local" is duplicate, or "eth0" is a garbage.
This might be the rightnexthop, try removing it
> conn conn
> type = tunnel
> authby = secret
> left = 103.29.172.40
> leftnexthop = 103.29.172.1
> right = 119.225.115.131
> rightnexthop = %defaultroute
> ike = aes256-sha1-modp1536
> esp = aes256-sha1
> keyexchange = ike
> pfs = no
> auto = add
>
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at nohats.ca]
> Sent: Saturday, 8 December 2012 2:25 AM
> To: adstar at genis-x.com
> Subject: Re: [Openswan Users] Problem with a simple connection.
>
> On Fri, 7 Dec 2012, adstar at genis-x.com wrote:
>
>> If I switch to protostack=mast the vpn comes up, but I don't know enough about mast, does it place a route like klips? If so I'm not seeing a route when the connection comes up.
>
> If using mast, then you must configure mast using ifconfig to match your public ip with a /32 mask on it. But don't use mast unless you are using L2TP/IPsec.
>
>> With this config that works if I switch back to klips I get the
>> packet from 119.225.115.131:500: initial Main Mode message received
>> on
>> 103.29.172.40:500 but no connection has been authorized with
>> policy=PSK
>
> Looks like your connection just did not load or is misconfigured. run "ipsec auto --add connname" to see an error in loading?
>
> You also need to add interfaces for each "alias" device when using KLIPS, so interfaces="ipsec0=eth0, ipsec1=eth0:1" etc etc.
>
> Paul
>
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08988...]
>>
>> error?
>>
>> Any advise guys?
>>
>> Plutorun started on Fri Dec 7 08:17:03 EDT 2012 adjusting ipsec.d to
>> /etc/ipsec.d
>> bind() will be filtered for 103.29.172.40 Starting Pluto (Openswan
>> Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:24066
>> LEAK_DETECTIVE support [disabled] OCF support for IKE [disabled]
>> SAref support [disabled]: Protocol not available SAbind support [disabled]:
>> Protocol not available NSS support [disabled] HAVE_STATSD
>> notification support not compiled in Setting NAT-Traversal port-4500 floating to on
>> port floating activation criteria nat_t=1/port_float=1
>> NAT-Traversal support [enabled]
>> using /dev/urandom as source of random entropy
>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
>> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
>> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
>> starting up 1 cryptographic helpers started helper pid=24070 (fd:4)
>> Using KLIPSng (mast) IPsec interface code on 2.6.35.14-i686 using
>> /dev/urandom as source of random entropy Changed path to directory
>> '/etc/ipsec.d/cacerts'
>> Changed path to directory '/etc/ipsec.d/aacerts'
>> Changed path to directory '/etc/ipsec.d/ocspcerts'
>> Changing to directory '/etc/ipsec.d/crls'
>> Warning: empty directory
>> listening for IKE messages
>> | useful mast device -1
>> skipping interface eth1 with 202.45.103.162
>> ERROR: PF_KEY K_SADB_X_PLUMBIF response for configure_mast_device
>> included errno 17: File exists adding interface mast0/eth0
>> 103.29.172.40:500 (fd=10) adding interface mast0/eth0
>> 103.29.172.40:4500 (fd=11) skipping interface eth0:4 with
>> 172.16.0.100 skipping interface eth0:2 with 103.29.175.1 skipping
>> interface eth0:1 with 103.29.174.1 skipping interface eth0:0 with
>> 103.29.173.1 skipping interface eth0 with 103.29.172.1
>> | useful mast device 0
>> | useful mast device 0
>> loading secrets from "/etc/ipsec.secrets"
>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c10b74...]
>> "multi-conn/1x1" #1: responding to Main Mode "multi-conn/1x1" #1:
>> transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> "multi-conn/1x1" #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> "multi-conn/1x1" #1: transition from state STATE_MAIN_R1 to state
>> STATE_MAIN_R2 "multi-conn/1x1" #1: STATE_MAIN_R2: sent MR2, expecting
>> MI3 "multi-conn/1x1" #1: Main mode peer ID is ID_IPV4_ADDR: '119.225.115.131'
>> "multi-conn/1x1" #1: transition from state STATE_MAIN_R2 to state
>> STATE_MAIN_R3 "multi-conn/1x1" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA
>> established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
>> group=modp1536} "multi-conn/1x1" #1: the peer proposed: 103.29.173.70/32:0/0 -> 144.55.124.122/32:0/0 "multi-conn/1x1" #2: responding to Quick Mode proposal {msgid:ed10f5ab}
>> "multi-conn/1x1" #2: us: 103.29.173.70/32===103.29.172.40<103.29.172.40>[+S=C]---202.45.103.161
>> "multi-conn/1x1" #2: them: 202.45.103.161---119.225.115.131<119.225.115.131>[+S=C]===144.55.124.122/32
>> | mast_raw_eroute called op=4 said=tun.1002 at 103.29.172.40
>> "multi-conn/1x1" #2: transition from state STATE_QUICK_R0 to state
>> STATE_QUICK_R1 "multi-conn/1x1" #2: STATE_QUICK_R1: sent QR1, inbound
>> IPsec SA installed, expecting QI2
>> | mast_sag_eroute called op=1/add
>> | mast_raw_eroute called op=1 said=tun.1001 at 119.225.115.131
>> "multi-conn/1x1" #2: transition from state STATE_QUICK_R1 to state
>> STATE_QUICK_R2 "multi-conn/1x1" #2: STATE_QUICK_R2: IPsec SA
>> established tunnel mode {ESP=>0x2a7072ec <0x1f27e374
>> xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none} "multi-conn/1x1"
>> #2: discarding duplicate packet; already STATE_QUICK_R2
>> "multi-conn/1x1" #2: discarding duplicate packet; already
>> STATE_QUICK_R2
>>
>>
>> # bconn configuration
>> config setup
>> # plutodebug = "all"
>> # klipsdebug = "all"
>> #plutoopts="--perpeerlog"
>> dumpdir=/var/run/pluto/
>> nat_traversal=yes
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>> oe=off
>> protostack=mast
>> plutostderrlog=/var/log/pluto.log
>> # interfaces="ipsec0=eth0"
>> listen=103.29.172.40
>>
>> conn multi-conn
>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
>> also=conn
>>
>> conn conn
>> type = tunnel
>> authby = secret
>> left = 103.29.172.40
>> leftnexthop = %defaultroute
>> right = 119.225.115.131
>> rightnexthop = %defaultroute
>> ike = aes256-sha1-modp1536
>> esp = aes256-sha1
>> keyexchange = ike
>> pfs = no
>> auto = add
>>
>> -----Original Message-----
>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>> Sent: Thursday, 6 December 2012 10:41 PM
>> To: adstar at genis-x.com
>> Cc: users at lists.openswan.org
>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>
>> There's a typo. It should be left=103.29.172.40.
>> You have put left = 103.29.173.140
>>
>> On Thursday 06 December 2012 05:09:11 PM IST, adstar at genis-x.com wrote:
>>> Hi Elison,
>>>
>>> Sorry I totally forgot to cc the list..
>>> I made the changes to my config but still have the issues with PSK
>>>
>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>> version 2.0 # conforms to second version of ipsec.conf specification
>>> # bconn configuration
>>> config setup
>>> dumpdir=/var/run/pluto/
>>> nat_traversal=yes
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>> oe=off
>>> protostack=auto
>>> plutostderrlog=/var/log/pluto.log
>>> interfaces="ipsec0=eth0"
>>>
>>> conn multi-conn
>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32,144.55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.124.206/32} leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.29.173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.173.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.173.84/32,103.29.173.8
>>> also=conn
>>>
>>> conn conn
>>> type = tunnel
>>> authby = secret
>>> left = 103.29.173.140
>>> right = 119.225.115.131
>>> rightnexthop = %defaultroute
>>> ike = aes256-sha1-modp1536
>>> esp = aes256-sha1
>>> keyexchange = ike
>>> pfs = no
>>> auto = add
>>>
>>> My Pluto log
>>> Plutorun started on Thu Dec 6 22:36:06 EDT 2012 adjusting ipsec.d to
>>> /etc/ipsec.d Starting Pluto (Openswan Version 2.6.37; Vendor ID
>>> OEu\134d\134jy\134\134ap) pid:9770 LEAK_DETECTIVE support [disabled]
>>> OCF support for IKE [disabled] SAref support [disabled]: Protocol
>>> not available SAbind support [disabled]: Protocol not available NSS
>>> support [disabled] HAVE_STATSD notification support not compiled in
>>> Setting NAT-Traversal port-4500 floating to on
>>> port floating activation criteria nat_t=1/port_float=1
>>> NAT-Traversal support [enabled] using /dev/urandom as source of
>>> random entropy
>>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
>>> (ret=0)
>>> ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
>>> ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
>>> ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>>> ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
>>> ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
>>> ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
>>> starting up 1 cryptographic helpers started helper pid=9773 (fd:4)
>>> Kernel interface auto-pick No Kernel NETKEY interface detected Using
>>> KLIPS IPsec interface code on 2.6.35.14-i686 using /dev/urandom as
>>> source of random entropy Changed path to directory
>>> '/etc/ipsec.d/cacerts'
>>> Changed path to directory '/etc/ipsec.d/aacerts'
>>> Changed path to directory '/etc/ipsec.d/ocspcerts'
>>> Changing to directory '/etc/ipsec.d/crls'
>>> Warning: empty directory
>>> address family inconsistency in this connection=2 host=2/nexthop=0
>>> attempt to load incomplete connection address family inconsistency
>>> in this connection=2 host=2/nexthop=0 attempt to load incomplete
>>> connection listening for IKE messages adding interface ipsec0/eth0
>>> 103.29.172.40:500 adding interface ipsec0/eth0 103.29.172.40:4500
>>> adding interface ipsec0/eth0:4 172.16.0.100:500 adding interface
>>> ipsec0/eth0:4 172.16.0.100:4500 adding interface ipsec0/eth0:2
>>> 103.29.175.1:500 adding interface ipsec0/eth0:2 103.29.175.1:4500
>>> adding interface ipsec0/eth0:1 103.29.174.1:500 adding interface
>>> ipsec0/eth0:1 103.29.174.1:4500 adding interface ipsec0/eth0:0
>>> 103.29.173.1:500 adding interface ipsec0/eth0:0 103.29.173.1:4500
>>> adding interface ipsec0/eth0 103.29.172.1:500 adding interface
>>> ipsec0/eth0 103.29.172.1:4500 loading secrets from
>>> "/etc/ipsec.secrets"
>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...
>>> ] packet from 119.225.115.131:500: initial Main Mode message
>>> received on
>>> 103.29.172.40:500 but no connection has been authorized with
>>> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor
>>> ID payload
>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c08322...
>>> ] packet from 119.225.115.131:500: initial Main Mode message
>>> received on
>>> 103.29.172.40:500 but no connection has been authorized with
>>> policy=PSK
>>>
>>> Cheers
>>> Adam
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>>> Sent: Thursday, 6 December 2012 10:08 PM
>>> To: adstar at genis-x.com
>>> Cc: users at lists.openswan.org
>>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>>
>>>> Ok so my external interface is eth1 internal eth0
>>> You are receiving the main mode request on eth0.
>>>
>>> You are receiving packets on this interface :
>>>> packet from 119.225.115.131:500: initial Main Mode message received
>>>> on
>>>> 103.29.172.40:500 but no connection has been authorized with
>>>> policy=PSK
>>> Therefore you should have left=103.29.172.40 in your config. You can omit leftnexthop in the config.
>>>
>>> Restart your ipsec service or do ipsec auto --rereadall after doing the changes.
>>> Kindly do not take the discussion off-list.
>>>
>>> On Thursday 06 December 2012 04:26:57 PM IST, adstar at genis-x.com wrote:
>>>> Hi Elison,
>>>>
>>>> Ok so my external interface is eth1 internal eth0
>>>>
>>>> I'm not sure what to put as the left/leftnexthop.
>>>> I have tried
>>>> conn conn
>>>> type = tunnel
>>>> authby = secret
>>>> left = 202.45.103.162
>>>> leftnexthop = 202.45.103.161
>>>> right = 119.225.115.131
>>>> rightnexthop = %defaultroute
>>>> ike = aes256-sha1-modp1536
>>>> esp = aes256-sha1
>>>> keyexchange = ike
>>>> pfs = no
>>>> auto = add
>>>>
>>>> but still get the error
>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID payload
>>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...
>>>> ] packet from 119.225.115.131:500: initial Main Mode message
>>>> received on
>>>> 103.29.172.40:500 but no connection has been authorized with
>>>> policy=PSK packet from 119.225.115.131:500: ignoring unknown Vendor
>>>> ID payload
>>>> [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c0798a...
>>>> ] packet from 119.225.115.131:500: initial Main Mode message
>>>> received on
>>>> 103.29.172.40:500 but no connection has been authorized with
>>>> policy=PSK
>>>>
>>>> Also do you mean all IPV6 on all interfaces?
>>>>
>>>> Thanks for you help
>>>> Cheers
>>>> Adam
>>>>
>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>>> inet 103.29.172.40/24 scope global secondary eth0
>>>> inet6 fe80::225:90ff:fe35:359e/64 scope link
>>>> valid_lft forever preferred_lft forever
>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>>> inet6 fe80::225:90ff:fe35:359f/64 scope link
>>>> valid_lft forever preferred_lft forever
>>>>
>>>>
>>>> I would like my external clients to connect to the IP 172.29.172.40
>>>>
>>>> firewall# ip route
>>>> 202.45.103.160/30 dev eth1 proto kernel scope link src
>>>> 202.45.103.162
>>>> 172.16.0.0/24 dev eth0 proto kernel scope link src 172.16.0.100
>>>> 103.29.174.0/24 dev eth0 proto kernel scope link src
>>>> 103.29.174.1
>>>> 103.29.175.0/24 dev eth0 proto kernel scope link src
>>>> 103.29.175.1
>>>> 103.29.172.0/24 dev eth0 proto kernel scope link src
>>>> 103.29.172.1
>>>> 103.29.173.0/24 dev eth0 proto kernel scope link src
>>>> 103.29.173.1 default via 202.45.103.161 dev eth1
>>>>
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Elison Niven [mailto:elison.niven at elitecore.com]
>>>> Sent: Thursday, 6 December 2012 9:27 PM
>>>> To: adstar at genis-x.com
>>>> Cc: users at lists.openswan.org
>>>> Subject: Re: [Openswan Users] Problem with a simple connection.
>>>>
>>>> The address type of your host address (left) does not match with the address type of your nexthop (leftnexthop).
>>>> You can try removing leftnexthop=%defaultroute and put in the
>>>> actual
>>>> IPv4 gateway, and do the same for rightnexthop.
>>>> You can also try disabling IPv6.
>>>>
>>>> On Thursday 06 December 2012 08:48:45 AM IST, adstar at genis-x.com wrote:
>>>>> Hi all,
>>>>>
>>>>> I’m having an issue setting up a tunnel that I need some help with.
>>>>>
>>>>> I have included the relevant files below
>>>>>
>>>>>
>>>>> My first issue is when I start ipsec I get the following error:
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>>> incomplete connection
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>>> incomplete connection
>>>>>
>>>>> My second issue is the right side can’t connect.
>>>>>
>>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID
>>>>> payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...
>>>>> ]
>>>>>
>>>>> packet from 119.225.115.131:500: initial Main Mode message
>>>>> received on
>>>>> 103.29.172.40:500 but no connection has been authorized with
>>>>> policy=PSK
>>>>>
>>>>> packet from 119.225.115.131:500: ignoring unknown Vendor ID
>>>>> payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d50c009ee...
>>>>> ]
>>>>>
>>>>> packet from 119.225.115.131:500: initial Main Mode message
>>>>> received on
>>>>> 103.29.172.40:500 but no connection has been authorized with
>>>>> policy=PSK
>>>>>
>>>>> Can anyone help me on where to go from here?
>>>>>
>>>>> Cheers
>>>>> Adam
>>>>>
>>>>> firewall# ipsec --version
>>>>>
>>>>> Linux Openswan 2.6.37 (klips)
>>>>>
>>>>>
>>>>> firewall# cat ipsec.conf
>>>>>
>>>>> # /etc/ipsec.conf - Openswan IPsec configuration file
>>>>>
>>>>> version 2.0 # conforms to second version of ipsec.conf specification
>>>>>
>>>>> # bconn configuration
>>>>>
>>>>> config setup
>>>>>
>>>>> #plutodebug = "all"
>>>>>
>>>>> #klipsdebug = "all"
>>>>>
>>>>> plutoopts="--perpeerlog"
>>>>>
>>>>> dumpdir=/var/run/pluto/
>>>>>
>>>>> nat_traversal=yes
>>>>>
>>>>>
>>>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/1
>>>>> 2
>>>>> ,
>>>>> %
>>>>> v
>>>>> 4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>>>>
>>>>> oe=off
>>>>>
>>>>> protostack=klips
>>>>>
>>>>> plutostderrlog=/var/log/pluto.log
>>>>>
>>>>> interfaces="ipsec0=eth0"
>>>>>
>>>>> listen=103.29.172.40
>>>>>
>>>>> # Add connections here
>>>>>
>>>>> conn multi-conn1
>>>>>
>>>>> rightsubnets={144.55.124.122/32,144.55.123.187/32,144.55.122.67/32
>>>>> ,
>>>>> 1
>>>>> 4
>>>>> 4
>>>>> .55.123.63/32,172.27.130.1/32,172.27.130.2/32,192.168.11.51/32,144.55.
>>>>> 124.206/32}
>>>>>
>>>>> leftsubnets={103.29.173.70/32,103.29.173.71/32,103.29.173.72/32,103.
>>>>> 2
>>>>> 9
>>>>> .173.73/32,103.29.173.74/32,103.29.173.75/32,103.29.173.76/32,103.29.
>>>>> 1
>>>>> 73.80/32,103.29.173.81/32,103.29.173.82/32,103.29.173.83/32,103.29.
>>>>> 1
>>>>> 7
>>>>> 3
>>>>> .84/32,103.29.173.85/32,103.29.173.86/32,103.29.173.60/32,103.29.173.
>>>>> 6 1/32,103.29.173.64/32,103.29.173.65/32}
>>>>>
>>>>> also=conn1
>>>>>
>>>>> conn conn1
>>>>>
>>>>> type = tunnel
>>>>>
>>>>> authby = secret
>>>>>
>>>>> left = 103.29.172.40
>>>>>
>>>>> leftnexthop = %defaultroute
>>>>>
>>>>> right = 119.225.115.131
>>>>>
>>>>> rightnexthop = %defaultroute
>>>>>
>>>>> ike = aes256-sha1-modp1536
>>>>>
>>>>> esp = aes256-sha1
>>>>>
>>>>> keyexchange = ike
>>>>>
>>>>> pfs = no
>>>>>
>>>>> auto = add
>>>>>
>>>>> firewall# cat ipsec.secrets
>>>>>
>>>>> # This file holds shared secrets or RSA private keys for
>>>>> inter-Pluto
>>>>>
>>>>> # authentication. See ipsec_pluto(8) manpage, and HTML documentation.
>>>>>
>>>>> 103.29.172.40 119.225.115.131: PSK "BLANK-BLANK-BLANK"
>>>>>
>>>>> firewall# ip addr
>>>>>
>>>>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state
>>>>> UNKNOWN
>>>>>
>>>>> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>>>>
>>>>> inet 127.0.0.1/8 scope host lo
>>>>>
>>>>> inet6 ::1/128 scope host
>>>>>
>>>>> valid_lft forever preferred_lft forever
>>>>>
>>>>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>> pfifo_fast state UP qlen 1000
>>>>>
>>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>>>
>>>>> inet 103.29.172.1/24 brd 103.29.172.255 scope global eth0
>>>>>
>>>>> inet 103.29.173.1/24 brd 103.29.173.255 scope global eth0:0
>>>>>
>>>>> inet 103.29.174.1/24 brd 103.29.174.255 scope global eth0:1
>>>>>
>>>>> inet 103.29.175.1/24 brd 103.29.175.255 scope global eth0:2
>>>>>
>>>>> inet 172.16.0.100/24 brd 172.16.0.255 scope global eth0:4
>>>>>
>>>>> inet 103.29.172.40/24 scope global secondary eth0
>>>>>
>>>>> inet6 fe80::225:90ff:fe35:359e/64 scope link
>>>>>
>>>>> valid_lft forever preferred_lft forever
>>>>>
>>>>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>>>>> pfifo_fast state UP qlen 1000
>>>>>
>>>>> link/ether 00:25:90:35:35:9f brd ff:ff:ff:ff:ff:ff
>>>>>
>>>>> inet 202.45.103.162/30 brd 202.45.103.163 scope global eth1
>>>>>
>>>>> inet6 fe80::225:90ff:fe35:359f/64 scope link
>>>>>
>>>>> valid_lft forever preferred_lft forever
>>>>>
>>>>> 82: ipsec0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state
>>>>> UNKNOWN qlen 10
>>>>>
>>>>> link/ether 00:25:90:35:35:9e brd ff:ff:ff:ff:ff:ff
>>>>>
>>>>> inet 103.29.172.1/32 scope global ipsec0
>>>>>
>>>>> inet 103.29.173.1/32 scope global ipsec0
>>>>>
>>>>> inet 103.29.174.1/32 scope global ipsec0
>>>>>
>>>>> inet 103.29.175.1/32 scope global ipsec0
>>>>>
>>>>> inet 172.16.0.100/32 scope global ipsec0
>>>>>
>>>>> inet 103.29.172.40/32 scope global ipsec0
>>>>>
>>>>> inet6 fe80::225:90ff:fe35:359e/128 scope link
>>>>>
>>>>> valid_lft forever preferred_lft forever
>>>>>
>>>>> 83: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
>>>>>
>>>>> link/void
>>>>>
>>>>> firewall# cat daemon.log
>>>>>
>>>>> Dec 6 13:51:29 firewall ipsec_setup: Starting Openswan IPsec 2.6.37...
>>>>>
>>>>> Dec 6 13:51:29 firewall ipsec_setup: Using KLIPS/legacy stack
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS debug `none'
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec_setup: KLIPS ipsec0 on eth0
>>>>> 103.29.172.1/24 broadcast mtu 1500
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec_setup: ...Openswan IPsec started
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>>> incomplete connection
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 023 address family
>>>>> inconsistency in this connection=2 host=2/nexthop=0
>>>>>
>>>>> Dec 6 13:51:30 firewall ipsec__plutorun: 037 attempt to load
>>>>> incomplete connection
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Users at lists.openswan.org
>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>> Micropayments:
>>>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=
>>>>> 2
>>>>> 8
>>>>> 3
>>>>> 1
>>>>> 55
>>>>
>>>> --
>>>> Best Regards,
>>>> Elison Niven
>>>>
>>>>
>>>>
>>>
>>> --
>>> Best Regards,
>>> Elison Niven
>>>
>>>
>>>
>>
>> --
>> Best Regards,
>> Elison Niven
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments:
>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283
>> 155
>>
>
More information about the Users
mailing list