[Openswan Users] openswan + Win7 + pre-shared key

Den brusok at gmail.com
Fri Feb 10 06:28:01 EST 2012


Thanks for the answer!
There is a working configuration.
The VPN is OK if I use protostack=netkey.
If I use protostack=klips the VPN doesn't work.
But I'd like to use protostack=klips, because I need the ipsec interface (ipsec0).
Is there a workaround?
I used Pavle's ipsec.conf configuration, only changed 'auto=route' to 'auto=add', because the VPN with protostack=klips didn't start at all.
Sorry for the long listing.

I don't like these lines (you can see the full listing below):
13:02:50.166199 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:51.165956 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:52.165894 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:55.165892 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46


PROTOSTACK=KLIPS

linux>ipsec auto --status
000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "win-tun" esp.9023a4eb@192.168.1.38 esp.6ba38ad2@192.168.1.15 ref=2 refhim=1
000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP; nodpd; idle; import:not set

linux,/var/log/secure
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: responding to Main Mode
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.38'
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us: 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

linux>tcpdump -n -i eth0 host 192.168.1.38
device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:02:05.172050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x3), length 76
13:02:10.169239 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x4), length 76
13:02:15.168938 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x5), length 76
13:02:20.168511 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x6), length 76
13:02:25.168122 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x7), length 76
13:02:30.167715 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x8), length 76
13:02:32.009961 ARP, Request who-has 192.168.1.90 tell 192.168.1.38, length 46
13:02:35.167311 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x9), length 76
13:02:40.166957 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0xa), length 76
13:02:45.166405 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
13:02:45.166416 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0xb), length 76
13:02:46.166340 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
13:02:47.166251 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
13:02:50.166199 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:51.165956 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:52.165894 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:55.165892 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:56.165612 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:57.165531 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46

>tcpdump -n -i ipsec0 host 192.168.1.38
device ipsec0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:59:49.207724 IP 192.168.1.38 > 192.168.1.15: ICMP echo request, id 1, seq 173, length 40

##################

PROTOSTACK=NETKEY

linux>ipsec auto --status
000 #3: "win-tun":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 18s; nodpd; idle; import:local rekey
000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 843s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "win-tun" esp.fe035afe@192.168.1.38 esp.85be7d3d@192.168.1.15 ref=0 refhim=4294901761
000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7143s; newest ISAKMP; nodpd; idle; import:local rekey
000

linux,/var/log/secure
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: responding to Main Mode
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.38'
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: us: 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 10 12:45:18 linux pluto[4370]: initiate on demand from 192.168.1.15:0to 192.168.1.38:0 proto=1 state: fos_start because: acquire
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored informational message

linux>tcpdump -n -i eth0 host 192.168.1.38
device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:48:15.854050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x85be7d3d,seq=0x16), length 76
12:48:15.854124 IP 192.168.1.15 > 192.168.1.38: ESP(spi=0xfe035afe,seq=0x15), length 76
12:48:16.856592 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x85be7d3d,seq=0x17), length 76