[Openswan Users] openswan + Win7 + pre-shared key

Paul Wouters pwouters at redhat.com
Fri Feb 10 07:58:15 EST 2012


On Fri, 10 Feb 2012, Den wrote:

> There is working configuration.
> VPN is Ok if I use  protostack=netkey.
> If I use protostack=klips VPN doesn't work.

Do you have an interfaces= line in "config setup" ?

> linux>ipsec auto --status
> 000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
> 000 #2: "win-tun" esp.9023a4eb at 192.168.1.38 esp.6ba38ad2 at 192.168.1.15 ref=2 refhim=1
> 000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP; nodpd; idle; import:not set

So this says there is a tunnel up?

> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us: 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

This says the tunnel is up too

> linux>tcpdump -n -i eth0 host 192.168.1.38
> device eth0 entered promiscuous mode
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 13:02:05.172050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x3), length 76

This shows crypted packets....

> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Feb 10 12:45:18 linux pluto[4370]: initiate on demand from 192.168.1.15:0 to 192.168.1.38:0 proto=1 state: fos_start because: acquire
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored informational message

This shows as a tunnel up, but then it seems to race another connection
that is failing?

What does "ipsec verify" say for you?

Note that excluding NAT is slightly different on netkey and klips stacks
due to the different interface.

Paul
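As an added example (not part of the list post, and not Openswan's own tooling), the check below does the first thing Paul asks for in script form: it pulls the "config setup" section out of an ipsec.conf and flags the case where protostack=klips is set without an interfaces= line. The three ipsec.conf fragments are constructed sample input modelled on the "win-tun" setup in the thread; the rule itself (klips should carry an explicit interfaces=) is taken from Paul's question, not from Openswan documentation, so treat it as an assumption for your own setup.

```shell
#!/bin/sh
# Added example: lint the "config setup" section of an ipsec.conf for the
# klips/interfaces= combination Paul asks about. Sample configs below are
# constructed for this example, not taken from the original post.

# Print key=value lines from the "config setup" section read on stdin,
# stopping at the first "conn" stanza.
setup_section() {
    awk '
        /^[[:space:]]*config[[:space:]]+setup/ { in_setup = 1; next }
        /^[[:space:]]*conn[[:space:]]/         { in_setup = 0 }
        in_setup && /^[[:space:]]*[a-zA-Z_]+=/ { print }
    '
}

# Print the value of one setup key (empty when unset); config on stdin.
setup_value() {
    key="$1"
    setup_section | sed -n "s/^[[:space:]]*${key}=//p" | head -n 1
}

# Exit 0 when the setup section is consistent for its stack, 1 otherwise.
# Assumption (from the thread): protostack=klips wants an interfaces= line.
check_setup() {
    conf=$(cat)
    stack=$(printf '%s\n' "$conf" | setup_value protostack)
    ifaces=$(printf '%s\n' "$conf" | setup_value interfaces)
    case "$stack" in
        klips)
            if [ -z "$ifaces" ]; then
                echo "protostack=klips but no interfaces= line in config setup" >&2
                return 1
            fi
            ;;
        *) ;;   # netkey (and anything else) does not need interfaces= here
    esac
    return 0
}

# Constructed sample configs: netkey, klips with interfaces=, klips without.
NETKEY_CONF='config setup
    protostack=netkey
    nat_traversal=yes

conn win-tun
    left=192.168.1.15
    right=192.168.1.38
    authby=secret
    auto=add
'
KLIPS_CONF_OK='config setup
    protostack=klips
    interfaces=%defaultroute

conn win-tun
    left=192.168.1.15
    right=192.168.1.38
    authby=secret
    auto=add
'
KLIPS_CONF_MISSING='config setup
    protostack=klips

conn win-tun
    left=192.168.1.15
    right=192.168.1.38
    authby=secret
    auto=add
'

# Stand-alone run: report each sample config.
for c in "$NETKEY_CONF" "$KLIPS_CONF_OK" "$KLIPS_CONF_MISSING"; do
    if printf '%s\n' "$c" | check_setup 2>/dev/null; then
        echo consistent
    else
        echo inconsistent
    fi
done
```

On the real host, run this against /etc/ipsec.conf and pair it with the `ipsec verify` output Paul asks for, which reports whether the kernel actually has the stack you selected; a config that passes the lint above can still fail if the klips module is not loaded.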