[Openswan Users] openswan + Win7 + pre-shared key
Den
brusok at gmail.com
Fri Feb 10 10:05:58 EST 2012
2012/2/10 Paul Wouters <pwouters at redhat.com>
> On Fri, 10 Feb 2012, Den wrote:
>
>> There is working configuration.
>> VPN is Ok if I use protostack=netkey.
>> If I use protostack=klips VPN doesn't work.
>>
>
> Do you have an interfaces= line in "config setup" ?
Yes if protostack=klips. ( interfaces="ipsec0=eth0")
>> linux>ipsec auto --status
>> 000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 801s; newest IPSEC; eroute
>> owner; isakmp#1; idle; import:not set
>> 000 #2: "win-tun" esp.9023a4eb@192.168.1.38 esp.6ba38ad2@192.168.1.15 ref=2 refhim=1
>> 000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
>> EVENT_SA_REPLACE in 7101s; newest ISAKMP;
>> nodpd; idle; import:not set
>
> So this says there is a tunnel up?
>
>
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed:
>> 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode
>> proposal {msgid:01000000}
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us:
>> 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them:
>> 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state
>> STATE_QUICK_R0 to state STATE_QUICK_R1
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent
>> QR1, inbound IPsec SA installed, expecting
>> QI2
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state
>> STATE_QUICK_R1 to state STATE_QUICK_R2
>> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA
>> established tunnel mode
>> {ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none
>> DPD=none}
>>
>
> This says the tunnel is up too
>
>
>> linux>tcpdump -n -i eth0 host 192.168.1.38
>> device eth0 entered promiscuous mode
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 13:02:05.172050 IP 192.168.1.38 > 192.168.1.15:
>> ESP(spi=0x2ec052f8,seq=0x3), length 76
>>
>
> This shows crypted packets....
>
>
>> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent
>> QR1, inbound IPsec SA installed, expecting
>> QI2
>> Feb 10 12:45:18 linux pluto[4370]: initiate on demand from 192.168.1.15:0 to
>> 192.168.1.38:0 proto=1 state:
>> fos_start because: acquire
>> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode
>> PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1
>> msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160
>> pfsgroup=OAKLEY_GROUP_MODP1024}
>> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state
>> STATE_QUICK_R1 to state STATE_QUICK_R2
>> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA
>> established tunnel mode
>> {ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none
>> DPD=none}
>> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational
>> payload, type INVALID_ID_INFORMATION
>> msgid=00000000
>> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored
>> informational message
>>
>
> This shows as a tunnel up, but then it seems to race another connection
> that is failing?
>
> What does "ipsec verify" say for you?
>
> Note that excluding NAT is slightly different on netkey and klips stacks
> due to the interface difference.
>
> Paul
>
NETKEY
>ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.38.8 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
[FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
[OK]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
KLIPS
>ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.37 (klips)
Checking for IPsec support in kernel [OK]
KLIPS: checking for NAT Traversal support [OK]
KLIPS: checking for OCF crypto offload support [N/A]
SAref kernel support [N/A]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
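The two [FAILED] items in the NETKEY "ipsec verify" run above come from the per-interface send_redirects and accept_redirects flags still being 1. The script below is an added example (not from this thread or from Openswan) that reproduces that check over a /proc/sys-style tree and prints the sysctl.conf lines that clear it; SYSCTL_ROOT and make_fake_tree are constructed here so it can run offline against a fake tree.

```shell
#!/bin/sh
# Added example: re-implement the "NETKEY: Testing XFRM related proc values"
# check and emit the matching sysctl fix. SYSCTL_ROOT is an assumed override
# so the check can be pointed at a constructed tree instead of /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# check_redirects <send_redirects|accept_redirects>
# Prints every interface whose flag is not 0; returns 1 if any were found.
check_redirects() {
    key="$1"
    bad=0
    for f in "$SYSCTL_ROOT"/net/ipv4/conf/*/"$key"; do
        [ -r "$f" ] || continue            # unmatched glob or unreadable file
        if [ "$(cat "$f")" != "0" ]; then
            printf '%s\n' "$f"
            bad=1
        fi
    done
    return $bad
}

# fix_lines: sysctl.conf entries that clear both failures; "all" and
# "default" are set so existing and future interfaces inherit the value.
fix_lines() {
    cat <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# make_fake_tree <dir>: constructed stand-in for /proc/sys with one
# interface (eth0) still sending ICMP redirects, as on the poster's host.
make_fake_tree() {
    root="$1"
    for ifc in all default eth0 lo; do
        mkdir -p "$root/net/ipv4/conf/$ifc"
        echo 0 > "$root/net/ipv4/conf/$ifc/send_redirects"
        echo 0 > "$root/net/ipv4/conf/$ifc/accept_redirects"
    done
    echo 1 > "$root/net/ipv4/conf/eth0/send_redirects"
}
```

Run it as root with SYSCTL_ROOT unset to test the live host; apply the printed lines with sysctl -p after adding them to /etc/sysctl.conf.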