[Openswan Users] the packets did not traffic under ESP tunnel on openswan

Ozai ozai.tien at gmail.com
Wed Mar 14 23:16:56 EDT 2012


Dear Sirs,

I merged openswan (2.6.37) into embedded Linux (MIPS) and tried to make the connection with another IPsec system (ipsec-tools). The ESP tunnel can be built successfully. I tried to ping a private client from ipsec-tools to openswan. It's OK, but from openswan to ipsec-tools it failed. I found that from openswan to ipsec-tools the packets did not travel under the ESP tunnel. My settings are as below. Please help me to correct my procedure. Thanks.


# cat ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"

        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        #nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        interfaces=%defaultroute
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=auto
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.

                left=111.243.152.132
                leftsubnet=192.168.2.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.

                right=111.243.156.217
                rightsubnet=192.168.1.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                type=tunnel
                authby=secret
                auto=start

#
# cat ipsec.secrets
111.243.156.217 111.243.152.132 : PSK "12345"
#


# ipsec setup start
/lib/libexec/ipsec/setup: 65: id: not found
[: 0: unknown operand
ipsec_setup: Starting Openswan IPsec U2.6.37/K2.6.30...
# Jan  1 00:09:11 pluto[2102]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:2102
Jan  1 00:09:11 pluto[2102]: LEAK_DETECTIVE support [disabled]
Jan  1 00:09:11 pluto[2102]: OCF support for IKE [disabled]
Jan  1 00:09:11 pluto[2102]: SAref support [disabled]: Protocol not available
Jan  1 00:09:11 pluto[2102]: SAbind support [disabled]: Protocol not available
Jan  1 00:09:11 pluto[2102]: NSS support [disabled]
Jan  1 00:09:11 pluto[2102]: HAVE_STATSD notification support not compiled in
Jan  1 00:09:11 pluto[2102]: Setting NAT-Traversal port-4500 floating to off
Jan  1 00:09:11 pluto[2102]:    port floating activation criteria nat_t=0/port_float=1
Jan  1 00:09:11 pluto[2102]:    NAT-Traversal support  [disabled]
Jan  1 00:09:11 pluto[2102]: using /dev/urandom as source of random entropy
Jan  1 00:09:11 pluto[2102]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 00:09:11 pluto[2102]: starting up 1 cryptographic helpers
Jan  1 00:09:11 pluto[2117]: using /dev/urandom as source of random entropy
Jan  1 00:09:11 pluto[2102]: started helper pid=2117 (fd:5)
Jan  1 00:09:11 pluto[2102]: Kernel interface auto-pick
Jan  1 00:09:11 pluto[2102]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
Jan  1 00:09:11 pluto[2102]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan  1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm already exists
Jan  1 00:09:11 pluto[2102]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan  1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm already exists
Jan  1 00:09:11 pluto[2102]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan  1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm already exists
Jan  1 00:09:11 pluto[2102]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan  1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm already exists
Jan  1 00:09:11 pluto[2102]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan  1 00:09:11 pluto[2102]: ike_alg_add(): ERROR: Algorithm already exists
Jan  1 00:09:11 pluto[2102]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan  1 00:09:11 pluto[2102]: Could not change to directory '/var/ipsec.d/cacerts': /var/run/pluto
Jan  1 00:09:12 pluto[2102]: Could not change to directory '/var/ipsec.d/aacerts': /var/run/pluto
Jan  1 00:09:12 pluto[2102]: Could not change to directory '/var/ipsec.d/ocspcerts': /var/run/pluto
Jan  1 00:09:12 pluto[2102]: Could not change to directory '/var/ipsec.d/crls'
Jan  1 00:09:12 pluto[2102]: added connection description "sample"
Jan  1 00:09:12 pluto[2102]: listening for IKE messages
Jan  1 00:09:12 pluto[2102]: adding interface ppp0/ppp0 111.243.156.217:500
Jan  1 00:09:12 pluto[2102]: adding interface br0/br0 192.168.1.1:500
Jan  1 00:09:12 pluto[2102]: adding interface lo/lo 127.0.0.1:500
Jan  1 00:09:12 pluto[2102]: adding interface lo/lo ::1:500
Jan  1 00:09:12 pluto[2102]: ERROR: problem with secrets file "/var". Errno 9: Bad file descriptor
Jan  1 00:09:12 pluto[2102]: loading secrets from "/var/ipsec.secrets"
Jan  1 00:09:13 pluto[2102]: "sample" #1: initiating Main Mode
Jan  1 00:09:13 pluto[2102]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
Jan  1 00:09:13 pluto[2102]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  1 00:09:13 pluto[2102]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan  1 00:09:13 pluto[2102]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  1 00:09:13 pluto[2102]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan  1 00:09:14 pluto[2102]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '111.243.152.132'
Jan  1 00:09:14 pluto[2102]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan  1 00:09:14 pluto[2102]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan  1 00:09:14 pluto[2102]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:dbca98e7 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
Jan  1 00:09:14 pluto[2102]: "sample" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan  1 00:09:14 pluto[2102]: "sample" #1: received and ignored informational message
Jan  1 00:09:14 pluto[2102]: "sample" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan  1 00:09:14 pluto[2102]: "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0f34cacc <0x8c632f64 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}

#
# ip xfrm state
src 111.243.152.132 dst 111.243.156.217
        proto esp spi 0x8c632f64 reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(md5) 0xaf8ba23ff005f262dfc3d5cf81c59ef9
        enc cbc(des3_ede) 0xb0559c9dd51e7cdfdedf34fb95439bb19b72751852fd6e34
src 111.243.156.217 dst 111.243.152.132
        proto esp spi 0x0f34cacc reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(md5) 0xb7d5be9851d321710f47f94c93ea008b
        enc cbc(des3_ede) 0x35fe8cb1dbcbbdbbd1321a41191b493a4f189d351a0c9f71
#

Best Regards.
Ozai
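A check worth running on a one-way tunnel like the one in this post is to confirm that the two ESP SAs pluto says it negotiated are the same two SAs the kernel actually holds, before suspecting IKE at all. The script below is an added example, not part of the original post and not Openswan's code; it parses the post's own `ip xfrm state` dump and pluto's "IPsec SA established" line (both embedded as constructed inputs, copied from the message), and cross-checks direction, SPI, mode and reqid for each SA. It assumes the Openswan convention, confirmed by the post's own output, that `ESP=>0x...` is the outbound SPI (packets to the peer) and `<0x...` the inbound one, and that the local gateway is the `ppp0` address 111.243.156.217.

```python
import re

# Constructed inputs, copied from the mailing-list post.
PLUTO_LOG = (
    'Jan  1 00:09:14 pluto[2102]: "sample" #2: STATE_QUICK_I2: sent QI2, '
    'IPsec SA established tunnel mode {ESP=>0x0f34cacc <0x8c632f64 '
    'xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}\n'
)

XFRM_STATE = """\
src 111.243.152.132 dst 111.243.156.217
        proto esp spi 0x8c632f64 reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(md5) 0xaf8ba23ff005f262dfc3d5cf81c59ef9
        enc cbc(des3_ede) 0xb0559c9dd51e7cdfdedf34fb95439bb19b72751852fd6e34
src 111.243.156.217 dst 111.243.152.132
        proto esp spi 0x0f34cacc reqid 16385 mode tunnel
        replay-window 32 flag 20
        auth hmac(md5) 0xb7d5be9851d321710f47f94c93ea008b
        enc cbc(des3_ede) 0x35fe8cb1dbcbbdbbd1321a41191b493a4f189d351a0c9f71
"""

# Openswan prints ESP=>outbound_spi <inbound_spi (assumption, matches the post's dump).
ESTABLISHED_RE = re.compile(
    r"IPsec SA established (?P<mode>\w+) mode \{ESP=>(?P<out>0x[0-9a-fA-F]+) <(?P<in>0x[0-9a-fA-F]+)"
)


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into one dict per SA (src/dst/proto/spi/reqid/mode/auth/enc)."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            src, dst = re.match(r"src (\S+) dst (\S+)", line).groups()
            cur = {"src": src, "dst": dst}
            sas.append(cur)
        elif cur is None:
            continue
        elif line.startswith("proto "):
            m = re.match(r"proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)", line)
            cur.update(proto=m.group(1), spi=int(m.group(2), 16),
                       reqid=int(m.group(3)), mode=m.group(4))
        elif line.startswith("auth "):
            cur["auth"] = line.split()[1]      # e.g. hmac(md5)
        elif line.startswith("enc "):
            cur["enc"] = line.split()[1]       # e.g. cbc(des3_ede)
    return sas


def check_tunnel(local, peer, log=PLUTO_LOG, xfrm_text=XFRM_STATE):
    """Compare the SPIs pluto negotiated with the ESP SAs the kernel holds, per direction."""
    m = ESTABLISHED_RE.search(log)
    if not m:
        return {"negotiated": False}
    out_spi, in_spi = int(m.group("out"), 16), int(m.group("in"), 16)
    sas = {(s["src"], s["dst"]): s
           for s in parse_xfrm_state(xfrm_text) if s.get("proto") == "esp"}
    out_sa = sas.get((local, peer))   # local -> peer carries our outbound traffic
    in_sa = sas.get((peer, local))    # peer -> local carries inbound traffic
    return {
        "negotiated": True,
        "outbound_sa_present": out_sa is not None,
        "inbound_sa_present": in_sa is not None,
        "outbound_spi_matches": out_sa is not None and out_sa["spi"] == out_spi,
        "inbound_spi_matches": in_sa is not None and in_sa["spi"] == in_spi,
        "both_tunnel_mode": all(s is not None and s["mode"] == "tunnel" for s in (out_sa, in_sa)),
        "same_reqid": out_sa is not None and in_sa is not None and out_sa["reqid"] == in_sa["reqid"],
    }


def failed_checks(findings):
    """Names of the checks that did not pass; an empty list means the SA pair is consistent."""
    return [name for name, ok in findings.items() if not ok]


if __name__ == "__main__":
    result = check_tunnel("111.243.156.217", "111.243.152.132")
    for name, ok in result.items():
        print(f"{name:22} {'ok' if ok else 'FAIL'}")
    print("failed:", failed_checks(result) or "none")
```

Run against the post's output this reports every check as passing: both SAs exist, their SPIs are exactly the ones pluto announced, both are tunnel mode and share reqid 16385. When the SA pair is consistent like this, the kernel's security policy database (`ip xfrm policy`) and the routing toward the remote subnet are the next things to inspect, and `ip -s xfrm state` shows per-SA byte and packet counters that tell you directly whether the outbound SA is ever being used.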