[Openswan Users] openswan encryption issue

Ozai ozai.tien at gmail.com
Fri Mar 23 06:55:35 EDT 2012


Dear Sirs,

Client A---------------openswan gateway------------------------------openswan gateway---------------------Client B
192.168.1.2         192.168.1.1     111.243.150.251                    111.243.158.170   192.168.2.1              192.168.2.2

I merged the openswan(2.6.37) into embedded linux(2.6.30 mips) and tried to make the connection with another ipsec system(openswan) as above.The tunnel seem to be built successfully and Client A can ping to Client B.But I would like to make the encryption for all packet to pass through the tunnel.It's failed.From the wireshark,All packet is not encryption.Please help on this issue,thank's. 

Best Regards,
Ozai


# cat /var/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"

        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:192.168.1.0/24,%v4:192.168.2.0/24
        interfaces=ipsec0=ppp0
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=klips
        # Use this to log to a file, or disable logging on embedded systems (lik
e openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.

                left=111.243.150.251
                leftsubnet=192.168.1.0/24
#               leftnexthop=192.168.1.1
#               # Right security gateway, subnet behind it, nexthop toward left.

                right=111.243.158.170
                rightsubnet=192.168.2.0/24
#               rightnexthop=192.168.2.1
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
                pfs=yes
                keyexchange=ike
                ike=3des-md5-modp1024
                esp=3des-md5
                disablearrivalcheck=no
                compress=yes
                auth=esp
                type=tunnel
                authby=secret
                auto=start

#

# insmod ipsec.ko
klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.6.37

NET: Registered protocol family 15
ipsec0 (): not using net_device_ops yet
ipsec1 (): not using net_device_ops yet
mast0 (): not using net_device_ops yet
registered KLIPS /proc/sys/net<6>klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0
(EALG_MAX=255, AALG_MAX=251)
klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 ke
ymaxbits=256, found(0)
KLIPS: lookup for ciphername=cbc(twofish): not found
KLIPS: lookup for ciphername=cbc(serpent): not found
KLIPS: lookup for ciphername=cbc(cast5): not found
KLIPS: lookup for ciphername=cbc(blowfish): not found
KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede) keyminbits=19
2 keymaxbits=192, found(0)


# ipsec setup start
/lib/libexec/ipsec/setup: 65: id: not found
[: 0: unknown operand
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: /lib/ipsec/_startklips: 31: head: not found
ipsec_setup: /lib/ipsec/_startklips: 32: head: not found
ipsec_setup: [: 1000: unknown operand

ipsec_setup: /lib/ipsec/_startklips: 451: cut: not found
ipsec_setup: /lib/ipsec/_startklips: 451: sort: not found
ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
Jan  1 06:02:59 pluto[9574]: Starting Pluto (Openswan Version 2.6.37; Vendor ID
OEu\134d\134jy\134\134ap) pid:9574
Jan  1 06:02:59 pluto[9574]: LEAK_DETECTIVE support [disabled]
Jan  1 06:02:59 pluto[9574]: OCF support for IKE [disabled]
Jan  1 06:02:59 pluto[9574]: SAref support [disabled]: Protocol not available
Jan  1 06:02:59 pluto[9574]: SAbind support [disabled]: Protocol not available
Jan  1 06:02:59 pluto[9574]: NSS support [disabled]
Jan  1 06:02:59 pluto[9574]: HAVE_STATSD notification support not compiled in
Jan  1 06:02:59 pluto[9574]: Setting NAT-Traversal port-4500 floating to on
Jan  1 06:02:59 pluto[9574]:    port floating activation criteria nat_t=1/port_f
loat=1
Jan  1 06:02:59 pluto[9574]:    NAT-Traversal support  [enabled]
Jan  1 06:02:59 pluto[9574]: using /dev/urandom as source of random entropy
Jan  1 06:03:00 pluto[9574]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC:
Ok (ret=0)
Jan  1 06:03:00 pluto[9574]: starting up 1 cryptographic helpers
Jan  1 06:03:00 pluto[9579]: using /dev/urandom as source of random entropy
Jan  1 06:03:00 pluto[9574]: started helper pid=9579 (fd:5)
Jan  1 06:03:00 pluto[9574]: Using KLIPS IPsec interface code on 2.6.30
# Jan  1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/cacer
ts': /var/run/pluto
Jan  1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/aacerts
': /var/run/pluto
Jan  1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/ocspcer
ts': /var/run/pluto
Jan  1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/crls'
Jan  1 06:03:00 pluto[9574]: added connection description "sample"
Jan  1 06:03:00 pluto[9574]: listening for IKE messages
Jan  1 06:03:00 pluto[9574]: adding interface ipsec0/ppp0 111.243.150.251:500
Jan  1 06:03:00 pluto[9574]: adding interface ipsec0/ppp0 111.243.150.251:4500
Jan  1 06:03:00 pluto[9574]: ERROR: problem with secrets file "/var". Errno 9: B
ad file descriptor
Jan  1 06:03:00 pluto[9574]: loading secrets from "/var/ipsec.secrets"
Jan  1 06:03:01 pluto[9574]: "sample" #1: initiating Main Mode
Jan  1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [Openswan (
this version) 2.6.37 ]
Jan  1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [Dead Peer
Detection]
Jan  1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [RFC 3947]
method set to=109
Jan  1 06:03:01 pluto[9574]: "sample" #1: enabling possible NAT-traversal with m
ethod 4
Jan  1 06:03:01 pluto[9574]: "sample" #1: transition from state STATE_MAIN_I1 to
 state STATE_MAIN_I2
Jan  1 06:03:01 pluto[9574]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2

Jan  1 06:03:02 pluto[9574]: "sample" #1: NAT-Traversal: Result using RFC 3947 (
NAT-Traversal): no NAT detected
Jan  1 06:03:02 pluto[9574]: "sample" #1: transition from state STATE_MAIN_I2 to
 state STATE_MAIN_I3
Jan  1 06:03:02 pluto[9574]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3

Jan  1 06:03:02 pluto[9574]: "sample" #1: received Vendor ID payload [CAN-IKEv2]

Jan  1 06:03:02 pluto[9574]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '11
1.243.158.170'
Jan  1 06:03:02 pluto[9574]: "sample" #1: transition from state STATE_MAIN_I3 to
 state STATE_MAIN_I4
Jan  1 06:03:02 pluto[9574]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {
auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp10
24}
Jan  1 06:03:02 pluto[9574]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+COMP
RESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:24d66534 proposal
=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan  1 06:03:02 pluto[9574]: "sample" #2: transition from state STATE_QUICK_I1 t
o state STATE_QUICK_I2
Jan  1 06:03:02 pluto[9574]: "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA est
ablished tunnel mode {ESP=>0x5df646a8 <0xdf3fcee9 xfrm=3DES_0-HMAC_MD5 IPCOMP=>0
x0000d84b <0x0000cf2e NATOA=none NATD=none DPD=none}
Jan  1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
 payload [Openswan (this version) 2.6.37 ]
Jan  1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
 payload [Dead Peer Detection]
Jan  1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
 payload [RFC 3947] method set to=109
Jan  1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
 payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan  1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
 payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 10
9
Jan  1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
 payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan  1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
 payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  1 06:03:17 pluto[9574]: "sample" #3: responding to Main Mode
Jan  1 06:03:17 pluto[9574]: "sample" #3: transition from state STATE_MAIN_R0 to
 state STATE_MAIN_R1
Jan  1 06:03:17 pluto[9574]: "sample" #3: STATE_MAIN_R1: sent MR1, expecting MI2

Jan  1 06:03:17 pluto[9574]: "sample" #3: NAT-Traversal: Result using RFC 3947 (
NAT-Traversal): no NAT detected
Jan  1 06:03:18 pluto[9574]: "sample" #3: transition from state STATE_MAIN_R1 to
 state STATE_MAIN_R2
Jan  1 06:03:18 pluto[9574]: "sample" #3: STATE_MAIN_R2: sent MR2, expecting MI3

Jan  1 06:03:18 pluto[9574]: "sample" #3: Main mode peer ID is ID_IPV4_ADDR: '11
1.243.158.170'
Jan  1 06:03:18 pluto[9574]: "sample" #3: transition from state STATE_MAIN_R2 to
 state STATE_MAIN_R3
Jan  1 06:03:18 pluto[9574]: "sample" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA est
ablished {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 gr
oup=modp1024}
Jan  1 06:03:18 pluto[9574]: "sample" #3: the peer proposed: 192.168.1.0/24:0/0
-> 192.168.2.0/24:0/0
Jan  1 06:03:18 pluto[9574]: "sample" #4: responding to Quick Mode proposal {msg
id:89a57974}
Jan  1 06:03:18 pluto[9574]: "sample" #4:     us: 192.168.1.0/24===111.243.150.2
51<111.243.150.251>[+S=C]
Jan  1 06:03:18 pluto[9574]: "sample" #4:   them: 111.243.158.170<111.243.158.17
0>[+S=C]===192.168.2.0/24
Jan  1 06:03:18 pluto[9574]: "sample" #4: keeping refhim=1 during rekey
Jan  1 06:03:18 pluto[9574]: "sample" #4: transition from state STATE_QUICK_R0 t
o state STATE_QUICK_R1
Jan  1 06:03:18 pluto[9574]: "sample" #4: STATE_QUICK_R1: sent QR1, inbound IPse
c SA installed, expecting QI2
Jan  1 06:03:18 pluto[9574]: "sample" #4: transition from state STATE_QUICK_R1 t
o state STATE_QUICK_R2
Jan  1 06:03:18 pluto[9574]: "sample" #4: STATE_QUICK_R2: IPsec SA established t
unnel mode {ESP=>0x5df646a9 <0xdf3fceea xfrm=3DES_0-HMAC_MD5 IPCOMP=>0x0000d84c
<0x0000cf2f NATOA=none NATD=none DPD=none}


Openswan 2.6.37
# ipsec whack --status
000 using kernel interface: klips
000 interface ipsec0/ppp0 111.243.150.251
000 interface ipsec0/ppp0 111.243.150.251
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 192.168.1.0/24, 192.168.2.0/24
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysiz
emax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysi
zemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
 keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160
, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128,
keysizemax=128
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=19
2
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=12
8
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,180}
 attrs={0,2,240}
000
000 "sample": 192.168.1.0/24===111.243.150.251<111.243.150.251>[+S=C]...111.243.
158.170<111.243.158.170>[+S=C]===192.168.2.0/24; erouted; eroute owner: #4
000 "sample":     myip=unset; hisip=unset;
000 "sample":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_f
uzz: 100%; keyingtries: 0
000 "sample":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
+lKOD+rKOD; prio: 24,24; interface: ppp0;
000 "sample":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "sample":   newest ISAKMP SA: #3; newest IPsec SA: #4;
lags=-strict
000 "sample":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "sample":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "sample":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "sample":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "sample":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "sample":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_R
EPLACE in 25529s; isakmp#1; idle; import:admin initiate
000 #2: "sample" esp.5df646a8 at 111.243.158.170 esp.df3fcee9 at 111.243.150.251 comp.
d84b at 111.243.158.170 comp.cf2e at 111.243.150.251 tun.1001 at 111.243.158.170 tun.1002
@111.243.150.251 ref=4 refhim=1
000 #1: "sample":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
462s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "sample":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in
26094s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "sample" used 53s ago; esp.5df646a9 at 111.243.158.170 esp.df3fceea at 111.243
.150.251 comp.d84c at 111.243.158.170 comp.cf2f at 111.243.150.251 tun.1004 at 111.243.15
8.170 tun.1003 at 111.243.150.251 ref=7 refhim=1
000 #3: "sample":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_R
EPLACE in 894s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set

000
#





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openswan.org/pipermail/users/attachments/20120323/a91ab6b5/attachment-0001.html>


More information about the Users mailing list