[Openswan Users] openswan encryption issue
Ozai
ozai.tien at gmail.com
Fri Mar 23 06:55:35 EDT 2012
Dear Sirs,
Client A---------------openswan gateway------------------------------openswan gateway---------------------Client B
192.168.1.2 192.168.1.1 111.243.150.251 111.243.158.170 192.168.2.1 192.168.2.2
I merged the openswan(2.6.37) into embedded linux(2.6.30 mips) and tried to make the connection with another ipsec system(openswan) as above.The tunnel seem to be built successfully and Client A can ping to Client B.But I would like to make the encryption for all packet to pass through the tunnel.It's failed.From the wireshark,All packet is not encryption.Please help on this issue,thank's.
Best Regards,
Ozai
# cat /var/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combation from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least upto 2010-12-21)
virtual_private=%v4:192.168.1.0/24,%v4:192.168.2.0/24
interfaces=ipsec0=ppp0
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=klips
# Use this to log to a file, or disable logging on embedded systems (lik
e openwrt)
#plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
left=111.243.150.251
leftsubnet=192.168.1.0/24
# leftnexthop=192.168.1.1
# # Right security gateway, subnet behind it, nexthop toward left.
right=111.243.158.170
rightsubnet=192.168.2.0/24
# rightnexthop=192.168.2.1
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
pfs=yes
keyexchange=ike
ike=3des-md5-modp1024
esp=3des-md5
disablearrivalcheck=no
compress=yes
auth=esp
type=tunnel
authby=secret
auto=start
#
# insmod ipsec.ko
klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.6.37
NET: Registered protocol family 15
ipsec0 (): not using net_device_ops yet
ipsec1 (): not using net_device_ops yet
mast0 (): not using net_device_ops yet
registered KLIPS /proc/sys/net<6>klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0
(EALG_MAX=255, AALG_MAX=251)
klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 ke
ymaxbits=256, found(0)
KLIPS: lookup for ciphername=cbc(twofish): not found
KLIPS: lookup for ciphername=cbc(serpent): not found
KLIPS: lookup for ciphername=cbc(cast5): not found
KLIPS: lookup for ciphername=cbc(blowfish): not found
KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede) keyminbits=19
2 keymaxbits=192, found(0)
# ipsec setup start
/lib/libexec/ipsec/setup: 65: id: not found
[: 0: unknown operand
ipsec_setup: Starting Openswan IPsec 2.6.37...
ipsec_setup: /lib/ipsec/_startklips: 31: head: not found
ipsec_setup: /lib/ipsec/_startklips: 32: head: not found
ipsec_setup: [: 1000: unknown operand
ipsec_setup: /lib/ipsec/_startklips: 451: cut: not found
ipsec_setup: /lib/ipsec/_startklips: 451: sort: not found
ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
Jan 1 06:02:59 pluto[9574]: Starting Pluto (Openswan Version 2.6.37; Vendor ID
OEu\134d\134jy\134\134ap) pid:9574
Jan 1 06:02:59 pluto[9574]: LEAK_DETECTIVE support [disabled]
Jan 1 06:02:59 pluto[9574]: OCF support for IKE [disabled]
Jan 1 06:02:59 pluto[9574]: SAref support [disabled]: Protocol not available
Jan 1 06:02:59 pluto[9574]: SAbind support [disabled]: Protocol not available
Jan 1 06:02:59 pluto[9574]: NSS support [disabled]
Jan 1 06:02:59 pluto[9574]: HAVE_STATSD notification support not compiled in
Jan 1 06:02:59 pluto[9574]: Setting NAT-Traversal port-4500 floating to on
Jan 1 06:02:59 pluto[9574]: port floating activation criteria nat_t=1/port_f
loat=1
Jan 1 06:02:59 pluto[9574]: NAT-Traversal support [enabled]
Jan 1 06:02:59 pluto[9574]: using /dev/urandom as source of random entropy
Jan 1 06:03:00 pluto[9574]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC:
Ok (ret=0)
Jan 1 06:03:00 pluto[9574]: starting up 1 cryptographic helpers
Jan 1 06:03:00 pluto[9579]: using /dev/urandom as source of random entropy
Jan 1 06:03:00 pluto[9574]: started helper pid=9579 (fd:5)
Jan 1 06:03:00 pluto[9574]: Using KLIPS IPsec interface code on 2.6.30
# Jan 1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/cacer
ts': /var/run/pluto
Jan 1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/aacerts
': /var/run/pluto
Jan 1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/ocspcer
ts': /var/run/pluto
Jan 1 06:03:00 pluto[9574]: Could not change to directory '/var/ipsec.d/crls'
Jan 1 06:03:00 pluto[9574]: added connection description "sample"
Jan 1 06:03:00 pluto[9574]: listening for IKE messages
Jan 1 06:03:00 pluto[9574]: adding interface ipsec0/ppp0 111.243.150.251:500
Jan 1 06:03:00 pluto[9574]: adding interface ipsec0/ppp0 111.243.150.251:4500
Jan 1 06:03:00 pluto[9574]: ERROR: problem with secrets file "/var". Errno 9: B
ad file descriptor
Jan 1 06:03:00 pluto[9574]: loading secrets from "/var/ipsec.secrets"
Jan 1 06:03:01 pluto[9574]: "sample" #1: initiating Main Mode
Jan 1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [Openswan (
this version) 2.6.37 ]
Jan 1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [Dead Peer
Detection]
Jan 1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [RFC 3947]
method set to=109
Jan 1 06:03:01 pluto[9574]: "sample" #1: enabling possible NAT-traversal with m
ethod 4
Jan 1 06:03:01 pluto[9574]: "sample" #1: transition from state STATE_MAIN_I1 to
state STATE_MAIN_I2
Jan 1 06:03:01 pluto[9574]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 1 06:03:02 pluto[9574]: "sample" #1: NAT-Traversal: Result using RFC 3947 (
NAT-Traversal): no NAT detected
Jan 1 06:03:02 pluto[9574]: "sample" #1: transition from state STATE_MAIN_I2 to
state STATE_MAIN_I3
Jan 1 06:03:02 pluto[9574]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 1 06:03:02 pluto[9574]: "sample" #1: received Vendor ID payload [CAN-IKEv2]
Jan 1 06:03:02 pluto[9574]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '11
1.243.158.170'
Jan 1 06:03:02 pluto[9574]: "sample" #1: transition from state STATE_MAIN_I3 to
state STATE_MAIN_I4
Jan 1 06:03:02 pluto[9574]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {
auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp10
24}
Jan 1 06:03:02 pluto[9574]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+COMP
RESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:24d66534 proposal
=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 06:03:02 pluto[9574]: "sample" #2: transition from state STATE_QUICK_I1 t
o state STATE_QUICK_I2
Jan 1 06:03:02 pluto[9574]: "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA est
ablished tunnel mode {ESP=>0x5df646a8 <0xdf3fcee9 xfrm=3DES_0-HMAC_MD5 IPCOMP=>0
x0000d84b <0x0000cf2e NATOA=none NATD=none DPD=none}
Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
payload [Openswan (this version) 2.6.37 ]
Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
payload [Dead Peer Detection]
Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
payload [RFC 3947] method set to=109
Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 10
9
Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 1 06:03:17 pluto[9574]: "sample" #3: responding to Main Mode
Jan 1 06:03:17 pluto[9574]: "sample" #3: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
Jan 1 06:03:17 pluto[9574]: "sample" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 1 06:03:17 pluto[9574]: "sample" #3: NAT-Traversal: Result using RFC 3947 (
NAT-Traversal): no NAT detected
Jan 1 06:03:18 pluto[9574]: "sample" #3: transition from state STATE_MAIN_R1 to
state STATE_MAIN_R2
Jan 1 06:03:18 pluto[9574]: "sample" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 1 06:03:18 pluto[9574]: "sample" #3: Main mode peer ID is ID_IPV4_ADDR: '11
1.243.158.170'
Jan 1 06:03:18 pluto[9574]: "sample" #3: transition from state STATE_MAIN_R2 to
state STATE_MAIN_R3
Jan 1 06:03:18 pluto[9574]: "sample" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA est
ablished {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 gr
oup=modp1024}
Jan 1 06:03:18 pluto[9574]: "sample" #3: the peer proposed: 192.168.1.0/24:0/0
-> 192.168.2.0/24:0/0
Jan 1 06:03:18 pluto[9574]: "sample" #4: responding to Quick Mode proposal {msg
id:89a57974}
Jan 1 06:03:18 pluto[9574]: "sample" #4: us: 192.168.1.0/24===111.243.150.2
51<111.243.150.251>[+S=C]
Jan 1 06:03:18 pluto[9574]: "sample" #4: them: 111.243.158.170<111.243.158.17
0>[+S=C]===192.168.2.0/24
Jan 1 06:03:18 pluto[9574]: "sample" #4: keeping refhim=1 during rekey
Jan 1 06:03:18 pluto[9574]: "sample" #4: transition from state STATE_QUICK_R0 t
o state STATE_QUICK_R1
Jan 1 06:03:18 pluto[9574]: "sample" #4: STATE_QUICK_R1: sent QR1, inbound IPse
c SA installed, expecting QI2
Jan 1 06:03:18 pluto[9574]: "sample" #4: transition from state STATE_QUICK_R1 t
o state STATE_QUICK_R2
Jan 1 06:03:18 pluto[9574]: "sample" #4: STATE_QUICK_R2: IPsec SA established t
unnel mode {ESP=>0x5df646a9 <0xdf3fceea xfrm=3DES_0-HMAC_MD5 IPCOMP=>0x0000d84c
<0x0000cf2f NATOA=none NATD=none DPD=none}
Openswan 2.6.37
# ipsec whack --status
000 using kernel interface: klips
000 interface ipsec0/ppp0 111.243.150.251
000 interface ipsec0/ppp0 111.243.150.251
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 192.168.1.0/24, 192.168.2.0/24
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysiz
emax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysi
zemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160
, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128,
keysizemax=128
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=19
2
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=12
8
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,180}
attrs={0,2,240}
000
000 "sample": 192.168.1.0/24===111.243.150.251<111.243.150.251>[+S=C]...111.243.
158.170<111.243.158.170>[+S=C]===192.168.2.0/24; erouted; eroute owner: #4
000 "sample": myip=unset; hisip=unset;
000 "sample": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_f
uzz: 100%; keyingtries: 0
000 "sample": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
+lKOD+rKOD; prio: 24,24; interface: ppp0;
000 "sample": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "sample": newest ISAKMP SA: #3; newest IPsec SA: #4;
lags=-strict
000 "sample": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "sample": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "sample": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "sample": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "sample": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<Phase1>
000
000 #2: "sample":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_R
EPLACE in 25529s; isakmp#1; idle; import:admin initiate
000 #2: "sample" esp.5df646a8 at 111.243.158.170 esp.df3fcee9 at 111.243.150.251 comp.
d84b at 111.243.158.170 comp.cf2e at 111.243.150.251 tun.1001 at 111.243.158.170 tun.1002
@111.243.150.251 ref=4 refhim=1
000 #1: "sample":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
462s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "sample":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in
26094s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "sample" used 53s ago; esp.5df646a9 at 111.243.158.170 esp.df3fceea at 111.243
.150.251 comp.d84c at 111.243.158.170 comp.cf2f at 111.243.150.251 tun.1004 at 111.243.15
8.170 tun.1003 at 111.243.150.251 ref=7 refhim=1
000 #3: "sample":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_R
EPLACE in 894s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000
#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openswan.org/pipermail/users/attachments/20120323/a91ab6b5/attachment-0001.html>
More information about the Users
mailing list