[Openswan Users] openswan encryption issue
ozai Tien
ozai.tien at gmail.com
Sun Mar 25 14:12:23 EDT 2012
Dear Sirs,
How do I make the encryption for tunnel on openswan?I can not find any
informations.Please help.
Thank's & Best Regards,
Ozai
Ozai <ozai.tien at gmail.com> 於 2012年3月23日下午6:55 寫道:
> **
> Dear Sirs,
>
> Client A---------------openswan gateway-----------------------**-------openswan
> gateway---------------------Client B
> 192.168.1.2
> 192.168.1.1 111.243.150.251 111.243.158.170
> 192.168.2.1 192.168.2.2
>
> I merged the openswan(2.6.37) into embedded linux(2.6.30 mips) and tried
> to make the connection with another ipsec system(openswan) as
> above.The tunnel seem to be built successfully and Client A can ping to
> Client B.But I would like to make the encryption for all packet to pass
> through the tunnel.It's failed.From the wireshark,All packet is not
> encryption.Please help on this issue,thank's.
>
> Best Regards,
> Ozai
>
>
> # cat /var/ipsec.conf
> # /etc/ipsec.conf - Openswan IPsec configuration file
>
> # This file: /usr/local/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
> # Do not set debug options to debug configuration issues!
> # plutodebug / klipsdebug = "all", "none" or a combation from
> below:
> # "raw crypt parsing emitting control klips pfkey natt x509 dpd
> private"
>
> # eg:
> # plutodebug="control parsing"
> # Again: only enable plutodebug or klipsdebug when asked by a
> developer
> #
> # enable to get logs per-peer
> # plutoopts="--perpeerlog"
> #
> # Enable core dumps (might require system changes, like ulimit -C)
> # This is required for abrtd to work properly
> # Note: incorrect SElinux policies might prevent pluto writing the
> core
> dumpdir=/var/run/pluto/
> #
> # NAT-TRAVERSAL support, see README.NAT-Traversal
> nat_traversal=yes
> # exclude networks used on server side by adding %v4:!a.b.c.0/24
> # It seems that T-Mobile in the US and Rogers/Fido in Canada are
> # using 25/8 as "private" address space on their 3G network.
> # This range has not been announced via BGP (at least upto
> 2010-12-21)
> virtual_private=%v4:192.168.1.0/24,%v4:192.168.2.0/24
> interfaces=ipsec0=ppp0
> # OE is now off by default. Uncomment and change to on, to enable.
> oe=off
> # which IPsec stack to use. auto will try netkey, then klips then
> mast
> protostack=klips
> # Use this to log to a file, or disable logging on embedded
> systems (lik
> e openwrt)
> #plutostderrlog=/dev/null
>
> # Add connections here
>
> # sample VPN connection
> # for more examples, see /etc/ipsec.d/examples/
> conn sample
> # # Left security gateway, subnet behind it, nexthop toward
> right.
>
> left=111.243.150.251
> leftsubnet=192.168.1.0/24
> # leftnexthop=192.168.1.1
> # # Right security gateway, subnet behind it, nexthop toward
> left.
>
> right=111.243.158.170
> rightsubnet=192.168.2.0/24
> # rightnexthop=192.168.2.1
> # # To authorize this connection, but not actually start it,
> # # at startup, uncomment this.
> pfs=yes
> keyexchange=ike
> ike=3des-md5-modp1024
> esp=3des-md5
> disablearrivalcheck=no
> compress=yes
> auth=esp
> type=tunnel
> authby=secret
> auto=start
>
> #
>
> # insmod ipsec.ko
> klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version:
> 2.6.37
>
> NET: Registered protocol family 15
> ipsec0 (): not using net_device_ops yet
> ipsec1 (): not using net_device_ops yet
> mast0 (): not using net_device_ops yet
> registered KLIPS /proc/sys/net<6>klips_info:ipsec_alg_init: KLIPS alg
> v=0.8.1-0
> (EALG_MAX=255, AALG_MAX=251)
> klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
> ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
> ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
> ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
> KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes)
> keyminbits=128 ke
> ymaxbits=256, found(0)
> KLIPS: lookup for ciphername=cbc(twofish): not found
> KLIPS: lookup for ciphername=cbc(serpent): not found
> KLIPS: lookup for ciphername=cbc(cast5): not found
> KLIPS: lookup for ciphername=cbc(blowfish): not found
> KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede)
> keyminbits=19
> 2 keymaxbits=192, found(0)
>
>
> # ipsec setup start
> /lib/libexec/ipsec/setup: 65: id: not found
> [: 0: unknown operand
> ipsec_setup: Starting Openswan IPsec 2.6.37...
> ipsec_setup: /lib/ipsec/_startklips: 31: head: not found
> ipsec_setup: /lib/ipsec/_startklips: 32: head: not found
> ipsec_setup: [: 1000: unknown operand
>
> ipsec_setup: /lib/ipsec/_startklips: 451: cut: not found
> ipsec_setup: /lib/ipsec/_startklips: 451: sort: not found
> ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
> Jan 1 06:02:59 pluto[9574]: Starting Pluto (Openswan Version 2.6.37;
> Vendor ID
> OEu\134d\134jy\134\134ap) pid:9574
> Jan 1 06:02:59 pluto[9574]: LEAK_DETECTIVE support [disabled]
> Jan 1 06:02:59 pluto[9574]: OCF support for IKE [disabled]
> Jan 1 06:02:59 pluto[9574]: SAref support [disabled]: Protocol not
> available
> Jan 1 06:02:59 pluto[9574]: SAbind support [disabled]: Protocol not
> available
> Jan 1 06:02:59 pluto[9574]: NSS support [disabled]
> Jan 1 06:02:59 pluto[9574]: HAVE_STATSD notification support not compiled
> in
> Jan 1 06:02:59 pluto[9574]: Setting NAT-Traversal port-4500 floating to on
> Jan 1 06:02:59 pluto[9574]: port floating activation criteria
> nat_t=1/port_f
> loat=1
> Jan 1 06:02:59 pluto[9574]: NAT-Traversal support [enabled]
> Jan 1 06:02:59 pluto[9574]: using /dev/urandom as source of random entropy
> Jan 1 06:03:00 pluto[9574]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC:
> Ok (ret=0)
> Jan 1 06:03:00 pluto[9574]: starting up 1 cryptographic helpers
> Jan 1 06:03:00 pluto[9579]: using /dev/urandom as source of random entropy
> Jan 1 06:03:00 pluto[9574]: started helper pid=9579 (fd:5)
> Jan 1 06:03:00 pluto[9574]: Using KLIPS IPsec interface code on 2.6.30
> # Jan 1 06:03:00 pluto[9574]: Could not change to directory
> '/var/ipsec.d/cacer
> ts': /var/run/pluto
> Jan 1 06:03:00 pluto[9574]: Could not change to directory
> '/var/ipsec.d/aacerts
> ': /var/run/pluto
> Jan 1 06:03:00 pluto[9574]: Could not change to directory
> '/var/ipsec.d/ocspcer
> ts': /var/run/pluto
> Jan 1 06:03:00 pluto[9574]: Could not change to directory
> '/var/ipsec.d/crls'
> Jan 1 06:03:00 pluto[9574]: added connection description "sample"
> Jan 1 06:03:00 pluto[9574]: listening for IKE messages
> Jan 1 06:03:00 pluto[9574]: adding interface ipsec0/ppp0
> 111.243.150.251:500
> Jan 1 06:03:00 pluto[9574]: adding interface ipsec0/ppp0
> 111.243.150.251:4500
> Jan 1 06:03:00 pluto[9574]: ERROR: problem with secrets file "/var".
> Errno 9: B
> ad file descriptor
> Jan 1 06:03:00 pluto[9574]: loading secrets from "/var/ipsec.secrets"
> Jan 1 06:03:01 pluto[9574]: "sample" #1: initiating Main Mode
> Jan 1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload
> [Openswan (
> this version) 2.6.37 ]
> Jan 1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [Dead
> Peer
> Detection]
> Jan 1 06:03:01 pluto[9574]: "sample" #1: received Vendor ID payload [RFC
> 3947]
> method set to=109
> Jan 1 06:03:01 pluto[9574]: "sample" #1: enabling possible NAT-traversal
> with m
> ethod 4
> Jan 1 06:03:01 pluto[9574]: "sample" #1: transition from state
> STATE_MAIN_I1 to
> state STATE_MAIN_I2
> Jan 1 06:03:01 pluto[9574]: "sample" #1: STATE_MAIN_I2: sent MI2,
> expecting MR2
>
> Jan 1 06:03:02 pluto[9574]: "sample" #1: NAT-Traversal: Result using RFC
> 3947 (
> NAT-Traversal): no NAT detected
> Jan 1 06:03:02 pluto[9574]: "sample" #1: transition from state
> STATE_MAIN_I2 to
> state STATE_MAIN_I3
> Jan 1 06:03:02 pluto[9574]: "sample" #1: STATE_MAIN_I3: sent MI3,
> expecting MR3
>
> Jan 1 06:03:02 pluto[9574]: "sample" #1: received Vendor ID payload
> [CAN-IKEv2]
>
> Jan 1 06:03:02 pluto[9574]: "sample" #1: Main mode peer ID is
> ID_IPV4_ADDR: '11
> 1.243.158.170'
> Jan 1 06:03:02 pluto[9574]: "sample" #1: transition from state
> STATE_MAIN_I3 to
> state STATE_MAIN_I4
> Jan 1 06:03:02 pluto[9574]: "sample" #1: STATE_MAIN_I4: ISAKMP SA
> established {
> auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp10
> 24}
> Jan 1 06:03:02 pluto[9574]: "sample" #2: initiating Quick Mode
> PSK+ENCRYPT+COMP
> RESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:24d66534
> proposal
> =3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
> Jan 1 06:03:02 pluto[9574]: "sample" #2: transition from state
> STATE_QUICK_I1 t
> o state STATE_QUICK_I2
> Jan 1 06:03:02 pluto[9574]: "sample" #2: STATE_QUICK_I2: sent QI2, IPsec
> SA est
> ablished tunnel mode {ESP=>0x5df646a8 <0xdf3fcee9 xfrm=3DES_0-HMAC_MD5
> IPCOMP=>0
> x0000d84b <0x0000cf2e NATOA=none NATD=none DPD=none}
> Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received
> Vendor ID
> payload [Openswan (this version) 2.6.37 ]
> Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received
> Vendor ID
> payload [Dead Peer Detection]
> Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received
> Vendor ID
> payload [RFC 3947] method set to=109
> Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received
> Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
> method 109
> Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received
> Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
> method 10
> 9
> Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received
> Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
> method 109
> Jan 1 06:03:17 pluto[9574]: packet from 111.243.158.170:500: received
> Vendor ID
> payload [draft-ietf-ipsec-nat-t-ike-00]
> Jan 1 06:03:17 pluto[9574]: "sample" #3: responding to Main Mode
> Jan 1 06:03:17 pluto[9574]: "sample" #3: transition from state
> STATE_MAIN_R0 to
> state STATE_MAIN_R1
> Jan 1 06:03:17 pluto[9574]: "sample" #3: STATE_MAIN_R1: sent MR1,
> expecting MI2
>
> Jan 1 06:03:17 pluto[9574]: "sample" #3: NAT-Traversal: Result using RFC
> 3947 (
> NAT-Traversal): no NAT detected
> Jan 1 06:03:18 pluto[9574]: "sample" #3: transition from state
> STATE_MAIN_R1 to
> state STATE_MAIN_R2
> Jan 1 06:03:18 pluto[9574]: "sample" #3: STATE_MAIN_R2: sent MR2,
> expecting MI3
>
> Jan 1 06:03:18 pluto[9574]: "sample" #3: Main mode peer ID is
> ID_IPV4_ADDR: '11
> 1.243.158.170'
> Jan 1 06:03:18 pluto[9574]: "sample" #3: transition from state
> STATE_MAIN_R2 to
> state STATE_MAIN_R3
> Jan 1 06:03:18 pluto[9574]: "sample" #3: STATE_MAIN_R3: sent MR3, ISAKMP
> SA est
> ablished {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
> prf=oakley_md5 gr
> oup=modp1024}
> Jan 1 06:03:18 pluto[9574]: "sample" #3: the peer proposed:
> 192.168.1.0/24:0/0
> -> 192.168.2.0/24:0/0
> Jan 1 06:03:18 pluto[9574]: "sample" #4: responding to Quick Mode
> proposal {msg
> id:89a57974}
> Jan 1 06:03:18 pluto[9574]: "sample" #4: us:
> 192.168.1.0/24===111.243.150.2
> 51<111.243.150.251>[+S=C]
> Jan 1 06:03:18 pluto[9574]: "sample" #4: them:
> 111.243.158.170<111.243.158.17
> 0>[+S=C]===192.168.2.0/24
> Jan 1 06:03:18 pluto[9574]: "sample" #4: keeping refhim=1 during rekey
> Jan 1 06:03:18 pluto[9574]: "sample" #4: transition from state
> STATE_QUICK_R0 t
> o state STATE_QUICK_R1
> Jan 1 06:03:18 pluto[9574]: "sample" #4: STATE_QUICK_R1: sent QR1,
> inbound IPse
> c SA installed, expecting QI2
> Jan 1 06:03:18 pluto[9574]: "sample" #4: transition from state
> STATE_QUICK_R1 t
> o state STATE_QUICK_R2
> Jan 1 06:03:18 pluto[9574]: "sample" #4: STATE_QUICK_R2: IPsec SA
> established t
> unnel mode {ESP=>0x5df646a9 <0xdf3fceea xfrm=3DES_0-HMAC_MD5
> IPCOMP=>0x0000d84c
> <0x0000cf2f NATOA=none NATD=none DPD=none}
>
>
> Openswan 2.6.37
> # ipsec whack --status
> 000 using kernel interface: klips
> 000 interface ipsec0/ppp0 111.243.150.251
> 000 interface ipsec0/ppp0 111.243.150.251
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 2 subnets: 192.168.1.0/24, 192.168.2.0/24
> 000 - disallowed 0 subnets:
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000 private address space in internal use, it should be excluded!
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192,
> keysiz
> emax=192
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
> keysi
> zemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128,
> keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160
> , keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> keysizemin=128,
> keysizemax=128
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=19
> 2
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=12
> 8
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
> trans={0,2,180}
> attrs={0,2,240}
> 000
> 000 "sample": 192.168.1.0/24===111.243.150.251
> <111.243.150.251>[+S=C]...111.243.
> 158.170<111.243.158.170>[+S=C]===192.168.2.0/24; erouted; eroute owner: #4
> 000 "sample": myip=unset; hisip=unset;
> 000 "sample": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_f
> uzz: 100%; keyingtries: 0
> 000 "sample": policy:
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK
> +lKOD+rKOD; prio: 24,24; interface: ppp0;
> 000 "sample": newest ISAKMP SA: #3; newest IPsec SA: #4;
> 000 "sample": newest ISAKMP SA: #3; newest IPsec SA: #4;
> lags=-strict
> 000 "sample": IKE algorithms found:
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
> 000 "sample": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 000 "sample": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000;
> flags=-strict
> 000 "sample": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
> 000 "sample": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<Phase1>
> 000
> 000 #2: "sample":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_R
> EPLACE in 25529s; isakmp#1; idle; import:admin initiate
> 000 #2: "sample" esp.5df646a8 at 111.243.158.170 esp.df3fcee9 at 111.243.150.251comp.
> d84b at 111.243.158.170 comp.cf2e at 111.243.150.251 tun.1001 at 111.243.158.170tun.1002
> @111.243.150.251 ref=4 refhim=1
> 000 #1: "sample":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in
> 462s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
> 000 #4: "sample":500 STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in
> 26094s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
> 000 #4: "sample" used 53s ago; esp.5df646a9 at 111.243.158.170
> esp.df3fceea at 111.243
> .150.251 comp.d84c at 111.243.158.170 comp.cf2f at 111.243.150.251
> tun.1004 at 111.243.15
> 8.170 tun.1003 at 111.243.150.251 ref=7 refhim=1
> 000 #3: "sample":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_R
> EPLACE in 894s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle;
> import:not set
>
> 000
> #
>
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openswan.org/pipermail/users/attachments/20120326/351e4a6d/attachment-0001.html>
More information about the Users
mailing list