[Openswan Users] netkey openswan Hardware Acceleration

Ozai ozai.tien at gmail.com
Thu May 24 04:06:31 EDT 2012


 Dear Sirs,

 I tried Openswan with the netkey stack before, but it failed.
 PC1 can ping PC2, but PC2 cannot ping PC1. I do not know which
 procedures I missed. Could someone help me with this question? Thanks.
 ====================================
 <My test environment>
 PC1----------------GW1(ipsec-tool)----------------GW2(openswan)-------------PC2
 192.168.6.1        172.17.21.87                   172.17.21.80              192.168.1.100
 ====================================
 <ipsec.conf>
 config setup
     interfaces=%defaultroute
     oe=off
     protostack=netkey

 conn %default
     connaddrfamily=ipv4
     keyexchange=ike
     ike=3des-md5;modp1024
     phase2alg=3des-md5;modp1024
     auth=esp
     type=tunnel
     authby=secret
     auto=start

 conn sample
     left=172.17.21.80
     leftsubnet=192.168.1.0/24
     right=172.17.21.87
     rightsubnet=192.168.6.0/24
 ====================================
 <ipsec.secrets>
 172.17.21.80 172.17.21.87 : PSK "12345"
 ====================================
 <Kernel feature>
 CONFIG_XFRM=y
 CONFIG_XFRM_USER=m
 CONFIG_XFRM_MIGRATE=y
 CONFIG_NET_KEY=y
 CONFIG_NET_KEY_MIGRATE=y
 ====================================
 <log>
 Jan  1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
 Jan  1 00:02:31 daemon err ipsec_setup: Using NETKEY(XFRM) stack
 Jan  1 00:02:33 authpriv err ipsec__plutorun: Starting Pluto subsystem...
 Jan  1 00:02:33 daemon err ipsec_setup: ...Openswan IPsec started
 Jan  1 00:02:34 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
 Jan  1 00:02:34 user warn syslog: adjusting ipsec.d to /var/ipsec.d
 Jan  1 00:02:34 authpriv warn pluto[1568]: LEAK_DETECTIVE support [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: OCF support for IKE [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: NSS support [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled in
 Jan  1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal port-4500 floating to off
 Jan  1 00:02:34 authpriv warn pluto[1568]:    port floating activation criteria nat_t=0/port_float=1
 Jan  1 00:02:34 authpriv warn pluto[1568]:    NAT-Traversal support [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom as source of random entropy
 Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
 Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
 Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
 Jan  1 00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic helpers
 Jan  1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as source of random entropy
 Jan  1 00:02:34 authpriv warn pluto[1568]: started helper pid=1583 (fd:6)
 Jan  1 00:02:34 authpriv warn pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: added connection description "sample"
 Jan  1 00:02:37 daemon err ipsec__plutorun: 002 added connection description "sample"
 Jan  1 00:02:37 authpriv warn pluto[1568]: listening for IKE messages
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1 172.17.21.80:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface br0/br0 192.168.1.254:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo 127.0.0.1:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo ::1:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: loading secrets from "/var/ipsec.secrets"
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
 Jan  1 00:02:38 daemon err ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
 ====================================
 <test step>
 When wan interface up
 1. configuration ipsec.conf
 2. configuration ipsec.secrets
 3. ipsec setup start

 Best Regards,
 Ozai

