[Openswan Users] VPN connection established but ...

Durwin thecajun at nmia.com
Sun Nov 11 14:22:38 EST 2012


> Is rekeying enabled?
I did not have rekey=yes in the connection.  I added it and retried, with
the same problem.

Here are the logs I collected.  I hope I collected all the pertinent
logs.

Thank You.

==== /var/log/secure

Nov 11 12:05:23 endpoint ipsec__plutorun: Starting Pluto subsystem...
Nov 11 12:05:23 endpoint pluto[1894]: nss directory plutomain: /etc/ipsec.d
Nov 11 12:05:23 endpoint pluto[1894]: NSS Initialized
Nov 11 12:05:23 endpoint pluto[1894]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 11 12:05:23 endpoint pluto[1894]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:1894
Nov 11 12:05:23 endpoint pluto[1894]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 11 12:05:23 endpoint pluto[1894]: LEAK_DETECTIVE support [disabled]
Nov 11 12:05:23 endpoint pluto[1894]: OCF support for IKE [disabled]
Nov 11 12:05:23 endpoint pluto[1894]: SAref support [disabled]: Protocol not available
Nov 11 12:05:23 endpoint pluto[1894]: SAbind support [disabled]: Protocol not available
Nov 11 12:05:23 endpoint pluto[1894]: NSS support [enabled]
Nov 11 12:05:23 endpoint pluto[1894]: HAVE_STATSD notification support not compiled in
Nov 11 12:05:23 endpoint pluto[1894]: Setting NAT-Traversal port-4500 floating to on
Nov 11 12:05:23 endpoint pluto[1894]:    port floating activation criteria nat_t=1/port_float=1
Nov 11 12:05:23 endpoint pluto[1894]:    NAT-Traversal support  [enabled] [Force KeepAlive]
Nov 11 12:05:23 endpoint pluto[1894]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 11 12:05:23 endpoint pluto[1894]: starting up 1 cryptographic helpers
Nov 11 12:05:23 endpoint pluto[1894]: started helper (thread) pid=-1229763776 (fd:7)
Nov 11 12:05:23 endpoint pluto[1894]: Using Linux 2.6 IPsec interface code on 3.6.2-4.fc17.i686.PAE (experimental code)
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_add(): ERROR: Algorithm already exists
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_add(): ERROR: Algorithm already exists
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_add(): ERROR: Algorithm already exists
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_add(): ERROR: Algorithm already exists
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_add(): ERROR: Algorithm already exists
Nov 11 12:05:24 endpoint pluto[1894]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Nov 11 12:05:24 endpoint pluto[1894]: Could not change to directory '/etc/ipsec.d/cacerts': /
Nov 11 12:05:24 endpoint pluto[1894]: Could not change to directory '/etc/ipsec.d/aacerts': /
Nov 11 12:05:24 endpoint pluto[1894]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Nov 11 12:05:24 endpoint pluto[1894]: Could not change to directory '/etc/ipsec.d/crls'
Nov 11 12:05:24 endpoint pluto[1894]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 11 12:05:24 endpoint pluto[1894]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Nov 11 12:05:24 endpoint pluto[1894]: added connection description "THECOMPANY"
Nov 11 12:05:24 endpoint pluto[1894]: listening for IKE messages
Nov 11 12:05:24 endpoint pluto[1894]: adding interface p3p1/p3p1 192.168.4.66:500
Nov 11 12:05:24 endpoint pluto[1894]: adding interface p3p1/p3p1 192.168.4.66:4500
Nov 11 12:05:24 endpoint pluto[1894]: adding interface lo/lo 127.0.0.1:500
Nov 11 12:05:24 endpoint pluto[1894]: adding interface lo/lo 127.0.0.1:4500
Nov 11 12:05:24 endpoint pluto[1894]: adding interface lo/lo ::1:500
Nov 11 12:05:24 endpoint pluto[1894]: loading secrets from "/etc/ipsec.secrets"
Nov 11 12:05:24 endpoint pluto[1894]: loading secrets from "/etc/ipsec.d/THECOMPANY.secrets"
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: initiating Main Mode
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: received Vendor ID payload [Dead Peer Detection]
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: ignoring Vendor ID payload [KAME/racoon]
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: ignoring Vendor ID payload [KAME/racoon]
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: Main mode peer ID is ID_IPV4_ADDR: 'w.x.y.z'
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:ed035a6f proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Nov 11 12:05:25 endpoint pluto[1894]: "THECOMPANY" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 11 12:05:25 endpoint pluto[1894]: "THECOMPANY" #1: received and ignored informational message
Nov 11 12:05:25 endpoint pluto[1894]: "THECOMPANY" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Nov 11 12:05:25 endpoint pluto[1894]: "THECOMPANY" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x040cbbe1 <0x8b5cc2cf xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

==== Output from systemctl status ipsec.service
ipsec.service - LSB: Start Openswan IPsec at boot time
	  Loaded: loaded (/etc/rc.d/init.d/ipsec)
	  Active: active (running) since Sun, 11 Nov 2012 11:57:37 -0700; 5min ago
	 Process: 1158 ExecStop=/etc/rc.d/init.d/ipsec stop (code=exited, status=0/SUCCESS)
	 Process: 1244 ExecStart=/etc/rc.d/init.d/ipsec start (code=exited, status=0/SUCCESS)
	  CGroup: name=systemd:/system/ipsec.service
		  + 1337 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uni...
		  + 1338 logger -s -p daemon.error -t ipsec__plutorun
		  + 1341 /bin/sh /usr/libexec/ipsec/_plutorun --debug --uni...
		  + 1342 /bin/sh /usr/libexec/ipsec/_plutoload --wait no --...
		  + 1346 /usr/libexec/ipsec/pluto --nofork --secretsfile /e...
		  + 1375 _pluto_adns

Nov 11 11:57:38 endpoint pluto[1346]: "THECOMPANY" #1: transition from sta...I3
Nov 11 11:57:38 endpoint pluto[1346]: "THECOMPANY" #1: STATE_MAIN_I3: sent...R3
Nov 11 11:57:39 endpoint pluto[1346]: "THECOMPANY" #1: Main mode peer ID i...9'
Nov 11 11:57:39 endpoint pluto[1346]: "THECOMPANY" #1: transition from sta...I4
Nov 11 11:57:39 endpoint pluto[1346]: "THECOMPANY" #1: STATE_MAIN_I4: ISAK...4}
Nov 11 11:57:39 endpoint pluto[1346]: "THECOMPANY" #2: initiating Quick Mo...4}
Nov 11 11:57:39 endpoint pluto[1346]: "THECOMPANY" #1: ignoring informatio...00
Nov 11 11:57:39 endpoint pluto[1346]: "THECOMPANY" #1: received and ignore...ge
Nov 11 11:57:40 endpoint pluto[1346]: "THECOMPANY" #2: transition from sta...I2
Nov 11 11:57:40 endpoint pluto[1346]: "THECOMPANY" #2: STATE_QUICK_I2: sen...e}



==== Output from ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface p3p1/p3p1 192.168.4.66
000 interface p3p1/p3p1 192.168.4.66
000 %myid = (none)
000 debug none
000 
000 virtual_private (%priv):
000 - allowed 2 subnets: 192.168.4.0/24, 172.23.93.0/24
000 - disallowed 0 subnets: 
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 
000          private address space in internal use, it should be excluded!
000 
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000 
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,1536} attrs={0,2,2048} 
000 
000 "THECOMPANY": 192.168.4.0/24===192.168.4.66[+S=C]...w.x.y.z<w.x.y.z>[+S=C]===172.23.93.0/24; erouted; eroute owner: #2
000 "THECOMPANY":     myip=unset; hisip=unset;
000 "THECOMPANY":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "THECOMPANY":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: p3p1; 
000 "THECOMPANY":   newest ISAKMP SA: #1; newest IPsec SA: #2; 
000 "THECOMPANY":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "THECOMPANY":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "THECOMPANY":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "THECOMPANY":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
000 "THECOMPANY":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "THECOMPANY":   ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<Phase1>
000 
000 #2: "THECOMPANY":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27734s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "THECOMPANY" esp.586c998 at w.x.y.z esp.765b132c at 192.168.4.66 tun.0 at w.x.y.z tun.0 at 192.168.4.66 ref=0 refhim=4294901761
000 #1: "THECOMPANY":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2292s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 

==== Output from Netgear vpn logs
2012 Nov 11 12:05:26 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel w.x.y.z->75.161.94.153 with spi=2338112207(0x8b5cc2cf)_
2012 Nov 11 12:05:26 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel 75.161.94.153->w.x.y.z with spi=67943393(0x40cbbe1)_
2012 Nov 11 12:05:25 [FVS336GV2] [IKE] Using IPsec SA configuration: 172.23.93.0/24<->192.168.4.0/24_
2012 Nov 11 12:05:25 [FVS336GV2] [IKE] Responding to new phase 2 negotiation: w.x.y.z[0]<=>75.161.94.153[0]_
2012 Nov 11 12:05:25 [FVS336GV2] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2012 Nov 11 12:05:25 [FVS336GV2] [IKE] ISAKMP-SA established for w.x.y.z[500]-75.161.94.153[500] with spi:db8e8a17548c3eb5:eb550b0a15d71da4_
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Setting DPD Vendor ID_
                - Last output repeated twice -
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
                - Last output repeated twice -
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] DPD is Enabled_
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Received Vendor ID: DPD_
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Received unknown Vendor ID_
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Beginning Identity Protection mode._
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Received request for new phase 1 negotiation: w.x.y.z[500]<=>75.161.94.153[500]_
2012 Nov 11 12:05:24 [FVS336GV2] [IKE] Configuration found for 75.161.94.153[500]._
2012 Nov 11 12:05:23 [FVS336GV2] [IKE] ISAKMP-SA deleted for w.x.y.z[500]-75.161.94.153[500] with spi:ac7bb92199b5fca4:20059ea92ae6448e_
2012 Nov 11 12:05:22 [FVS336GV2] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=ac7bb92199b5fca4:20059ea92ae6448e._
2012 Nov 11 12:05:22 [FVS336GV2] [IKE] Purged IPsec-SA with proto_id=ESP and spi=1985680172(0x765b132c)._
2012 Nov 11 12:05:22 [FVS336GV2] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._


> What do your logs say?
> On Nov 11, 2012 12:52 AM, "Durwin" <thecajun at nmia.com> wrote:
> 
> > I have a connection established and I can enter commands when connected
> > one way, but when connected the other way, the commands will partially
> > output before it locks.
> >
> > left public will be referred to as   a.b.c.d
> > left private subnet is 192.168.4.0/24
> > right public will be referred to as w.x.y.z
> > right private subnet is 172.23.93.0/24
> >
> > Left side I have a Fedora17 machine.  I have disabled selinux and
> > iptables for now.
> >
> > Right side is behind NETGEAR ProSafe VPN Firewall FVS336GV2.
> >
> >
> > From the left I can ssh to a machine inside the right.  I can do normal
> > work.  I can also ssh back to the left, and if I enter a command with
> > very little output it works.  But if for instance I enter 'ls -l' it
> > will start to list the directory, but then stop.  Does not respond to
> > any key press, even control-c.  Twice I saw it eventually complete the
> > list (after many minutes), but that is the exception.
> >
> > My configurations follow.
> >
> > === /etc/ipsec.conf ===
> > version    2.0 # conforms to second version of ipsec.conf specification
> >
> > # basic configuration
> > config setup
> >    # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >    # klipsdebug=none
> >    # plutodebug="control parsing"
> >    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> >    protostack=netkey
> >    nat_traversal=yes
> >    virtual_private=%v4:192.168.4.0/24,%v4:172.23.93.0/24
> >    oe=off
> >    # Enable this if you see "failed to find any available worker"
> >    # nhelpers=0
> >    force_keepalive=yes
> >    keep_alive=10
> >
> > #You may put your configuration (.conf) file in the "/etc/ipsec.d/"
> > include /etc/ipsec.d/*.conf
> >
> >
> > === /etc/ipsec.d/myconn.conf ===
> > conn myconn
> >    left=%defaultroute
> >    leftsubnet=192.168.4.0/24
> >    #leftnexthop=%defaultroute
> >    right=w.x.y.z
> >    #right=%defaultroute
> >    rightsubnet=172.23.93.0/24
> >    #rightnexthop=%defaultroute
> >    type=tunnel
> >    authby=secret
> >    keyexchange=ike
> >    auto=start
> >    pfs=yes
> >    ike=3des-sha1-modp1024
> >    esp=3des-sha1
> >
> > === /etc/ipsec.d/myconn.secrets  ===
> > a.b.c.d 192.168.4.66 192.168.4.1 w.x.y.z : PSK "mysecret"
> >
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
> >

-- 
reality.sys corrupted. universe halted. reboot (y/n)?

Durwin F. De La Rue <thecajun at nmia.com>
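The two log excerpts above describe the same IPsec SA from opposite ends: pluto prints the pair as `ESP=>0x040cbbe1 <0x8b5cc2cf`, while the FVS336GV2 prints one line per direction with the SPI in decimal and hex. A quick way to confirm that both peers agree on the SA (and so rule out a phase-2 mismatch before looking elsewhere) is to parse both formats and match SPIs per direction. The script below is an added example for this thread, not code from Openswan or from the poster; the sample lines are copied from the logs posted above, and it reads the value after `=>` as the left (Fedora) host's outbound SPI and the value after `<` as its inbound SPI, which is how the directions in the Netgear entries line up (an assumption about the pluto format, checked only against these logs).

```python
import re

# Sample lines taken from the two logs posted in this thread (left: Openswan pluto,
# right: Netgear FVS336GV2).  Addresses and SPIs are the ones that appear there.
PLUTO_LOG = """\
Nov 11 12:05:24 endpoint pluto[1894]: "THECOMPANY" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 11 12:05:25 endpoint pluto[1894]: "THECOMPANY" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x040cbbe1 <0x8b5cc2cf xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

NETGEAR_LOG = """\
2012 Nov 11 12:05:26 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel w.x.y.z->75.161.94.153 with spi=2338112207(0x8b5cc2cf)_
2012 Nov 11 12:05:26 [FVS336GV2] [IKE] IPsec-SA established: ESP/Tunnel 75.161.94.153->w.x.y.z with spi=67943393(0x40cbbe1)_
2012 Nov 11 12:05:22 [FVS336GV2] [IKE] Purged IPsec-SA with proto_id=ESP and spi=1985680172(0x765b132c)._
"""

# pluto: "ESP=>0x<outbound spi> <0x<inbound spi>" (assumed direction mapping, see lead-in)
PLUTO_RE = re.compile(r"ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)")
# Netgear: one "IPsec-SA established" line per direction, SPI as decimal(hex)
NETGEAR_RE = re.compile(
    r"IPsec-SA established: ESP/Tunnel (\S+)->(\S+) with spi=(\d+)\(0x([0-9a-fA-F]+)\)"
)


def parse_pluto(text):
    """Return (outbound_spi, inbound_spi) as ints from the newest pluto
    'IPsec SA established' line, or None if no such line is present."""
    result = None
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if m:
            result = (int(m.group(1), 16), int(m.group(2), 16))
    return result


def parse_netgear(text):
    """Return {(src, dst): spi} for every Netgear 'IPsec-SA established' line.
    Lines about purged or deleted SAs do not match and are ignored.  The decimal
    and hex fields must agree, otherwise the line was mangled in transit."""
    sas = {}
    for line in text.splitlines():
        m = NETGEAR_RE.search(line)
        if not m:
            continue
        src, dst, dec, hx = m.groups()
        if int(dec) != int(hx, 16):
            raise ValueError(f"decimal/hex SPI disagree: {line!r}")
        sas[(src, dst)] = int(dec)
    return sas


def correlate(pluto_text, netgear_text, left_ip, right_ip):
    """Check that the SA pair logged by the left host matches what the right
    peer logged per direction.  left->right on the Netgear must carry the
    left host's outbound (=>) SPI; right->left must carry its inbound (<) SPI."""
    pair = parse_pluto(pluto_text)
    if pair is None:
        raise ValueError("no 'IPsec SA established' line in pluto log")
    out_spi, in_spi = pair
    sas = parse_netgear(netgear_text)
    return {
        "outbound_spi": f"0x{out_spi:08x}",
        "inbound_spi": f"0x{in_spi:08x}",
        "outbound_match": sas.get((left_ip, right_ip)) == out_spi,
        "inbound_match": sas.get((right_ip, left_ip)) == in_spi,
    }


if __name__ == "__main__":
    # The left host's public address in the Netgear log is 75.161.94.153;
    # the Netgear itself is w.x.y.z as written in the thread.
    print(correlate(PLUTO_LOG, NETGEAR_LOG, "75.161.94.153", "w.x.y.z"))
```

When both `outbound_match` and `inbound_match` are true, as they are for the excerpts above, the two peers hold the same ESP SA pair and the IKE side of the tunnel is consistent; the purged SPI `0x765b132c` from the earlier run is correctly left out. A mismatch in only one direction would point at a stale or duplicated SA on one side, which is worth checking before changing rekey settings.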


