[Openswan Users] Using pure ipsec to test Linux-to-Linux VPN data not encrypted

Cisco Employee manfonly at gmail.com
Sat Feb 16 21:32:13 EST 2013 

Hi,

I have a problem with a pure ipsec VPN on ubuntu to ubuntu both in the local
network.
The ipsec connection has been established, but the data does not encrypted!

HOST1: 10.140.28.31
$ uname -vro
3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:41:14 UTC 2012 GNU/Linux

$ ipsec --version
Linux Openswan U2.6.37/K3.2.0-23-generic (netkey)
See `ipsec --copyright' for copyright information.

$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.37/K3.2.0-23-generic (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing XFRM related proc values                  [OK]
[OK]
[OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [WARNING]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]

$sudo cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey
conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    rekey=no
    ikelifetime=8h
    keylife=1h
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

$ ifconfig
eth1      Link encap:Ethernet  HWaddr 08:00:27:4c:34:16
          inet addr:10.140.28.31  Bcast:10.140.28.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe4c:3416/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1430  Metric:1
          RX packets:2715 errors:0 dropped:0 overruns:0 frame:0
          TX packets:944 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:432896 (432.8 KB)  TX bytes:134994 (134.9 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:30 errors:0 dropped:0 overruns:0 frame:0
          TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2482 (2.4 KB)  TX bytes:2482 (2.4 KB)

$ sudo /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-23-genericŠ

HOST2: 10.140.28.24
$uname ­vro
2.6.32-45-generic #102-Ubuntu SMP Wed Jan 2 21:53:06 UTC 2013 GNU/Linux

$ipsec ‹version
Linux Openswan U2.6.23/K2.6.32-45-generic (netkey)
See `ipsec --copyright' for copyright information.

$sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.23/K2.6.32-45-generic (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.secrets)           [OK]
Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [OK]
Pluto listening for NAT-T on udp 4500                       [OK]
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]

$sudo cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey

conn ipsecVPN 
authby=secret
pfs=no
auto=add
rekey=yes
type=transport
left=%defaultroute
leftprotoport=17/1701
right=10.140.28.31
rightprotoport=17/1701

$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:5a:14:1c:f6
          inet addr:10.140.28.24  Bcast:10.140.28.255  Mask:255.255.255.0
          inet6 addr: fe80::221:5aff:fe14:1cf6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1430  Metric:1
          RX packets:295957 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65073 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:144176320 (144.1 MB)  TX bytes:4425554 (4.4 MB)
          Interrupt:26 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:898 errors:0 dropped:0 overruns:0 frame:0
          TX packets:898 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:418304 (418.3 KB)  TX bytes:418304 (418.3 KB)

$ sudo /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-45-generic...

$ sudo ipsec auto --up ipsecVPN
104 "ipsecVPN" #1: STATE_MAIN_I1: initiate
003 "ipsecVPN" #1: ignoring unknown Vendor ID payload
[4f45755c645c6a795c5c6170]
003 "ipsecVPN" #1: received Vendor ID payload [Dead Peer Detection]
003 "ipsecVPN" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "ipsecVPN" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ipsecVPN" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no
NAT detected
108 "ipsecVPN" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "ipsecVPN" #1: received Vendor ID payload [CAN-IKEv2]
004 "ipsecVPN" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
117 "ipsecVPN" #2: STATE_QUICK_I1: initiate
004 "ipsecVPN" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport
mode {ESP=>0x3506b476 <0x3fb0df2c xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}

$ sudo /etc/init.d/ipsec status
IPsec stopped
but...
has /var/run/pluto/ipsec.info file!
An normal Pluto is active?
some (1) eroutes exist!

$ sudo ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.140.28.24
000 interface eth0/eth0 10.140.28.24
000 %myid = (none)
000 debug none
000  
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a
syntax 
000          error in that line. 'left/rightsubnet=%priv' will not work!
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160,
keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000  
000 "ipsecVPN": 
10.140.28.24[+S=C]:17/1701...10.140.28.31<10.140.28.31>[+S=C]:17/1701;
erouted; eroute owner: #2
000 "ipsecVPN":     myip=unset; hisip=unset;
000 "ipsecVPN":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "ipsecVPN":   policy: PSK+ENCRYPT+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32;
interface: eth0; 
000 "ipsecVPN":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "ipsecVPN":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000  
000 #2: "ipsecVPN":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27907s; newest IPSEC; eroute owner; isakmp#1; idle;
import:admin initiate
000 #2: "ipsecVPN" esp.3506b476 at 10.140.28.31 esp.3fb0df2c at 10.140.28.24 ref=0
refhim=4294901761
000 #1: "ipsecVPN":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2632s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle;
import:admin initiate
000  

$ ping 10.140.28.31
PING 10.140.28.31 (10.140.28.31) 56(84) bytes of data.
64 bytes from 10.140.28.31: icmp_seq=1 ttl=64 time=1.03 ms
64 bytes from 10.140.28.31: icmp_seq=2 ttl=64 time=0.668 ms
64 bytes from 10.140.28.31: icmp_seq=3 ttl=64 time=1.24 ms
64 bytes from 10.140.28.31: icmp_seq=4 ttl=64 time=0.890 ms
ŠŠ

More information about the Users mailing list