[Openswan Users] IPSec config and passthrough on Draytek 2820n
Daniel Cave
dan.cave at me.com
Wed Jan 9 17:43:01 EST 2013
Hi there ipsec'ers
I've been playing with a two host config
IPsec box 1: hostname FCS01 (on internet)
Internet IP Address.
Local ip 10.49.73.1/24
Centos 5.8. Linux Openswan U2.6.38/K2.6.18-308.4.1.el5debug (netkey)
It also has two other IPsec connections (another openSwan net and a net gear wifi router ipsec networks so I can ping the other two endpoints.) - this is my 'hub'
Ipsec box 2 - hostname centos62.
@Home - CentOS 6.2 sat behind a Draytek 2820n running Linux Openswan U2.6.32/K2.6.32-220.el6.x86_64 (netkey)
on the same lan. 192.168.72.0/24
I have setup port forwarding on my 2820 to forward UDP 500/4500 to the swan box.
When i set the respective configs, on Swan and fcs01 to bring up the tunnel at both ends, and they run up and i get this on both endpoints.
on fcs01 -
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: responding to Main Mode
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: the peer proposed: 10.49.73.0/24:0/0 -> 192.168.72.0/24:0/0
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: responding to Quick Mode proposal {msgid:815f1190}
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: us: 10.49.73.0/24===xx..233.50.68
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: them: xxx.155.56.206<xx.155.56.206>===192.168.72.0/24
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb4f4c8de <0xa17e4de8 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
[root at fcs01 ~]# Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload [Dead Peer Detection]
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload [CAN-IKEv2]
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#24 msgid:dccc3a97 proposal=3DES(3)_192-SHA1(2)_160, DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #27: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6335e9b5 <0xb9337ef3 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
On Centos62/swan, i see this
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: ignoring unknown Vendor ID payload [4f4576795c6b677a57715c73]
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: received Vendor ID payload [Dead Peer Detection]
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: received Vendor ID payload [CAN-IKEv2]
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:815f1190 proposal=3DES(3)_192-SHA1(2)_160, DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa17e4de8 <0xb4f4c8de xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
What do these mean?
Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: ignoring unknown Vendor ID payload [4f4576795c6b677a57715c73]
Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [Dead Peer Detection]
Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xxx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: responding to Main Mode
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: the peer proposed: 192.168.72.0/24:0/0 -> 10.49.73.0/24:0/0
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: responding to Quick Mode proposal {msgid:dccc3a97}
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: us: 192.168.72.0/24===192.168.72.69[xx.xx.56.206,+S=C]
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: them: xxx.xxx.50.68<xxx.xxx.50.68>[+S=C]===10.49.73.0/24
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: keeping refhim=4294901761 during rekey
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb9337ef3 <0x6335e9b5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
I know the port forwarding is fine on the router as I use net cat pushing the udp ports 500/4500 as i see the net cat probe from i run from fcs01 to the public static ip i have on my home
# tcpdump -lnni eth0 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:22:31.893797 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
22:22:31.893859 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
22:22:32.895488 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
22:22:33.896155 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
22:22:34.897823 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
[root at centos62 ~]# tcpdump -lnni eth0 port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:23:19.926083 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
22:23:19.926142 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
22:23:20.926243 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
22:23:21.927177 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
22:23:22.928614 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
The problem Im having is that I cannot ping 192.168.72.69 from fcs01 and vica versa, (like I can with my other connections)
I also don't believe I understand whether I should be using nat-traversal, as I've tried on both sides as I've tried :-/ Also have dropped the firewall rules on both linux hosts and reinitiated the tunnels but nothing changes.
Ive copied the config from one of my other openswan linux hosts and just modified the right hand side IP/networks to accommodate this connection.
I've also been able to terminate an ipsec tunnel from fcs01 on my draytek 2820n without any issues.
HAs someone come across this config before and point whether they can see a problem.
Configs below
(cents box being draytek @ home )
[root at centos62 ipsec.d]# cat fcs01.conf
# basic configuration
#config setup
# interfaces=eth0
# nat_traversal=yes
# oe=no
# protostack=netkey
# syslog=syslog.debug
conn fcs01
type=tunnel
connaddrfamily=ipv4
authby=secret
auto=start
#auto=route
compress=no
ike=3des-sha1,des-md5
phase2alg=3des-sha1,des-md5
phase2=esp
ikelifetime=3600s
keyexchange=ike
keylife=28800s
keyingtries=%forever
left=%defaultroute
leftid=xx.xx.56.206
leftsourceip=192.168.72.69
leftsubnet=192.168.72.0/24
pfs=yes
#dpdaction=restart
#dpdtimeout=30
#dpddelay=120
right=xx.xx.50.68
rightsourceip=10.49.73.1
rightid=xx.xx.50.68
rightsubnet=10.49.73.0/24
[root at fcs01 ipsec.d]# cat swan.conf
# basic configuration
#config setup
# interfaces=eth0
# oe=no
## protostack=netkey
# syslog=syslog.debug
virtual_private=%v4:10.49.73.0/24,%v4:192.168.72.0/24
conn swan
type=tunnel
connaddrfamily=ipv4
authby=secret
auto=start
#auto=route
compress=no
ike=3des-sha1,des-md5
phase2alg=3des-sha1,des-md5
phase2=esp
ikelifetime=3600s
keyexchange=ike
keylife=28800s
keyingtries=%forever
left=%defaultroute
leftsourceip=10.49.73.1
leftid=xx.x.50.68
leftsubnet=10.49.73.0/24
pfs=yes
# dpdaction=restart
# dpdtimeout=30
# dpddelay=120
right=xx.xx.56.206
rightid=xx.xx.56.206
rightsourceip=192.168.72.69
rightsubnet=192.168.72.0/24
Any ideas? Thanks in advance
More information about the Users
mailing list