[Openswan Users] IPSec config and passthrough on Draytek 2820n

Nick Howitt n1ck.h0w1tt at gmail.com
Thu Jan 10 13:21:33 EST 2013


Can I ask a stupid question? Why are you not terminating the IPSec in 
the 2820n? It is a great little router. Configure it with ESP with 
Encryption and Authentication, AES256/DH14, PFS and it will interoperate 
fine with Openswan.

Anyway, back to your question. I believe a blank line marks the end of a 
conn so it is not seeing your last four parameters. In the same way 
something at the beginning of the line marks a new conn - even if it is 
a #. An indented # will comment out a parameter OK.

Regards,

Nick

On 09/01/2013 22:43, Daniel Cave wrote:
> Hi there ipsec'ers
>
> I've been playing with a two host config
>
> IPsec box 1: hostname FCS01 (on internet)
>
> Internet IP Address.
> Local ip 10.49.73.1/24
> Centos 5.8.  Linux Openswan U2.6.38/K2.6.18-308.4.1.el5debug (netkey)
>
>
> It also has two other IPsec connections (another openSwan net and a net gear wifi router ipsec networks so I can ping the other two endpoints.)  - this is my 'hub'
>
> Ipsec box 2 - hostname centos62.
>
> @Home - CentOS 6.2 sat behind a Draytek 2820n running Linux Openswan U2.6.32/K2.6.32-220.el6.x86_64 (netkey)
> on the same lan. 192.168.72.0/24
>
> I have setup port forwarding on my 2820 to forward UDP 500/4500 to the swan box.
>
> When i set the respective configs, on Swan and fcs01 to bring up the tunnel at both ends,  and they run up and i get this on both endpoints.
>
> on fcs01 -
>
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: responding to Main Mode
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #25: the peer proposed: 10.49.73.0/24:0/0 -> 192.168.72.0/24:0/0
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26: responding to Quick Mode proposal {msgid:815f1190}
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26:     us: 10.49.73.0/24===xx..233.50.68
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26:   them: xxx.155.56.206<xx.155.56.206>===192.168.72.0/24
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan  9 22:22:48 fcs01 pluto[16053]: "swan" #26: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb4f4c8de <0xa17e4de8 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> [root at fcs01 ~]# Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload [Dead Peer Detection]
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I2: sent MI2, expecting MR2
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I3: sent MI3, expecting MR3
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload [CAN-IKEv2]
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#24 msgid:dccc3a97 proposal=3DES(3)_192-SHA1(2)_160, DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #27: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jan  9 22:23:10 fcs01 pluto[16053]: "swan" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6335e9b5 <0xb9337ef3 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> On Centos62/swan, i see this
>
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: ignoring unknown Vendor ID payload [4f4576795c6b677a57715c73]
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: received Vendor ID payload [Dead Peer Detection]
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: received Vendor ID payload [CAN-IKEv2]
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:815f1190 proposal=3DES(3)_192-SHA1(2)_160, DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jan  9 22:24:27 centos62 pluto[32740]: "fcs01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa17e4de8 <0xb4f4c8de xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> What do these mean?
>
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: ignoring unknown Vendor ID payload [4f4576795c6b677a57715c73]
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [Dead Peer Detection]
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xxx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
> Jan  9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: responding to Main Mode
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #3: the peer proposed: 192.168.72.0/24:0/0 -> 10.49.73.0/24:0/0
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: responding to Quick Mode proposal {msgid:dccc3a97}
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4:     us: 192.168.72.0/24===192.168.72.69[xx.xx.56.206,+S=C]
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4:   them: xxx.xxx.50.68<xxx.xxx.50.68>[+S=C]===10.49.73.0/24
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: keeping refhim=4294901761 during rekey
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan  9 22:24:49 centos62 pluto[32740]: "fcs01" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb9337ef3 <0x6335e9b5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
>
> I know the port forwarding is fine on the router as I use net cat pushing the udp ports 500/4500 as i see the net cat probe from i run from fcs01 to the public static ip i have on my home
>
> # tcpdump -lnni  eth0 port 500
>   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 22:22:31.893797 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:31.893859 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:32.895488 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:33.896155 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:34.897823 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
>   
> [root at centos62 ~]# tcpdump -lnni  eth0 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 22:23:19.926083 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:19.926142 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:20.926243 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:21.927177 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:22.928614 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
>
> The problem Im having is that I cannot ping  192.168.72.69 from fcs01 and vica versa,  (like I can with my other connections)
>
> I also don't believe I understand whether I should be using nat-traversal, as I've tried on both sides as I've tried :-/   Also have dropped the firewall rules on both linux hosts and reinitiated the tunnels but nothing changes.
>
> Ive copied the config from one of my other openswan linux hosts and just modified the right hand side IP/networks to accommodate this connection.
>
> I've also been able to terminate an ipsec tunnel from fcs01 on my draytek 2820n  without any issues.
>
> HAs someone come across this config before and point whether they can see a problem.
>
> Configs below
>
> (cents box being draytek @ home )
>
> [root at centos62 ipsec.d]# cat fcs01.conf
> # basic configuration
> #config setup
> #    interfaces=eth0
> #    nat_traversal=yes
> #    oe=no
> #    protostack=netkey
> #   syslog=syslog.debug
>   
> conn fcs01
>      type=tunnel
>      connaddrfamily=ipv4
>      authby=secret
>      auto=start
>      #auto=route
>      compress=no
>      ike=3des-sha1,des-md5
>      phase2alg=3des-sha1,des-md5
>      phase2=esp
>      ikelifetime=3600s
>      keyexchange=ike
>      keylife=28800s
>      keyingtries=%forever
>      left=%defaultroute
>      leftid=xx.xx.56.206
>      leftsourceip=192.168.72.69
>      leftsubnet=192.168.72.0/24
>      pfs=yes
>      #dpdaction=restart
>      #dpdtimeout=30
>      #dpddelay=120
>
>      right=xx.xx.50.68
>      rightsourceip=10.49.73.1
>      rightid=xx.xx.50.68
>      rightsubnet=10.49.73.0/24
>
> [root at fcs01 ipsec.d]# cat swan.conf
> # basic configuration
> #config setup
> #    interfaces=eth0
> #    oe=no
> ##    protostack=netkey
> #    syslog=syslog.debug
>      virtual_private=%v4:10.49.73.0/24,%v4:192.168.72.0/24
>   
> conn swan
>      type=tunnel
>      connaddrfamily=ipv4
>      authby=secret
>      auto=start
>      #auto=route
>      compress=no
>      ike=3des-sha1,des-md5
>      phase2alg=3des-sha1,des-md5
>      phase2=esp
>      ikelifetime=3600s
>      keyexchange=ike
>      keylife=28800s
>      keyingtries=%forever
>      left=%defaultroute
>      leftsourceip=10.49.73.1
>      leftid=xx.x.50.68
>      leftsubnet=10.49.73.0/24
>      pfs=yes
> #    dpdaction=restart
>   #   dpdtimeout=30
>    #  dpddelay=120
>
>      right=xx.xx.56.206
>      rightid=xx.xx.56.206
>      rightsourceip=192.168.72.69
>      rightsubnet=192.168.72.0/24
>
>
> Any ideas? Thanks in advance
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155



More information about the Users mailing list