[Openswan Users] IPSec config and passthrough on Draytek 2820n
Nick Howitt
n1ck.h0w1tt at gmail.com
Thu Jan 10 13:21:33 EST 2013
Can I ask a stupid question? Why are you not terminating the IPSec in
the 2820n? It is a great little router. Configure it with ESP with
Encryption and Authentication, AES256/DH14, PFS and it will interoperate
fine with Openswan.
Anyway, back to your question. I believe a blank line marks the end of a
conn so it is not seeing your last four parameters. In the same way
something at the beginning of the line marks a new conn - even if it is
a #. An indented # will comment out a parameter OK.
Regards,
Nick
On 09/01/2013 22:43, Daniel Cave wrote:
> Hi there ipsec'ers
>
> I've been playing with a two host config
>
> IPsec box 1: hostname FCS01 (on internet)
>
> Internet IP Address.
> Local ip 10.49.73.1/24
> Centos 5.8. Linux Openswan U2.6.38/K2.6.18-308.4.1.el5debug (netkey)
>
>
> It also has two other IPsec connections (another openSwan net and a net gear wifi router ipsec networks so I can ping the other two endpoints.) - this is my 'hub'
>
> Ipsec box 2 - hostname centos62.
>
> @Home - CentOS 6.2 sat behind a Draytek 2820n running Linux Openswan U2.6.32/K2.6.32-220.el6.x86_64 (netkey)
> on the same lan. 192.168.72.0/24
>
> I have setup port forwarding on my 2820 to forward UDP 500/4500 to the swan box.
>
> When i set the respective configs, on Swan and fcs01 to bring up the tunnel at both ends, and they run up and i get this on both endpoints.
>
> on fcs01 -
>
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: responding to Main Mode
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #25: the peer proposed: 10.49.73.0/24:0/0 -> 192.168.72.0/24:0/0
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: responding to Quick Mode proposal {msgid:815f1190}
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: us: 10.49.73.0/24===xx..233.50.68
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: them: xxx.155.56.206<xx.155.56.206>===192.168.72.0/24
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan 9 22:22:48 fcs01 pluto[16053]: "swan" #26: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb4f4c8de <0xa17e4de8 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> [root at fcs01 ~]# Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: ignoring unknown Vendor ID payload [4f4568794c64414365636661]
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload [Dead Peer Detection]
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I2: sent MI2, expecting MR2
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I3: sent MI3, expecting MR3
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: received Vendor ID payload [CAN-IKEv2]
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.56.206'
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #24: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #27: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#24 msgid:dccc3a97 proposal=3DES(3)_192-SHA1(2)_160, DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #27: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jan 9 22:23:10 fcs01 pluto[16053]: "swan" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6335e9b5 <0xb9337ef3 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> On Centos62/swan, i see this
>
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: ignoring unknown Vendor ID payload [4f4576795c6b677a57715c73]
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: received Vendor ID payload [Dead Peer Detection]
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: received Vendor ID payload [CAN-IKEv2]
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:815f1190 proposal=3DES(3)_192-SHA1(2)_160, DES(2)_064-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jan 9 22:24:27 centos62 pluto[32740]: "fcs01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa17e4de8 <0xb4f4c8de xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
> What do these mean?
>
> Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: ignoring unknown Vendor ID payload [4f4576795c6b677a57715c73]
> Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [Dead Peer Detection]
> Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
> Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xxx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
> Jan 9 22:24:49 centos62 pluto[32740]: packet from xx.xx.50.68:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: responding to Main Mode
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R1: sent MR1, expecting MI2
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R2: sent MR2, expecting MI3
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.50.68'
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #3: the peer proposed: 192.168.72.0/24:0/0 -> 10.49.73.0/24:0/0
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: responding to Quick Mode proposal {msgid:dccc3a97}
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: us: 192.168.72.0/24===192.168.72.69[xx.xx.56.206,+S=C]
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: them: xxx.xxx.50.68<xxx.xxx.50.68>[+S=C]===10.49.73.0/24
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: keeping refhim=4294901761 during rekey
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Jan 9 22:24:49 centos62 pluto[32740]: "fcs01" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xb9337ef3 <0x6335e9b5 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
>
> I know the port forwarding is fine on the router as I use net cat pushing the udp ports 500/4500 as i see the net cat probe from i run from fcs01 to the public static ip i have on my home
>
> # tcpdump -lnni eth0 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 22:22:31.893797 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:31.893859 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:32.895488 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:33.896155 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
> 22:22:34.897823 IP xx.xxx.50.68.51246 > 192.168.72.69.4500: [|isakmp]
>
> [root at centos62 ~]# tcpdump -lnni eth0 port 500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 22:23:19.926083 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:19.926142 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:20.926243 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:21.927177 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
> 22:23:22.928614 IP xxx.233.50.68.34727 > 192.168.72.69.500: [|isakmp]
>
> The problem Im having is that I cannot ping 192.168.72.69 from fcs01 and vica versa, (like I can with my other connections)
>
> I also don't believe I understand whether I should be using nat-traversal, as I've tried on both sides as I've tried :-/ Also have dropped the firewall rules on both linux hosts and reinitiated the tunnels but nothing changes.
>
> Ive copied the config from one of my other openswan linux hosts and just modified the right hand side IP/networks to accommodate this connection.
>
> I've also been able to terminate an ipsec tunnel from fcs01 on my draytek 2820n without any issues.
>
> HAs someone come across this config before and point whether they can see a problem.
>
> Configs below
>
> (cents box being draytek @ home )
>
> [root at centos62 ipsec.d]# cat fcs01.conf
> # basic configuration
> #config setup
> # interfaces=eth0
> # nat_traversal=yes
> # oe=no
> # protostack=netkey
> # syslog=syslog.debug
>
> conn fcs01
> type=tunnel
> connaddrfamily=ipv4
> authby=secret
> auto=start
> #auto=route
> compress=no
> ike=3des-sha1,des-md5
> phase2alg=3des-sha1,des-md5
> phase2=esp
> ikelifetime=3600s
> keyexchange=ike
> keylife=28800s
> keyingtries=%forever
> left=%defaultroute
> leftid=xx.xx.56.206
> leftsourceip=192.168.72.69
> leftsubnet=192.168.72.0/24
> pfs=yes
> #dpdaction=restart
> #dpdtimeout=30
> #dpddelay=120
>
> right=xx.xx.50.68
> rightsourceip=10.49.73.1
> rightid=xx.xx.50.68
> rightsubnet=10.49.73.0/24
>
> [root at fcs01 ipsec.d]# cat swan.conf
> # basic configuration
> #config setup
> # interfaces=eth0
> # oe=no
> ## protostack=netkey
> # syslog=syslog.debug
> virtual_private=%v4:10.49.73.0/24,%v4:192.168.72.0/24
>
> conn swan
> type=tunnel
> connaddrfamily=ipv4
> authby=secret
> auto=start
> #auto=route
> compress=no
> ike=3des-sha1,des-md5
> phase2alg=3des-sha1,des-md5
> phase2=esp
> ikelifetime=3600s
> keyexchange=ike
> keylife=28800s
> keyingtries=%forever
> left=%defaultroute
> leftsourceip=10.49.73.1
> leftid=xx.x.50.68
> leftsubnet=10.49.73.0/24
> pfs=yes
> # dpdaction=restart
> # dpdtimeout=30
> # dpddelay=120
>
> right=xx.xx.56.206
> rightid=xx.xx.56.206
> rightsourceip=192.168.72.69
> rightsubnet=192.168.72.0/24
>
>
> Any ideas? Thanks in advance
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list