[Openswan Users] phase2 failed on 0.0.0.0/0 case
Ozai
ozai.tien at gmail.com
Fri Jan 18 01:39:37 EST 2013
Dear Sirs,
Could someone help me this question,Please.Thank's.
Best Regards,
Ozai
----- Original Message -----
From: Ozai
To: users at lists.openswan.org
Sent: Thursday, January 17, 2013 10:55 AM
Subject: [Openswan Users] phase2 failed on 0.0.0.0/0 case
Dear Sirs,
My test environment openswan 2.6.38 with embedded linux is as below.
192.168.1.x---------test1(openswan 172.17.21.80)-----------test2(openswan 172.17.21.81)--------192.168.2.x
I can not make the VPN tunnel on 0.0.0.0/0 case.The phase 1 already worked and Phase2 seem to be failed.It seem that test2 had sent 'Quick Mode' request to test1,but always could not get response from test1.I have no idea in it.Do I need to change my ipsec.conf?Does openswan support 0.0.0.0/0 case?or ..what.Please help me on this question.Thank's.
Best Regards,
Ozai
syslog on test2==============================================
Jan 1 00:45:47 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
Jan 1 00:45:47 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Jan 1 00:45:49 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Jan 1 00:45:49 daemon err ipsec_setup: ...Openswan IPsec started
Jan 1 00:45:49 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
Jan 1 00:45:49 user warn syslog: adjusting ipsec.d to /var/ipsec.d
Jan 1 00:45:49 authpriv warn pluto[1993]: WARNING: 1DES is enabled
Jan 1 00:45:49 authpriv warn pluto[1993]: LEAK_DETECTIVE support [disabled]
Jan 1 00:45:49 authpriv warn pluto[1993]: OCF support for IKE [disabled]
Jan 1 00:45:49 authpriv warn pluto[1993]: NSS support [disabled]
Jan 1 00:45:49 authpriv warn pluto[1993]: HAVE_STATSD notification support not compiled in
Jan 1 00:45:50 authpriv warn pluto[1993]: Setting NAT-Traversal port-4500 floating to off
Jan 1 00:45:50 authpriv warn pluto[1993]: port floating activation criteria nat_t=0/port_float=1
Jan 1 00:45:50 authpriv warn pluto[1993]: NAT-Traversal support [disabled]
Jan 1 00:45:50 authpriv warn pluto[1993]: using /dev/urandom as source of random entropy
Jan 1 00:45:50 authpriv warn pluto[1993]: starting up 1 cryptographic helpers
Jan 1 00:45:50 authpriv warn pluto[2011]: using /dev/urandom as source of random entropy
Jan 1 00:45:50 authpriv warn pluto[1993]: started helper pid=2011 (fd:6)
Jan 1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
Jan 1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
Jan 1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
Jan 1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
Jan 1 00:45:52 authpriv warn pluto[1993]: added connection description "test"
Jan 1 00:45:52 daemon err ipsec__plutorun: 002 added connection description "test"
Jan 1 00:45:52 authpriv warn pluto[1993]: added connection description "passthr"
Jan 1 00:45:52 daemon err ipsec__plutorun: 002 added connection description "passthr"
Jan 1 00:45:52 authpriv warn pluto[1993]: listening for IKE messages
Jan 1 00:45:52 authpriv warn pluto[1993]: adding interface eth0.1/eth0.1 172.17.21.81:500
Jan 1 00:45:52 authpriv warn pluto[1993]: adding interface br0/br0 192.168.2.254:500
Jan 1 00:45:52 authpriv warn pluto[1993]: adding interface lo/lo 127.0.0.1:500
Jan 1 00:45:52 authpriv warn pluto[1993]: adding interface lo/lo ::1:500
Jan 1 00:45:52 authpriv warn pluto[1993]: loading secrets from "/var/ipsec.secrets"
Jan 1 00:45:53 authpriv warn pluto[1993]: "test": deleting connection
Jan 1 00:45:53 authpriv warn pluto[1993]: added connection description "test"
Jan 1 00:45:55 authpriv warn pluto[1993]: "test" #1: initiating Main Mode
Jan 1 00:45:55 authpriv warn pluto[1993]: "test" #1: received Vendor ID payload [Dead Peer Detection]
Jan 1 00:45:55 authpriv warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 1 00:45:55 authpriv warn pluto[1993]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.80'
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:509d2931 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Jan 1 00:45:56 authpriv warn pluto[1993]: "test" #1: received and ignored informational message
Jan 1 00:47:06 authpriv warn pluto[1993]: "test" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:47:06 authpriv warn pluto[1993]: "test" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Jan 1 00:47:06 authpriv warn pluto[1993]: "test" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1 msgid:98d416b7 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:48:16 authpriv warn pluto[1993]: "test" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:48:16 authpriv warn pluto[1993]: "test" #3: starting keying attempt 3 of an unlimited number
Jan 1 00:48:16 authpriv warn pluto[1993]: "test" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1 msgid:88f89afc proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:49:26 authpriv warn pluto[1993]: "test" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:49:26 authpriv warn pluto[1993]: "test" #4: starting keying attempt 4 of an unlimited number
Jan 1 00:49:26 authpriv warn pluto[1993]: "test" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #4 {using isakmp#1 msgid:f62f9485 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:50:36 authpriv warn pluto[1993]: "test" #5: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:50:36 authpriv warn pluto[1993]: "test" #5: starting keying attempt 5 of an unlimited number
Jan 1 00:50:36 authpriv warn pluto[1993]: "test" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #5 {using isakmp#1 msgid:94452273 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:51:46 authpriv warn pluto[1993]: "test" #6: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:51:46 authpriv warn pluto[1993]: "test" #6: starting keying attempt 6 of an unlimited number
Jan 1 00:51:46 authpriv warn pluto[1993]: "test" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #6 {using isakmp#1 msgid:aa7aeb59 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:52:56 authpriv warn pluto[1993]: "test" #7: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:52:56 authpriv warn pluto[1993]: "test" #7: starting keying attempt 7 of an unlimited number
Jan 1 00:52:56 authpriv warn pluto[1993]: "test" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #7 {using isakmp#1 msgid:db655c5c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:54:06 authpriv warn pluto[1993]: "test" #8: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:54:06 authpriv warn pluto[1993]: "test" #8: starting keying attempt 8 of an unlimited number
Jan 1 00:54:06 authpriv warn pluto[1993]: "test" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #8 {using isakmp#1 msgid:99a28411 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:55:16 authpriv warn pluto[1993]: "test" #9: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:55:16 authpriv warn pluto[1993]: "test" #9: starting keying attempt 9 of an unlimited number
Jan 1 00:55:16 authpriv warn pluto[1993]: "test" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #9 {using isakmp#1 msgid:cb114d82 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:56:26 authpriv warn pluto[1993]: "test" #10: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:56:26 authpriv warn pluto[1993]: "test" #10: starting keying attempt 10 of an unlimited number
Jan 1 00:56:26 authpriv warn pluto[1993]: "test" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #10 {using isakmp#1 msgid:19f75bce proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:57:36 authpriv warn pluto[1993]: "test" #11: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:57:36 authpriv warn pluto[1993]: "test" #11: starting keying attempt 11 of an unlimited number
Jan 1 00:57:36 authpriv warn pluto[1993]: "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #11 {using isakmp#1 msgid:6842cdda proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:58:46 authpriv warn pluto[1993]: "test" #12: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:58:46 authpriv warn pluto[1993]: "test" #12: starting keying attempt 12 of an unlimited number
Jan 1 00:58:46 authpriv warn pluto[1993]: "test" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #12 {using isakmp#1 msgid:e93ea2dd proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 1 00:59:56 authpriv warn pluto[1993]: "test" #13: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 1 00:59:56 authpriv warn pluto[1993]: "test" #13: starting keying attempt 13 of an unlimited number
Jan 1 00:59:56 authpriv warn pluto[1993]: "test" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #13 {using isakmp#1 msgid:481c615c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
==================================
#
# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface br0/br0 192.168.2.254
000 interface eth0.1/eth0.1 172.17.21.81
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizema
x=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysize
max=192
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizem
ax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysize
max=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, k
eysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, k
eysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, k
eysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, k
eysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, k
eysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, k
eysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160
, keysizemax=160
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0
, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=19
2
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=12
8
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,19,36} trans={0,19,36
0} attrs={0,19,480}
000
000 "passthr": 192.168.2.0/24===172.17.21.81<172.17.21.81>...%any===192.168.2.0/
24; prospective erouted; eroute owner: #0
000 "passthr": myip=unset; hisip=unset;
000 "passthr": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_
fuzz: 100%; keyingtries: 0
000 "passthr": policy: PFS+IKEv2ALLOW+SAREFTRACK+PASS+NEVER_NEGOTIATE+lKOD+rKO
D; prio: 24,24; interface: eth0.1;
000 "passthr": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "test": 192.168.2.0/24===172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21
.80>===0.0.0.0/0; unrouted; eroute owner: #0
000 "test": myip=unset; hisip=unset;
000 "test": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuz
z: 100%; keyingtries: 0
000 "test": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
prio: 24,0; interface: eth0.1;
000 "test": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "test": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); fla
gs=strict
000 "test": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "test": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "test": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2
); flags=strict
000 "test": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000
000 #19: "test":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT i
n 2s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: "test":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 12
81s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
Configuration for test2=========================================
# cat ipsec.conf
config setup
nat_traversal=no
oe=off
protostack=netkey
interfaces=%defaultroute
conn test
left=172.17.21.81
leftsubnet=192.168.2.0/24
rightsubnet=0.0.0.0/0
connaddrfamily=ipv4
right=172.17.21.80
keyexchange=ike
ike=3des-md5;modp1024!
salifetime=480m
phase2=esp
phase2alg=3des-hmac_md5!;modp1024
pfs=yes
ikelifetime=60m
type=tunnel
authby=secret
auto=add
conn passthr
left=172.17.21.81
right=0.0.0.0
leftsubnet=192.168.2.0/24
rightsubnet=192.168.2.0/24
type=passthrough
authby=never
auto=route
#
# cat ipsec.secrets
172.17.21.81 172.17.21.80 : PSK "123"
#
Configuration for test1=========================================
# cat ipsec.conf
config setup
nat_traversal=no
oe=off
protostack=netkey
interfaces=%defaultroute
conn test
left=172.17.21.80
leftsubnet=192.168.1.0/24
rightsubnet=192.168.2.0/24
connaddrfamily=ipv4
right=172.17.21.81
keyexchange=ike
ike=3des-md5;modp1024!
salifetime=480m
phase2=esp
phase2alg=3des-hmac_md5!;modp1024
pfs=yes
ikelifetime=60m
type=tunnel
authby=secret
auto=add
# cat ipsec.secrets
172.17.21.80 172.17.21.81 : PSK "123"
#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130118/d94fb3aa/attachment-0001.html>
More information about the Users
mailing list