[Openswan Users] phase2 failed on 0.0.0.0/0 case

Ozai ozai.tien at gmail.com
Fri Jan 18 01:39:37 EST 2013


Dear Sirs,

Could someone help me with this question, please? Thanks.

Best Regards,
Ozai
  ----- Original Message ----- 
  From: Ozai 
  To: users at lists.openswan.org 
  Sent: Thursday, January 17, 2013 10:55 AM
  Subject: [Openswan Users] phase2 failed on 0.0.0.0/0 case


  Dear Sirs,

  My test environment openswan 2.6.38 with embedded linux is as below.
  192.168.1.x---------test1(openswan 172.17.21.80)-----------test2(openswan 172.17.21.81)--------192.168.2.x

  I cannot make the VPN tunnel work in the 0.0.0.0/0 case. Phase 1 already works, and Phase 2 seems to fail. It seems that test2 sent a 'Quick Mode' request to test1 but never gets a response from test1. I have no idea about it. Do I need to change my ipsec.conf? Does openswan support the 0.0.0.0/0 case? Or... what? Please help me with this question. Thanks.

  Best Regards,
  Ozai

  syslog on test2==============================================
  Jan  1 00:45:47 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
  Jan  1 00:45:47 daemon err ipsec_setup: Using NETKEY(XFRM) stack
  Jan  1 00:45:49 authpriv err ipsec__plutorun: Starting Pluto subsystem...
  Jan  1 00:45:49 daemon err ipsec_setup: ...Openswan IPsec started
  Jan  1 00:45:49 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
  Jan  1 00:45:49 user warn syslog: adjusting ipsec.d to /var/ipsec.d
  Jan  1 00:45:49 authpriv warn pluto[1993]: WARNING: 1DES is enabled
  Jan  1 00:45:49 authpriv warn pluto[1993]: LEAK_DETECTIVE support [disabled]
  Jan  1 00:45:49 authpriv warn pluto[1993]: OCF support for IKE [disabled]
  Jan  1 00:45:49 authpriv warn pluto[1993]: NSS support [disabled]
  Jan  1 00:45:49 authpriv warn pluto[1993]: HAVE_STATSD notification support not compiled in
  Jan  1 00:45:50 authpriv warn pluto[1993]: Setting NAT-Traversal port-4500 floating to off
  Jan  1 00:45:50 authpriv warn pluto[1993]:    port floating activation criteria nat_t=0/port_float=1
  Jan  1 00:45:50 authpriv warn pluto[1993]:    NAT-Traversal support  [disabled]
  Jan  1 00:45:50 authpriv warn pluto[1993]: using /dev/urandom as source of random entropy
  Jan  1 00:45:50 authpriv warn pluto[1993]: starting up 1 cryptographic helpers
  Jan  1 00:45:50 authpriv warn pluto[2011]: using /dev/urandom as source of random entropy
  Jan  1 00:45:50 authpriv warn pluto[1993]: started helper pid=2011 (fd:6)
  Jan  1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
  Jan  1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
  Jan  1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
  Jan  1 00:45:52 authpriv warn pluto[1993]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
  Jan  1 00:45:52 authpriv warn pluto[1993]: added connection description "test"
  Jan  1 00:45:52 daemon err ipsec__plutorun: 002 added connection description "test"
  Jan  1 00:45:52 authpriv warn pluto[1993]: added connection description "passthr"
  Jan  1 00:45:52 daemon err ipsec__plutorun: 002 added connection description "passthr"
  Jan  1 00:45:52 authpriv warn pluto[1993]: listening for IKE messages
  Jan  1 00:45:52 authpriv warn pluto[1993]: adding interface eth0.1/eth0.1 172.17.21.81:500
  Jan  1 00:45:52 authpriv warn pluto[1993]: adding interface br0/br0 192.168.2.254:500
  Jan  1 00:45:52 authpriv warn pluto[1993]: adding interface lo/lo 127.0.0.1:500
  Jan  1 00:45:52 authpriv warn pluto[1993]: adding interface lo/lo ::1:500
  Jan  1 00:45:52 authpriv warn pluto[1993]: loading secrets from "/var/ipsec.secrets"
  Jan  1 00:45:53 authpriv warn pluto[1993]: "test": deleting connection
  Jan  1 00:45:53 authpriv warn pluto[1993]: added connection description "test"
  Jan  1 00:45:55 authpriv warn pluto[1993]: "test" #1: initiating Main Mode
  Jan  1 00:45:55 authpriv warn pluto[1993]: "test" #1: received Vendor ID payload [Dead Peer Detection]
  Jan  1 00:45:55 authpriv warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
  Jan  1 00:45:55 authpriv warn pluto[1993]: "test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #1: STATE_MAIN_I3: sent MI3, expecting MR3
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.80'
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:509d2931 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
  Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #1: received and ignored informational message
  Jan  1 00:47:06 authpriv warn pluto[1993]: "test" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:47:06 authpriv warn pluto[1993]: "test" #2: starting keying attempt 2 of an unlimited number, but releasing whack
  Jan  1 00:47:06 authpriv warn pluto[1993]: "test" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1 msgid:98d416b7 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:48:16 authpriv warn pluto[1993]: "test" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:48:16 authpriv warn pluto[1993]: "test" #3: starting keying attempt 3 of an unlimited number
  Jan  1 00:48:16 authpriv warn pluto[1993]: "test" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1 msgid:88f89afc proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:49:26 authpriv warn pluto[1993]: "test" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:49:26 authpriv warn pluto[1993]: "test" #4: starting keying attempt 4 of an unlimited number
  Jan  1 00:49:26 authpriv warn pluto[1993]: "test" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #4 {using isakmp#1 msgid:f62f9485 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:50:36 authpriv warn pluto[1993]: "test" #5: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:50:36 authpriv warn pluto[1993]: "test" #5: starting keying attempt 5 of an unlimited number
  Jan  1 00:50:36 authpriv warn pluto[1993]: "test" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #5 {using isakmp#1 msgid:94452273 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:51:46 authpriv warn pluto[1993]: "test" #6: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:51:46 authpriv warn pluto[1993]: "test" #6: starting keying attempt 6 of an unlimited number
  Jan  1 00:51:46 authpriv warn pluto[1993]: "test" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #6 {using isakmp#1 msgid:aa7aeb59 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:52:56 authpriv warn pluto[1993]: "test" #7: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:52:56 authpriv warn pluto[1993]: "test" #7: starting keying attempt 7 of an unlimited number
  Jan  1 00:52:56 authpriv warn pluto[1993]: "test" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #7 {using isakmp#1 msgid:db655c5c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:54:06 authpriv warn pluto[1993]: "test" #8: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:54:06 authpriv warn pluto[1993]: "test" #8: starting keying attempt 8 of an unlimited number
  Jan  1 00:54:06 authpriv warn pluto[1993]: "test" #9: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #8 {using isakmp#1 msgid:99a28411 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:55:16 authpriv warn pluto[1993]: "test" #9: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:55:16 authpriv warn pluto[1993]: "test" #9: starting keying attempt 9 of an unlimited number
  Jan  1 00:55:16 authpriv warn pluto[1993]: "test" #10: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #9 {using isakmp#1 msgid:cb114d82 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:56:26 authpriv warn pluto[1993]: "test" #10: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:56:26 authpriv warn pluto[1993]: "test" #10: starting keying attempt 10 of an unlimited number
  Jan  1 00:56:26 authpriv warn pluto[1993]: "test" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #10 {using isakmp#1 msgid:19f75bce proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:57:36 authpriv warn pluto[1993]: "test" #11: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:57:36 authpriv warn pluto[1993]: "test" #11: starting keying attempt 11 of an unlimited number
  Jan  1 00:57:36 authpriv warn pluto[1993]: "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #11 {using isakmp#1 msgid:6842cdda proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:58:46 authpriv warn pluto[1993]: "test" #12: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:58:46 authpriv warn pluto[1993]: "test" #12: starting keying attempt 12 of an unlimited number
  Jan  1 00:58:46 authpriv warn pluto[1993]: "test" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #12 {using isakmp#1 msgid:e93ea2dd proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  Jan  1 00:59:56 authpriv warn pluto[1993]: "test" #13: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
  Jan  1 00:59:56 authpriv warn pluto[1993]: "test" #13: starting keying attempt 13 of an unlimited number
  Jan  1 00:59:56 authpriv warn pluto[1993]: "test" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #13 {using isakmp#1 msgid:481c615c proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  ==================================
  #
  # ipsec auto --status
  000 using kernel interface: netkey
  000 interface lo/lo ::1
  000 interface lo/lo 127.0.0.1
  000 interface br0/br0 192.168.2.254
  000 interface eth0.1/eth0.1 172.17.21.81
  000 %myid = (none)
  000 debug none
  000
  000 virtual_private (%priv):
  000 - allowed 0 subnets:
  000 - disallowed 0 subnets:
  000 WARNING: Either virtual_private= is not specified, or there is a syntax
  000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
  000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
  000          private address space in internal use, it should be excluded!
  000
  000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
  000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
  000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
  000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
  000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
  000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
  000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
  000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
  000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
  000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
  000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
  000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
  000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
  000
  000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
  000 algorithm IKE encrypt: id=1, name=OAKLEY_DES_CBC, blocksize=8, keydeflen=64
  000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
  000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
  000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
  000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
  000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
  000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
  000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
  000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
  000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
  000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
  000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
  000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
  000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
  000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
  000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
  000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
  000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
  000
  000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,19,36} trans={0,19,360} attrs={0,19,480}
  000
  000 "passthr": 192.168.2.0/24===172.17.21.81<172.17.21.81>...%any===192.168.2.0/24; prospective erouted; eroute owner: #0
  000 "passthr":     myip=unset; hisip=unset;
  000 "passthr":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
  000 "passthr":   policy: PFS+IKEv2ALLOW+SAREFTRACK+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 24,24; interface: eth0.1;
  000 "passthr":   newest ISAKMP SA: #0; newest IPsec SA: #0;
  000 "test": 192.168.2.0/24===172.17.21.81<172.17.21.81>...172.17.21.80<172.17.21.80>===0.0.0.0/0; unrouted; eroute owner: #0
  000 "test":     myip=unset; hisip=unset;
  000 "test":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
  000 "test":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,0; interface: eth0.1;
  000 "test":   newest ISAKMP SA: #1; newest IPsec SA: #0;
  000 "test":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=strict
  000 "test":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
  000 "test":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
  000 "test":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=strict
  000 "test":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
  000
  000 #19: "test":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 2s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
  000 #1: "test":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1281s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

  Configuration for test2=========================================
  # cat ipsec.conf
  config setup
                  nat_traversal=no
                  oe=off
                  protostack=netkey
                  interfaces=%defaultroute

  conn test
                  left=172.17.21.81
                  leftsubnet=192.168.2.0/24
                  rightsubnet=0.0.0.0/0
                  connaddrfamily=ipv4
                  right=172.17.21.80
                  keyexchange=ike
                  ike=3des-md5;modp1024!
                  salifetime=480m
                  phase2=esp
                  phase2alg=3des-hmac_md5!;modp1024
                  pfs=yes
                  ikelifetime=60m
                  type=tunnel
                  authby=secret
                  auto=add

  conn passthr
                  left=172.17.21.81
                  right=0.0.0.0
                  leftsubnet=192.168.2.0/24
                  rightsubnet=192.168.2.0/24
                  type=passthrough
                  authby=never
                  auto=route
  #
  # cat ipsec.secrets
  172.17.21.81 172.17.21.80 : PSK "123"
  #

  Configuration for test1=========================================
  # cat ipsec.conf
  config setup
                  nat_traversal=no
                  oe=off
                  protostack=netkey
                  interfaces=%defaultroute

  conn test
                  left=172.17.21.80
                  leftsubnet=192.168.1.0/24
                  rightsubnet=192.168.2.0/24
                  connaddrfamily=ipv4
                  right=172.17.21.81
                  keyexchange=ike
                  ike=3des-md5;modp1024!
                  salifetime=480m
                  phase2=esp
                  phase2alg=3des-hmac_md5!;modp1024
                  pfs=yes
                  ikelifetime=60m
                  type=tunnel
                  authby=secret
                  auto=add

  # cat ipsec.secrets
  172.17.21.80 172.17.21.81 : PSK "123"
  #
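Editor's note, added here and not part of the post or of Openswan itself: Openswan's IKEv1 Quick Mode responder only answers when it holds a connection whose subnets equal the initiator's proposal exactly, so each side's leftsubnet must equal the peer's rightsubnet and vice versa. In the two configurations quoted above, test2 proposes 192.168.2.0/24 <-> 0.0.0.0/0 while test1's "test" connection is 192.168.1.0/24 <-> 192.168.2.0/24, which is exactly the kind of mismatch that leaves the initiator stuck in STATE_QUICK_I1 with no answer. The Python script below is an added example that performs that cross-check on the two ipsec.conf snippets and scans a syslog excerpt for Quick Mode attempts that exhausted their retransmissions; the configs and log lines embedded in it are constructed to mirror the post, and the function names are the example's own.

```python
"""
Added example, not part of the mailing-list post: cross-check two Openswan
ipsec.conf files so that each side's leftsubnet/rightsubnet mirror the peer's,
and scan pluto syslog lines for Quick Mode attempts that exhausted their
retransmissions (the phase-2 symptom shown in the post).
"""
import re
import ipaddress

# Constructed input: the two 'conn test' sections from the post, abridged to
# the keys that matter for traffic-selector matching.
TEST2_CONF = """
conn test
        left=172.17.21.81
        leftsubnet=192.168.2.0/24
        rightsubnet=0.0.0.0/0
        right=172.17.21.80
"""

TEST1_CONF = """
conn test
        left=172.17.21.80
        leftsubnet=192.168.1.0/24
        rightsubnet=192.168.2.0/24
        right=172.17.21.81
"""

# Constructed syslog excerpt modelled on the test2 log in the post.
SYSLOG = """\
Jan  1 00:45:56 authpriv warn pluto[1993]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:509d2931 proposal=3DES(3)_192-MD5(1)_128}
Jan  1 00:47:06 authpriv warn pluto[1993]: "test" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan  1 00:47:06 authpriv warn pluto[1993]: "test" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #2 {using isakmp#1 msgid:98d416b7 proposal=3DES(3)_192-MD5(1)_128}
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns


def selectors(conn):
    """(local, remote) traffic selectors as ip_network objects.

    A side without *subnet= defaults to the host address itself (/32),
    which is what Openswan does when no subnet is given.
    """
    left = conn.get("leftsubnet") or conn["left"] + "/32"
    right = conn.get("rightsubnet") or conn["right"] + "/32"
    return (ipaddress.ip_network(left, strict=False),
            ipaddress.ip_network(right, strict=False))


def check_mirror(local_text, peer_text, name):
    """List the ways conn `name` fails to mirror between the two configs.

    The responder needs a connection whose subnets equal the initiator's
    proposal exactly, so local leftsubnet must equal the peer's rightsubnet
    and vice versa. An empty list means the selectors mirror correctly.
    """
    a_local, a_remote = selectors(parse_conns(local_text)[name])
    b_local, b_remote = selectors(parse_conns(peer_text)[name])
    problems = []
    if a_local != b_remote:
        problems.append(f"{name}: local leftsubnet {a_local} != peer rightsubnet {b_remote}")
    if a_remote != b_local:
        problems.append(f"{name}: local rightsubnet {a_remote} != peer leftsubnet {b_local}")
    return problems


# Matches the pluto line emitted when a Quick Mode attempt gives up in QUICK_I1.
QM_FAIL = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): max number of retransmissions '
    r'\((?P<n>\d+)\) reached STATE_QUICK_I1'
)


def failed_quick_mode(log):
    """Return [(conn, state_number, retransmits)] for Quick Mode attempts
    that timed out in STATE_QUICK_I1, i.e. the peer never answered QI1."""
    hits = []
    for line in log.splitlines():
        m = QM_FAIL.search(line)
        if m:
            hits.append((m.group("conn"), int(m.group("sa")), int(m.group("n"))))
    return hits


if __name__ == "__main__":
    for p in check_mirror(TEST2_CONF, TEST1_CONF, "test"):
        print("selector mismatch:", p)
    for conn, sa, n in failed_quick_mode(SYSLOG):
        print(f"phase 2 gave up on {conn} #{sa} after {n} retransmissions")
```

Run against the post's two configs, check_mirror reports that test2's rightsubnet 0.0.0.0/0 has no counterpart in test1's leftsubnet 192.168.1.0/24. A 0.0.0.0/0 selector on one side still has to be written as 0.0.0.0/0 (as that side's leftsubnet) on the peer; the responder will not narrow or widen a proposal on its own. The log scanner is useful as a standing check on an embedded gateway, since repeated STATE_QUICK_I1 timeouts with an established ISAKMP SA point at a policy mismatch rather than a reachability or pre-shared-key problem.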