[Openswan Users] Openswan to Juniper Netscreen, the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0

Axel Starck axelstarck134 at gmail.com
Sat Nov 23 01:38:58 UTC 2013 

Hi,
I am trying to setup a route base VPN to a Juniper Netscreen.
It is a host to subnet connection, where I realy need to connect to only one host in the peer subnet.

It seems to go for a bit but somehow the tunnel does not get established.
At some point I get:
  the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
and thing don't move forward.
Below is the configuration and the log.
Any hint what could be wrong here is appreciated.
Thanxs

--Axel-- 


-----------------------------------------------------------------------------------------
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf

-----------------------------------------------------------------------------------------
conn juniper
        ike=3des-sha1
        esp=3des-sha1
        authby=secret
        keyingtries=0
        left=213.xxx.168.7
        leftsubnet= 192.168.158.0/24
        # leftsubnet= 192.168.158.70/32
        leftnexthop=%defaultroute
        right=91.xxx.165.136
        # rightsubnet=91.xxx.165.136/32
        rightnexthop=%defaultroute
        compress=no
        auto=start

-----------------------------------------------------------------------------------------
213.xxx.168.7 91.xxx.165.136 : PSK "verysecret"

-----------------------------------------------------------------------------------------
[root at rs2 etc]# /etc/init.d/ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K3.8.13-xxxx-grs-ipv6-64...
ipsec_setup: /usr/libexec/ipsec/addconn Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode

[root at rs2 etc]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K3.8.13-xxxx-grs-ipv6-64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

-----------------------------------------------------------------------------------------
[root at rs2 etc]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface eth0/eth0 2001:42d0:1:e688::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 91.xxx.165.136
000 interface eth0/eth0 91.xxx.165.136
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,64} trans={0,3,2184} attrs={0,3,1456}
000
000 "juniper": 91.xxx.165.136<91.xxx.165.136>[+S=C]---91.xxx.165.254...91.xxx.165.254---213.xxx.168.7<213.xxx.168.7>[+S=C]===192.168.158.0/24; prospective erouted; eroute owner: #0
000 "juniper":     myip=unset; hisip=unset;
000 "juniper":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "juniper":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,32; interface: eth0;
000 "juniper":   newest ISAKMP SA: #5; newest IPsec SA: #0;
000 "juniper":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "juniper":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "juniper":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "juniper":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; flags=-strict
000 "juniper":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000
000 #5: "juniper":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3293s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #4: "juniper":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 22s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: "juniper":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3253s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
[root at rs2 etc]#

-----------------------------------------------------------------------------------------
Nov 23 01:14:23 rs2 ipsec__plutorun: Starting Pluto subsystem...
Nov 23 01:14:23 rs2 pluto[9120]: nss directory plutomain: /etc/ipsec.d
Nov 23 01:14:23 rs2 pluto[9120]: NSS Initialized
Nov 23 01:14:23 rs2 pluto[9120]: Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode
Nov 23 01:14:23 rs2 pluto[9120]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:9120
Nov 23 01:14:23 rs2 pluto[9120]: Not able to open /proc/sys/crypto/fips_enabled, returning non-fips mode
Nov 23 01:14:23 rs2 pluto[9120]: LEAK_DETECTIVE support [disabled]
Nov 23 01:14:23 rs2 pluto[9120]: OCF support for IKE [disabled]
Nov 23 01:14:23 rs2 pluto[9120]: SAref support [disabled]: Protocol not available
Nov 23 01:14:23 rs2 pluto[9120]: SAbind support [disabled]: Protocol not available
Nov 23 01:14:23 rs2 pluto[9120]: NSS support [enabled]
Nov 23 01:14:23 rs2 pluto[9120]: HAVE_STATSD notification support not compiled in
Nov 23 01:14:23 rs2 pluto[9120]: Setting NAT-Traversal port-4500 floating to on
Nov 23 01:14:23 rs2 pluto[9120]:    port floating activation criteria nat_t=1/port_float=1
Nov 23 01:14:23 rs2 pluto[9120]:    NAT-Traversal support  [enabled]
Nov 23 01:14:23 rs2 pluto[9120]: 1 bad entries in virtual_private - none loaded
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: starting up 3 cryptographic helpers
Nov 23 01:14:23 rs2 pluto[9120]: started helper (thread) pid=139938386654976 (fd:8)
Nov 23 01:14:23 rs2 pluto[9120]: started helper (thread) pid=139938378262272 (fd:10)
Nov 23 01:14:23 rs2 pluto[9120]: started helper (thread) pid=139938369869568 (fd:12)
Nov 23 01:14:23 rs2 pluto[9120]: Using Linux 2.6 IPsec interface code on 3.8.13-xxxx-grs-ipv6-64 (experimental code)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_add(): ERROR: Algorithm already exists
Nov 23 01:14:23 rs2 pluto[9120]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Nov 23 01:14:23 rs2 pluto[9120]: Could not change to directory '/etc/ipsec.d/cacerts': /
Nov 23 01:14:23 rs2 pluto[9120]: Could not change to directory '/etc/ipsec.d/aacerts': /
Nov 23 01:14:23 rs2 pluto[9120]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Nov 23 01:14:23 rs2 pluto[9120]: Could not change to directory '/etc/ipsec.d/crls'
Nov 23 01:14:23 rs2 pluto[9120]: | selinux support is NOT enabled.
Nov 23 01:14:23 rs2 pluto[9120]: added connection description "juniper"
Nov 23 01:14:23 rs2 pluto[9120]: listening for IKE messages
Nov 23 01:14:23 rs2 pluto[9120]: adding interface eth0/eth0 91.xxx.165.136:500
Nov 23 01:14:23 rs2 pluto[9120]: adding interface eth0/eth0 91.xxx.165.136:4500
Nov 23 01:14:23 rs2 pluto[9120]: adding interface lo/lo 127.0.0.1:500
Nov 23 01:14:23 rs2 pluto[9120]: adding interface lo/lo 127.0.0.1:4500
Nov 23 01:14:23 rs2 pluto[9120]: adding interface eth0/eth0 2001:41d0:1:e688::1:500
Nov 23 01:14:23 rs2 pluto[9120]: adding interface lo/lo ::1:500
Nov 23 01:14:23 rs2 pluto[9120]: loading secrets from "/etc/ipsec.secrets"
Nov 23 01:14:23 rs2 pluto[9120]: loading secrets from "/etc/ipsec.d/djezzy.secrets"
Nov 23 01:14:23 rs2 pluto[9120]: "juniper": route-host output: Cannot flush routing cache
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: initiating Main Mode
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: ignoring unknown Vendor ID payload [a601e645e2e8e15239409664fdeb5a9000cf9cad0000000e0000061e]
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: received Vendor ID payload [Dead Peer Detection]
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: I will NOT send an initial contact payload
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: Not sending INITIAL_CONTACT
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: Main mode peer ID is ID_IPV4_ADDR: '213.xxx.168.7'
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 23 01:14:23 rs2 pluto[9120]: "juniper" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:8f2ebae4 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Nov 23 01:14:24 rs2 pluto[9120]: "juniper" #1: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Nov 23 01:14:24 rs2 pluto[9120]: "juniper" #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===91.xxx.165.136<91.xxx.165.136>[+S=C]...213.xxx.168.7<213.xxx.168.7>[+S=C]===0.0.0.0/0
Nov 23 01:14:24 rs2 pluto[9120]: "juniper" #1: sending encrypted notification INVALID_ID_INFORMATION to 213.xxx.168.7:500
Nov 23 01:14:28 rs2 pluto[9120]: "juniper" #1: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Nov 23 01:14:28 rs2 pluto[9120]: "juniper" #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===91.xxx.165.136<91.xxx.165.136>[+S=C]...213.xxx.168.7<213.xxx.168.7>[+S=C]===0.0.0.0/0
Nov 23 01:14:28 rs2 pluto[9120]: "juniper" #1: sending encrypted notification INVALID_ID_INFORMATION to 213.xxx.168.7:500
Nov 23 01:14:32 rs2 pluto[9120]: "juniper" #1: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Nov 23 01:14:32 rs2 pluto[9120]: "juniper" #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===91.xxx.165.136<91.xxx.165.136>[+S=C]...213.xxx.168.7<213.xxx.168.7>[+S=C]===0.0.0.0/0
Nov 23 01:14:32 rs2 pluto[9120]: "juniper" #1: sending encrypted notification INVALID_ID_INFORMATION to 213.xxx.168.7:500
Nov 23 01:14:36 rs2 pluto[9120]: "juniper" #1: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Nov 23 01:14:36 rs2 pluto[9120]: "juniper" #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===91.xxx.165.136<91.xxx.165.136>[+S=C]...213.xxx.168.7<213.xxx.168.7>[+S=C]===0.0.0.0/0
Nov 23 01:14:36 rs2 pluto[9120]: "juniper" #1: sending encrypted notification INVALID_ID_INFORMATION to 213.xxx.168.7:500
Nov 23 01:14:40 rs2 pluto[9120]: "juniper" #1: the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
Nov 23 01:14:40 rs2 pluto[9120]: "juniper" #1: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===91.xxx.165.136<91.xxx.165.136>[+S=C]...213.xxx.168.7<213.xxx.168.7>[+S=C]===0.0.0.0/0
Nov 23 01:14:40 rs2 pluto[9120]: "juniper" #1: sending encrypted notification INVALID_ID_INFORMATION to 213.xxx.168.7:500

More information about the Users mailing list