[Openswan Users] Openswan: Connection Problem

Mohsen B.Sarmadi mohsen.bsarmadi at gmail.com
Fri Nov 29 14:36:09 UTC 2013


Hi,

Thanks for your invaluable help. I am using Amazon EC2 to set up Openswan,
but it is not working; can you give me a hint?
The client cannot connect to Openswan.

$ cat /etc/ipsec.conf
config setup
   protostack=netkey
   interfaces=%defaultroute
   nat_traversal=yes
# this will force openswan to use IPSec over UDP - required for EC2
   force_keepalive=yes
   keep_alive=60
   virtual_private=%v4:172.16.0.0/16
# this Subnet must include range provided in the xl2tpd config file
   oe=no
   nhelpers=0
conn RWConn # road warrior connection description
   type=transport
   authby=secret
   pfs=no
   rekey=no
   ikelifetime=8h
   keylife=1h
   leftprotoport=17/1701
   left=%defaultroute
   leftid=myElasticIP
   leftsourceip=myElasticIP
   forceencaps=yes
   rightprotoport=17/%any
   right=%any
   rightsubnet=vhost:%priv,%no,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
   auto=add
# Apple iOS doesn't send delete notify so we need dead peer detection
# to detect vanishing clients
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear

$ cat /etc/ipsec.secrets
cat: /etc/ipsec.secrets: Permission denied
ubuntu@ip-10-164-25-201:~$ sudo cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
#include /var/lib/openswan/ipsec.secrets.inc
myElasticIP 0.0.0.0 %any: PSK "123"

$ sudo cat /etc/xl2tpd/xl2tpd.conf
[global]
ipsec saref = yes
; this must be the private EC2 address allocated to eth0
listen-addr = myElasticIP
[lns default]
; addresses to road road warriors will be allocated from this range
ip range = 172.16.100.1-172.16.100.254
; GW virtual address (must be outside of the above range)
local ip = 172.16.0.150
refuse pap = yes
require authentication = yes
require chap = yes
ppp debug = yes
name = MyGW
; points to PPP config file (you can choose your own name)
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

$ sudo cat /etc/ppp/options.xl2tpd
name MyGW # this must be identical to the name given in the xl2tpd file

ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1280
mru 1280
defaultroute
lock
proxyarp
connect-delay 5000
$ tail -n 70 /var/log/auth.log

Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [RFC 3947] method set to=109
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [Dead Peer Detection]
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: responding to Main Mode from unknown peer myClientIP
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.43.179'
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: switched from "RWConn" to "RWConn"
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: deleting connection "RWConn" instance with peer myClientIP {isakmp=#0/ipsec=#0}
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: new NAT mapping for #3, was myClientIP:33690, now myClientIP:17370
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: Dead Peer Detection (RFC 3706): enabled
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: the peer proposed: myElasticIP/32:17/1701 -> myClientIP/32:17/0
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: responding to Quick Mode proposal {msgid:47e78293}
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4:   us: myElasticIP/32===10.164.25.201[myElasticIP,+S=C]:17/1701
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: them: myClientIP[192.168.43.179,+S=C]:17/54867
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: Dead Peer Detection (RFC 3706): enabled
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x02ceb265 <0xafbcefd3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=myClientIP:17370 DPD=enabled}
Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: received Delete SA(0x02ceb265) payload: deleting IPSEC State #4
Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: received and ignored informational message
Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: received Delete SA payload: deleting ISAKMP State #3
Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP: deleting connection "RWConn" instance with peer myClientIP {isakmp=#0/ipsec=#0}
Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: packet from myClientIP:17370: received and ignored informational message

$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.37/K3.2.0-54-virtual (netkey)
Checking for IPsec support in kernel                         [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing XFRM related proc values                   [OK]
 [OK]
[OK]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                       [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [WARNING]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                             [DISABLED]

$ sudo cat /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
alice   MyGW PASSWORD *
bob   MyGW PASSWORD   *

Thank you
Mohsen
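Added example, not part of the post or of Openswan: a small Python triage of pluto auth.log lines like the ones above. It records which IKE milestones were reached and how long the IPsec SA lived before the peer deleted it, so a reader can tell an IKE phase 1 or phase 2 failure apart from a failure in the L2TP/PPP layer that runs above an already established SA. The sample lines are copied from the post's log (placeholders kept); the milestone names and diagnosis labels are my own.

```python
import re

# Constructed sample: pluto lines copied from the post's auth.log excerpt, placeholders kept.
SAMPLE_LOG = """\
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: responding to Main Mode from unknown peer myClientIP
Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: responding to Quick Mode proposal {msgid:47e78293}
Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x02ceb265 <0xafbcefd3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=myClientIP:17370 DPD=enabled}
Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: received Delete SA(0x02ceb265) payload: deleting IPSEC State #4
"""

# syslog prefix, then either '"conn"[n] peer #sa: msg' or a bare 'packet from ...' msg
LINE_RE = re.compile(
    r'^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ pluto\[\d+\]: '
    r'(?:"[^"]+"\[\d+\] \S+(?: #\d+)?: )?(?P<msg>.*)$')

# Negotiation milestones in the order pluto reaches them (substring of the message).
MILESTONES = {"main_mode_started": "responding to Main Mode",
              "isakmp_established": "ISAKMP SA established",
              "ipsec_established": "IPsec SA established",
              "peer_deleted_ipsec": "received Delete SA("}

def parse_pluto(text):
    """Return {milestone: (seconds_of_day, message)} for the first line hitting each one."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        for key, needle in MILESTONES.items():
            if key not in hits and needle in m["msg"]:
                hits[key] = (secs, m["msg"])
    return hits

def sa_params(msg):
    """Parse the '{key=value ...}' block pluto appends to 'SA established' lines."""
    inner = msg[msg.index("{") + 1:msg.rindex("}")]
    return dict(kv.split("=", 1) for kv in inner.split() if "=" in kv)

def diagnose(hits):
    """Name the layer at which the attempt stopped, from the milestones that were hit."""
    if "isakmp_established" not in hits:
        return "phase1"        # Main Mode never completed: PSK, IDs, NAT-T
    if "ipsec_established" not in hits:
        return "phase2"        # Quick Mode failed: protoport, rightsubnet, mode
    if "peer_deleted_ipsec" in hits:
        gap = hits["peer_deleted_ipsec"][0] - hits["ipsec_established"][0]
        return "l2tp_or_ppp(%ds)" % gap   # IPsec was up; the client gave up above it
    return "ipsec_up"
```

For the posted log this yields l2tp_or_ppp(20s): both IKE phases completed and the client tore the SA down 20 seconds later, which points the investigation at xl2tpd and pppd rather than at ipsec.conf.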