[Openswan Users] IPSec on Centos6.5

David Fowler david at powercreations.com.au
Tue Feb 11 21:00:46 EST 2014


Hi Nick

Thanks for your reply.

Have made the required changes, and still no go.  Unfortunately I need 
to have the Centos server establishing the connection.  A lot of the 
settings in the conf came from reading umpteen docs / configs on the net 
- this isn't my usual area of specialty, I've just been given the task :)

New *ipsec.conf*
config setup
      klipsdebug=all
      plutodebug=all
      protostack=netkey
      interfaces=%defaultroute

conn testconnection
      type=tunnel
      left=1.1.1.1
      leftsourceip=192.168.3.195
      leftsubnet=192.168.3.0/24
      right=3.3.3.3
      rightsubnet=192.168.3.0/24
      auth=esp
      keyexchange=ike
      auto=add
      pfs=yes
      rekey=no
      authby=secret

Doing a tcpdump when doing the ipsec auto --add testconnection I can see 
the server sending the request (thishost and endhost replacing the 
actual hostnames)

tcpdump -vv -x -X -s 1500 -i eth0 'port 500'
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
1500 bytes
01:55:31.099277 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto 
UDP (17), length 520)
     thishost.isakmp > endhost.isakmp: [bad udp cksum afb2!] isakmp 1.0 
msgid 00000000 cookie 0a1a31b314914bbb->0000000000000000: phase 1 I ident:
     (sa: doi=ipsec situation=identity
         (p: #0 protoid=isakmp transform=12
             (t: #0 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
             (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp2048)(type=keylen value=0080))
             (t: #2 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp2048))
             (t: #3 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp2048))
             (t: #4 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
             (t: #5 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1536)(type=keylen value=0080))
             (t: #6 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1536))
             (t: #7 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1536))
             (t: #8 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=aes)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
             (t: #9 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=aes)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1024)(type=keylen value=0080))
             (t: #10 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth 
value=preshared)(type=group desc value=modp1024))
             (t: #11 id=ike (type=lifetype value=sec)(type=lifeduration 
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth 
value=preshared)(type=group desc value=modp1024))))
     (vid: len=12)
     (vid: len=16)

This is more of a 'test' as part of a bigger project, but wanted to try 
and get everything ready first.  I'm not sure of the end requirements 
for the actual 'live' system - so may wait for those and see how I go.

Dave



On 11/02/2014 4:42 PM, Nick Howitt wrote:
>
> What settings do you have in the Draytek (including the advanced 
> settings)?
>
> Can you check your subnets (although it is not the issue) as your 
> virtual_private subnets do not match te rightsubnet (/16 is not 
> 255.255.255.0). Anyway you should not need virtual_private or 
> nat_traversal.
>
> In your conn, you will probably also want a leftsubet and 
> leftsoureceip. Also to get the tunnel up and running I'd remove the 
> esp line, change auto to add and have the Draytek initiate the connection.
>
> Have you opened the CentOS firewall to udp:500 and the esp protocol? 
> Is there any reason you are not using PFS?
>
> Regards,
>
> Nick
>
> BTW I have a DrayTek 2710 and 2820 calling me (ClearOS).
>
> On 2014-02-11 05:29, David Fowler wrote:
>
>> Hi all
>>
>> I'm having some issues getting Openswan running on a Centos6.5 box to 
>> connect to a Draytek router (or even another Centos box) using an 
>> IPSec connection
>>
>> Here are all my settings (IP addresses have been changed - but 
>> consistent here)
>> 1.1.1.1 - CentOS server
>> 2.2.2.2 - CentOS server bcast
>> 3.3.3.3 - router on the other end
>>
>> When I run an 'ipsec --up testconenction', I get the following
>>
>> ipsec auto --up testconnection
>> 104 "testconnection" #3: STATE_MAIN_I1: initiate
>> 010 "testconnection" #3: STATE_MAIN_I1: retransmission; will wait 20s 
>> for response
>> 010 "testconnection" #3: STATE_MAIN_I1: retransmission; will wait 40s 
>> for response
>>
>> The /var/log/secure file shows
>> Feb 11 05:26:29 host pluto[31976]: | processing connection testconnection
>> Feb 11 05:26:29 host pluto[31976]: | handling event EVENT_RETRANSMIT 
>> for 3.3.3.3 "testconnection" #3
>> Feb 11 05:26:29 host pluto[31976]: | sending 592 bytes for 
>> EVENT_RETRANSMIT through eth0:500 to 3.3.3.3:500 (using #3)
>>
>> Config files and outputs are below
>>
>> ----------
>> *ifconfig*
>> eth0      Link encap:Ethernet  HWaddr 00:16:3E:38:7B:2C
>>           inet addr:1.1.1.1  Bcast:2.2.2.2  Mask:255.255.248.0
>>
>> -----------
>> */etc/ipsec.conf*
>> config setup
>>      klipsdebug=all
>>      plutodebug=all
>>      protostack=netkey
>>      nat_traversal=yes
>>      virtual_private=%v4:192.168.0.0/16,%v4:192.168.3.0/16
>>      interfaces=%defaultroute
>>
>> conn testconnection
>>      type=tunnel
>>      left=1.1.1.1
>>      right=3.3.3.3
>>      rightsubnet=192.168.3.0/255.255.255.0
>>      auth=esp
>>      esp=3des-168
>>      keyexchange=ike
>>      auto=start
>>      pfs=no
>>      rekey=no
>>      authby=secret
>>
>> ----------
>> */etc/ip.secrets*
>> 1.1.1.1 3.3.3.3: PSK "mykeyhere"
>>
>> ----------
>> *ipsec verify*
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.6.32/K2.6.32-431.3.1.el6.x86_64 (netkey)
>> Checking for IPsec support in kernel [OK]
>>  SAref kernel support [N/A]
>>  NETKEY:  Testing for disabled ICMP send_redirects [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
>> Checking that pluto is running [OK]
>>  Pluto listening for IKE on udp 500 [OK]
>>  Pluto listening for NAT-T on udp 4500 [OK]
>> Checking for 'ip' command [OK]
>> Checking /bin/sh is not /bin/dash [OK]
>> Checking for 'iptables' command [OK]
>>
>> ----------
>>
>> Any help would be appreciated.
>>
>> Dave
>>
>>
>>
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org  <mailto:Users at lists.openswan.org>
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments:https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
> No virus found in this message.
> Checked by AVG - www.avg.com <http://www.avg.com>
> Version: 2014.0.4259 / Virus Database: 3697/7081 - Release Date: 02/10/14
>


-- 

David Fowler

General Manager
Power Creations
Ph : 1300 737 268
Mb : 041 791 0960
Fx : 08 9386 8561
Wb : www.powercreations.com.au

Please note I am not in the office on Wednesdays.  For anything urgent
please call the office or my mobile.

-----------------------------------------------------------------------
This Email may contain confidential and/or privileged information and
is intended solely for the addressee(s) named. If you have received
this information in error, or are advised that you have been posted
thisvEmail by accident, please notify the sender by return Email,
do not redistribute it, delete the Email and keep no copies.
-----------------------------------------------------------------------

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20140212/4e7010e9/attachment.html>


More information about the Users mailing list