[Openswan Users] Openswan 2.4.12 fails handshake
Patrick Naubert
patrickn at xelerance.com
Wed Jan 15 17:38:45 EST 2014
Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: Ted Victorio <tvan5bee at yahoo.com>
Subject: Openswan 2.4.12 fails handshake
Date: January 15, 2014 at 5:06:24 PM EST
To: "users at lists.openswan.org" <users at lists.openswan.org>
Reply-To: Ted Victorio <tvan5bee at yahoo.com>
Our existing uClinux-dist-20080808 (kernel 2.6.25-uc0) build includes openswan 2.4.12 (which came with the distro)
Problem: The unit neither initiates nor responds to the remote IPsec Main Mode handshake.
Wireshark monitor has shown the remote ubuntu PC initiated ISAKMP-Identity Protection (Main Mode)
but the local unit replied with ICMP-Destination unreachable (Port unreachable).
Can someone advise me on how to proceed next?
Details shown below. Thank you in advance for your help.
Ted
The relevant IPsec modules were verified.
/> lsmod
Module Size Used by
af_key 29216 - - Live 0x41490000
xfrm_user 15092 - - Live 0x415b8000
xfrm4_tunnel 640 - - Live 0x414a2800
tunnel4 852 - - Live 0x414a2c00
ipcomp 2748 - - Live 0x41422000
esp4 3764 - - Live 0x41d20000
ah4 2824 - - Live 0x41c4c000
-----------------------------
I executed the following commands (uClinux unit) since the build has no ipsec scripting utilities:
/>pluto --nofork --noklips --use-netkey --secretsfile /mnt/ipsec.secrets --debug-all &
/>whack --listen &
/>whack --name link2 --host 90.0.0.3 --to --host 90.0.0.9 --client 209.0.0.0/24 --psk --encrypt --tunnel --pfs &
/>whack --name link2 --initiate &
/>
Pluto initialized
Nov 30 00:01:51 pluto[30]: Starting Pluto (Openswan Version 2.4.12
PLUTO_SENDS_VENDORID; Vendor ID OEzufdtpHjOA)
Nov 30 00:01:51 pluto[30]: | opening /dev/urandom
Nov 30 00:01:51 pluto[30]: | inserting event EVENT_REINIT_SECRET,
timeout in 3600 seconds
Nov 30 00:01:51 pluto[30]: | inserting event EVENT_PENDING_PHASE2,
timeout in 120 seconds
Nov 30 00:01:51 pluto[30]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok(ret=0)
Nov 30 00:01:51 pluto[30]: starting up 1 cryptographic helpers
Nov 30 00:03:55 pluto[31]: | opening /dev/urandom
Nov 30 00:03:55 pluto[31]: ! helper 0 waiting on fd: 6
Note: Using similar pluto & whack commands above, I was able to have 2 Ubuntu PCs etablish IPsec communication.
-----------------------------
I executed the following commands (On Ubuntu side):
# ipsec auto --add link2
# ipsec auto --up link2
Additional IPsec build configuration options:
Networking options
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
Cryptographic API
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_DEFLATE=y
uClinux to ubunutu test configuration
Ubuntu setup:
-------------
ipsec.conf:
config setup
plutodebug=all
klipsdebug=all
#nat_traversal=yes
conn link2
type=tunnel
authby=secret
left=90.0.0.3
right=90.0.0.9
rightsubnet=209.0.0.0/24
ipsec.secrets:
90.0.0.3 90.0.0.9 : PSK "testing12345"
uClinux setup:
--------------
/mnt/ipsec.secrets:
90.0.0.3 90.0.0.9 : PSK "testing12345"
(uClinux) 90.0.0.3====================90.0.0.9 (Ubuntu) ---- 209.0.0.9
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20140115/574caf6c/attachment.html>
More information about the Users
mailing list