[Openswan Users] Ipsec vpn host-to-host between openswan and Cisco device
Nick Howitt
nick at howitts.co.uk
Mon Jul 14 10:32:14 EDT 2014
What are the real LAN subnets at either end of the tunnel?
On 2014-07-14 13:51, Piotr Pawłowski wrote:
> Indeed... Typo in networks (facepalm)... That's the result of debugging
> too long. Thanks for the tip.
> Now VPN is established, however there is no possibility to reach any
> end
> (from openswan I am not able to reach 10.0.0.2/32 and from Cisco I
> cannot reach 10.0.100.1).
> Route on openswan side is added by the software. Route on Cisco side
> looks like this:
> ip route 10.0.100.1 255.255.255.255 $ciscoPublicIP
>
> Any kind of tip will be helpful.
>
> Regards
> Piotr
>
>
> Dnia 2014-07-14, pon o godzinie 09:02 +0100, Nick Howitt pisze:
>> I don't know if your configs are edited, but you must not have any
>> blank
>> lines in a conn. A blank line signifies the end of a conn. It probably
>> also applies to config setup. If you want, you can use an indented #
>> rather than a totally blank line.
>>
>> I can't read Cisco configs but it also seems that your
>> left/rightsubnets
>> don't match your access-list. Is this correct or do you specify
>> subnets
>> elsewhere in the Cisco config?
>>
>> Nick
>>
>> On 2014-07-14 08:36, Piotr Pawłowski wrote:
>> > Dear all,
>> >
>> > From two weeks I am trying to setup ipsec vpn connection between two
>> > hosts. One of them is openswan on linux, other is Cisco device. Without
>> > luck.
>> > Openswan configuration below:
>> >
>> > config setup
>> > interfaces=%defaultroute
>> > plutodebug=none
>> > klipsdebug=none
>> > plutoopts="--perpeerlog"
>> >
>> > nat_traversal=yes
>> > virtual_private=%v4:10.0.100.1/32,%v4:10.0.0.2/32
>> > oe=off
>> > protostack=netkey
>> > plutostderrlog=/var/log/pluto.log
>> > conn testConnection
>> > auto=start
>> > type=tunnel
>> > aggrmode=no
>> >
>> > left=$openswanPublicIP
>> > leftsubnet=10.0.100.1/32
>> > leftsourceip=10.0.100.1
>> >
>> > right=$ciscoPublicIP
>> > rightsubnet=10.0.0.2/32
>> >
>> > keyexchange=ike
>> > ike=3des-md5-modp1024
>> >
>> > authby=secret
>> >
>> > phase2=esp
>> > phase2alg=3des-md5
>> > pfs=yes
>> >
>> >
>> > Cisco configuration:
>> >
>> > crypto isakmp policy 1
>> > encr 3des
>> > hash md5
>> > authentication pre-share
>> > group 2
>> > lifetime 28800
>> > crypto isakmp key TestKey address $openswanPublicIP
>> > crypto ipsec transform-set OPENSWAN esp-3des esp-md5-hmac
>> > mode tunnel
>> > crypto map openswan-map 1 ipsec-isakmp
>> > set peer $openswanPublicIP
>> > set transform-set OPENSWAN
>> > match address 190
>> > access-list 190 permit ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
>> >
>> >
>> >
>> > IMHO everything looks fine. Openswan thinks different. Below output
>> > from
>> > pluto.log.
>> >
>> > Plutorun started on Mon Jul 14 07:01:57 UTC 2014
>> > adjusting ipsec.d to /etc/ipsec.d
>> > Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ)
>> > pid:23920
>> > SAref support [disabled]: Protocol not available
>> > SAbind support [disabled]: Protocol not available
>> > Setting NAT-Traversal port-4500 floating to on
>> > port floating activation criteria nat_t=1/port_float=1
>> > NAT-Traversal support [enabled]
>> > using /dev/urandom as source of random entropy
>> > ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
>> > ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
>> > ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
>> > ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>> > ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
>> > ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
>> > ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
>> > starting up 1 cryptographic helpers
>> > started helper pid=23924 (fd:4)
>> > Using Linux 2.6 IPsec interface code on 2.6.32-5-amd64 (experimental
>> > code)
>> > using /dev/urandom as source of random entropy
>> > ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
>> > ike_alg_add(): ERROR: Algorithm already exists
>> > ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
>> > ike_alg_add(): ERROR: Algorithm already exists
>> > ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
>> > ike_alg_add(): ERROR: Algorithm already exists
>> > ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
>> > ike_alg_add(): ERROR: Algorithm already exists
>> > ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
>> > ike_alg_add(): ERROR: Algorithm already exists
>> > ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
>> > Changed path to directory '/etc/ipsec.d/cacerts'
>> > Changed path to directory '/etc/ipsec.d/aacerts'
>> > Changed path to directory '/etc/ipsec.d/ocspcerts'
>> > Changing to directory '/etc/ipsec.d/crls'
>> > Warning: empty directory
>> > added connection description "testConnection"
>> > listening for IKE messages
>> > NAT-Traversal: Trying new style NAT-T
>> > NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4
>> > (errno=19)
>> > NAT-Traversal: Trying old style NAT-T
>> > adding interface eth0/eth0 $openswanPublicIP:500
>> > adding interface eth0/eth0 $openswanPublicIP:4500
>> > adding interface lo:1/lo:1 10.0.100.1:500
>> > adding interface lo:1/lo:1 10.0.100.1:4500
>> > adding interface lo/lo 127.0.0.1:500
>> > adding interface lo/lo 127.0.0.1:4500
>> > adding interface lo/lo ::1:500
>> > loading secrets from "/etc/ipsec.secrets"
>> > loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
>> > "testConnection" #1: initiating Main Mode
>> > "testConnection" #1: received Vendor ID payload [RFC 3947] method set
>> > to=109
>> > "testConnection" #1: enabling possible NAT-traversal with method 4
>> > "testConnection" #1: transition from state STATE_MAIN_I1 to state
>> > STATE_MAIN_I2
>> > "testConnection" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> > "testConnection" #1: received Vendor ID payload [Cisco-Unity]
>> > "testConnection" #1: received Vendor ID payload [Dead Peer Detection]
>> > "testConnection" #1: ignoring unknown Vendor ID payload
>> > [9df211f6d27b7ea9251edca1d227fdd5]
>> > "testConnection" #1: received Vendor ID payload [XAUTH]
>> > "testConnection" #1: NAT-Traversal: Result using RFC 3947
>> > (NAT-Traversal): no NAT detected
>> > "testConnection" #1: transition from state STATE_MAIN_I2 to state
>> > STATE_MAIN_I3
>> > "testConnection" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> > "testConnection" #1: Main mode peer ID is ID_IPV4_ADDR:
>> > '$ciscoPublicIP'
>> > "testConnection" #1: transition from state STATE_MAIN_I3 to state
>> > STATE_MAIN_I4
>> > "testConnection" #1: STATE_MAIN_I4: ISAKMP SA established
>> > {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
>> > group=modp1024}
>> > "testConnection" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
>> > +IKEv2ALLOW {using isakmp#1 msgid:b73ac6a6
>> > proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
>> > "testConnection" #1: ignoring informational payload, type
>> > NO_PROPOSAL_CHOSEN msgid=00000000
>> > "testConnection" #1: received and ignored informational message
>> > :testConnection" #2: max number of retransmissions (2) reached
>> > STATE_QUICK_I1. No acceptable response to our first Quick Mode
>> > message:
>> > perhaps peer likes no proposal
>> >
>> > I also tried with 'transform-set esp-aes 256 esp-sha-hmac' on Cisco
>> > side
>> > and keyexchange=ike , ike=3des-md5-modp1024 , phase2=esp ,
>> > phase2alg=3des-md5;modp1024 on openswan side. Also with same error as
>> > shown in pluto.log .
>> >
>> > Can anybody point the area, where I am doing something wrong?
>> > Thank you in advance.
>> >
>> > Regards
>> > Piotr
>> > _______________________________________________
>> > Users at lists.openswan.org
>> > https://lists.openswan.org/mailman/listinfo/users
>> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> > Building and Integrating Virtual Private Networks with Openswan:
>> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list