[Openswan Users] ipsec verify failed
Patrick Naubert
patrickn at xelerance.com
Tue Jun 24 07:02:34 EDT 2014
Rescued from the Spam bucket. Please remember to subscribe to the mailing list before posting to it.
From: Tian You <axqd001 at gmail.com>
Subject: ipsec verify failed
Date: June 22, 2014 at 2:47:36 PM EDT
To: users at lists.openswan.org
Hi all, I'm new to Openswan and I don't know how to debug this or how to proceed. Please kindly help.
This is for xl2tpd + ipsec VPN solution.
==========================
$ sudo ipsec verify
Checking if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Openswan U2.6.40/K3.14.5-x86_64-linode42 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [DISABLED]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [IP XFRM BROKEN]
Checking 'iptables' command [OK]
ipsec verify: encountered errors
===================
$ sudo netstat -nlp | grep pluto
udp 0 0 127.0.0.1:4500 0.0.0.0:* 14487/pluto
udp 0 0 <server public ip>:4500 0.0.0.0:* 14487/pluto
udp 0 0 127.0.0.1:500 0.0.0.0:* 14487/pluto
udp 0 0 <server public ip>:500 0.0.0.0:* 14487/pluto
udp6 0 0 ::1:500 :::* 14487/pluto
udp6 0 0 2400:8900::f03c:91f:500 :::* 14487/pluto
unix 2 [ ACC ] STREAM LISTENING 26091 14487/pluto /var/run/pluto/pluto.ctl
$ sudo ls -l /var/run/pluto/
total 12
-rw-r--r-- 1 root root 109 Jun 23 00:23 ipsec.info
-rw-r--r-- 1 root root 6 Jun 23 00:23 ipsec_setup.pid
srwx------ 1 root root 0 Jun 23 00:23 pluto.ctl
-r--r--r-- 1 root root 6 Jun 23 00:23 pluto.pid
$ uname -a
Linux force 3.14.5-x86_64-linode42 #1 SMP Thu Jun 5 15:22:13 EDT 2014 x86_64 GNU/Linux
$ cat /etc/issue
Debian GNU/Linux 6.0 \n \l
$ sudo ipsec whack --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface eth0/eth0 2400:8900::f03c:91ff:feae:27f1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 <server public ip>
000 interface eth0/eth0 <server public ip>
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "L2TP-PSK-NAT": <server public ip>/32===<server public ip><<server public ip>>:17/%any...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP-PSK-NAT": myip=unset; hisip=unset;
000 "L2TP-PSK-NAT": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-NAT": policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "L2TP-PSK-NAT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "L2TP-PSK-noNAT": <server public ip><<server public ip>>:17/%any...%any:17/%any; unrouted; eroute owner: #0
000 "L2TP-PSK-noNAT": myip=unset; hisip=unset;
000 "L2TP-PSK-noNAT": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK-noNAT": policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "L2TP-PSK-noNAT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000
================
Jun 22 12:23:24 localhost sudo: axqd : TTY=pts/1 ; PWD=/home/axqd ; USER=root ; COMMAND=/etc/init.d/ipsec restart
Jun 22 12:23:24 localhost pluto[14204]: shutting down
Jun 22 12:23:24 localhost pluto[14204]: forgetting secrets
Jun 22 12:23:24 localhost pluto[14204]: "L2TP-PSK-noNAT": deleting connection
Jun 22 12:23:24 localhost pluto[14204]: "L2TP-PSK-NAT": deleting connection
Jun 22 12:23:24 localhost pluto[14204]: shutting down interface lo/lo ::1:500
Jun 22 12:23:24 localhost pluto[14204]: shutting down interface eth0/eth0 2400:8900::f03c:91ff:feae:27f1:500
Jun 22 12:23:24 localhost pluto[14204]: shutting down interface lo/lo 127.0.0.1:4500
Jun 22 12:23:24 localhost pluto[14204]: shutting down interface lo/lo 127.0.0.1:500
Jun 22 12:23:24 localhost pluto[14204]: shutting down interface eth0/eth0 <server public ip>:4500
Jun 22 12:23:24 localhost pluto[14204]: shutting down interface eth0/eth0 <server public ip>:500
Jun 22 12:23:24 localhost pluto[14205]: pluto_crypto_helper: helper (0) is normal exiting
Jun 22 12:23:25 localhost ipsec__plutorun: Starting Pluto subsystem...
Jun 22 12:23:25 localhost pluto[14487]: Starting Pluto (Openswan Version 2.6.40; Vendor ID OSWvfazocUPZ) pid:14487
Jun 22 12:23:25 localhost pluto[14487]: LEAK_DETECTIVE support [disabled]
Jun 22 12:23:25 localhost pluto[14487]: OCF support for IKE [disabled]
Jun 22 12:23:25 localhost pluto[14487]: SAref support [disabled]: Protocol not available
Jun 22 12:23:25 localhost pluto[14487]: SAbind support [disabled]: Protocol not available
Jun 22 12:23:25 localhost pluto[14487]: NSS support [disabled]
Jun 22 12:23:25 localhost pluto[14487]: HAVE_STATSD notification support not compiled in
Jun 22 12:23:25 localhost pluto[14487]: Setting NAT-Traversal port-4500 floating to on
Jun 22 12:23:25 localhost pluto[14487]: port floating activation criteria nat_t=1/port_float=1
Jun 22 12:23:25 localhost pluto[14487]: NAT-Traversal support [enabled]
Jun 22 12:23:25 localhost pluto[14487]: using /dev/urandom as source of random entropy
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jun 22 12:23:25 localhost pluto[14487]: starting up 1 cryptographic helpers
Jun 22 12:23:25 localhost pluto[14487]: started helper pid=14489 (fd:6)
Jun 22 12:23:25 localhost pluto[14487]: Using Linux XFRM/NETKEY IPsec interface code on 3.14.5-x86_64-linode42
Jun 22 12:23:25 localhost pluto[14489]: using /dev/urandom as source of random entropy
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jun 22 12:23:25 localhost pluto[14487]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jun 22 12:23:25 localhost pluto[14487]: added connection description "L2TP-PSK-NAT"
Jun 22 12:23:25 localhost pluto[14487]: added connection description "L2TP-PSK-noNAT"
Jun 22 12:23:25 localhost pluto[14487]: listening for IKE messages
Jun 22 12:23:25 localhost pluto[14487]: adding interface eth0/eth0 <server public ip>:500
Jun 22 12:23:25 localhost pluto[14487]: adding interface eth0/eth0 <server public ip>:4500
Jun 22 12:23:25 localhost pluto[14487]: adding interface lo/lo 127.0.0.1:500
Jun 22 12:23:25 localhost pluto[14487]: adding interface lo/lo 127.0.0.1:4500
Jun 22 12:23:25 localhost pluto[14487]: adding interface eth0/eth0 2400:8900::f03c:91ff:feae:27f1:500
Jun 22 12:23:25 localhost pluto[14487]: adding interface lo/lo ::1:500
Jun 22 12:23:25 localhost pluto[14487]: loading secrets from "/etc/ipsec.secrets"
================
$ cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
dumpdir=/var/run/pluto/
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using 25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least up to 2010-12-21)
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# OE is now off by default. Uncomment and change to on, to enable.
oe=off
# which IPsec stack to use. auto will try netkey, then klips then mast
protostack=netkey
# Use this to log to a file, or disable logging on embedded systems (like openwrt)
#plutostderrlog=/dev/null
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
# # Left security gateway, subnet behind it, nexthop toward right.
# left=10.0.0.1
# leftsubnet=172.16.0.0/24
# leftnexthop=10.22.33.44
# # Right security gateway, subnet behind it, nexthop toward left.
# right=10.12.12.1
# rightsubnet=192.168.0.0/24
# rightnexthop=10.101.102.103
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
# #auto=add
conn L2TP-PSK-NAT
rightsubnet=vhost:%priv
also=L2TP-PSK-noNAT
conn L2TP-PSK-noNAT
authby=secret
pfs=no
auto=add
keyingtries=3
rekey=no
ikelifetime=8h
keylife=1h
type=transport
left=<server public ip>
leftprotoport=17/%any
#leftprotoport=17/1701
right=%any
rightprotoport=17/%any