[Openswan Users] Assistance with configuration

Neal Murphy neal.p.murphy at alum.wpi.edu
Thu Apr 23 14:50:11 EDT 2015


Try a more minimal config:

---
config setup
        protostack=klips
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutowait=no
        uniqueids=yes

conn tj-vpn
        authby=secret
        esp=aes256-sha1
        ike=aes256-sha1
        keyexchange=ike
        pfs=no
        left=x.x.x.x
        leftsubnet=10.0.0.0/16
        leftnexthop=%defaultroute
        right=y.y.y.y
        rightsubnet=z.z.z.z/32
        rightnexthop=%defaultroute
        auto=start
---

Come to think of it, you might just be missing rightnexthop.

N



On Thursday, April 23, 2015 02:31:10 PM Ian Barnes wrote:
> Hi All
> 
> Apologies for the probable stupid question - but I am having some problems
> getting an IPSEC tunnel up and running to a provider.
> 
> Here is my network config:
> 
> *Connecting Server*
> Connecting Server has two interfaces
> eth0: x.x.x.x/28
> eth1: 10.0.64.150/24
> 
> Connecting server is running CentOS 6.6, OpenSwan (2.6.32-37.el6)
> 
> Here is a verify:
> # ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                             [OK]
> Linux Openswan U2.6.32/K2.6.32-504.el6.x86_64 (netkey)
> Checking for IPsec support in kernel                         [OK]
>  SAref kernel support                                       [N/A]
>  NETKEY:  Testing for disabled ICMP send_redirects           [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Testing against enforced SElinux mode                       [OK]
> Checking that pluto is running                               [OK]
>  Pluto listening for IKE on udp 500                         [OK]
>  Pluto listening for NAT-T on udp 4500                       [OK]
> Two or more interfaces found, checking IP forwarding         [OK]
> Checking NAT and MASQUERADEing                               [OK]
> Checking for 'ip' command                                   [OK]
> Checking /bin/sh is not /bin/dash                           [OK]
> Checking for 'iptables' command                             [OK]
> Opportunistic Encryption Support                             [DISABLED]
> 
> 
> *Remote Server*
> Here are the connection details of the remote connection i've been given:
> Remote IP: y.y.y.y
> Internal IP: z.z.z.z
> 
> *Phase 1:*
> Cipher: AES-256
> MD Algorithm: SHA1
> LifeTime: 86400sec
> DH Group: 2
> IKE Mode: Main
> Auth Mode: PSK
> 
> *Phase 2:*
> IPSec Type: ESP
> Cipher: AES-256
> MD Algorithm: SHA1
> PFS: NO
> LifeTime: 3600seconds
> Granularity: Host
> 
> 
> *My Config*
> conn tj-vpn
>         type=tunnel
>         auth=esp
>         authby=secret
>         ikelifetime=86400m
>         rekeymargin=10m
>         rekeyfuzz=0%
>         keylife=3600s
>         esp=aes256-sha1
>         ike=aes256-sha1
>         keyexchange=ike
>         pfs=no
>         left=x.x.x.x
>         leftsubnet=10.0.0.0/16
>         leftnexthop=%defaultroute
>         right=y.y.y.y
>         rightsubnet=z.z.z.z/32
>         auto=start
> 
> Startup shows the following:
> 
> # ipsec auto --up tj-vpn
> 104 "tj-vpn" #2: STATE_MAIN_I1: initiate
> 003 "tj-vpn" #2: received Vendor ID payload [RFC 3947] method set to=109
> 003 "tj-vpn" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 003 "tj-vpn" #2: peer requested 5184000 seconds which exceeds our limit
> 86400 seconds.  Attribute OAKLEY_LIFE_DURATION (variable length)
> 003 "tj-vpn" #2: no acceptable Oakley Transform
> 214 "tj-vpn" #2: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
> *JUST HANGS THERE*
> 
> # ipsec --status
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 x.x.x.x
> 000 interface eth0/eth0 x.x.x.x
> 000 interface eth1/eth1 10.0.64.150
> 000 interface eth1/eth1 10.0.64.150
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 0 subnets:
> 000 - disallowed 0 subnets:
> 000 WARNING: Either virtual_private= is not specified, or there is a syntax
> 000          error in that line. 'left/rightsubnet=vhost:%priv' will not
> work!
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000          private address space in internal use, it should be excluded!
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
> keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
> keysizemin=384, keysizemax=384
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
> keysizemin=512, keysizemax=512
> 000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160,
> keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128,
> keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
> blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
> trans={0,2,3072} attrs={0,2,2048}
> 000
> 000 "tj-vpn":
> 10.0.0.0/16===x.x.x.x<x.x.x.x>[+S=C]...y.y.y.y<y.y.y.y>[+S=C]===z.z.z.z/32
> ; prospective erouted; eroute owner: #0
> 000 "tj-vpn":     myip=unset; hisip=unset;
> 000 "tj-vpn":   ike_life: 5184000s; ipsec_life: 3600s; rekey_margin: 600s;
> rekey_fuzz: 0%; keyingtries: 0; nat_keepalive: yes
> 000 "tj-vpn":   policy:
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,32;
> interface: eth0;
> 000 "tj-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "tj-vpn":   IKE algorithms wanted:
> AES_CBC(7)_256-SHA1(2)_000-MODP1536(5),
> AES_CBC(7)_256-SHA1(2)_000-MODP1024(2)
> 000 "tj-vpn":   IKE algorithms found:
>  AES_CBC(7)_256-SHA1(2)_160-MODP1536(5),
> AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
> 000 "tj-vpn":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000
> 000 "tj-vpn":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
> 000
> 000 #2: "tj-vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s;
> nodpd; idle; import:admin initiate
> 000 #2: pending Phase 2 for "tj-vpn" replacing #0
> 000
> 
> # cat ipsec.secrets
> x.x.x.x y.y.y.y: PSK "PSKGOESHERE"
> 
> Anyone have any ideas what i'm doing wrong? I'd appreciate all assistance.
> Thanks so much in advance!
> 
> Cheers
> Ian


More information about the Users mailing list