[Openswan Users] Connection to Huawei VRP

Ian Barnes ian.lidtech at gmail.com
Wed Nov 2 03:42:01 EDT 2016


Hey Samir,

Thanks for the help - i've gone back to them asking for more logs on their
end to try figure out what is happening.

Regards
Ian

On Tue, Nov 1, 2016 at 10:25 PM Samir Hussain <shussain at xelerance.com>
wrote:

> Hello Ian,
>   It certainly looks like that there is a misconfiguration on the remote
> side.
>
>   In addition to confirming the parameters at the remote end, I would
> check if they are allowing IKEv1 connections.
>
>
> Samir
>
>
> On 2016-10-30 02:43 PM, Ian Barnes wrote:
> > Hi All,
> >
> > First, many thanks to Samir for the assistance so far - but i've hit
> > another wall and need some more assistance. Upon instruction from the
> > company im connecting to I set the leftid and rightid to what they
> > configured but am now getting the following
> > logs: http://pastebin.com/ddfLM29C
> >
> > My config now looks as follows:
> > conn host-prd
> >         ##### Local
> >         left=externalIP
> > leftid=@LEFTID
> >         leftsubnet=externalIP/32
> > leftnexthop=%defaultroute
> >
> >         ##### Remote
> > right=RIGHTIP/ID
> > rightid=RIGHTIP/ID
> >         rightsubnets={172.25.48.43/32 <http://172.25.48.43/32>
> > 172.25.48.36/32 <http://172.25.48.36/32>}
> >         rightnexthop=%defaultroute
> >
> > ##### Auth Options
> >         authby=secret
> >         rekey=no
> >
> >         ##### Phase 1
> > ike=3des-sha1-modp1024
> >         ikelifetime="14400"
> >
> >         ##### Phase 2
> >         esp=3des-sha1
> >         keylife="3600"
> >         pfs=no
> >
> >         ##### Connection Options
> >         type=tunnel
> >         auto=start
> >         compress=no
> >
> >         disablearrivalcheck=no
> > dpddelay=10
> >         dpdtimeout=30
> >         dpdaction=restart
> >
> > My secrets as follows
> >
> > # cat /etc/ipsec.d/ipsec.secrets
> > @LEFTIDRIGHTIP/ID: PSK "PSKHERE"
> >
> > I see this line in the logs:
> > | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
> >
> > I assume this to mean the PSK failed? From what I can see thats not
> > because it didnt match on my end, they are rejecting the PSK correct?
> >
> > The remote party provided the following logs:
> > Oct 27 2016 14:39:24.660.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Enter
> > m_responder_recv_ID_AUTH
> > [HOST-diagnose]
> > Oct 27 2016 14:39:24.670.1 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;recv ID:
> > find ike peer by ID failed !
> > [HOST-diagnose]
> > Oct 27 2016 14:39:24.670.2 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Leave
> > m_responder_recv_ID_AUTH: recv_ID run err!
> > Oct 27 2016 14:39:54.680.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;check
> > message duplicate: dropping dup
> >
> > Looking at the second line it appears to be a configuration error on
> > their end correct?
> >
> > Regards
> > Ian
> >
> >
> > On Tue, Oct 25, 2016 at 8:31 AM, Ian Barnes <ian.lidtech at gmail.com
> > <mailto:ian.lidtech at gmail.com>> wrote:
> >
> >     Hey Samir,
> >
> >     Many many thanks for the quick response, helping me out hugely here!
> >
> >     I have contacted the provider to ask what the ID is that they are
> >     expecting, hopefully I get some joy :)
> >
> >     Will keep you posted on resolution thanks!
> >
> >     Regards
> >     Ian
> >
> >     On Mon, Oct 24, 2016 at 11:10 PM, Samir Hussain
> >     <shussain at xelerance.com <mailto:shussain at xelerance.com>> wrote:
> >
> >         Hello Ian,
> >           Thank you for providing a paste bin link. It was very helpful.
> >
> >           Your issue seems to be with your id. In your original
> >         ipsec.conf, I
> >         did not see a leftid or a rightid. If you have added them,
> please be
> >         sure to:
> >
> >         1) Have the same leftid and rightid in your secrets file
> (normally
> >         /etc/ipsec.secrets)
> >         2) Have the same id as what the remote peer expects.
> >
> >         Samir
> >
> >         On 2016-10-24 04:07 PM, Ian Barnes wrote:
> >         > Hi Samir,
> >         >
> >         > Thanks so much for the response - very much appreciated. I've
> >         made the
> >         > changes you suggested and have had zero joy. Here are the
> >         > logs: http://pastebin.com/tycfF6JN. The only thing I can see
> >         is this:
> >         >
> >         > got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
> >         > | ***parse ISAKMP Notification Payload:
> >         > |    next payload type: ISAKMP_NEXT_NONE
> >         > |    length: 12
> >         > |    DOI: ISAKMP_DOI_IPSEC
> >         > |    protocol ID: 1
> >         > |    SPI size: 0
> >         > |    Notify Message Type: INVALID_ID_INFORMATION
> >         > | removing 4 bytes of padding
> >         > "host-prd/0x2" #1: ignoring informational payload, type
> >         > INVALID_ID_INFORMATION msgid=00000000
> >         > | info:
> >         > | processing informational INVALID_ID_INFORMATION (18)
> >         > "host-prd/0x2" #1: received and ignored informational message
> >         > | complete state transition with STF_IGNORE
> >         > | * processed 0 messages from cryptographic helpers
> >         > | next event EVENT_RETRANSMIT in 10 seconds for #3
> >         > | next event EVENT_RETRANSMIT in 10 seconds for #3
> >         >
> >         > But I cant find much about that error.
> >         >
> >         > Any ideas?
> >         >
> >         > Cheers
> >         > Ian
> >         >
> >         >
> >         > On Mon, Oct 24, 2016 at 9:53 PM, Samir Hussain
> >         <shussain at xelerance.com <mailto:shussain at xelerance.com>
> >         > <mailto:shussain at xelerance.com
> >         <mailto:shussain at xelerance.com>>> wrote:
> >         >
> >         >     One quick question: You have explicitly set pfs to no.
> >         Does the other
> >         >     side not expect PFS? what happens if you enable PFS?
> >         >
> >         >     Samir
> >         >
> >         >     On 2016-10-24 12:17 PM, Samir Hussain wrote:
> >         >     > Hello,
> >         >     >   A couple of comments:
> >         >     > * ikelifetime and phasetime do not need to be quoted
> >         >     > * is your leftsourceip the same as the IP assigned to
> >         left? If it is,
> >         >     > then you can remove leftsourceip
> >         >     > * keyexchange and aut=esp should be removed
> >         >     >
> >         >     > If you are still experiencing problems, what do the logs
> >         show? You can
> >         >     > enable it by adding the following in "config setup"
> section:
> >         >     >
> >         >     > plutodebug="control parsing"
> >         >     > plutostderrlog=/var/log/ipsec.log
> >         >     >
> >         >     > Samir
> >         >     >
> >         >     > On 2016-10-23 03:33 PM, Ian Barnes wrote:
> >         >     >> Hi,
> >         >     >>
> >         >     >> I am having trouble setting up a connection to a
> >         provider (and am
> >         >     also
> >         >     >> running into delays getting logs from them) so I was
> >         wondering if
> >         >     anyone
> >         >     >> can spot a glaring error or point me in the possible
> right
> >         >     direction as
> >         >     >> to why my tunnel isnt coming up.
> >         >     >>
> >         >     >> First off - the connection details (as provided by the
> >         remote party):
> >         >     >> *Remote:*
> >         >     >> Remote Device: Huawei VRP
> >         >     >> Auth Method: Pre-Shared Key
> >         >     >> Encryption: IKE
> >         >     >> IKE PFS: 3DES
> >         >     >> IKE Encryption Algorithm: SHA1
> >         >     >> IKE Hashing Algorithm: Group 2 (1024)
> >         >     >> IKE SA Lifetime: 14400
> >         >     >> Transform (IPSec Protocol): IKE
> >         >     >> IPSEC Perfect Forward Secrecy: ESP
> >         >     >> IPSEC Encryption Algorithm: 3DES
> >         >     >> IPSEC Hashing Algorithm: SHA1
> >         >     >> IPSEC SA Lifetime: 3600
> >         >     >> Hosts: 172.25.48.43, 172.25.48.36
> >         >     >>
> >         >     >> Here is my config:
> >         >     >> *[root at server ~]# cat /etc/ipsec.conf*
> >         >     >> # /etc/ipsec.conf - Openswan IPsec configuration file
> >         >     >> version2.0# conforms to second version of ipsec.conf
> >         specification
> >         >     >>
> >         >     >> # basic configuration
> >         >     >> config setup
> >         >     >> nat_traversal=yes
> >         >     >> virtual_private=%v:10.0.0.0/16 <http://10.0.0.0/16>
> >         <http://10.0.0.0/16>
> >         >     <http://10.0.0.0/16>
> >         >     >> protostack=netkey
> >         >     >> interfaces=%defaultroute
> >         >     >> klipsdebug=none
> >         >     >> plutodebug=none
> >         >     >> plutowait=no
> >         >     >> uniqueids=yes
> >         >     >> include /etc/ipsec.d/*.conf
> >         >     >>
> >         >     >> *[root at server ~]# cat /etc/ipsec.d/host-prd.conf*
> >         >     >>
> >         >
> >
> #######################################################################
> >         >     >> # VPN to HOST
> >         >     >> #
> >         >     >> #remoteEndPoint/32        (Production)
>  externalIP/32
> >         >     >> #
> >         >     >> conn host-prd
> >         >     >>         ##### Local
> >         >     >>         left=externalIP
> >         >     >>         leftsourceip=externalIP
> >         >     >>         leftsubnet=externalIP/32
> >         >     >> leftnexthop=%defaultroute
> >         >     >>
> >         >     >>         ##### Remote
> >         >     >> right=remoteEndPoint
> >         >     >>         rightsubnets={172.25.48.43/32
> >         <http://172.25.48.43/32> <http://172.25.48.43/32>
> >         >     <http://172.25.48.43/32>
> >         >     >> 172.25.48.36/32 <http://172.25.48.36/32>
> >         <http://172.25.48.36/32> <http://172.25.48.36/32>}
> >         >     >>         rightnexthop=%defaultroute
> >         >     >>
> >         >     >> ##### Auth Options
> >         >     >>         authby=secret
> >         >     >>         rekey=no
> >         >     >>
> >         >     >>         ##### Phase 1
> >         >     >>         keyexchange=ike
> >         >     >> ike=3des-sha1-modp1024
> >         >     >>         ikelifetime="14400"
> >         >     >>
> >         >     >>         ##### Phase 2
> >         >     >>         auth=esp
> >         >     >>         esp=3des-sha1
> >         >     >>         keylife="3600"
> >         >     >>         pfs=no
> >         >     >>
> >         >     >>         ##### Connection Options
> >         >     >>         type=tunnel
> >         >     >>         auto=start
> >         >     >>         compress=no
> >         >     >>
> >         >     >>         disablearrivalcheck=no
> >         >     >> dpddelay=10
> >         >     >>         dpdtimeout=30
> >         >     >>         dpdaction=restart
> >         >     >>
> >         >     >>
> >         >     >> Here are the logs of when I try connect:
> >         >     >> [root at server ~]# ipsec status
> >         >     >> 000 using kernel interface: netkey
> >         >     >> 000 interface lo/lo ::1
> >         >     >> 000 interface lo/lo 127.0.0.1
> >         >     >> 000 interface lo/lo 127.0.0.1
> >         >     >> 000 interface eth0/eth0 externalIP
> >         >     >> 000 interface eth0/eth0 externalIP
> >         >     >> 000 interface eth1/eth1 10.0.64.10
> >         >     >> 000 interface eth1/eth1 10.0.64.10
> >         >     >> 000 %myid = (none)
> >         >     >> 000 debug none
> >         >     >> 000
> >         >     >> 000 virtual_private (%priv):
> >         >     >> 000 - allowed 0 subnets:
> >         >     >> 000 - disallowed 0 subnets:
> >         >     >> 000 WARNING: Either virtual_private= is not specified,
> >         or there
> >         >     is a syntax
> >         >     >> 000          error in that line.
> >         'left/rightsubnet=vhost:%priv'
> >         >     will not
> >         >     >> work!
> >         >     >> 000 WARNING: Disallowed subnets in virtual_private= is
> >         empty. If
> >         >     you have
> >         >     >> 000          private address space in internal use, it
> >         should be
> >         >     excluded!
> >         >     >> 000
> >         >     >> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> >         >     keysizemin=192,
> >         >     >> keysizemax=192
> >         >     >> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
> >         >     keysizemin=128,
> >         >     >> keysizemax=128
> >         >     >> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH,
> >         ivlen=8,
> >         >     >> keysizemin=40, keysizemax=448
> >         >     >> 000 algorithm ESP encrypt: id=11, name=ESP_NULL,
> ivlen=0,
> >         >     keysizemin=0,
> >         >     >> keysizemax=0
> >         >     >> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> >         >     keysizemin=128,
> >         >     >> keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR,
> >         ivlen=8,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A,
> >         ivlen=8,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B,
> >         ivlen=12,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C,
> >         ivlen=16,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A,
> >         ivlen=8,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B,
> >         ivlen=12,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C,
> >         ivlen=16,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8,
> >         >     keysizemin=128,
> >         >     >> keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT,
> >         ivlen=8,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH,
> >         ivlen=8,
> >         >     >> keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP auth attr: id=1,
> >         name=AUTH_ALGORITHM_HMAC_MD5,
> >         >     >> keysizemin=128, keysizemax=128
> >         >     >> 000 algorithm ESP auth attr: id=2,
> >         name=AUTH_ALGORITHM_HMAC_SHA1,
> >         >     >> keysizemin=160, keysizemax=160
> >         >     >> 000 algorithm ESP auth attr: id=5,
> >         name=AUTH_ALGORITHM_HMAC_SHA2_256,
> >         >     >> keysizemin=256, keysizemax=256
> >         >     >> 000 algorithm ESP auth attr: id=6,
> >         name=AUTH_ALGORITHM_HMAC_SHA2_384,
> >         >     >> keysizemin=384, keysizemax=384
> >         >     >> 000 algorithm ESP auth attr: id=7,
> >         name=AUTH_ALGORITHM_HMAC_SHA2_512,
> >         >     >> keysizemin=512, keysizemax=512
> >         >     >> 000 algorithm ESP auth attr: id=8, name=(null),
> >         keysizemin=160,
> >         >     >> keysizemax=160
> >         >     >> 000 algorithm ESP auth attr: id=9, name=(null),
> >         keysizemin=128,
> >         >     >> keysizemax=128
> >         >     >> 000 algorithm ESP auth attr: id=251, name=(null),
> >         keysizemin=0,
> >         >     keysizemax=0
> >         >     >> 000
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null),
> blocksize=16,
> >         >     keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null),
> blocksize=16,
> >         >     keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null),
> blocksize=16,
> >         >     keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null),
> blocksize=16,
> >         >     keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null),
> blocksize=16,
> >         >     keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null),
> blocksize=16,
> >         >     keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=3,
> name=OAKLEY_BLOWFISH_CBC,
> >         >     blocksize=8,
> >         >     >> keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
> >         blocksize=8,
> >         >     >> keydeflen=192
> >         >     >> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC,
> >         blocksize=16,
> >         >     >> keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=65004,
> >         name=OAKLEY_SERPENT_CBC,
> >         >     >> blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=65005,
> >         name=OAKLEY_TWOFISH_CBC,
> >         >     >> blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=65289,
> >         name=OAKLEY_TWOFISH_CBC_SSH,
> >         >     >> blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5,
> hashsize=16
> >         >     >> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1,
> hashsize=20
> >         >     >> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256,
> >         hashsize=32
> >         >     >> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384,
> >         hashsize=48
> >         >     >> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512,
> >         hashsize=64
> >         >     >> 000 algorithm IKE dh group: id=2,
> >         name=OAKLEY_GROUP_MODP1024,
> >         >     bits=1024
> >         >     >> 000 algorithm IKE dh group: id=5,
> >         name=OAKLEY_GROUP_MODP1536,
> >         >     bits=1536
> >         >     >> 000 algorithm IKE dh group: id=14,
> >         name=OAKLEY_GROUP_MODP2048,
> >         >     bits=2048
> >         >     >> 000 algorithm IKE dh group: id=15,
> >         name=OAKLEY_GROUP_MODP3072,
> >         >     bits=3072
> >         >     >> 000 algorithm IKE dh group: id=16,
> >         name=OAKLEY_GROUP_MODP4096,
> >         >     bits=4096
> >         >     >> 000 algorithm IKE dh group: id=17,
> >         name=OAKLEY_GROUP_MODP6144,
> >         >     bits=6144
> >         >     >> 000 algorithm IKE dh group: id=18,
> >         name=OAKLEY_GROUP_MODP8192,
> >         >     bits=8192
> >         >     >> 000 algorithm IKE dh group: id=22,
> >         name=OAKLEY_GROUP_DH22, bits=1024
> >         >     >> 000 algorithm IKE dh group: id=23,
> >         name=OAKLEY_GROUP_DH23, bits=2048
> >         >     >> 000 algorithm IKE dh group: id=24,
> >         name=OAKLEY_GROUP_DH24, bits=2048
> >         >     >> 000
> >         >     >> 000 stats db_ops: {curr_cnt, total_cnt, maxsz}
> >         :context={0,8064,64}
> >         >     >> trans={0,8064,3072} attrs={0,8064,2048}
> >         >     >> 000
> >         >     >> 000 "host-prd/0x1":
> >         >     >>
> >         >
> >
> externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===
> 172.25.48.43/32
> >         <http://172.25.48.43/32>
> >         >     <http://172.25.48.43/32>
> >         >     >> <http://172.25.48.43/32>; unrouted; eroute owner: #0
> >         >     >> 000 "host-prd/0x1":     myip=externalIP; hisip=unset;
> >         >     >> 000 "host-prd/0x1":   ike_life: 14400s; ipsec_life:
> 3600s;
> >         >     rekey_margin:
> >         >     >> 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive:
> yes
> >         >     >> 000 "host-prd/0x1":   policy:
> >         >     >>
> >         PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
> >         >     prio:
> >         >     >> 32,32; interface: eth0;
> >         >     >> 000 "host-prd/0x1":   newest ISAKMP SA: #0; newest
> >         IPsec SA: #0;
> >         >     >> 000 "host-prd/0x1":   aliases: host-prd
> >         >     >> 000 "host-prd/0x1":   IKE algorithms wanted:
> >         >     >> 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
> >         >     >> 000 "host-prd/0x1":   IKE algorithms found:
> >         >     >>  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> >         >     >> 000 "host-prd/0x1":   ESP algorithms wanted:
> >         3DES(3)_000-SHA1(2)_000
> >         >     >> 000 "host-prd/0x1":   ESP algorithms loaded:
> >         3DES(3)_192-SHA1(2)_160
> >         >     >> 000 "host-prd/0x2":
> >         >     >>
> >         >
> >
> externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===
> 172.25.48.36/32
> >         <http://172.25.48.36/32>
> >         >     <http://172.25.48.36/32>
> >         >     >> <http://172.25.48.36/32>; unrouted; eroute owner: #0
> >         >     >> 000 "host-prd/0x2":     myip=externalIP; hisip=unset;
> >         >     >> 000 "host-prd/0x2":   ike_life: 14400s; ipsec_life:
> 3600s;
> >         >     rekey_margin:
> >         >     >> 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive:
> yes
> >         >     >> 000 "host-prd/0x2":   policy:
> >         >     >>
> >         PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
> >         >     prio:
> >         >     >> 32,32; interface: eth0;
> >         >     >> 000 "host-prd/0x2":   newest ISAKMP SA: #7757; newest
> >         IPsec SA: #0;
> >         >     >> 000 "host-prd/0x2":   aliases: host-prd
> >         >     >> 000 "host-prd/0x2":   IKE algorithms wanted:
> >         >     >> 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
> >         >     >> 000 "host-prd/0x2":   IKE algorithms found:
> >         >     >>  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> >         >     >> 000 "host-prd/0x2":   IKE algorithm newest:
> >         >     3DES_CBC_192-SHA1-MODP1024
> >         >     >> 000 "host-prd/0x2":   ESP algorithms wanted:
> >         3DES(3)_000-SHA1(2)_000
> >         >     >> 000 "host-prd/0x2":   ESP algorithms loaded:
> >         3DES(3)_192-SHA1(2)_160
> >         >     >> 000
> >         >     >> 000 #8083: "host-prd/0x1":500 STATE_QUICK_I1 (sent QI1,
> >         expecting
> >         >     QR1);
> >         >     >> EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin
> initiate
> >         >     >> 000 #8082: "host-prd/0x2":500 STATE_QUICK_I1 (sent QI1,
> >         expecting
> >         >     QR1);
> >         >     >> EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin
> initiate
> >         >     >> 000 #7757: "host-prd/0x2":500 STATE_MAIN_I4 (ISAKMP SA
> >         established);
> >         >     >> EVENT_SA_REPLACE_IF_USED in 2380s; newest ISAKMP;
> >         nodpd; idle;
> >         >     >> import:admin initiate
> >         >     >> 000
> >         >     >>
> >         >     >> *Here is an ipsec verify:*
> >         >     >> [root at server ~]# ipsec verify
> >         >     >> Checking your system to see if IPsec got installed and
> >         started
> >         >     correctly:
> >         >     >> Version check and ipsec on-path
> >              [OK]
> >         >     >> Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64
> (netkey)
> >         >     >> Checking for IPsec support in kernel
> >             [OK]
> >         >     >>  SAref kernel support
> >              [N/A]
> >         >     >>  NETKEY:  Testing for disabled ICMP send_redirects
> >             [OK]
> >         >     >> NETKEY detected, testing for disabled ICMP
> >         accept_redirects [OK]
> >         >     >> Checking that pluto is running
> >             [OK]
> >         >     >>  Pluto listening for IKE on udp 500
> >              [OK]
> >         >     >>  Pluto listening for NAT-T on udp 4500
> >             [OK]
> >         >     >> Two or more interfaces found, checking IP forwarding
> >             [OK]
> >         >     >> Checking NAT and MASQUERADEing
> >             [OK]
> >         >     >> Checking for 'ip' command
> >              [OK]
> >         >     >> Checking /bin/sh is not /bin/dash
> >              [OK]
> >         >     >> Checking for 'iptables' command
> >              [OK]
> >         >     >> Opportunistic Encryption Support
> >         >     [DISABLED]
> >         >     >>
> >         >     >> Any ideas would be very welcome! Apologies if i'm
> >         missing something
> >         >     >> silly - i think i cant see the wood for the trees at
> >         the moment!
> >         >     >>
> >         >     >> Regards
> >         >     >> Ian
> >         >     >>
> >         >     >>
> >         >     >>
> >         >     >> _______________________________________________
> >         >     >> Users at lists.openswan.org
> >         <mailto:Users at lists.openswan.org>
> >         <mailto:Users at lists.openswan.org <mailto:
> Users at lists.openswan.org>>
> >         >     >> https://lists.openswan.org/mailman/listinfo/users
> >         <https://lists.openswan.org/mailman/listinfo/users>
> >         >     <https://lists.openswan.org/mailman/listinfo/users
> >         <https://lists.openswan.org/mailman/listinfo/users>>
> >         >     >> Micropayments:
> >         >     https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >         <https://flattr.com/thing/38387/IPsec-for-Linux-made-easy>
> >         >     <https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >         <https://flattr.com/thing/38387/IPsec-for-Linux-made-easy>>
> >         >     >> Building and Integrating Virtual Private Networks with
> Openswan:
> >         >     >>
> >         >
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >         <
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155>
> >         >
> >          <
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >         <
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155>>
> >         >     >>
> >         >
> >         >
> >
> >
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20161102/bbf8b760/attachment-0001.html>


More information about the Users mailing list