[Openswan Users] Fwd: Question after building vpn site to site

Samir Hussain shussain at xelerance.com
Sat Nov 19 21:04:57 EST 2016


Rescued from the spam bucket.  Please remember to subscribe to the
mailing list before posting to it.


-------- Forwarded Message --------
Subject: 	Question after building vpn site to site
Date: 	Sat, 19 Nov 2016 20:45:46 +0100
From: 	Fraj KALLEL <frajkallel at gmail.com>
To: 	users at lists.openswan.org



Hello,


I built an IPsec VPN between Openswan and a Cisco ASA 5510.

After running /etc/init.d/ipsec restart, I have these lines in the log:

| handling event EVENT_RETRANSMIT for 2.2.2.2 "VPN-site-to-site" #1
| sending 220 bytes for EVENT_RETRANSMIT through eth0:500 to 2.2.2.2:500 (using #1)
|   b2 d3 09 d7  1a 62 b2 e3  00 00 00 00  00 00 00 00
|   01 10 02 00  00 00 00 00  00 00 00 dc  0d 00 00 38
|   00 00 00 01  00 00 00 01  00 00 00 2c  00 01 00 01
|   00 00 00 24  00 01 00 00  80 0b 00 01  80 0c 70 80
|   80 01 00 07  80 02 00 02  80 03 00 01  80 04 00 02
|   80 0e 01 00  0d 00 00 10  4f 45 76 79  5c 6b 67 7a
|   57 71 5c 73  0d 00 00 14  af ca d7 13  68 a1 f1 c9
|   6b 86 96 fc  77 57 01 00  0d 00 00 14  4a 13 1c 81
|   07 03 58 45  5c 57 28 f2  0e 95 45 2f  0d 00 00 14
|   7d 94 19 a6  53 10 ca 6f  2c 17 9d 92  15 52 9d 56
|   0d 00 00 14  90 cb 80 91  3e bb 69 6e  08 63 81 b5
|   ec 42 7b 1f  0d 00 00 14  cd 60 46 43  35 df 21 f8
|   7c fd b2 fc  68 b6 a4 48  00 00 00 14  44 85 15 2d
|   18 b6 bb cd  0b e8 a8 46  95 79 dd cc
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| event added at head of queue
| next event EVENT_RETRANSMIT in 20 seconds for #1
|
| rejected packet:

"VPN-site-to-site" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 2.2.2.2 port 500, complainant 1.1.1.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
| * processed 0 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 17 seconds for #1
| next event EVENT_RETRANSMIT in 17 seconds for #1



Openswan IP: 1.1.1.1
Cisco ASA 5510 IP: 2.2.2.2
IP of VM behind Cisco: 172.27.51.9/32

ipsec.secrets:

1.1.1.1 2.2.2.2: PSK "azerty"

ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null
        plutodebug=all
        plutostderrlog=/var/log/openswan.log

# Add connections here
conn VPN-site-to-site
        type=tunnel
        left=1.1.1.1
        right=2.2.2.2
        rightsubnet=172.27.51.9/32
        authby=secret
        auto=start
        keyexchange=ike
        #type=tunnel
        ike=aes256-sha1;modp1024!
        ikelifetime=28800s
        aggrmode=no
        phase2=esp
        phase2alg=aes256-sha1
        keylife=3600s
        forceencaps=yes


-- 
Sincerely yours
Fraj KALLEL.
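As an added example (not from the original post, and not Openswan's own code), the following Python decodes the ISAKMP header from the first two dump lines in the log above and parses the asynchronous error line, so the two facts the log already states can be checked against each other: the responder cookie is still all zeros (no reply from 2.2.2.2 has ever arrived) and the kernel reports ICMP type 3 code 1, host unreachable, for the IKE packet. The dump bytes and addresses are taken from the posted log; nothing else is assumed.

```python
import re
import struct

# Constructed sample input, copied from the posted log: the first two dump
# lines (the 28-byte ISAKMP header) and the asynchronous error line.
DUMP_HEAD = """
b2 d3 09 d7  1a 62 b2 e3  00 00 00 00  00 00 00 00
01 10 02 00  00 00 00 00  00 00 00 dc  0d 00 00 38
"""
ERROR_LINE = ('"VPN-site-to-site" #1: ERROR: asynchronous network error report on eth0 '
              '(sport=500) for message to 2.2.2.2 port 500, complainant 1.1.1.1: '
              'No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]')

# IKEv1 exchange types (RFC 2408 section 3.1) and ICMP type 3 codes (RFC 792/1812).
EXCHANGE = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable",
                9: "net admin prohibited", 10: "host admin prohibited", 13: "admin prohibited"}

def parse_isakmp_header(dump):
    """Decode the fixed 28-byte ISAKMP header from pluto's hex dump."""
    raw = bytes.fromhex("".join(dump.split()))
    if len(raw) < 28:
        raise ValueError("need at least 28 bytes for an ISAKMP header")
    ispi, rspi, nxt, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {"initiator_spi": ispi.hex(), "responder_spi": rspi.hex(), "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, str(exch)),
            "flags": flags, "message_id": msgid, "length": length}

ERR_RE = re.compile(r"for message to (?P<peer>\S+) port (?P<port>\d+).*?"
                    r"errno (?P<errno>\d+), origin ICMP type (?P<type>\d+) code (?P<code>\d+)")

def parse_network_error(line):
    """Extract peer, errno and ICMP type/code from pluto's network error report."""
    m = ERR_RE.search(line)
    if not m:
        return None
    d = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    d["icmp_meaning"] = ICMP_UNREACH.get(d["code"], "unknown") if d["type"] == 3 else "not an unreachable"
    return d

def diagnose(hdr, err):
    """Findings to check before touching proposals or the PSK."""
    findings = []
    if hdr["responder_spi"] == "00" * 8 and hdr["message_id"] == 0:
        findings.append("first main-mode message, responder cookie still zero: no reply has ever arrived")
    if err and err["type"] == 3:
        findings.append(f"ICMP {err['icmp_meaning']} for {err['peer']}:{err['port']}: "
                        "the IKE packet is bounced before reaching the peer; check routing and filtering first")
    return findings
```

The header length field (220) matches the "sending 220 bytes" line, and exchange type 2 matches aggrmode=no in the posted ipsec.conf, so the packet itself is well formed; the retransmits are caused by the path to 2.2.2.2, not by the IKE proposal.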