[Openswan Users] Question after building vpn site to site
Fraj KALLEL
frajkallel at gmail.com
Sun Nov 20 06:41:56 EST 2016
Hello,
I built an IPsec VPN between Openswan and a Cisco ASA 5510.
After running /etc/init.d/ipsec restart, I have these lines in the log.
| handling event EVENT_RETRANSMIT for 2.2.2.2 "VPN-site-to-site" #1
| sending 220 bytes for EVENT_RETRANSMIT through eth0:500 to 2.2.2.2:500 (using #1)
| b2 d3 09 d7 1a 62 b2 e3 00 00 00 00 00 00 00 00
| 01 10 02 00 00 00 00 00 00 00 00 dc 0d 00 00 38
| 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01
| 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 70 80
| 80 01 00 07 80 02 00 02 80 03 00 01 80 04 00 02
| 80 0e 01 00 0d 00 00 10 4f 45 76 79 5c 6b 67 7a
| 57 71 5c 73 0d 00 00 14 af ca d7 13 68 a1 f1 c9
| 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81
| 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14
| 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
| 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5
| ec 42 7b 1f 0d 00 00 14 cd 60 46 43 35 df 21 f8
| 7c fd b2 fc 68 b6 a4 48 00 00 00 14 44 85 15 2d
| 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
| inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
| event added at head of queue
| next event EVENT_RETRANSMIT in 20 seconds for #1
|
| rejected packet:
| control:
| name:
"VPN-site-to-site" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to 2.2.2.2 port 500, complainant 1.1.1.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
| * processed 0 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 17 seconds for #1
| next event EVENT_RETRANSMIT in 17 seconds for #1
Openswan IP : 1.1.1.1
Cisco asa 5510 IP : 2.2.2.2
IP of VM behind cisco : 172.27.51.9/32
ipsec.secrets:
1.1.1.1 2.2.2.2: PSK "azerty"
ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least up to 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null
    plutodebug=all
    plutostderrlog=/var/log/openswan.log

# Add connections here
conn VPN-site-to-site
    type=tunnel
    left=1.1.1.1
    right=2.2.2.2
    rightsubnet=172.27.51.9/32
    authby=secret
    auto=start
    keyexchange=ike
    #type=tunnel
    ike=aes256-sha1;modp1024!
    ikelifetime=28800s
    aggrmode=no
    phase2=esp
    phase2alg=aes256-sha1
    keylife=3600s
    forceencaps=yes
--
Sincerely yours
Fraj KALLEL.
--
Kind regards.
Fraj KALLEL.
GSM: 21 90 05 74