[Openswan Users] tunnel ok, ping cannot work

zheng.man zheng.man at feitian-tech.com
Mon Oct 10 04:26:18 EDT 2016 

Hi,
 
I'm using openswan2.6.46 on a device with embedded linux kernel 3.10.20. 
The device has a 4G interface usb1 connecting to internet.
 
The network config:
10.67.8.0/24===10.29.19.62<%usb1>[@feitian]...THEIR_PUBLIC_IP<vpn.railfi.com>[@server]===192.168.17.0/24
 
 ~ # cat ipsec.conf 
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        dumpdir=/var/run/pluto/
        oe=off
        nat_traversal=yes
        protostack=klips
        interfaces="ipsec1=usb1"
conn ipsec
        auto=add        
        ikelifetime=24h
        salifetime=24h   
 
        authby=secret
        pfs=no
        rekey=yes
        keyingtries=3
        type=tunnel
 
        left=%usb1
        leftid=@feitian
        leftsubnets={10.67.8.0/24}
        leftsourceip=10.67.8.1
 
        right=vpn.railfi.com
        rightid=@server
        rightsubnet=192.168.17.0/24
 
        dpddelay=10
        dpdtimeout=60
        dpdaction=hold
 
 
 
The tunnel is created successfully.
 
~ # tail /var/log/secure -n50
Sep 29 15:39:32 (none) ipsec__plutorun: Starting Pluto subsystem...
Sep 29 15:39:32 (none) pluto[15819]: Starting Pluto (Openswan Version 2.6.46; Vendor ID OSWqwPd@^IAE) pid:15819
Sep 29 15:39:32 (none) pluto[15819]: LEAK_DETECTIVE support [enabled]
Sep 29 15:39:32 (none) pluto[15819]: OCF support for IKE [disabled]
Sep 29 15:39:32 (none) pluto[15819]: SAref support [disabled]: Protocol not available
Sep 29 15:39:32 (none) pluto[15819]: SAbind support [disabled]: Protocol not available
Sep 29 15:39:32 (none) pluto[15819]: NSS support [disabled]
Sep 29 15:39:32 (none) pluto[15819]: HAVE_STATSD notification support not compiled in
Sep 29 15:39:32 (none) pluto[15819]: Setting NAT-Traversal port-4500 floating to on
Sep 29 15:39:32 (none) pluto[15819]:    port floating activation criteria nat_t=1/port_float=1
Sep 29 15:39:32 (none) pluto[15819]:    NAT-Traversal support  [enabled]
Sep 29 15:39:32 (none) pluto[15819]: using /dev/urandom as source of random entropy
Sep 29 15:39:32 (none) pluto[15819]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 29 15:39:32 (none) pluto[15819]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 29 15:39:32 (none) pluto[15819]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 29 15:39:32 (none) pluto[15819]: starting up 1 cryptographic helpers
Sep 29 15:39:32 (none) pluto[15819]: started helper pid=15825 (fd:6)
Sep 29 15:39:32 (none) pluto[15819]: Using KLIPS IPsec interface code on 3.10.20-rt14-Cavium-Octeon+
Sep 29 15:39:32 (none) pluto[15825]: using /dev/urandom as source of random entropy
Sep 29 15:39:32 (none) pluto[15819]: adding connection: "ipsec/1x0"
Sep 29 15:39:32 (none) pluto[15819]: listening for IKE messages
Sep 29 15:39:32 (none) pluto[15819]: adding interface ipsec1/usb1 10.29.19.62:500
Sep 29 15:39:32 (none) pluto[15819]: adding interface ipsec1/usb1 10.29.19.62:4500
Sep 29 15:39:32 (none) pluto[15819]: loading secrets from "/etc/ipsec.secrets"
Sep 29 15:39:33 (none) pluto[15819]: initiating all conns with alias='ipsec' 
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: initiating Main Mode
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: received Vendor ID payload [Dead Peer Detection]
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: received Vendor ID payload [RFC 3947] method set to=115 
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: Main mode peer ID is ID_FQDN: '@server'
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #1: Dead Peer Detection (RFC 3706): enabled
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:19bbd8b7 proposal=defaults pfsgroup=no-pfs}
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=19bbd8b7
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: up-client output: /usr/local/lib/ipsec/_updown.klips: changesource `ip route change 192.168.17.0/24 dev ipsec1 src 10.67.8.1' failed (RTNETLINK answers: No such file or directory)
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: Dead Peer Detection (RFC 3706): enabled
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 29 15:39:33 (none) pluto[15819]: "ipsec/1x0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x32269a98 <0x26f68275 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=THEIR_PUBLIC_IP:4500 DPD=enabled}
 
 
~ # ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: klips
000 interface ipsec1/usb1 10.29.19.62
000 interface ipsec1/usb1 10.29.19.62
000 %myid = (none)
000 debug none
000  
000 virtual_private (%priv):
000 - allowed 0 subnets: 
000 - disallowed 0 subnets: 
000 WARNING: Either virtual_private= is not specified, or there is a syntax 
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 
000          private address space in internal use, it should be excluded!
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "ipsec/1x0": 10.67.8.0/24===10.29.19.62<%usb1>[@feitian]...THEIR_PUBLIC_IP <vpn.railfi.com>[@server]===192.168.17.0/24; unrouted; eroute owner: #2
000 "ipsec/1x0":     myip=10.67.8.1; hisip=unset;
000 "ipsec/1x0":   ike_life: 86400s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 
000 "ipsec/1x0":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: usb1; kind=CK_PERMANENT
000 "ipsec/1x0":   dpd: action:hold; delay:10; timeout:60;  
000 "ipsec/1x0":   newest ISAKMP SA: #1; newest IPsec SA: #2; eroute owner: #2;
000 "ipsec/1x0":   aliases: ipsec 
000 "ipsec/1x0":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000  
000 #2: "ipsec/1x0":4500 IKEv1.0 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 81957s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "ipsec/1x0" esp.32269a98 at THEIR_PUBLIC_IP esp.26f68275 at 10.29.19.62 tun.1001 at THEIR_PUBLIC_IP tun.1002 at 10.29.19.62 ref=3 refhim=1
000 #1: "ipsec/1x0":4500 IKEv1.0 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 81793s; newest ISAKMP; lastdpd=4s(seq in:2632 out:0); idle; import:admin initiate
000  
 
 
 
But ping private address of vpn server failed. 
 
/etc # ping 192.168.17.4
PING 192.168.17.4 (192.168.17.4) 56(84) bytes of data.
^C
--- 192.168.17.4 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7011ms
 
~ # tcpdump -i ipsec1 -n icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:36:12.780793 IP 10.67.8.1 > 192.168.17.4: ICMP echo request, id 14248, seq 1, length 64
16:36:13.781654 IP 10.67.8.1 > 192.168.17.4: ICMP echo request, id 14248, seq 2, length 64
16:36:14.787813 IP 10.67.8.1 > 192.168.17.4: ICMP echo request, id 14248, seq 3, length 64
 
 
As output below, ICMP echo reply seem to come back, but couldn’t be decrypted successfully.
 
~ # tcpdump -i usb1 -n port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on usb1, link-type EN10MB (Ethernet), capture size 65535 bytes
16:36:35.430282 IP 10.29.19.62.4500 > THEIR_PUBLIC_IP.4500: UDP-encap: ESP(spi=0x32269a98,seq=0x118), length 132
16:36:35.509216 IP THEIR_PUBLIC_IP.4500 > 10.29.19.62.4500: UDP-encap: ESP(spi=0x26f68275,seq=0x21c), length 132
16:36:36.437868 IP 10.29.19.62.4500 > THEIR_PUBLIC_IP.4500: UDP-encap: ESP(spi=0x32269a98,seq=0x119), length 132
16:36:36.518809 IP THEIR_PUBLIC_IP.4500 > 10.29.19.62.4500: UDP-encap: ESP(spi=0x26f68275,seq=0x21d), length 132
16:36:38.437798 IP 10.29.19.62.4500 > THEIR_PUBLIC_IP.4500: UDP-encap: ESP(spi=0x32269a98,seq=0x11b), length 132
16:36:38.479313 IP THEIR_PUBLIC_IP.4500 > 10.29.19.62.4500: UDP-encap: ESP(spi=0x26f68275,seq=0x21f), length 132
 
 

Could anyone give some ideas?
 
Best regards
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20161010/b0b9aa75/attachment-0001.html>

More information about the Users mailing list