<br><div class="gmail_quote">2012/2/10 Paul Wouters <span dir="ltr"><<a href="mailto:pwouters@redhat.com">pwouters@redhat.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Fri, 10 Feb 2012, Den wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There is working configuration.<br>
VPN is Ok if I use protostack=netkey.<br>
If I use protostack=klips VPN doesn't work.<br>
</blockquote>
<br></div>
Do you have an interfaces= line in "config setup" ?</blockquote><div>Yes if protostack=klips. ( interfaces="ipsec0=eth0") </div><div> <br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
linux>ipsec auto --status<br>
000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute<br>
owner; isakmp#1; idle; import:not set<br>
000 #2: "win-tun" <a href="mailto:esp.9023a4eb@192.168.1.38" target="_blank">esp.9023a4eb@192.168.1.38</a> <a href="mailto:esp.6ba38ad2@192.168.1.15" target="_blank">esp.6ba38ad2@192.168.1.15</a> ref=2 refhim=1<br>
000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP;<br>
nodpd; idle; import:not set<br>
</blockquote>
<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So this says there is a tunnel up?<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed: <a href="http://192.168.1.15/32:0/0" target="_blank">192.168.1.15/32:0/0</a> -> <a href="http://192.168.1.38/32:0/0" target="_blank">192.168.1.38/32:0/0</a><br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us: <a href="http://192.168.1.15/32===192.168.1.15" target="_blank">192.168.1.15/32===192.168.1.15</a><192.168.1.15>[+S=C]<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===<a href="http://192.168.1.38/32" target="_blank">192.168.1.38/32</a><br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting<br>
QI2<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode<br>
{ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
</blockquote>
<br></div>
This says the tunnel is up too<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
linux>tcpdump -n -i eth0 host 192.168.1.38<br>
device eth0 entered promiscuous mode<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
13:02:05.172050 IP 192.168.1.38 > <a href="http://192.168.1.15" target="_blank">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x3), length 76<br>
</blockquote>
<br></div>
This shows crypted packets....<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting<br>
QI2<br>
Feb 10 12:45:18 linux pluto[4370]: initiate on demand from <a href="http://192.168.1.15:0" target="_blank">192.168.1.15:0</a> to <a href="http://192.168.1.38:0" target="_blank">192.168.1.38:0</a> proto=1 state:<br>
fos_start because: acquire<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode<br>
PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160<br>
pfsgroup=OAKLEY_GROUP_MODP1024}<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode<br>
{ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational payload, type INVALID_ID_INFORMATION<br>
msgid=00000000<br>
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored informational message<br>
</blockquote>
<br></div>
This shows as a tunnel up, but then it seems to race another connection<br>
that is failing?<br>
<br>
What does "ipsec verify" say for you?<br>
<br>
Note that excluding NAT is slightly different on netkey and klips stacks<br>
due to the difference interface.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><div><br></div><div><br></div><div>NETKEY<br></div><div>>ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>
Linux Openswan U2.6.24/K2.6.38.8 (netkey)<br>Checking for IPsec support in kernel [OK]<br> SAref kernel support [N/A]<br> NETKEY: Testing XFRM related proc values [FAILED]<br>
<br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br> or NETKEY will cause the sending of bogus ICMP redirects!<br><br> [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br>
<br> [OK]<br>Testing against enforced SElinux mode [OK]<br>Checking that pluto is running [OK]<br> Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for NAT-T on udp 4500 [OK]<br>Two or more interfaces found, checking IP forwarding [OK]<br>Checking NAT and MASQUERADEing [OK]<br>Checking for 'ip' command [OK]<br>
Checking /bin/sh is not /bin/dash [OK]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br>
</div><div><br></div><div><br></div><div>KLIPS</div><div>>ipsec verify<br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>
Linux Openswan U2.6.24/K2.6.37 (klips)<br>Checking for IPsec support in kernel [OK]<br> KLIPS: checking for NAT Traversal support [OK]<br> KLIPS: checking for OCF crypto offload support [N/A]<br>
SAref kernel support [N/A]<br>Testing against enforced SElinux mode [OK]<br>Checking that pluto is running [OK]<br> Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for NAT-T on udp 4500 [OK]<br>Two or more interfaces found, checking IP forwarding [OK]<br>Checking NAT and MASQUERADEing [OK]<br>Checking for 'ip' command [OK]<br>
Checking /bin/sh is not /bin/dash [OK]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]<br>
</div>