<br><div class="gmail_quote">2012/2/10 Paul Wouters <span dir="ltr">&lt;<a href="mailto:pwouters@redhat.com">pwouters@redhat.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Fri, 10 Feb 2012, Den wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There is a working configuration.<br>
VPN is OK if I use protostack=netkey.<br>
If I use protostack=klips the VPN doesn&#39;t work.<br>
</blockquote>
<br></div>
Do you have an interfaces= line in &quot;config setup&quot;?</blockquote><div>Yes, if protostack=klips (interfaces=&quot;ipsec0=eth0&quot;).</div><div> <br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
linux&gt;ipsec auto --status<br>
000 #2: &quot;win-tun&quot;:500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute<br>
owner; isakmp#1; idle; import:not set<br>
000 #2: &quot;win-tun&quot; <a href="mailto:esp.9023a4eb@192.168.1.38" target="_blank">esp.9023a4eb@192.168.1.38</a> <a href="mailto:esp.6ba38ad2@192.168.1.15" target="_blank">esp.6ba38ad2@192.168.1.15</a> ref=2 refhim=1<br>

000 #1: &quot;win-tun&quot;:500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP;<br>
nodpd; idle; import:not set<br>
</blockquote>
<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
So this says there is a tunnel up?<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #1: the peer proposed: <a href="http://192.168.1.15/32:0/0" target="_blank">192.168.1.15/32:0/0</a> -&gt; <a href="http://192.168.1.38/32:0/0" target="_blank">192.168.1.38/32:0/0</a><br>

Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #2: responding to Quick Mode proposal {msgid:01000000}<br>
Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #2: us: <a href="http://192.168.1.15/32===192.168.1.15" target="_blank">192.168.1.15/32===192.168.1.15</a>&lt;192.168.1.15&gt;[+S=C]<br>
Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #2: them: 192.168.1.38&lt;192.168.1.38&gt;[+S=C]===<a href="http://192.168.1.38/32" target="_blank">192.168.1.38/32</a><br>
Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>
Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting<br>
QI2<br>
Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Feb 10 12:37:02 linux pluto[2997]: &quot;win-tun&quot; #2: STATE_QUICK_R2: IPsec SA established tunnel mode<br>
{ESP=&gt;0x9023a4eb &lt;0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
</blockquote>
<br></div>
This says the tunnel is up too<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
linux&gt;tcpdump -n -i eth0 host 192.168.1.38<br>
device eth0 entered promiscuous mode<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
13:02:05.172050 IP 192.168.1.38 &gt; <a href="http://192.168.1.15" target="_blank">192.168.1.15</a>: ESP(spi=0x2ec052f8,seq=0x3), length 76<br>
</blockquote>
<br></div>
This shows crypted packets....<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Feb 10 12:45:18 linux pluto[4370]: &quot;win-tun&quot; #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting<br>
QI2<br>
Feb 10 12:45:18 linux pluto[4370]: initiate on demand from <a href="http://192.168.1.15:0" target="_blank">192.168.1.15:0</a> to <a href="http://192.168.1.38:0" target="_blank">192.168.1.38:0</a> proto=1 state:<br>
fos_start because: acquire<br>
Feb 10 12:45:18 linux pluto[4370]: &quot;win-tun&quot; #3: initiating Quick Mode<br>
PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160<br>
pfsgroup=OAKLEY_GROUP_MODP1024}<br>
Feb 10 12:45:18 linux pluto[4370]: &quot;win-tun&quot; #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>
Feb 10 12:45:18 linux pluto[4370]: &quot;win-tun&quot; #2: STATE_QUICK_R2: IPsec SA established tunnel mode<br>
{ESP=&gt;0xfe035afe &lt;0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}<br>
Feb 10 12:45:18 linux pluto[4370]: &quot;win-tun&quot; #1: ignoring informational payload, type INVALID_ID_INFORMATION<br>
msgid=00000000<br>
Feb 10 12:45:18 linux pluto[4370]: &quot;win-tun&quot; #1: received and ignored informational message<br>
</blockquote>
<br></div>
This shows as a tunnel up, but then it seems to race another connection<br>
that is failing?<br>
<br>
What does &quot;ipsec verify&quot; say for you?<br>
<br>
Note that excluding NAT is slightly different on netkey and klips stacks<br>
due to the different interface.<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><div><br></div><div><br></div><div>NETKEY<br></div><div>&gt;ipsec verify<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path                                 [OK]<br>
Linux Openswan U2.6.24/K2.6.38.8 (netkey)<br>
Checking for IPsec support in kernel                            [OK]<br>
 SAref kernel support                                           [N/A]<br>
 NETKEY:  Testing XFRM related proc values                      [FAILED]<br>
<br>
  Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br>
  or NETKEY will cause the sending of bogus ICMP redirects!<br>
<br>
        [FAILED]<br>
<br>
  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br>
  or NETKEY will accept bogus ICMP redirects!<br>
<br>
        [OK]<br>
Testing against enforced SElinux mode                           [OK]<br>
Checking that pluto is running                                  [OK]<br>
 Pluto listening for IKE on udp 500                             [OK]<br>
 Pluto listening for NAT-T on udp 4500                          [OK]<br>
Two or more interfaces found, checking IP forwarding            [OK]<br>
Checking NAT and MASQUERADEing                                  [OK]<br>
Checking for &#39;ip&#39; command                                       [OK]<br>
Checking /bin/sh is not /bin/dash                               [OK]<br>
Checking for &#39;iptables&#39; command                                 [OK]<br>
Opportunistic Encryption Support                                [DISABLED]<br>
</div><div><br></div><div><br></div><div>KLIPS</div><div>&gt;ipsec verify<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec on-path                                 [OK]<br>
Linux Openswan U2.6.24/K2.6.37 (klips)<br>
Checking for IPsec support in kernel                            [OK]<br>
 KLIPS: checking for NAT Traversal support                      [OK]<br>
 KLIPS: checking for OCF crypto offload support                 [N/A]<br>
 SAref kernel support                                           [N/A]<br>
Testing against enforced SElinux mode                           [OK]<br>
Checking that pluto is running                                  [OK]<br>
 Pluto listening for IKE on udp 500                             [OK]<br>
 Pluto listening for NAT-T on udp 4500                          [OK]<br>
Two or more interfaces found, checking IP forwarding            [OK]<br>
Checking NAT and MASQUERADEing                                  [OK]<br>
Checking for &#39;ip&#39; command                                       [OK]<br>
Checking /bin/sh is not /bin/dash                               [OK]<br>
Checking for &#39;iptables&#39; command                                 [OK]<br>
Opportunistic Encryption Support                                [DISABLED]<br>
</div>
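The two NETKEY checks that `ipsec verify` reports as [FAILED] above are the kernel's ICMP redirect settings; the script below is an added example, not from this thread or from Openswan, that re-implements those checks and prints the sysctl key to set for each interface still left enabled. The PROC_ROOT argument and the helper names are assumptions of this example, so the audit can run against a constructed /proc tree instead of the live one.

```sh
#!/bin/sh
# Added example, not from the thread. Re-implements the two NETKEY proc checks
# that "ipsec verify" reported as [FAILED], and prints the sysctl key an admin
# would set to clear each one. PROC_ROOT (assumed here, not an ipsec option)
# lets the check run against a constructed tree instead of the live /proc.

# check_redirects [PROC_ROOT]
# Lists every interface whose send_redirects or accept_redirects is still
# enabled. Returns 0 when all are disabled, 1 otherwise. Omit PROC_ROOT (or
# pass "") to audit the running system.
check_redirects() {
    root="${1:-}"
    failed=0
    for f in "$root"/proc/sys/net/ipv4/conf/*/send_redirects \
             "$root"/proc/sys/net/ipv4/conf/*/accept_redirects; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        if [ "$val" != "0" ]; then
            # Map /proc/sys/net/ipv4/conf/eth0/send_redirects back to the
            # sysctl key net.ipv4.conf.eth0.send_redirects.
            key=$(printf '%s\n' "$f" | sed -e "s|^$root/proc/sys/||" -e 's|/|.|g')
            echo "FAILED: $key = $val   (fix: sysctl -w $key=0)"
            failed=1
        fi
    done
    return $failed
}

# make_fake_proc DIR
# Constructed sample tree mirroring the NETKEY host in the thread, where both
# redirect settings were still enabled on every interface.
make_fake_proc() {
    for iface in all default eth0 lo; do
        mkdir -p "$1/proc/sys/net/ipv4/conf/$iface"
        echo 1 > "$1/proc/sys/net/ipv4/conf/$iface/send_redirects"
        echo 1 > "$1/proc/sys/net/ipv4/conf/$iface/accept_redirects"
    done
}

# fix_fake_proc DIR
# What the suggested "sysctl -w ...=0" lines leave behind in the sample tree.
fix_fake_proc() {
    for f in "$1"/proc/sys/net/ipv4/conf/*/*_redirects; do
        echo 0 > "$f"
    done
}
```

Running `check_redirects` with no argument audits the real /proc; the two helpers exist only to exercise it on the constructed tree.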