Gentoo Forums
Networking & Security
OpenSwan - can't ping remote subnet :(
mallchin
l33t
Joined: 21 Jan 2003
Posts: 655
Location: United Kingdom

PostPosted: Mon Aug 22, 2005 9:28 pm    Post subject: OpenSwan - can't ping remote subnet :(

Could someone please help me diagnose a VPN setup issue with OpenSwan? It says the connection is established, but I am unable to ping the remote subnet :(

I used this guide: http://gentoo-wiki.com/HOWTO_OpenSwan_2.6_kernel

Here's my setup (sorry for the long post):

Code:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/share/doc/openswan-2.3.1/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        #forwardcontrol=no
        klipsdebug=all
        plutodebug=all
        #nat_traversal=yes

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
include /etc/ipsec/openswana-openswanb.conf


Code:

/etc/ipsec/ipsec.d/examples/no_oe.conf

# 'include' this file to disable Opportunistic Encryption.
# See /usr/share/doc/openswan-2.3.1/policygroups.html for details.
#
# RCSID $Id: no_oe.conf.in,v 1.2 2004/10/03 19:33:10 paul Exp $
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore


Code:

/etc/ipsec/openswana-openswanb.conf

conn openswana-openswanb
        left=80.194.34.18
        leftsubnet=192.168.214.0/24
        leftnexthop=80.194.34.17
        leftid=@basildon.technowaste.com                       
        leftrsasigkey=0sAQNmKCKh...
        right=86.132.10.115
        rightsubnet=192.168.1.0/24
        rightnexthop=217.47.66.140
        rightid=@brighton.technowaste.com
        rightrsasigkey=0sAQN7M7S3...
        authby=rsasig
        auto=start


Code:

/etc/racoon/racoon.conf

# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" must be placed before it should be used.
# You can overwrite which you defined, but it should not use due to confusing.
path include "/etc/racoon";
#include "remote.conf";

# search this file for pre_shared_key with various ID key.
path pre_shared_key "/etc/racoon/psk.txt";

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
path certificate "/etc/cert";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;

# "padding" defines some parameter of padding.  You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# if no listen directive is specified, racoon will listen to all
# available interface addresses.
listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;

        my_identifier asn1dn;
        certificate_type x509 "my.cert.pem" "my.key.pem";

        nonce_size 16;
        initial_contact on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

remote ::1 [8000]
{
        #exchange_mode main,aggressive;
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier user_fqdn "sakane@kame.net";
        peers_identifier user_fqdn "sakane@kame.net";
        #certificate_type x509 "mycert" "mypriv";

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any
{
        pfs_group 2;
        lifetime time 30 sec;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address ::1 icmp6 address ::1 icmp6
{
        pfs_group 3;
        lifetime time 60 sec;
        encryption_algorithm 3des, blowfish, aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}



Still with me... I hope so...

Here's the log when I start ipsec:

Code:

Aug 22 19:37:27 [ipsec_setup] Starting Openswan IPsec U2.3.1/K2.6.12-gentoo-r6...
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/net/ipv4/xfrm4_tunnel.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/crypto/sha1.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/crypto/md5.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/crypto/des.ko
Aug 22 19:37:27 [ipsec_setup] insmod /lib/modules/2.6.12-gentoo-r6/kernel/arch/i386/crypto/aes-i586.ko
Aug 22 19:37:27 [ipsec_setup] KLIPS ipsec0 on eth1 80.194.34.18/255.255.255.240 broadcast 80.194.34.255
Aug 22 19:37:28 [ipsec__plutorun] Starting Pluto subsystem...
Aug 22 19:37:28 [ipsec_setup] ...Openswan IPsec started
Aug 22 19:37:28 [pluto] Starting Pluto (Openswan Version 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEExalF{_o`m)
Aug 22 19:37:28 [pluto] Setting port floating to on
Aug 22 19:37:28 [pluto] port floating activate 1/1
Aug 22 19:37:28 [pluto] including NAT-Traversal patch (Version 0.6c)
Aug 22 19:37:28 [pluto] ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 22 19:37:28 [pluto] starting up 1 cryptographic helpers
Aug 22 19:37:28 [pluto] started helper pid=7233 (fd:6)
Aug 22 19:37:28 [pluto] Using Linux 2.6 IPsec interface code
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Aug 22 19:37:28 [pluto] Changing to directory '/etc/ipsec/ipsec.d/crls'
Aug 22 19:37:28 [pluto] Warning: empty directory
Aug 22 19:37:28 [pluto] added connection description "openswana-openswanb"
Aug 22 19:37:28 [pluto] listening for IKE messages
Aug 22 19:37:28 [pluto] adding interface lo/lo 127.0.0.1:500
Aug 22 19:37:28 [pluto] adding interface lo/lo 127.0.0.1:4500
Aug 22 19:37:28 [pluto] adding interface eth1:3/eth1:3 80.194.34.22:500
Aug 22 19:37:28 [pluto] adding interface eth1:3/eth1:3 80.194.34.22:4500
Aug 22 19:37:28 [pluto] adding interface eth1:2/eth1:2 80.194.34.21:500
Aug 22 19:37:28 [pluto] adding interface eth1:2/eth1:2 80.194.34.21:4500
Aug 22 19:37:28 [pluto] adding interface eth1:1/eth1:1 80.194.34.20:500
Aug 22 19:37:28 [pluto] adding interface eth1:1/eth1:1 80.194.34.20:4500
Aug 22 19:37:28 [pluto] adding interface eth1:0/eth1:0 80.194.34.19:500
Aug 22 19:37:28 [pluto] adding interface eth1:0/eth1:0 80.194.34.19:4500
Aug 22 19:37:28 [pluto] adding interface eth1/eth1 80.194.34.18:500
Aug 22 19:37:28 [pluto] adding interface eth1/eth1 80.194.34.18:4500
Aug 22 19:37:28 [pluto] adding interface eth0/eth0 192.168.214.5:500
Aug 22 19:37:28 [pluto] adding interface eth0/eth0 192.168.214.5:4500
Aug 22 19:37:28 [pluto] loading secrets from "/etc/ipsec/ipsec.secrets"
Aug 22 19:37:28 [pluto] "openswana-openswanb" #1: initiating Main Mode
Aug 22 19:37:28 [ipsec__plutorun] 104 "openswana-openswanb" #1: STATE_MAIN_I1: initiate
Aug 22 19:37:28 [ipsec__plutorun] ...could not start conn "openswana-openswanb"
Aug 22 19:37:29 [pluto] unknown cmsg: level 0, type 8, len 24
Aug 22 19:37:29 [pluto] "openswana-openswanb" #1: ERROR: asynchronous network error report on eth1 for message to 86.132.10.115 port 500, complainant 86.132.10.115: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 22 19:37:38 [pluto] unknown cmsg: level 0, type 8, len 24
Aug 22 19:37:38 [pluto] "openswana-openswanb" #1: ERROR: asynchronous network error report on eth1 for message to 86.132.10.115 port 500, complainant 86.132.10.115: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [Dead Peer Detection]
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [RFC 3947] method set to=109
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Aug 22 19:37:55 [pluto] packet from 86.132.10.115:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: responding to Main Mode
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: Main mode peer ID is ID_FQDN: '@brighton.technowaste.com'
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: I did not send a certificate because I do not have one.
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 22 19:37:55 [pluto] "openswana-openswanb" #2: sent MR3, ISAKMP SA established
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: responding to Quick Mode {msgid:d2bd715c}
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 22 19:37:56 [pluto] "openswana-openswanb" #3: IPsec SA established {ESP=>0xa6e8fb7d <0xcea24f00 xfrm=AES_0-HMAC_SHA1}
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: received Vendor ID payload [Openswan (this version) 2.3.1  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: received Vendor ID payload [Dead Peer Detection]
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: received Vendor ID payload [RFC 3947] method set to=109
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: enabling possible NAT-traversal with method 3
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: I did not send a certificate because I do not have one.
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: Main mode peer ID is ID_FQDN: '@brighton.technowaste.com'
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 22 19:37:58 [pluto] "openswana-openswanb" #1: ISAKMP SA established
Aug 22 19:37:58 [pluto] "openswana-openswanb" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Aug 22 19:37:58 [pluto] "openswana-openswanb" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 22 19:37:58 [pluto] "openswana-openswanb" #4: sent QI2, IPsec SA established {ESP=>0xf1c2b16f <0x8110c882 xfrm=AES_0-HMAC_SHA1}



Now, the connection seems to go okay and I get the all-important 'IPsec SA established' on both sides, but if I try to ping from one subnet to the other I get this in the logs:

Code:

Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.18 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28778 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27868
Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.19 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28779 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28124
Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.20 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28781 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28380
Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.21 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28782 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28636



It all appears to work fine except that I can't ping the other side (I'm pinging properly, from the subnets, not from the gateways)... IPsec starts fine, 'ipsec verify' says all is okay, and I can't figure it out...

I think it might be a firewall/routing issue. I'm unsure what the kernel error above is, though I only get it when the firewall is up (I can't ping whether it's up or down), and I've added the required ports...

If anyone can spot a mistake or has any suggestions about the kernel error message, please post...

Many thanks,

M
_________________
6700 @ 2.66GHz, 4Gb RAM, 2 x 500Gb, 8800 GTX, PhysX, X-Fi, 24" Widescreen, Tux mascot
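As an added example (not from the original post), here is a small POSIX shell helper that reads iptables LOG lines like the "PING:" ones above and checks whether SRC and DST fall inside the two subnets of the conn (leftsubnet 192.168.214.0/24 and rightsubnet 192.168.1.0/24). Of the two embedded sample lines, the first is the post's own first log line and the second is constructed to show what a ping from the remote LAN looks like once the kernel has decrypted it. Run against the post's lines, it reports them as not-tunnel: they come from 80.191.151.11, an outside address in neither subnet, aimed one by one at the public addresses of the gateway's /28, so they say nothing about the VPN.

```shell
#!/bin/sh
# Added example: classify iptables LOG lines against an IPsec tunnel's subnets.
# Subnets are those of conn openswana-openswanb in the post.
LEFTSUBNET=192.168.214.0/24   # leftsubnet: LAN behind this gateway
RIGHTSUBNET=192.168.1.0/24    # rightsubnet: LAN behind the peer

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies inside CIDR $2 (a.b.c.d/n, 1 <= n <= 32).
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Pull FIELD=value ($1=FIELD) out of an iptables LOG line ($2).
log_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# Print one of tunnel-out, tunnel-in, not-tunnel, followed by "src -> dst".
# tunnel-out: local LAN to remote LAN (about to be encrypted on the way out)
# tunnel-in:  remote LAN to local LAN (just decrypted, re-entering on eth1)
classify_log_line() {
    src=$(log_field SRC "$1")
    dst=$(log_field DST "$1")
    if in_cidr "$src" "$LEFTSUBNET" && in_cidr "$dst" "$RIGHTSUBNET"; then
        kind=tunnel-out
    elif in_cidr "$src" "$RIGHTSUBNET" && in_cidr "$dst" "$LEFTSUBNET"; then
        kind=tunnel-in
    else
        kind=not-tunnel
    fi
    echo "$kind $src -> $dst"
}

# Sample input. POST_LINE is the first kernel line from the post;
# CONSTRUCTED_LINE is made up to show a decrypted ping from the remote LAN.
POST_LINE='Aug 22 21:35:56 [kernel] PING:IN=eth1 OUT= MAC=00:02:b3:d7:e2:f3:00:0e:84:d7:14:87:08:00 SRC=80.191.151.11 DST=80.194.34.18 LEN=92 TOS=0x00 PREC=0x00 TTL=108 ID=28778 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27868'
CONSTRUCTED_LINE='Aug 22 21:40:00 [kernel] PING:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=192.168.214.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

classify_log_line "$POST_LINE"          # not-tunnel 80.191.151.11 -> 80.194.34.18
classify_log_line "$CONSTRUCTED_LINE"   # tunnel-in 192.168.1.10 -> 192.168.214.5
```

A line that the helper reports as tunnel-in or tunnel-out is the one to look for when pinging across the VPN; if none ever appears on the receiving gateway while the peer's pluto log shows the SA up, the packets are being dropped (or never encrypted) before they reach the FORWARD chain, which points at the firewall or NAT rules rather than at Openswan.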
kayvis
n00b


Joined: 22 Aug 2005
Posts: 6

PostPosted: Tue Aug 23, 2005 10:16 am

I don't know if this helps, but it doesn't seem to be an OpenSwan problem.
Your firewall is blocking the packets. What kind of firewall are you using?

I prefer the Shorewall scripts, because they have useful IPsec parts for kernel 2.6.

With kernel 2.4 you have an extra interface (ipsecX), so the routing goes through this interface.
In kernel 2.6 this interface no longer exists, so you need to match the IPsec traffic and allow it
to pass the interface (in your case eth1).

Hope this points you in the right direction

Greetings

Kayvis
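To make kayvis's point concrete, here is an added example (not the poster's rules and not Shorewall's own) of the iptables rules a 2.6 native-stack (NETKEY) gateway needs for the conn in the post: IKE on UDP 500 and 4500 and ESP itself from the peer, and then, since there is no ipsec0 device to filter on, a match on the kernel's xfrm policy so that plain packets are forwarded between the two subnets only when the kernel confirms they were just decrypted, or is about to encrypt them, on eth1. The `policy` match appeared in mainline in 2.6.16 and came from patch-o-matic-ng before that, so on the 2.6.12 kernel in the log it may need to be built from there. The interface, peer and subnet values are the post's; the 192.168.1.1 ping target is assumed. The script only prints the rules, so they can be reviewed before being piped to sh as root.

```shell
#!/bin/sh
# Added example: iptables rules for a site-to-site IPsec conn on a Linux 2.6
# native-stack (NETKEY) gateway. Values taken from conn openswana-openswanb.
WAN=eth1                       # interface carrying IKE/ESP to the peer
PEER=86.132.10.115             # right=
LOCALNET=192.168.214.0/24      # leftsubnet
REMOTENET=192.168.1.0/24       # rightsubnet
LOCALGW=192.168.214.5          # this gateway's eth0 address (from the pluto log)

# Print the rules rather than run them: `ipsec_rules | sh` applies them as root.
ipsec_rules() {
    cat <<EOF
# IKE and NAT-T, from the configured peer only
iptables -A INPUT -i $WAN -s $PEER -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN -s $PEER -p udp --dport 4500 -j ACCEPT
# ESP (IP protocol 50) from the peer
iptables -A INPUT -i $WAN -s $PEER -p esp -j ACCEPT
# Decrypted packets re-enter on $WAN as plain IP with a $REMOTENET source.
# Without the policy match any Internet host could forge that; accept them
# only if the kernel says they came out of a tunnel-mode ESP SA.
iptables -A FORWARD -i $WAN -s $REMOTENET -d $LOCALNET -m policy --dir in --pol ipsec --proto esp --mode tunnel -j ACCEPT
# Local LAN to remote LAN: only if the kernel will encrypt it on the way out.
iptables -A FORWARD -o $WAN -s $LOCALNET -d $REMOTENET -m policy --dir out --pol ipsec --proto esp --mode tunnel -j ACCEPT
# If the LAN is masqueraded behind $WAN, NAT must not rewrite tunnel-bound
# packets: a source of the public address no longer fits leftsubnet/rightsubnet
# and the ping is never answered. -I 1 puts this ahead of any MASQUERADE rule.
iptables -t nat -I POSTROUTING 1 -o $WAN -s $LOCALNET -d $REMOTENET -m policy --dir out --pol ipsec -j ACCEPT
EOF
}

# Commands that show whether the tunnel is actually carrying traffic.
ipsec_checks() {
    cat <<EOF
ip xfrm state                         # one SA per direction, SPIs as in the pluto log
ip xfrm policy                        # subnet pair -> tmpl for in, out and fwd
tcpdump -ni $WAN esp                  # ESP must appear here while a LAN host pings
tcpdump -ni $WAN host $PEER and icmp  # plain ICMP to the peer means the policy was missed
ping -I $LOCALGW 192.168.1.1          # from the gateway itself the source must be inside $LOCALNET
EOF
}

ipsec_rules
ipsec_checks
```

The last check matters for the "I'm pinging properly" question: a ping sent from the gateway with its public address as source is outside leftsubnet, so the kernel has no policy for it and sends it in the clear; only traffic between the two subnets (a LAN host, or the gateway's inside address with -I) is ever put into the tunnel. Where the policy match is not available, the fallback of accepting on subnet pair alone is weaker, because an outside host can send plaintext with a 192.168.1.0/24 source into eth1 and have it forwarded as if it had come through the tunnel.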
All times are GMT