Den | 8 Feb 13:23

[Openswan Users] openswan + Win7 + pre-shared key

Hello!

I can't set up a VPN:
   Windows 7 client  192.168.1.38 <--> Linux server  Openswan  192.168.1.15

I think that the VPN is established,
but I can't access the Linux server from the Windows 7 client.
I set up the VPN on Win7 in "IP security policies on local computer".
The Windows firewall is turned off.

Can somebody help me?
Thank you


>ipsec --version
Linux Openswan U2.6.37/K(no kernel code presently loaded)

/var/log/secure: 
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: us: 192.168.1.15<192.168.1.15>[+S=C]
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: them: 192.168.1.38<192.168.1.38>[+S=C]
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x89c5ef96 <0x3d6e53aa xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.1.38 NATD=192.168.1.38:4500 DPD=none}

/etc/ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces="ipsec0=eth0"
        protostack=klips
        nat_traversal=yes
        virtual_private=
        oe=off
        nhelpers=0

conn lnx-win
        type=tunnel
        auto=add
        pfs=yes
        right=192.168.1.38
        left=192.168.1.15
        auth=esp
        authby=secret
        forceencaps=yes
        esp=3des-sha1-96
        rekey=no
        dpdaction=clear
        dpddelay=30
        dpdtimeout=30
_______________________________________________
Users <at> lists.openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Zhiping Liu | 7 Feb 09:42

[Openswan Users] UDP 4500 CAN'T reach after some time

Hi, All:


I configured a net2net IPsec tunnel with openswan 2.6.31 on both sides. Here are the two connection topologies:

1. Connection topology
connection 1: Server A-->GWA-----INTERNET------------Server B.
connection 2: Server C-->GWB-----INTERNET------------GWA-->ServerA

2. Connection 1 config file on Server A:

conn STEST2
        type = tunnel
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        esp = 3DES-MD5
        ike = 3DES-MD5-MODP1024
        aggrmode = yes
        pfs = yes
        left = %defaultroute
        right = #SERVER B IP#
        leftid = @y
        rightid = @x
        dpddelay = 30
        dpdtimeout = 120
        dpdaction = restart_by_peer
        leftsubnets = {x.x.x.x/x.x.x.x}
        rightsubnets = { x.x.x.x/x.x.x.x }


3. Connection 1 config file on Server B:

conn STEST2
        type = tunnel
        auto = add
        keyexchange = ike
        authby = secret
        auth = esp
        esp = 3DES-MD5
        ike = 3DES-MD5-MODP1024
        aggrmode = yes
        pfs = yes
        left = %defaultroute
        right = 0.0.0.0
        leftid = @x
        rightid = @y
        dpddelay = 30
        dpdtimeout = 120
        dpdaction = hold
        leftsubnets = { x.x.x.x/x.x.x.x }
        rightsubnets = { x.x.x.x/x.x.x.x }


Because Server C has to connect to Server A, I have NATed ports 500 and 4500 to Server A on GWA.

In the beginning, everything is fine: IPsec SA established, ping succeeds from each side to the other, but after a day or two, connection 1 is down.

4.  I checked the tunnel status on Server A and Server B.
    Server A shows IPsec phase 2.
    Server B shows IPsec phase 1.

5. Log files on both sides

   on Server A:
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: initiating Aggressive Mode #9561, connection "changxingdao/1x1"
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: received Vendor ID payload [Dead Peer Detection]
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: received Vendor ID payload [RFC 3947] method set to=109 
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: Aggressive mode peer ID is ID_FQDN: '@c'
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: Dead Peer Detection (RFC 3706): enabled
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#9561 msgid:d74d6729 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:10:12 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: retransmitting in response to duplicate packet; already STATE_AGGR_I2
Jan 12 08:10:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: retransmitting in response to duplicate packet; already STATE_AGGR_I2
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562: starting keying attempt 2 of an unlimited number
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #9562 {using isakmp#9561 msgid:8ae153af proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563: starting keying attempt 3 of an unlimited number
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9564: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #9563 {using isakmp#9561 msgid:0d7aa774 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: DPD: No response from peer - declaring peer dead
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: DPD: Restarting all connections that share this peer
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: terminating SAs using this connection
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9564: deleting state (STATE_QUICK_I1)
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: deleting state (STATE_AGGR_I2)

   on Server B:

Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [Dead Peer Detection]
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [RFC 3947] method set to=109 
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: Aggressive mode peer ID is ID_FQDN: '@a'
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: responding to Aggressive Mode, state #273, connection "STEST/1x1" from 114.87.175.117
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: enabling possible NAT-traversal with method 4
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: STATE_AGGR_R1: sent AR1, expecting AI2
Jan 12 09:08:53 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #272: max number of retransmissions (2) reached STATE_AGGR_R1
Jan 12 09:09:31 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: max number of retransmissions (2) reached STATE_AGGR_R1



I tried restarting ipsec on both sides, even rebooting the machines; nothing changed. It seems that UDP 4500 between Server A and Server B is down, so I did a tcpdump on Server A and Server B.

6. tcpdump on both sides

   tcpdump on Server A shows UDP port 500 between A and B, and we can see UDP 4500 packets sent from Server A to Server B, but no reply!
   On Server B, it only shows UDP port 500 packets, no UDP port 4500 at all.

7. Accidentally, I disabled ipsec on Server A for a few minutes, maybe 5 minutes, and restarted ipsec: IPsec SA established!


I think this issue is related to the Linux ip_conntrack module. Maybe something bad happened on GWA with connection 1; after I stopped ipsec on Server A for 5 minutes, the UDP connection expired on GWA,
and when I restarted ipsec on Server A after 5 minutes, new UDP connections on port 500 and port 4500 could be established.

But I can't do anything on GWA. Is this an openswan issue or a Linux ip_conntrack issue? Do we have some params to deal with this situation?

I need your help!

Thanks in advance

--ZPL
Abhinav Bhagwat | 6 Feb 11:38

Re: [Openswan Users] pluto segfaults when using SHA2 256 hash

Thanks Paul. That works! After recompiling the kernel with icv_truncbits=128 I was able to successfully create a transport tunnel between Linux and Windows.

From: Paul Wouters <paul <at> nohats.ca>
Sent: Friday, February 3, 2012 10:48 PM
Subject: Re: [Openswan Users] pluto segfaults when using SHA2 256 hash

On Thu, 2 Feb 2012, Abhinav Bhagwat wrote:

> Thanks Paul. That works. However, I see another issue. If I connect two Linux boxes it works fine.
> Similarly, if I connect two Windows boxes, it works fine. However, if I try to connect a Windows 2K8 box
> to a Linux box, it does not work. Phase 1 and phase 2 SAs are both successfully established. But, when I
> telnet to the Windows box, the ESP packet reaches the Windows box but there is no reply back. If I replace
> sha256 with sha1, it all works fine.

That is probably due to the SHA2 256 Linux bug. In all kernels up to
2.6.32 or so, the SHA256 was truncated. For newer kernels, it requires
a different call via kernel_netlink to use the fixed up version of the
XFRM code that fixed the truncation.

I started work on fixing that, but it did not yet quite work as
expected.

A quick and dirty hack could be to change the kernel truncation and
recompile the kernel. That would be in linux-2.6.xx/net/crypto/xfrm_algo.c
around the section:

{
        .name = "hmac(sha256)",
        .compat = "sha256",

        .uinfo = {
                .auth = {
                        .icv_truncbits = 96,
                        .icv_fullbits = 256,
                }
        },

While the draft had 96, the final RFC has fullbits/2, so you should make
it 128. For sha256 it would be "256".

I hope to get back on track to fix that so we can specify:

    phase2alg=aes128-sha2_256-128

and

    phase2alg=aes128-sha2_256-96

But those changes are more invasive than I had time for a few weeks ago.

I'll forward another message to the list with details that did not make
it to the dev archives.

Paul
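To make the truncation mismatch Paul describes concrete, here is an added Python model (not code from the thread or from Openswan): the sender appends an HMAC-SHA256 ICV truncated to one length, the receiver splits off and verifies an ICV of the length it was built for, and any disagreement makes every packet fail the integrity check and be dropped without a reply, which is the "no reply back" symptom. The key and packet body are constructed sample values; 128 bits is the value of the final RFC (RFC 4868, fullbits/2) and 96 the old draft value that the kernel table carried.

```python
import hashlib
import hmac

# Truncation lengths for HMAC-SHA256 as an ESP/AH integrity algorithm.
DRAFT_TRUNCBITS = 96       # what the old kernel table (icv_truncbits = 96) produced
RFC4868_TRUNCBITS = 128    # final RFC: icv_fullbits / 2 = 256 / 2


def rfc4868_truncbits(icv_fullbits):
    """RFC 4868 truncates HMAC-SHA2 ICVs to half the digest length."""
    return icv_fullbits // 2


def esp_icv(key, data, icv_truncbits):
    """HMAC-SHA256 over the ESP header+payload, truncated like xfrm's icv_truncbits."""
    if icv_truncbits % 8 or not 0 < icv_truncbits <= 256:
        raise ValueError("truncation must be a whole number of bytes, at most 256 bits")
    return hmac.new(key, data, hashlib.sha256).digest()[: icv_truncbits // 8]


def build_esp(key, body, icv_truncbits):
    """Sender side: append the ICV to the (already encrypted) ESP body."""
    return body + esp_icv(key, body, icv_truncbits)


def receive_esp(key, packet, icv_truncbits):
    """Receiver side: split off an ICV of *its* configured length and verify it.

    Returns the body on success and None when the packet would be discarded.
    """
    n = icv_truncbits // 8
    if len(packet) <= n:
        return None
    body, icv = packet[:-n], packet[-n:]
    if not hmac.compare_digest(esp_icv(key, body, icv_truncbits), icv):
        return None  # integrity check failed: silently dropped, so no reply is ever sent
    return body


# Constructed sample values (not real traffic): a 256-bit key and an ESP body made of
# SPI 0x00000201, sequence number 1 and 24 bytes standing in for ciphertext.
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
SAMPLE_BODY = bytes.fromhex("0000020100000001") + bytes(range(24))


def interop(sender_truncbits, receiver_truncbits):
    """True when a packet built with one truncation verifies under the other."""
    packet = build_esp(SAMPLE_KEY, SAMPLE_BODY, sender_truncbits)
    return receive_esp(SAMPLE_KEY, packet, receiver_truncbits) == SAMPLE_BODY


if __name__ == "__main__":
    for s, r in [(128, 128), (96, 96), (96, 128), (128, 96)]:
        verdict = "ok" if interop(s, r) else "dropped"
        print(f"sender {s}-bit ICV, receiver expects {r}-bit: {verdict}")
```

Only the two matching pairs pass; a 96-bit sender against a 128-bit receiver (the Linux/Windows case in the thread) fails on every packet.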


amir ali | 3 Feb 06:44

[Openswan Users] answer

Hello 
This is a bug in openswan; you can correct it. It is because of a mismatch of the constant # assigned in constant.h, or I don't remember correctly. But there is a comparison statement where this constant checks the constant value of SHA2_256, let's suppose 7, but the value in the file from where it picks it is wrong; if you correct it, then the bug is fixed.
Regards
Amir Ali
Peter McGill | 2 Feb 23:47

Re: [Openswan Users] Routing with OpenSwan and Amazon.

Replying to both is good, it allows someone with the same problem to search the list history and find the answer.

 

If the Linux server can't ping the Windows server in the same subnet after the config change, then you probably changed the wrong subnet line.

It should be left, not right. Or it could be your right= line, which you commented as private IP; it should be the Cisco public IP.

Cisco needs xauth turned off if not already done, but I expect that is done since you could connect and ping between the Cisco and Linux private IPs?

 

For example:

                  Public    Private
Linux:            1.1.1.1   10.0.0.1
Windows:          1.1.1.2   10.0.0.2
Cisco:            2.2.2.2   10.2.0.1

Linux Openswan:

conn linux-cisco
        left=1.1.1.1
        leftid=1.1.1.1
        leftsubnet=10.0.0.0/30
        right=2.2.2.2
        rightid=2.2.2.2
        rightsubnet=10.2.0.1/32
        etc…

Cisco:

access-list 133 permit ip 10.2.0.1 0.0.0.0 10.0.0.0 0.0.0.3

 

Peter

 

From: ajuliao <at> vsiteam.com [mailto:ajuliao <at> vsiteam.com]
Sent: February-02-12 1:59 PM
To: Peter McGill; users <at> openswan.org
Subject: RE: [Openswan Users] Routing with OpenSwan and Amazon.

 

Thanks for your quick response.

 

I don't know the etiquette regarding mailing lists, should I respond to you directly or to the mailing list or both?

 

I will try what you suggested; however, I don't have access to the router, so I have to make the request and wait. One question though: even after changing that in the Linux server (the one with openswan), I can't ping my Windows server in the same VPC. Is that supposed to happen, or might that be for another reason/problem?

 

Thanks again,

 

Andres Juliao
Senior Software Developer
VSI Nearshore Outsourcing
e-mail: ajuliao <at> vsiteam.com
website: www.vsiteam.com

 

From: Peter McGill [petermcgill <at> goco.net]
Sent: Thursday, February 02, 2012 12:08
To: ajuliao <at> vsiteam.com; users <at> openswan.org
Subject: RE: [Openswan Users] Routing with OpenSwan and Amazon.

You change the leftsubnet entry to a subnet that includes both your linux and windows servers.

You also need to change the equivalent subnet on the cisco asa.

When this is done, yes “routing” is automatic when the tunnel is connected.

 

Put another way any traffic you want routed through the connection must be included in the subnets defined for the connection.

 

Peter

 

From: users-bounces <at> lists.openswan.org [mailto:users-bounces <at> lists.openswan.org] On Behalf Of ajuliao <at> vsiteam.com
Sent: February-02-12 11:11 AM
To: users <at> openswan.org
Subject: [Openswan Users] Routing with OpenSwan and Amazon.

 

Hello,

 

I have successfully established a VPN between a Linux server on Amazon Cloud and a Cisco ASA. However, I now need to communicate from a Windows server within my Amazon VPC (both the Linux server and the Windows server are in the same VPC and subnet) to a server on the Cisco VPN side. I have been unable to do so. Can someone please help me or point me in the right direction?

 

All the configuration I made was, plus the secret key:

 

conn home
  left=%defaultroute
  leftsubnet=XXX.XX.X.XXX/32 (private linux server ip)
  leftid=XXX.XX.XXX.XX (public linux server ip)
  right=XXX.XXX.XXX.XX (Cisco private IP)
  rightid=XXX.XXX.XXX.XX (Cisco public IP)
  rightsubnet=XXX.XXX.XXX.XX/32 (private server on cisco side)
  authby=secret
  ike=aes128-sha1-modp1024
  esp=aes128-sha1
  pfs=no
  forceencaps=yes
  auto=start

 

I am thinking the problem relates to routing, but I was under the impression OpenSwan took care of that for you.

 

Thank you for any and all help.

 

 

Andres Juliao
Senior Software Developer
VSI Nearshore Outsourcing
e-mail: ajuliao <at> vsiteam.com
website: www.vsiteam.com
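Peter's point, that leftsubnet must cover both the Linux and the Windows host and that the ASA access-list must mirror the Openswan subnets, can be checked mechanically. This added Python example (not code from the thread or from Openswan) parses the conn block and the access-list from Peter's example above, converts the Cisco wildcard masks to networks, and reports every host or selector that disagrees; NARROW_CONN is a constructed variant reproducing the original /32 mistake.

```python
import ipaddress


def parse_conn(text):
    """Parse an ipsec.conf 'conn' block into {key: value}; inline notes are dropped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.split()[0]  # keeps '10.0.0.0/30', drops '(private ip)'
    return params


def acl_network(address, wildcard):
    """Cisco 'address wildcard' pair -> network (the wildcard is the inverted netmask)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # bits set must be a contiguous low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{address}/{32 - wc.bit_length()}", strict=False)


def parse_acl(line):
    """'access-list N permit ip SRC WC DST WC' -> (src_network, dst_network)."""
    t = line.split()
    if t[:1] != ["access-list"] or t[2:4] != ["permit", "ip"] or len(t) < 8:
        raise ValueError("unsupported access-list form")
    return acl_network(t[4], t[5]), acl_network(t[6], t[7])


def check_selectors(conn_text, acl_line, left_hosts):
    """Return a list of findings; an empty list means both ends agree."""
    conn = parse_conn(conn_text)
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    acl_src, acl_dst = parse_acl(acl_line)
    findings = []
    for host in left_hosts:
        if ipaddress.ip_address(host) not in left:
            findings.append(f"{host} is outside leftsubnet {left}: its traffic will not enter the tunnel")
    # Seen from the Cisco, the source is its own side (Openswan's right) and the destination ours.
    if acl_src != right:
        findings.append(f"ASA source {acl_src} != rightsubnet {right}")
    if acl_dst != left:
        findings.append(f"ASA destination {acl_dst} != leftsubnet {left}")
    return findings


# Peter's example from the thread, plus a constructed block with the original /32 mistake.
GOOD_CONN = """conn linux-cisco
        left=1.1.1.1
        leftid=1.1.1.1
        leftsubnet=10.0.0.0/30
        right=2.2.2.2
        rightid=2.2.2.2
        rightsubnet=10.2.0.1/32
"""
NARROW_CONN = GOOD_CONN.replace("leftsubnet=10.0.0.0/30", "leftsubnet=10.0.0.1/32")
ACL = "access-list 133 permit ip 10.2.0.1 0.0.0.0 10.0.0.0 0.0.0.3"
HOSTS = ["10.0.0.1", "10.0.0.2"]  # Linux and Windows private addresses from the example

if __name__ == "__main__":
    for name, conn in [("good", GOOD_CONN), ("narrow", NARROW_CONN)]:
        print(name, check_selectors(conn, ACL, HOSTS) or ["selectors consistent"])
```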

Stuart Oppery | 2 Feb 15:09

[Openswan Users] Cannot connect to SonicWall VPN

Hi All,

 

I am trying to connect to a VPN using IPSec, but have had problems connecting. I have a windows based SonicWall Global VPN client program that will connect to the SonicWall router. I have tried to replicate these details in the ipsec.conf as below:

 

config setup
            dumpdir=/var/run/pluto/
            nat_traversal=yes
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
            oe=off
            protostack=auto
            interfaces="ipsec0=eth0"

conn sonicwall
     type=tunnel
     left=172.16.XX.XX (my IP)
     leftnexthop=172.16.255.255 (my gateway)
     leftid=@GroupVPN
     leftxauthclient=yes
     right=XX.XX.XX.XX (IP address of my sonicwall router)
     rightsubnet=XX.XX.XX.XX/24 (gateway IP of my LAN)
     rightxauthserver=yes
     rightid=@0006XXXXXXXX
     keyingtries=0
     keyexchange=ike
     pfs=no
     aggrmode=yes
     auto=add
     auth=esp
     esp=aes256-sha1
     ike=aes256-sha1-modp1024
     authby=secret

 

Below is the output given when running the command “ipsec whack --listen --name sonicwall --initiate --xauthname XXXXXX --xauthpass XXXXXX”. Seems as though it fails on the second phase auth and I am unsure what else to try.

 

It has taken me a few days to get this far so any help would be much appreciated.

 

Many thanks,

Stuart

 

Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: initiating Aggressive Mode #12, connection "sonicwall"
Feb  2 13:38:40 localhost pluto[26053]: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:38:40 localhost pluto[26053]: | setting sec: 1
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring unknown Vendor ID payload [5bXXXXXXXXXXXX]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received Vendor ID payload [RFC 3947] method set to=109
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received Vendor ID payload [Dead Peer Detection]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received Vendor ID payload [XAUTH]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: Aggressive mode peer ID is ID_FQDN: '@0006XXXXXXXX'
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Feb  2 13:38:40 localhost pluto[26053]: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: XAUTH: Answering XAUTH challenge with user='XXXXXX'
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received and ignored informational message
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: XAUTH: Successfully Authenticated
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#12 msgid:46f6c0a8 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Feb  2 13:38:40 localhost pluto[26053]: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received and ignored informational message
Feb  2 13:39:10 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Feb  2 13:39:10 localhost pluto[26053]: "sonicwall" #12: received and ignored informational message
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #13: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #13: starting keying attempt 2 of an unlimited number, but releasing whack
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: initiating Aggressive Mode #14, connection "sonicwall"
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:39:50 localhost pluto[26053]: | setting sec: 1
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: ignoring unknown Vendor ID payload [5bXXXXXXXXXXXXXX]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: received Vendor ID payload [RFC 3947] method set to=109
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: received Vendor ID payload [Dead Peer Detection]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: received Vendor ID payload [XAUTH]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: Aggressive mode peer ID is ID_FQDN: '@0006XXXXXXXX'
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: XAUTH username requested, but no file descriptor available for prompt
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: sending encrypted notification CERTIFICATE_UNAVAILABLE to XX.XX.XX.XX:4500 (IP address of my sonicwall router)
Feb  2 13:43:56 localhost pluto[26053]: "sonicwall" #12: received Delete SA payload: deleting ISAKMPState #12
Feb  2 13:43:56 localhost pluto[26053]: packet from XX.XX.XX.XX:4500: received and ignored informational message
Feb  2 13:43:56 localhost pluto[26053]: packet from XX.XX.XX.XX:4500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
Feb  2 13:43:56 localhost pluto[26053]: packet from XX.XX.XX.XX:4500: received and ignored informational message
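The pluto logs in Stuart's post and in Zhiping Liu's post above show the same shape (phase 1 completes, Quick Mode is retransmitted with no acceptable answer) but for different reasons, and Den's log shows the healthy case. This added Python example, not from the thread or from Openswan, parses the `"conn" #state: message` prefix of pluto lines, collects the phase results and failure markers per connection, and turns them into a short verdict; the sample lines are abridged copies of lines quoted in those three posts, and the verdict rules are heuristics written for this example.

```python
import re
from collections import defaultdict

# Syslog prefix, then: "conn"[instance] peer #state: message   (instance and peer optional)
LINE_RE = re.compile(
    r'pluto\[\d+\]:\s+"(?P<conn>[^"]+)"(?:\[\d+\]\s+\S+)?\s+#(?P<state>\d+):\s+(?P<msg>.*)$'
)

# Messages that mark a negotiation as finished or as going wrong.
PHASE1_UP = re.compile(r"ISAKMP SA established")
PHASE2_UP = re.compile(r"IPsec SA established")
FAILURES = {
    "phase2_unanswered": re.compile(r"max number of retransmissions .* reached STATE_QUICK_I1"),
    "phase1_unanswered": re.compile(r"max number of retransmissions .* reached STATE_AGGR_R1"),
    "peer_rejected_ids": re.compile(r"type INVALID_ID_INFORMATION"),
    "dpd_peer_dead": re.compile(r"DPD: No response from peer"),
    "xauth_no_prompt": re.compile(r"XAUTH username requested, but no file descriptor"),
}


def parse_line(line):
    """Return (conn, state_number, message), or None for lines without a state prefix."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("conn").strip(), int(m.group("state")), m.group("msg")


def analyse(lines):
    """Group pluto messages by connection; record phase results and failure markers."""
    report = defaultdict(lambda: {"phase1": set(), "phase2": set(), "failures": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # e.g. 'packet from X:500: ...' lines carry no state number yet
        conn, state, msg = parsed
        entry = report[conn]
        if PHASE1_UP.search(msg):
            entry["phase1"].add(state)
        if PHASE2_UP.search(msg):
            entry["phase2"].add(state)
        for name, pattern in FAILURES.items():
            if pattern.search(msg):
                entry["failures"].append((state, name))
    return dict(report)


def diagnose(entry):
    """Map one connection's entry to a verdict (heuristic rules, see comments)."""
    names = {name for _, name in entry["failures"]}
    if entry["phase2"] and not names:
        return "healthy: IPsec SA established"
    if "peer_rejected_ids" in names and "phase2_unanswered" in names:
        # IKEv1 INVALID-ID-INFORMATION answering Quick Mode: the peer did not accept the
        # proposed IDs, i.e. leftsubnet/rightsubnet do not match its configured networks.
        return "phase 2 rejected: traffic selectors disagree with the peer"
    if entry["phase1"] and "phase2_unanswered" in names:
        # Phase 1 completed but Quick Mode got no reply at all; with NAT-T that traffic
        # runs over UDP/4500, so the path (or a stale NAT mapping) is the first suspect.
        return "phase 2 unanswered after phase 1: check the UDP/4500 path"
    if "phase1_unanswered" in names:
        return "phase 1 responder never saw the initiator's third message"
    return "no verdict"


SAMPLES = {  # abridged copies of lines quoted in the three posts
    "den": [
        'Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}',
        'Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x89c5ef96}',
    ],
    "zhiping_server_a": [
        'Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}',
        'Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal',
        'Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: DPD: No response from peer - declaring peer dead',
    ],
    "zhiping_server_b": [
        'Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [Dead Peer Detection]',
        'Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: STATE_AGGR_R1: sent AR1, expecting AI2',
        'Jan 12 09:09:31 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: max number of retransmissions (2) reached STATE_AGGR_R1',
    ],
    "stuart": [
        'Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}',
        'Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000',
        'Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #13: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal',
    ],
}


def run_samples():
    """Verdict per connection for each sample log: {sample: {conn: verdict}}."""
    return {name: {conn: diagnose(entry) for conn, entry in analyse(lines).items()}
            for name, lines in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdicts in run_samples().items():
        print(name, verdicts)
```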

satpal parmar | 2 Feb 13:56

[Openswan Users] Ping fail after flushing SPD/SAD

Hi All;

I am trying to make ping work between two boxes running IPsec. I am using
manual keying. I am facing a strange problem. Ping works without IPsec.
Then I apply setkey.conf. Ping fails due to some hw/driver error. I
flush the config and try ping again. But now ping is not working. I
have to reboot the machine to make it work again.

Below is the log attached.

Appreciate any help to understand the issue.

-SP
+++++++++++++++
LOG
+++++++++++++++
Please press Enter to activate this console.
Linux version 2.6.37-svn5271 (satpal.parmar <at> ubuntu) (gcc version 4.3.3
(Sourcery G++ Lite 2009q1-203) ) #1 Thu Feb 2 11:17:25 IST 2012
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# ifconfig eth0 1.1.1.2 up
root <at> R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=64 time=8.617 ms
64 bytes from 1.1.1.1: seq=1 ttl=64 time=0.367 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.367/4.492/8.617 ms
root <at> R3BTS-CP-PFS1.0# clear

root <at> R3BTS-CP-PFS1.0# ls
bin         home        linuxrc     opt         sbin        usr
dev         init        lost+found  proc        sys         var
etc         lib         mnt         root        tmp
root <at> R3BTS-CP-PFS1.0# vi /home/setkey.conf

#!/usr/sbin/setkey -f

# Configuration for 1.1.1.2

# Flush the SAD and SPD
flush;
spdflush;

# Attention: Use this keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 1.1.1.2 1.1.1.1  ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 1.1.1.1 1.1.1.2 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 1.1.1.2  1.1.1.1 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 1.1.1.1 1.1.1.2 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 1.1.1.2 1.1.1.1 any -P out ipsec
esp/transport//require
ah/transport//require;

spdadd 1.1.1.1 1.1.1.2 any -P in ipsec
esp/transport//require
ah/transport//require;
~
~

root <at> R3BTS-CP-PFS1.0# ls
bin         home        linuxrc     opt         sbin        usr
dev         init        lost+found  proc        sys         var
etc         lib         mnt         root        tmp

r
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# setkey -f /home/setkey.conf
alg: No test for authenc(digest_null,cbc(des3_ede))
(authenc(digest_null-generic,cbc(des3_ede-generic)))
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# setkey -D
1.1.1.1 1.1.1.2
        esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
        E: 3des-cbc  f6ddb555 acfd9d77 b03ea384 3f265325 5afe8eb5 573965df
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=297 refcnt=0
1.1.1.2 1.1.1.1
        esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
        E: 3des-cbc  7aeaca3f 87d060a1 2f4a4487 d5a5c335 5920fae6 9a96c831
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=297 refcnt=0
1.1.1.1 1.1.1.2
        ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
        A: hmac-md5  96358c90 783bbfa3 d7b196ce abe0536b
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=297 refcnt=0
1.1.1.2 1.1.1.1
        ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
        A: hmac-md5  c0291ff0 14dccdd0 3874d9e8 e4cdf3e6
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=297 refcnt=0
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
21 packets transmitted, 0 packets received, 100% packet loss
root <at> R3BTS-CP-PFS1.0# setkey -F
root <at> R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendto: Invalid argument
_______________________________________________
Users <at> lists.openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Abhinav Bhagwat | 2 Feb 08:31

[Openswan Users] pluto segfaults when using SHA2 256 hash

Hi, when I use the sha2 hash to connect using openswan 2.6.37, the pluto daemon segfaults with a message

Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx kernel: pluto[25450]: egfault at 0000000000000004 rip 0000000000447509 rsp 00007fff17a021d0 error 6
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 246: 25450 Segmentation fault      /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --strictcrlpolicy --nat_traversal
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: restarting IPsec after pause...
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx ipsec_setup: Stopping Openswan IPsec...
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx kernel: NET: Unregistered protocol family 15


Putting it in debug mode, the crash is found to be at
~/openswan-2.6.37/programs/pluto/spdb_struct.c:316

The connection is defined in the ipsec.conf file as

conn test
        type=transport
        right=10.1.3.18
        rightprotoport=tcp/any
        left=10.1.2.48
        leftprotoport=tcp/23
        pfs=yes
        phase2=esp
        phase2alg=aes128-sha2_256;modp1024
        ike=aes128-sha2_256;modp1024
        authby=secret
        auto=add

Everything works fine if I replace sha2_256 with sha1.

Here is the output of ipsec setup status, where it does not show OAKLEY sha2_256 getting loaded.

000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=30

With openswan 2.6.33, OAKLEY SHA2_256 is shown and the connection gets established; I can see the SP using setkey. But the telnet connection is not established. Again, everything works fine if I replace sha2 with sha1.

Am I missing something here, or is this a bug?
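The status output above is what tells the story: the IKE hash list has OAKLEY_MD5 and OAKLEY_SHA1 but no OAKLEY_SHA2_256, so the ike= line asks for something pluto never registered. The following is an added example, not code from the post or from Openswan, that checks an ike= line against that list; the mapping from ipsec.conf short names to the OAKLEY_* names pluto prints is an assumption, and the status text is a constructed excerpt of the post's output.

```python
import re

# Constructed sample: the IKE part of the "ipsec setup status" output quoted in the
# post above (no OAKLEY_SHA2_256 hash line is present).
STATUS_OUTPUT = """\
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
"""

STATUS_RE = re.compile(r"^000 algorithm IKE (encrypt|hash|dh group): id=\d+, name=(\S+?),")

def registered_ike_algs(status_text):
    """Collect the OAKLEY_* names pluto reports, per IKE algorithm category."""
    regs = {"encrypt": set(), "hash": set(), "dh group": set()}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            regs[m.group(1)].add(m.group(2))
    return regs

# Assumed mapping from ipsec.conf short names to the names printed by pluto.
ENC_NAMES = {"aes": "OAKLEY_AES_CBC", "3des": "OAKLEY_3DES_CBC"}
HASH_NAMES = {"md5": "OAKLEY_MD5", "sha1": "OAKLEY_SHA1", "sha": "OAKLEY_SHA1",
              "sha2_256": "OAKLEY_SHA2_256", "sha2_512": "OAKLEY_SHA2_512"}

def parse_ike_line(ike_value):
    """Split 'aes128-sha2_256;modp1024' into (enc base, hash, dh group)."""
    cipher, _, group = ike_value.strip().partition(";")
    enc, _, hash_ = cipher.partition("-")
    enc_base = re.sub(r"\d+$", "", enc)  # "aes128" -> "aes"; "3des" is unchanged
    return enc_base, hash_, group

def missing_ike_algs(ike_value, status_text):
    """Return the (category, name) pairs the ike= line needs but pluto did not register."""
    regs = registered_ike_algs(status_text)
    enc, hash_, group = parse_ike_line(ike_value)
    wanted = [("encrypt", ENC_NAMES.get(enc, enc)),
              ("hash", HASH_NAMES.get(hash_, hash_)),
              ("dh group", "OAKLEY_GROUP_" + group.upper())]
    return [(cat, name) for cat, name in wanted if name not in regs[cat]]
```

Running it on the post's ike= line reports the hash as the only missing piece; with sha1 in its place the list is empty, matching what the poster observed.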
Sam | 1 Feb 11:20

[Openswan Users] Max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Hi,


I have successfully installed Openswan, but there seems to be an issue with the connection to the Cisco VPN. From the logs I am seeing something like "No acceptable response to our first Quick Mode message: perhaps peer likes no proposal".

Below is the full log and my config. I would really appreciate your help.

###################### CONFIG #############################
config setup     
        interfaces=%defaultroute
        plutoopts="--perpeerlog"
        protostack=netkey


conn VPNCon
        type=tunnel
        authby=secret
        Ikelifetime=86400s
        phase2=esp
        Phase2alg=3des-md5;modp1536
        lifetime=3600s
        forceencaps=yes
        pfs=no
        keyexchange=ike
        left=1.2.3.4
        leftnexthop=%defaultroute
        right=5.6.7.8
        rightnexthop=%defaultroute
        rekey=yes
        remote_peer_type=cisco
        auto=start
###################################################


###################### CONFIG #############################
Feb  1 10:55:16 box1 ipsec__plutorun: Starting Pluto subsystem...
Feb  1 10:55:16 box1 pluto[12241]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:12241
Feb  1 10:55:16 box1 pluto[12241]: LEAK_DETECTIVE support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: OCF support for IKE [disabled]
Feb  1 10:55:16 box1 pluto[12241]: SAref support [disabled]: Protocol not available
Feb  1 10:55:16 box1 pluto[12241]: SAbind support [disabled]: Protocol not available
Feb  1 10:55:16 box1 pluto[12241]: NSS support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: HAVE_STATSD notification support not compiled in
Feb  1 10:55:16 box1 pluto[12241]: Setting NAT-Traversal port-4500 floating to on
Feb  1 10:55:16 box1 pluto[12241]:    port floating activation criteria nat_t=1/port_float=1
Feb  1 10:55:16 box1 pluto[12241]:    NAT-Traversal support  [enabled]
Feb  1 10:55:16 box1 pluto[12241]: using /dev/urandom as source of random entropy
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: starting up 1 cryptographic helpers
Feb  1 10:55:16 box1 pluto[12248]: using /dev/urandom as source of random entropy
Feb  1 10:55:16 box1 pluto[12241]: started helper pid=12248 (fd:6)
Feb  1 10:55:16 box1 pluto[12241]: Using Linux 2.6 IPsec interface code on 2.6.18-194.17.1.el5 (experimental code)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/cacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/aacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Feb  1 10:55:16 box1 pluto[12241]: Changing to directory '/etc/ipsec.d/crls'
Feb  1 10:55:16 box1 pluto[12241]:   Warning: empty directory
Feb  1 10:55:16 box1 pluto[12241]: added connection description "VPNCon"
Feb  1 10:55:17 box1 pluto[12241]: listening for IKE messages
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo ::1:500
Feb  1 10:55:17 box1 pluto[12241]: loading secrets from "/etc/ipsec.secrets"
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: initiating Main Mode
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Cisco-Unity]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Dead Peer Detection]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: ignoring unknown Vendor ID payload [3c1f79790ca4ddd867fa2623b80ac34b]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [XAUTH]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb  1 10:55:18 box1 pluto[12241]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: Main mode peer ID is ID_IPV4_ADDR: '5.6.7.8'
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: starting keying attempt 2 of an unlimited number
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1 msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: starting keying attempt 3 of an unlimited number
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1 msgid:fd01f2eb proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message

###################################################

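The log above has the usual shape of a Phase 2 mismatch: the ISAKMP SA comes up, each Quick Mode attempt carries the same proposal (3DES-MD5, no PFS), the Cisco side answers NO_PROPOSAL_CHOSEN, and pluto gives up after its retransmissions and starts over. The following is an added example, not code from the post or from Openswan, that reads pluto log lines, correlates each Quick Mode proposal with the retransmission failure for the same state number, and prints a verdict per connection; the log text is a constructed excerpt of the one posted above.

```python
import re
from collections import defaultdict

# Constructed sample: an excerpt of the pluto log quoted in the post above.
LOG = """\
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1 msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
PROPOSAL_RE = re.compile(r"proposal=(\S+) pfsgroup=(\S+)\}")

def phase2_failures(log_text):
    """Per connection: Phase 1 outcome, Quick Mode proposals the peer refused, NO_PROPOSAL_CHOSEN count."""
    report = defaultdict(lambda: {"phase1_established": False, "rejected": [], "no_proposal_chosen": 0})
    proposals = {}  # (conn, state#) -> (proposal, pfsgroup) of an in-flight Quick Mode exchange
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, st, msg = m.group("conn"), m.group("st"), m.group("msg")
        r = report[conn]
        if "ISAKMP SA established" in msg:
            r["phase1_established"] = True
        elif msg.startswith("initiating Quick Mode"):
            p = PROPOSAL_RE.search(msg)
            if p:
                proposals[(conn, st)] = (p.group(1), p.group(2))
        elif "NO_PROPOSAL_CHOSEN" in msg:
            r["no_proposal_chosen"] += 1
        elif "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            r["rejected"].append(proposals.pop((conn, st), ("unknown", "unknown")))
    return dict(report)

def diagnose(log_text):
    """Phase 1 up but every Quick Mode proposal refused points at a Phase 2 (phase2alg/pfs) mismatch."""
    verdicts = {}
    for conn, r in phase2_failures(log_text).items():
        if r["phase1_established"] and r["rejected"]:
            tried = sorted({"%s pfs=%s" % (p, g) for p, g in r["rejected"]})
            verdicts[conn] = ("phase2 mismatch: peer answered NO_PROPOSAL_CHOSEN %d time(s); "
                              "rejected proposal(s): %s" % (r["no_proposal_chosen"], ", ".join(tried)))
        elif not r["phase1_established"]:
            verdicts[conn] = "phase1 never established"
        else:
            verdicts[conn] = "no Quick Mode failures seen"
    return verdicts
```

Which proposal the Cisco side would accept is not in the log; the verdict only narrows the problem to the phase2alg/pfs settings, which is where a comparison with the peer's transform set has to start.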
Paul Pantages | 31 Jan 15:43

[Openswan Users] unsubscribe

 unsubscribe
