Sam | 1 Feb 11:20

[Openswan Users] Max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Hi,


I have successfully installed Openswan, but there seems to be an issue with the connection to the Cisco VPN. In the logs I am seeing something like "No acceptable response to our first Quick Mode message: perhaps peer likes no proposal".

Below are the full log and my config. I would really appreciate your help.

###################### CONFIG #############################
config setup     
        interfaces=%defaultroute
        plutoopts="--perpeerlog"
        protostack=netkey


conn VPNCon
        type=tunnel
        authby=secret
        Ikelifetime=86400s
        phase2=esp
        Phase2alg=3des-md5;modp1536
        lifetime=3600s
        forceencaps=yes
        pfs=no
        keyexchange=ike
        left=1.2.3.4
        leftnexthop=%defaultroute
        right=5.6.7.8
        rightnexthop=%defaultroute
        rekey=yes
        remote_peer_type=cisco
        auto=start
###################################################


###################### LOG #############################
Feb  1 10:55:16 box1 ipsec__plutorun: Starting Pluto subsystem...
Feb  1 10:55:16 box1 pluto[12241]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:12241
Feb  1 10:55:16 box1 pluto[12241]: LEAK_DETECTIVE support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: OCF support for IKE [disabled]
Feb  1 10:55:16 box1 pluto[12241]: SAref support [disabled]: Protocol not available
Feb  1 10:55:16 box1 pluto[12241]: SAbind support [disabled]: Protocol not available
Feb  1 10:55:16 box1 pluto[12241]: NSS support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: HAVE_STATSD notification support not compiled in
Feb  1 10:55:16 box1 pluto[12241]: Setting NAT-Traversal port-4500 floating to on
Feb  1 10:55:16 box1 pluto[12241]:    port floating activation criteria nat_t=1/port_float=1
Feb  1 10:55:16 box1 pluto[12241]:    NAT-Traversal support  [enabled]
Feb  1 10:55:16 box1 pluto[12241]: using /dev/urandom as source of random entropy
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: starting up 1 cryptographic helpers
Feb  1 10:55:16 box1 pluto[12248]: using /dev/urandom as source of random entropy
Feb  1 10:55:16 box1 pluto[12241]: started helper pid=12248 (fd:6)
Feb  1 10:55:16 box1 pluto[12241]: Using Linux 2.6 IPsec interface code on 2.6.18-194.17.1.el5 (experimental code)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/cacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/aacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Feb  1 10:55:16 box1 pluto[12241]: Changing to directory '/etc/ipsec.d/crls'
Feb  1 10:55:16 box1 pluto[12241]:   Warning: empty directory
Feb  1 10:55:16 box1 pluto[12241]: added connection description "VPNCon"
Feb  1 10:55:17 box1 pluto[12241]: listening for IKE messages
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo ::1:500
Feb  1 10:55:17 box1 pluto[12241]: loading secrets from "/etc/ipsec.secrets"
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: initiating Main Mode
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Cisco-Unity]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Dead Peer Detection]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: ignoring unknown Vendor ID payload [3c1f79790ca4ddd867fa2623b80ac34b]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [XAUTH]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb  1 10:55:18 box1 pluto[12241]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: Main mode peer ID is ID_IPV4_ADDR: '5.6.7.8'
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: starting keying attempt 2 of an unlimited number
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1 msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: starting keying attempt 3 of an unlimited number
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1 msgid:fd01f2eb proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message

###################################################

_______________________________________________
Users <at> lists.openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Abhinav Bhagwat | 2 Feb 08:31

[Openswan Users] pluto segfaults when using SHA2 256 hash

Hi, when I use the sha2 hash to connect using openswan 2.6.37, the pluto daemon segfaults with the message:

Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx kernel: pluto[25450]: segfault at 0000000000000004 rip 0000000000447509 rsp 00007fff17a021d0 error 6
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 246: 25450 Segmentation fault      /usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-netkey --uniqueids --strictcrlpolicy --nat_traversal
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
Jan 31 04:18:31 xxxxxxxxxxxxxxxxxxx ipsec__plutorun: restarting IPsec after pause...
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx ipsec_setup: Stopping Openswan IPsec...
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:
Jan 31 04:18:41 xxxxxxxxxxxxxxxxxxx kernel: NET: Unregistered protocol family 15


Running in debug mode, the crash is found to be at
~/openswan-2.6.37/programs/pluto/spdb_struct.c:316

The connection is defined in ipsec.conf file as

conn test
        type=transport
        right=10.1.3.18
        rightprotoport=tcp/any
        left=10.1.2.48
        leftprotoport=tcp/23
        pfs=yes
        phase2=esp
        phase2alg=aes128-sha2_256;modp1024
        ike=aes128-sha2_256;modp1024
        authby=secret
        auto=add

Everything works fine if I replace sha2_256 with sha1.

Here is the output of "ipsec setup status", which does not show OAKLEY sha2_256 getting loaded.

000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=30

With openswan 2.6.33, OAKLEY SHA2_256 is shown and the connection gets established; I can see the SP using setkey. But the telnet connection is not established. Again, everything works fine if I replace sha2 with sha1.

Am I missing something here, or is this a bug?
satpal parmar | 2 Feb 13:56

[Openswan Users] Ping fail after flushing SPD/SAD

Hi All;

I am trying to make ping work between two boxes running IPsec. I am using
manual keying. I am facing a strange problem. Ping works without IPsec.
Then I apply setkey.conf. Ping fails due to some hw/driver error. I
flush the config and try ping again. But now ping is not working. I
have to reboot the machine to make it work again.

Below is the log attached.

Appreciate any help to understand the issue.

-SP
+++++++++++++++
LOG
+++++++++++++++
Please press Enter to activate this console.
Linux version 2.6.37-svn5271 (satpal.parmar <at> ubuntu) (gcc version 4.3.3
(Sourcery G++ Lite 2009q1-203) ) #1 Thu Feb 2 11:17:25 IST 2012
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# ifconfig eth0 1.1.1.2 up
root <at> R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=64 time=8.617 ms
64 bytes from 1.1.1.1: seq=1 ttl=64 time=0.367 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.367/4.492/8.617 ms
root <at> R3BTS-CP-PFS1.0# clear

root <at> R3BTS-CP-PFS1.0# ls
bin         home        linuxrc     opt         sbin        usr
dev         init        lost+found  proc        sys         var
etc         lib         mnt         root        tmp
root <at> R3BTS-CP-PFS1.0# vi /home/setkey.conf

#!/usr/sbin/setkey -f

# Configuration for 1.1.1.2

# Flush the SAD and SPD
flush;
spdflush;

# Attention: use these keys only for testing purposes!
# Generate your own keys!

# AH SAs using 128 bit long keys
add 1.1.1.2 1.1.1.1  ah 0x200 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 1.1.1.1 1.1.1.2 ah 0x300 -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 1.1.1.2  1.1.1.1 esp 0x201 -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831;
add 1.1.1.1 1.1.1.2 esp 0x301 -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df;

# Security policies
spdadd 1.1.1.2 1.1.1.1 any -P out ipsec
esp/transport//require
ah/transport//require;

spdadd 1.1.1.1 1.1.1.2 any -P in ipsec
esp/transport//require
ah/transport//require;
~
~

root <at> R3BTS-CP-PFS1.0# ls
bin         home        linuxrc     opt         sbin        usr
dev         init        lost+found  proc        sys         var
etc         lib         mnt         root        tmp

root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# setkey -f /home/setkey.conf
alg: No test for authenc(digest_null,cbc(des3_ede))
(authenc(digest_null-generic,cbc(des3_ede-generic)))
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# setkey -D
1.1.1.1 1.1.1.2
        esp mode=transport spi=769(0x00000301) reqid=0(0x00000000)
        E: 3des-cbc  f6ddb555 acfd9d77 b03ea384 3f265325 5afe8eb5 573965df
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=297 refcnt=0
1.1.1.2 1.1.1.1
        esp mode=transport spi=513(0x00000201) reqid=0(0x00000000)
        E: 3des-cbc  7aeaca3f 87d060a1 2f4a4487 d5a5c335 5920fae6 9a96c831
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=297 refcnt=0
1.1.1.1 1.1.1.2
        ah mode=transport spi=768(0x00000300) reqid=0(0x00000000)
        A: hmac-md5  96358c90 783bbfa3 d7b196ce abe0536b
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=297 refcnt=0
1.1.1.2 1.1.1.1
        ah mode=transport spi=512(0x00000200) reqid=0(0x00000000)
        A: hmac-md5  c0291ff0 14dccdd0 3874d9e8 e4cdf3e6
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  1 00:16:15 1970   current: Jan  1 00:16:42 1970
        diff: 27(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=297 refcnt=0
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0#
root <at> R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
^C
--- 1.1.1.1 ping statistics ---
21 packets transmitted, 0 packets received, 100% packet loss
root <at> R3BTS-CP-PFS1.0# setkey -F
root <at> R3BTS-CP-PFS1.0# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
ping: sendto: Invalid argument

Stuart Oppery | 2 Feb 15:09

[Openswan Users] Cannot connect to SonicWall VPN

Hi All,

 

I am trying to connect to a VPN using IPsec, but have had problems connecting. I have a Windows-based SonicWall Global VPN client program that will connect to the SonicWall router. I have tried to replicate its settings in ipsec.conf as below:

 

config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=auto
        interfaces="ipsec0=eth0"

conn sonicwall
        type=tunnel
        left=172.16.XX.XX (my IP)
        leftnexthop=172.16.255.255 (my gateway)
        leftid=@GroupVPN
        leftxauthclient=yes
        right=XX.XX.XX.XX (IP address of my sonicwall router)
        rightsubnet=XX.XX.XX.XX/24 (gateway IP of my LAN)
        rightxauthserver=yes
        rightid=@0006XXXXXXXX
        keyingtries=0
        keyexchange=ike
        pfs=no
        aggrmode=yes
        auto=add
        auth=esp
        esp=aes256-sha1
        ike=aes256-sha1-modp1024
        authby=secret

 

Below is the output given when running the command “ipsec whack --listen --name sonicwall --initiate --xauthname XXXXXX --xauthpass XXXXXX”. Seems as though it fails on the second phase auth and I am unsure what else to try.

 

It has taken me a few days to get this far so any help would be much appreciated.

 

Many thanks,

Stuart

 

Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: initiating Aggressive Mode #12, connection "sonicwall"
Feb  2 13:38:40 localhost pluto[26053]: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:38:40 localhost pluto[26053]: | setting sec: 1
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring unknown Vendor ID payload [5bXXXXXXXXXXXX]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received Vendor ID payload [RFC 3947] method set to=109
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received Vendor ID payload [Dead Peer Detection]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received Vendor ID payload [XAUTH]
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: Aggressive mode peer ID is ID_FQDN: '@0006XXXXXXXX'
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Feb  2 13:38:40 localhost pluto[26053]: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: XAUTH: Answering XAUTH challenge with user='XXXXXX'
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received and ignored informational message
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: XAUTH: Successfully Authenticated
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#12 msgid:46f6c0a8 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Feb  2 13:38:40 localhost pluto[26053]: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: received and ignored informational message
Feb  2 13:39:10 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Feb  2 13:39:10 localhost pluto[26053]: "sonicwall" #12: received and ignored informational message
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #13: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #13: starting keying attempt 2 of an unlimited number, but releasing whack
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: initiating Aggressive Mode #14, connection "sonicwall"
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:39:50 localhost pluto[26053]: | setting sec: 1
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: ignoring unknown Vendor ID payload [5bXXXXXXXXXXXXXX]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: received Vendor ID payload [RFC 3947] method set to=109
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: received Vendor ID payload [Dead Peer Detection]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: received Vendor ID payload [XAUTH]
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: Aggressive mode peer ID is ID_FQDN: '@0006XXXXXXXX'
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: pluto_do_crypto: helper (0) is  exiting
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: XAUTH username requested, but no file descriptor available for prompt
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #14: sending encrypted notification CERTIFICATE_UNAVAILABLE to XX.XX.XX.XX:4500 (IP address of my sonicwall router)
Feb  2 13:43:56 localhost pluto[26053]: "sonicwall" #12: received Delete SA payload: deleting ISAKMPState #12
Feb  2 13:43:56 localhost pluto[26053]: packet from XX.XX.XX.XX:4500: received and ignored informational message
Feb  2 13:43:56 localhost pluto[26053]: packet from XX.XX.XX.XX:4500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
Feb  2 13:43:56 localhost pluto[26053]: packet from XX.XX.XX.XX:4500: received and ignored informational message

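Both this SonicWall thread and Sam's Cisco thread earlier on the page end in the same pluto line, "No acceptable response to our first Quick Mode message", with phase 1 complete and a different ISAKMP notification arriving just before it. As an added example (not code from either post or from the Openswan project), the Python below parses pluto log lines of the shape quoted in both threads, records what phase 1 negotiated and what phase 2 proposed, and maps the peer's notification to the configuration items to compare on both ends. The sample log is constructed from the two threads; the mapping of NO_PROPOSAL_CHOSEN (RFC 2408 notify type 14) to a phase-2 algorithm/PFS mismatch and of INVALID_ID_INFORMATION (type 18) to a traffic-selector mismatch is the usual reading for an initiator whose ISAKMP SA already established, not something the posts state.

```python
"""Diagnose IKEv1 phase-2 failures from Openswan pluto log lines (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample, condensed from the shape of the two threads above
# (connection names, proposals and notifications as they appear in pluto logs).
SAMPLE_LOG = """\
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1 msgid:6ca6f49a proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#12 msgid:46f6c0a8 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Feb  2 13:38:40 localhost pluto[26053]: "sonicwall" #12: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Feb  2 13:39:50 localhost pluto[26053]: "sonicwall" #13: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PHASE1_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
QUICK_RE = re.compile(r'initiating Quick Mode .*\{(?P<params>[^}]*)\}')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (?P<type>[A-Z_]+)')
QUICK_FAIL_RE = re.compile(r'max number of retransmissions \(\d+\) reached STATE_QUICK_I1')

# ISAKMP notify types (RFC 2408 section 3.14.1) and the verdict each implies once
# phase 1 has completed and the Quick Mode request goes unanswered.
NOTIFY_VERDICT = {
    "NO_PROPOSAL_CHOSEN": "PHASE2_PROPOSAL_MISMATCH",
    "INVALID_ID_INFORMATION": "PHASE2_ID_MISMATCH",
}
VERDICT_TEXT = {
    "PHASE2_PROPOSAL_MISMATCH": "peer rejected the ESP proposal: compare phase2alg/esp, "
                                "pfs and the phase-2 lifetime on both ends",
    "PHASE2_ID_MISMATCH": "peer rejected the phase-2 identities: compare leftsubnet/"
                          "rightsubnet and leftprotoport/rightprotoport with the "
                          "peer's traffic selectors",
    "PEER_SILENT": "no phase-2 reply at all: check that UDP/500 and UDP/4500 reach "
                   "the peer and that the peer logs the Quick Mode request",
    "PHASE1_INCOMPLETE": "ISAKMP SA never established: the failure is in phase 1",
    "OK": "no phase-2 failure recorded",
}


@dataclass
class ConnDiagnosis:
    conn: str
    phase1: dict = field(default_factory=dict)      # auth/cipher/prf/group from phase 1
    proposal: str = ""                              # ESP proposal we sent in Quick Mode
    pfsgroup: str = ""
    notifications: list = field(default_factory=list)
    quick_mode_failed: bool = False
    verdict: str = "OK"


def _kv(params: str) -> dict:
    """Turn 'auth=X cipher=Y ...' into a dict, skipping tokens without '='."""
    return dict(p.split("=", 1) for p in params.split() if "=" in p)


def _verdict(d: ConnDiagnosis) -> str:
    if not d.phase1:
        return "PHASE1_INCOMPLETE"
    if not d.quick_mode_failed:
        return "OK"
    for n in d.notifications:
        if n in NOTIFY_VERDICT:
            return NOTIFY_VERDICT[n]
    return "PEER_SILENT"


def diagnose(log_text: str) -> dict:
    """Return {connection name: ConnDiagnosis} for every conn seen in the log."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = conns.setdefault(m["conn"], ConnDiagnosis(m["conn"]))
        msg = m["msg"]
        if p1 := PHASE1_RE.search(msg):
            d.phase1 = _kv(p1["params"])
        elif q := QUICK_RE.search(msg):
            kv = _kv(q["params"])
            d.proposal = kv.get("proposal", "")
            d.pfsgroup = kv.get("pfsgroup", "")
        elif n := NOTIFY_RE.search(msg):
            d.notifications.append(n["type"])
        elif QUICK_FAIL_RE.search(msg):
            d.quick_mode_failed = True
    for d in conns.values():
        d.verdict = _verdict(d)
    return conns


if __name__ == "__main__":
    for d in diagnose(SAMPLE_LOG).values():
        print(f'"{d.conn}": phase1={d.phase1} proposal={d.proposal} pfs={d.pfsgroup}')
        print(f'    notifications={d.notifications} -> {d.verdict}: {VERDICT_TEXT[d.verdict]}')
```

Run stand-alone it prints a verdict per connection for the constructed sample; on a real box, feed it the pluto lines from syslog instead. The verdict is only a pointer to which side-by-side comparison to do next: a NO_PROPOSAL_CHOSEN from a Cisco peer, for example, is just as often the phase-2 lifetime or PFS setting as the cipher itself.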
Paul Wouters | 2 Feb 15:48

Re: [Openswan Users] pluto segfaults when using SHA2 256 hash

On Wed, 1 Feb 2012, Abhinav Bhagwat wrote:

> Hi when I use sha2 hash to connect using openswan 2.6.37 the pluto daemon
> seg faults with a message

> Am I missing something here or this is a bug?

It's a fixed bug, but we haven't had a release yet to fix it.

If you recompile with USE_EXTRACRYPTO=true set it will work properly.
Otherwise, see:

http://git.openswan.org/cgi-bin/cgit/openswan/commit/?id=33aea96b36ff282f64bc9cc2a69f89ffa908826c
http://git.openswan.org/cgi-bin/cgit/openswan/commit/?id=d9c6bad2e2ab5bdafc07cb948c8af85711076f67
http://git.openswan.org/cgi-bin/cgit/openswan/commit/?id=3203cd13660e0e5f09c83fb4343cf784a42c6192

We will try to get a release out next week.

Paul

Paul Wouters | 2 Feb 16:07

Re: [Openswan Users] Ping fail after flushing SPD/SAD

On Thu, 2 Feb 2012, satpal parmar wrote:

> I am trying to make ping work btn two boxes running IPSec. I am using
> manual keying.

Manual keying is like drilling for oil to fill up your car. Don't do it :)

> I am facing a strange problem. Ping works without IPsec.
> Then I apply setkey.conf. Ping fails due to some hw/driver error. I
> flush the config and try ping again. But now ping is not working. I
> have to reboot the machine to make it work again.

If you do things outside of an IKE daemon, you can probably use:

with NETKEY:

ip xfrm policy flush
ip xfrm state flush

with KLIPS:

ipsec eroute --clear

Paul


[Openswan Users] Routing with OpenSwan and Amazon.

Hello,
 
I have successfully established a VPN between a Linux server on Amazon Cloud and a Cisco ASA. However, I now need to communicate from a Windows server within my Amazon VPC (both the Linux server and the Windows server are in the same VPC and subnet) to a server on the Cisco VPN side. I have been unable to do so. Can someone please help me or point me in the right direction?
 
All the configuration I made was, plus the secret key:
 
conn home
  left=%defaultroute
  leftsubnet=XXX.XX.X.XXX/32 (private linux server ip)
  leftid=XXX.XX.XXX.XX (public linux server ip)
  right=XXX.XXX.XXX.XX (Cisco private IP)
  rightid=XXX.XXX.XXX.XX (Cisco public IP)
  rightsubnet=XXX.XXX.XXX.XX/32 (private server on cisco side)
  authby=secret
  ike=aes128-sha1-modp1024
  esp=aes128-sha1
  pfs=no
  forceencaps=yes
  auto=start
 
I am thinking the problem relates to routing, but I was under the impression OpenSwan took care of that for you.
 
Thank you for any and all help.
 
 
Andres Juliao
Senior Software Developer
VSI Nearshore Outsourcing
e-mail: ajuliao <at> vsiteam.com
website: www.vsiteam.com
Peter McGill | 2 Feb 18:08

Re: [Openswan Users] Routing with OpenSwan and Amazon.

You change the leftsubnet entry to a subnet that includes both your linux and windows servers.

You also need to change the equivalent subnet on the cisco asa.

When this is done, yes, “routing” is automatic when the tunnel is connected.

Put another way, any traffic you want routed through the connection must be included in the subnets defined for the connection.

Peter

From: users-bounces <at> lists.openswan.org [mailto:users-bounces <at> lists.openswan.org] On Behalf Of ajuliao <at> vsiteam.com
Sent: February-02-12 11:11 AM
To: users <at> openswan.org
Subject: [Openswan Users] Routing with OpenSwan and Amazon.

 

Peter McGill | 2 Feb 23:47

Re: [Openswan Users] Routing with OpenSwan and Amazon.

Replying to both is good; it allows someone with the same problem to search the list history and find the answer.

 

If the Linux server can't ping the Windows server in the same subnet after the config change, then you probably changed the wrong subnet line.

It should be left, not right. Or it could be your right= line, which you commented as the private IP; it should be the Cisco public IP.

Cisco needs xauth turned off if not already done, but I expect that is done, since you could connect and ping between the Cisco and Linux private IPs?

 

For example:

 

                   Public    Private
Linux:             1.1.1.1   10.0.0.1
Windows:           1.1.1.2   10.0.0.2
Cisco:             2.2.2.2   10.2.0.1

 

Linux Openswan:

 

conn linux-cisco
        left=1.1.1.1
        leftid=1.1.1.1
        leftsubnet=10.0.0.0/30
        right=2.2.2.2
        rightid=2.2.2.2
        rightsubnet=10.2.0.1/32
        etc…

 

Cisco:

access-list 133 permit ip 10.2.0.1 0.0.0.0 10.0.0.0 0.0.0.3

 

Peter

 

From: ajuliao <at> vsiteam.com [mailto:ajuliao <at> vsiteam.com]
Sent: February-02-12 1:59 PM
To: Peter McGill; users <at> openswan.org
Subject: RE: [Openswan Users] Routing with OpenSwan and Amazon.

 

Thanks for your quick response.

 

I don't know the etiquette regarding mailing lists: should I respond to you directly, to the mailing list, or both?

 

I will try what you suggested; however, I don't have access to the router, so I have to make the request and wait. One question, though: even after changing that on the Linux server (the one with Openswan) I can't ping my Windows server in the same VPC. Is that supposed to happen, or might that be another reason/problem?

 

Thanks again,

 

Andres Juliao
Senior Software Developer
VSI Nearshore Outsourcing
e-mail: ajuliao <at> vsiteam.com
website: www.vsiteam.com

 

From: Peter McGill [petermcgill <at> goco.net]
Sent: Thursday, February 02, 2012 12:08
To: ajuliao <at> vsiteam.com; users <at> openswan.org
Subject: RE: [Openswan Users] Routing with OpenSwan and Amazon.

You change the leftsubnet entry to a subnet that includes both your linux and windows servers.

You also need to change the equivalent subnet on the cisco asa.

When this is done, yes “routing” is automatic when the tunnel is connected.

 

Put another way any traffic you want routed through the connection must be included in the subnets defined for the connection.

 

Peter

 
_______________________________________________
Users <at> lists.openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
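Peter's two replies come down to one rule: the tunnel only carries a packet whose source and destination fall inside the leftsubnet/rightsubnet pair, and the Cisco crypto ACL has to mirror those selectors exactly. The script below is an added example, not code from this thread or from Openswan. It parses a conn block like Peter's, reports which host pairs the selectors would leave out (the /32 from the first post versus the /30 Peter suggested), and prints the matching Cisco wildcard ACL. The conn text and the 10.0.0.x/10.2.0.1 addresses are Peter's sample values; the function names are my own, and the parser assumes explicit left=/right= addresses (it does not resolve %defaultroute).

```python
import ipaddress

# Constructed sample: Peter's worked example from the reply above.
CONN_FIXED = """
conn linux-cisco
    left=1.1.1.1
    leftid=1.1.1.1
    leftsubnet=10.0.0.0/30
    right=2.2.2.2
    rightid=2.2.2.2
    rightsubnet=10.2.0.1/32
"""

# Constructed variant mirroring the first post: leftsubnet is only the Linux host.
CONN_HOST_ONLY = CONN_FIXED.replace("leftsubnet=10.0.0.0/30", "leftsubnet=10.0.0.1/32")


def parse_conn(text):
    """Parse the key=value lines of one ipsec.conf 'conn' block into a dict."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def selectors(conf):
    """Return (leftsubnet, rightsubnet) as ip_network objects.

    A missing *subnet means the endpoint itself (host-to-host), i.e. a /32 on
    the left=/right= address. Assumes explicit addresses, not %defaultroute.
    """
    left = conf.get("leftsubnet", conf["left"])
    right = conf.get("rightsubnet", conf["right"])
    return (ipaddress.ip_network(left, strict=False),
            ipaddress.ip_network(right, strict=False))


def covered(conf, src, dst):
    """True if a src->dst packet matches this conn's traffic selectors in either direction."""
    left, right = selectors(conf)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left and d in right) or (s in right and d in left)


def cisco_wildcard(net):
    """Cisco ACLs use an inverted (wildcard) mask: 10.0.0.0/30 -> '10.0.0.0 0.0.0.3'."""
    return f"{net.network_address} {net.hostmask}"


def cisco_acl(conf, number=133):
    """Crypto ACL for the Cisco side: its local subnet (our rightsubnet) to our leftsubnet.

    It must mirror the Openswan selectors exactly, or Quick Mode has no matching proposal.
    """
    left, right = selectors(conf)
    return f"access-list {number} permit ip {cisco_wildcard(right)} {cisco_wildcard(left)}"


def uncovered_hosts(conf, local_hosts, remote_hosts):
    """List the (local, remote) pairs that the tunnel would not carry."""
    return [(l, r) for l in local_hosts for r in remote_hosts if not covered(conf, l, r)]


if __name__ == "__main__":
    local = ["10.0.0.1", "10.0.0.2"]   # Linux and Windows private IPs
    remote = ["10.2.0.1"]              # server on the Cisco side
    for name, text in (("host-only /32", CONN_HOST_ONLY), ("fixed /30", CONN_FIXED)):
        conf = parse_conn(text)
        print(f"{name}: uncovered={uncovered_hosts(conf, local, remote)}")
        print("   ", cisco_acl(conf))
```

Running it shows that with the /32 leftsubnet the pair (10.0.0.2, 10.2.0.1) is uncovered, while the /30 covers both hosts and reproduces Peter's `access-list 133` line character for character. One caveat of mine that the thread does not raise: widening the selectors only makes Openswan willing to carry the Windows host's traffic; the Windows host still needs a route for 10.2.0.1 that points at the Linux instance, and on EC2 that instance must have its source/destination check disabled before it will forward packets on another host's behalf.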
amir ali | 3 Feb 06:44

[Openswan Users] answer

Hello,
This is a bug in Openswan; you can correct it. It is because of a mismatch of the constant number assigned in constants.h, or I don't remember correctly. But there is a comparison statement where this constant is checked against the constant value of SHA2_256, let's suppose 7, but the value in the file from where it is picked is wrong. If you correct it, then the bug is fixed.
Regards
Amir Ali