[clug] [Q] IPSec - OpenSwan <--> FreeSwan connection problem under Fedora Core 3

Donovan J. Edye donovan at edyeweb.com
Wed Nov 24 20:50:06 GMT 2004


G'Day,

- Apologies for the long post, but most of it is logs and config information
- Can someone point me in the right direction to get this going please?
- All suggestions welcomed and I can provide more debugging data if required.

I have the following LAN config:

FedoraBox : 192.168.40.3  (GateWay:  192.168.40.1)
GateWayBox : 192.168.40.1 and connected to the Net. It just does a passthrough of IPSEC
RemoteIPSecDeviceRunningFreeSwan: Public Internet Address and on network 192.168.42.0/24

Now in essence I am attempting to set up a tunnel between FedoraBox and RemoteIPSecDeviceRunningFreeSwan so that I can access the 192.168.42.0/24 network securely from my 192.168.40.0/24 network. However, when I attempt to start the connection using:

ipsec auto --up Namadgi

on FedoraBox I see:

104 "Namadgi" #1245: STATE_MAIN_I1: initiate
003 "Namadgi" #1245: ignoring Vendor ID payload [Dead Peer Detection]
106 "Namadgi" #1245: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Namadgi" #1245: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Namadgi" #1245: STATE_MAIN_I4: ISAKMP SA established
112 "Namadgi" #1246: STATE_QUICK_I1: initiate
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 40s for response
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
031 "Namadgi" #1246: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "Namadgi" #1246: starting keying attempt 2 of an unlimited number, but releasing whack

On RemoteIPSecDeviceRunningFreeSwan I see:

Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: using deflate compression
Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: responding to Quick Mode
Nov 23 21:03:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:03:33 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5543: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:03:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: using deflate compression
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: responding to Quick Mode
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:04:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: using deflate compression
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: responding to Quick Mode
Nov 23 21:05:40 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:05:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: discarding duplicate packet; already STATE_QUICK_R1

So it looks like the phase 1 part succeeds but not phase 2. Here is the relevant config information from the FedoraBox:

[root@moe ~]# uname -va
Linux moe.home.local 2.6.9-1.678_FC3 #1 Mon Nov 15 18:28:07 EST 2004 i686 i686 i386 GNU/Linux

[root@moe ~]# ipsec --version
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)

[root@moe ~]# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.40.3
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "Namadgi": 192.168.40.0/24===192.168.40.3[203.21x.xx.xx,S=C]---192.168.40.1...192.168.42.5---203.26.xx.xx[S=C]===192.168.42.0/24; unrouted; eroute owner: #0
000 "Namadgi":   ike_life: 18000s; ipsec_life: 3600s; rekey_margin: 60s; rekey_fuzz: 50%; keyingtries: 0
000 "Namadgi":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP; prio: 24,24; interface: eth0;
000 "Namadgi":   newest ISAKMP SA: #1245; newest IPsec SA: #0;
000
000 #1251: "Namadgi" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s
000 #1245: "Namadgi" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 17566s; newest ISAKMP
000

[root@moe ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [OK]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: moe.home.local             [MISSING]
   Does the machine have at least one non-private address?          [FAILED]

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all

# Add connections here.
conn Namadgi
        type=tunnel
        left=192.168.40.3
        leftsubnet=192.168.40.0/24
        leftnexthop=192.168.40.1
        right=203.26.16.136
        rightsubnet=192.168.42.0/24
        rightnexthop=192.168.42.5
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        pfs = yes
        esp = 3DES-SHA1
        ikelifetime = 300m
        keylife = 60m
        compress = yes
        rekey = no
        leftid = somehost.somedomain.com
        rightid = 203.26.xx.xx
        rekeyfuzz = 50%
        rekeymargin = 1m

--Donovan
www.edyeweb.com
