LinuxQuestions.org
Old 11-23-2004, 04:16 AM   #1
TheEdge
[Q] IPSec OpenSwan (Fedora Core3) to FreeSwan device


G'Day,

- Apologies for the long post, but most of it is logs and config information
- Can someone point me in the right direction to get this going please?
- All suggestions welcomed and I can provide more debugging data if required.

I have the following LAN config:

FedoraBox : 192.168.40.3 (GateWay: 192.168.40.1)
GateWayBox : 192.168.40.1 and connected to the Net. It just does a passthrough of IPSEC
RemoteIPSecDeviceRunningFreeSwan: Public Internet Address and on network 192.168.42.0/24

Now in essence I am attempting to set up a tunnel between FedoraBox and RemoteIPSecDeviceRunningFreeSwan so that I can access the 192.168.42.0/24 securely from my 192.168.40.0/24 network. However, when I attempt to start the connection using:

ipsec auto --up Namadgi

On FedoraBox I see:

104 "Namadgi" #1245: STATE_MAIN_I1: initiate
003 "Namadgi" #1245: ignoring Vendor ID payload [Dead Peer Detection]
106 "Namadgi" #1245: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Namadgi" #1245: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Namadgi" #1245: STATE_MAIN_I4: ISAKMP SA established
112 "Namadgi" #1246: STATE_QUICK_I1: initiate
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 40s for response
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
031 "Namadgi" #1246: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "Namadgi" #1246: starting keying attempt 2 of an unlimited number, but releasing whack

On RemoteIPSecDeviceRunningFreeSwan I see:

Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: using deflate compression
Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: responding to Quick Mode
Nov 23 21:03:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:03:33 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5543: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:03:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: using deflate compression
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: responding to Quick Mode
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:04:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: using deflate compression
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: responding to Quick Mode
Nov 23 21:05:40 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:05:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: discarding duplicate packet; already STATE_QUICK_R1

So it looks like the phase 1 part succeeds but not phase 2. Here is the relevant config information from the FedoraBox:

[root@moe ~]# uname -va
Linux moe.home.local 2.6.9-1.678_FC3 #1 Mon Nov 15 18:28:07 EST 2004 i686 i686 i386 GNU/Linux

[root@moe ~]# ipsec --version
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)

[root@moe ~]# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.40.3
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "Namadgi": 192.168.40.0/24===192.168.40.3[203.21x.xx.xx,S=C]---192.168.40.1...192.168.42.5---203.26.xx.xx[S=C]===192.168.42.0/24; unrouted; eroute owner: #0
000 "Namadgi": ike_life: 18000s; ipsec_life: 3600s; rekey_margin: 60s; rekey_fuzz: 50%; keyingtries: 0
000 "Namadgi": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP; prio: 24,24; interface: eth0;
000 "Namadgi": newest ISAKMP SA: #1245; newest IPsec SA: #0;
000
000 #1251: "Namadgi" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s
000 #1245: "Namadgi" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 17566s; newest ISAKMP
000

[root@moe ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: moe.home.local [MISSING]
Does the machine have at least one non-private address? [FAILED]

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all


# Add connections here.
conn Namadgi
        type=tunnel
        left=192.168.40.3
        leftsubnet=192.168.40.0/24
        leftnexthop=192.168.40.1
        right=203.26.16.136
        rightsubnet=192.168.42.0/24
        rightnexthop=192.168.42.5
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        pfs = yes
        esp = 3DES-SHA1
        ikelifetime = 300m
        keylife = 60m
        compress = yes
        rekey = no
        leftid = somehost.somedomain.com
        rightid = 203.26.xx.xx
        rekeyfuzz = 50%
        rekeymargin = 1m
 
  


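An added triage example (editor's code, not from the poster, Openswan or FreeS/WAN): it reads the `NNN "conn" #sa: message` lines that `ipsec auto --up` prints and separates the two things that can stop phase 2, a refusal from the local kernel (the `netlink response for Add SA ... errno` line above, which appears before any Quick Mode reply is processed) and a peer that simply never sends an acceptable QR1. The sample input is the initiator log quoted above with the wrapped line rejoined; the names `triage`, `parse_pluto_lines` and `SAMPLE_WHACK_OUTPUT` are mine. Which kernel feature the `comp` SA is missing is not established by the thread; the script only makes that first error visible so it gets checked before the phase 2 proposals are.

```python
"""Triage Openswan/Pluto negotiation output.

Reads the 'NNN "conn" #sa: message' lines that `ipsec auto --up` prints and
reports how far each IKE phase got and whether phase 2 died locally (a netlink
"Add SA" error from the kernel) or at the peer (no acceptable Quick Mode reply).
"""
import re
from typing import Dict, List

# Constructed sample: the initiator-side lines quoted in the post above, with
# the wrapped "messa/ge" line rejoined.
SAMPLE_WHACK_OUTPUT = """\
104 "Namadgi" #1245: STATE_MAIN_I1: initiate
003 "Namadgi" #1245: ignoring Vendor ID payload [Dead Peer Detection]
106 "Namadgi" #1245: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Namadgi" #1245: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Namadgi" #1245: STATE_MAIN_I4: ISAKMP SA established
112 "Namadgi" #1246: STATE_QUICK_I1: initiate
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "Namadgi" #1246: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "Namadgi" #1246: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# 'NNN "conn" #sa: message' as printed by whack; any other line is ignored.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Main/Aggressive mode states belong to phase 1, Quick mode states to phase 2.
STATE_RE = re.compile(r'\bSTATE_(?P<phase>MAIN|AGGR|QUICK)_(?P<role>[IR])(?P<step>\d)\b')
# Kernel (netlink) failure while installing an SA: protocol.spi@address plus errno.
NETLINK_RE = re.compile(
    r'netlink response for (?P<op>.+?) (?P<proto>esp|ah|comp)\.(?P<spi>\d+)@(?P<addr>\S+) '
    r'included errno (?P<errno>\d+): (?P<strerror>.*)$')

PROTO_NAMES = {'esp': 'ESP', 'ah': 'AH', 'comp': 'IPComp (compress=yes)'}


def parse_pluto_lines(text: str) -> List[Dict[str, str]]:
    """Return one dict (code, conn, sa, msg) per recognised whack output line."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage(text: str) -> Dict[str, object]:
    """Summarise one negotiation attempt and say where it stopped, if it did."""
    phase1_ok = False
    phase2_ok = False
    last_state: Dict[str, str] = {}          # SA number -> last STATE_* seen
    kernel_errors: List[Dict[str, object]] = []
    for rec in parse_pluto_lines(text):
        msg = rec['msg']
        st = STATE_RE.search(msg)
        if st:
            last_state[rec['sa']] = st.group(0)
        if 'ISAKMP SA established' in msg:
            phase1_ok = True
        if 'IPsec SA established' in msg:
            phase2_ok = True
        nl = NETLINK_RE.search(msg)
        if nl:
            kernel_errors.append({
                'sa': rec['sa'], 'op': nl['op'], 'proto': nl['proto'],
                'spi': int(nl['spi']), 'addr': nl['addr'],
                'errno': int(nl['errno']), 'strerror': nl['strerror'],
            })

    if phase2_ok:
        verdict = 'tunnel up: both phases completed'
    elif not phase1_ok:
        verdict = 'phase 1 (ISAKMP) never completed: check PSK, IDs and reachability first'
    elif kernel_errors:
        e = kernel_errors[0]
        verdict = ('phase 2 failed locally: kernel refused "%s" for the %s SA '
                   '(errno %d, %s); the Quick Mode retransmissions are a consequence'
                   % (e['op'], PROTO_NAMES.get(str(e['proto']), str(e['proto'])),
                      e['errno'], e['strerror']))
    else:
        verdict = 'phase 2 got no acceptable reply: compare the phase 2 proposals on both ends'

    return {'phase1_established': phase1_ok, 'phase2_established': phase2_ok,
            'last_state': last_state, 'kernel_errors': kernel_errors, 'verdict': verdict}


if __name__ == '__main__':
    result = triage(SAMPLE_WHACK_OUTPUT)
    for sa, state in sorted(result['last_state'].items()):
        print('SA #%s stopped at %s' % (sa, state))
    print(result['verdict'])
```

Run on the quoted log it reports #1245 stopping at STATE_MAIN_I4 and #1246 at STATE_QUICK_I1, and flags the `comp` SA the kernel rejected with errno 22; that matches the responder side, which only ever sees "responding to Quick Mode" followed by duplicates, because the initiator errors out before it can process the reply.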