Linux is wonderful until shit happens
So what's up:
I'm trying to configure an IPsec tunnel from a Linux Debian stable server to a roadwarrior (Debian stable (kernel 2.8.6) & WINXP)
Machines:
Ultimate Situation:
MODEM----(xxx.xxx.xxx.xxx)ROUTER(192.168.1.1)--//----(192.168.1.102)DebServer(192.168.0.102/24)-----LAN
TESTING Situation (current):
LAPTOP(192.168.1.150)--Crossovercable--(192.168.1.102)DebServer(192.168.0.102/24)-----LAN
But when I start the negotiation I get the following:
#: ipsec auto --up myconn
Code:
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "myconn" #2: STATE_QUICK_I1: initiate
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "myconn" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "myconn" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Can the problem be a NAT problem? If so, what do I have to insert in IPTABLES to make it work?
THE SERVER:
ipsec verify:
Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.6.8-2-386 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto not listening on port udp 500. Check interfaces defintion in ipsec.conf.
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: debianServer [MISSING]
Does the machine have at least one non-private address? [FAILED]
ipsec.conf:
[CODE]
version 2.0
config setup
    nat_traversal=yes
conn myconn
    left=192.168.1.102
    leftsubnet=192.168.0.0/24
    leftrsasigkey=0sAQOuaY9ySnt6gk8dg9Pc/2/CS41XVxam9gUWnU2KjylcBQWkW3h/zqDzQesGR/3Fznp54Mjpp6U6lG4zoG3+3k6K54EhY1o/H1HweUIKDtWx1PxkJlAjJb9ILZFBmTK5zQrRo/FD6MEgFFEwJPqccS5hCWB2i14oKkeMcs/ESFTp5QBKydEoRxZ51UjuKlwl6ukWQZVUebo5hHcAPeuleMla1w6dqnfYvlG8j9GlsLz5UoORyv/bpMA/QDAeM0q9QMk+/qohdHZl6+W2mUSWXepx4DyCdLvC72Py7cqQGl/j4xDZ1wc+5YTXoF1rgKeIi5CtCTrx34w1l+Se9KQqxet7l9BojbhkgwHWZ+WLPLb6hPEb
    right=192.168.1.150
    rightnexthop=%any
    rightrsasigkey=0sAQOcXEaX8QWIPe3JyOBNdEKu3dTR28y70xf4WNpdEUaFkfcrkIX010wI91atC+ECB09G9k+zXw3UXZlBZhjYdB971p3qR5HiYTagRFwEnWZV1BS8P8j352d6NEnAW9FAZHPCn+R+48zyj2EfDvbgjEOXSL08WRSb/c7ps+XNHpu3boXF/rq+WecnhVowJdPoM91VGo5Phn6y8l8w5ypacw/s/sHXLq+8+uSUJ1GCxn656XFNQYtt1r1FBIM/MM7IiJKs+PLXaYKqFfiaCghAFflI+IEkMEiLwI6t1KEH+P7BrckMZknOB2Kv8w8qx/bwKqQjiAc56PDZC501FSct5BEEUNA/Ua01x2DjVEyF8CGbry5V
    auto=add
[/CODE]
ipsec.secrets:
[CODE]
: RSA {
# RSA 2192 bits debianServer Mon Oct 31 23:03:23 2005
# for signatures only, UNSAFE FOR ENCRYPTION
PublicExponent: 0x03
# everything after this point is secret
}
# do not change the indenting of that "}"
[/CODE]
THE LAPTOP:
ipsec verify:
Code:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.0/K2.6.8-2-686 (netkey)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for NETKEY IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: debianLaptop [MISSING]
Does the machine have at least one non-private address? [FAILED]
ipsec.conf (laptop)
Code:
version 2.0 # conforms to second version of ipsec.conf specification
config setup
    nat_traversal=yes
conn myconn
    left=%defaultroute
    leftrsasigkey=0sAQOcXEaX8QWIPe3JyOBNdEKu3dTR28y70xf4WNpdEUaFkfcrkIX010wI91atC+ECB09G9k+zXw3UXZlBZhjYdB971p3qR5HiYTagRFwEnWZV1BS8P8j352d6NEnAW9FAZHPCn+R+48zyj2EfDvbgjEOXSL08WRSb/c7ps+XNHpu3boXF/rq+WecnhVowJdPoM91VGo5Phn6y8l8w5ypacw/s/sHXLq+8+uSUJ1GCxn656XFNQYtt1r1FBIM/MM7IiJKs+PLXaYKqFfiaCghAFflI+IEkMEiLwI6t1KEH+P7BrckMZknOB2Kv8w8qx/bwKqQjiAc56PDZC501FSct5BEEUNA/Ua01x2DjVEyF8CGbry5V
    right=192.168.1.102
    rightsubnet=192.168.0.0/24
    rightrsasigkey=0sAQOuaY9ySnt6gk8dg9Pc/2/CS41XVxam9gUWnU2KjylcBQWkW3h/zqDzQesGR/3Fznp54Mjpp6U6lG4zoG3+3k6K54EhY1o/H1HweUIKDtWx1PxkJlAjJb9ILZFBmTK5zQrRo/FD6MEgFFEwJPqccS5hCWB2i14oKkeMcs/ESFTp5QBKydEoRxZ51UjuKlwl6ukWQZVUebo5hHcAPeuleMla1w6dqnfYvlG8j9GlsLz5UoORyv/bpMA/QDAeM0q9QMk+/qohdHZl6+W2mUSWXepx4DyCdLvC72Py7cqQGl/j4xDZ1wc+5YTXoF1rgKeIi5CtCTrx34w1l+Se9KQqxet7l9BojbhkgwHWZ+WLPLb6hPEb
    auto=add
ipsec.secrets
Code:
: RSA {
# RSA 2192 bits debianLaptop Mon Oct 31 21:46:11 2005
# for signatures only, UNSAFE FOR ENCRYPTION
PublicExponent: 0x03
# everything after this point is secret
}
# do not change the indenting of that "}"
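An added example, not part of the original post: a small Python triage of the `ipsec auto --up myconn` status lines shown above, reporting which IKE phase stalled and what Phase 1 negotiated. The `IPsec SA established` success string and the `legacy` flagging of 3DES/MD5 are assumptions that do not appear in the post.

```python
import re

# Status lines copied from the `ipsec auto --up myconn` output in the post.
WHACK_LOG = '''\
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "myconn" #2: STATE_QUICK_I1: initiate
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "myconn" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "myconn" #2: starting keying attempt 2 of an unlimited number, but releasing whack
'''

# <3-digit code> "<conn name>" #<state number>: <message>
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
SA_PARAMS = re.compile(r'\{([^}]*)\}')

def triage(log):
    """Summarise one negotiation: what Phase 1 agreed and how Phase 2 ended."""
    report = {"phase1": "not established", "phase1_params": {}, "legacy": [],
              "phase2": "not started", "phase2_retransmits": 0}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(4)
        if msg.startswith("STATE_MAIN_I4") and "ISAKMP SA established" in msg:
            report["phase1"] = "established"
            found = SA_PARAMS.search(msg)
            if found:
                params = dict(p.split("=", 1) for p in found.group(1).split())
                report["phase1_params"] = params
                # Assumption: treat 3DES and MD5 as legacy choices worth flagging.
                report["legacy"] = sorted(k for k, v in params.items()
                                          if "3des" in v.lower() or "md5" in v.lower())
        elif msg.startswith("STATE_QUICK_I1: initiate"):
            report["phase2"] = "initiated"
        elif msg.startswith("STATE_QUICK_I1: retransmission"):
            report["phase2_retransmits"] += 1
        elif "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            report["phase2"] = "no response"
        elif "IPsec SA established" in msg:  # assumed success text, not in the post
            report["phase2"] = "established"
    return report
```

On this log the result separates the two phases: Main Mode completed with RSA signature authentication, while Quick Mode was retransmitted twice and never answered.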