LinuxQuestions.org
11-03-2005, 12:04 PM   #1
havelino
LQ Newbie
Registered: Jan 2005
Location: The Netherlands
Distribution: Debian 3.0 Sarge
Posts: 29

Openswan: STATE_QUICK_I1: initiate (NAT Problem?)


Linux is wonderful until shit happens

So what's up:
I'm trying to configure an IPsec tunnel from a Linux Debian stable server to a roadwarrior (Debian stable (kernel 2.8.6) & WINXP)

Machines:
Ultimate Situation:
MODEM----(xxx.xxx.xxx.xxx)ROUTER(192.168.1.1)--//----(192.168.1.102)DebServer(192.168.0.102/24)-----LAN

TESTING Situation (current):
LAPTOP(192.168.1.150)--Crossovercable--(192.168.1.102)DebServer(192.168.0.102/24)-----LAN

But when I start the negotiation I get the following:
#: ipsec auto --up myconn
Code:
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "myconn" #2: STATE_QUICK_I1: initiate
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "myconn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "myconn" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Can the problem be a NAT problem? If so, what do I have to insert in IPTABLES to make it work?

THE SERVER:
ipsec verify:
Code:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                         [OK]
Linux Openswan U2.2.0/K2.6.8-2-386 (native)
Checking for IPsec support in kernel                                    [OK]
Checking for RSA private key (/etc/ipsec.secrets)                       [OK]
Checking that pluto is running                                          [OK]
Pluto not listening on port udp 500. Check interfaces defintion in ipsec.conf.
Two or more interfaces found, checking IP forwarding                    [OK]
Checking NAT and MASQUERADEing                                          [N/A]
Checking for 'ip' command                                               [OK]
Checking for 'iptables' command                                         [OK]
Checking for 'setkey' command for native IPsec stack support            [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: debianServer                    [MISSING]
   Does the machine have at least one non-private address?              [FAILED]
ipsec.conf:
Code:
version 2.0

config setup
    nat_traversal=yes

conn myconn
    left=192.168.1.102
    leftsubnet=192.168.0.0/24
    leftrsasigkey=0sAQOuaY9ySnt6gk8dg9Pc/2/CS41XVxam9gUWnU2KjylcBQWkW3h/zqDzQesGR/3Fznp54Mjpp6U6lG4zoG3+3k6K54EhY1o/H1HweUIKDtWx1PxkJlAjJb9ILZFBmTK5zQrRo/FD6MEgFFEwJPqccS5hCWB2i14oKkeMcs/ESFTp5QBKydEoRxZ51UjuKlwl6ukWQZVUebo5hHcAPeuleMla1w6dqnfYvlG8j9GlsLz5UoORyv/bpMA/QDAeM0q9QMk+/qohdHZl6+W2mUSWXepx4DyCdLvC72Py7cqQGl/j4xDZ1wc+5YTXoF1rgKeIi5CtCTrx34w1l+Se9KQqxet7l9BojbhkgwHWZ+WLPLb6hPEb
    right=192.168.1.150
    rightnexthop=%any
    rightrsasigkey=0sAQOcXEaX8QWIPe3JyOBNdEKu3dTR28y70xf4WNpdEUaFkfcrkIX010wI91atC+ECB09G9k+zXw3UXZlBZhjYdB971p3qR5HiYTagRFwEnWZV1BS8P8j352d6NEnAW9FAZHPCn+R+48zyj2EfDvbgjEOXSL08WRSb/c7ps+XNHpu3boXF/rq+WecnhVowJdPoM91VGo5Phn6y8l8w5ypacw/s/sHXLq+8+uSUJ1GCxn656XFNQYtt1r1FBIM/MM7IiJKs+PLXaYKqFfiaCghAFflI+IEkMEiLwI6t1KEH+P7BrckMZknOB2Kv8w8qx/bwKqQjiAc56PDZC501FSct5BEEUNA/Ua01x2DjVEyF8CGbry5V
    auto=add

ipsec.secrets:
Code:
: RSA {
# RSA 2192 bits debianServer Mon Oct 31 23:03:23 2005
# for signatures only, UNSAFE FOR ENCRYPTION
#pubkey=0sAQOuaY9ySnt6gk8dg9Pc/2/CS41XVxam9gUWnU2KjylcBQWkW3h/zqDzQesGR/3Fznp54Mjpp6U6lG4zoG3+3k6K54EhY1o/H1HweUIKDtWx1PxkJlAjJb9ILZFBmTK5zQrRo/FD6MEgFFEwJPqccS5hCWB2i14oKkeMcs/ESFTp5QBKydEoRxZ51UjuKlwl6ukWQZVUebo5hHcAPeuleMla1w6dqnfYvlG8j9GlsLz5UoORyv/bpMA/QDAeM0q9QMk+/qohdHZl6+W2mUSWXepx4DyCdLvC72Py7cqQGl/j4xDZ1wc+5YTXoF1rgKeIi5CtCTrx34w1l+Se9KQqxet7l9BojbhkgwHWZ+WLPLb6hPEb
PublicExponent: 0x03
# everything after this point is secret
}
# do not change the indenting of that "}"

THE LAPTOP:

ipsec verify:
Code:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.0/K2.6.8-2-686 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: debianLaptop            [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
ipsec.conf (laptop)
Code:
version 2.0     # conforms to second version of ipsec.conf specification
config setup
          nat_traversal=yes

conn myconn
    left=%defaultroute
    leftrsasigkey=0sAQOcXEaX8QWIPe3JyOBNdEKu3dTR28y70xf4WNpdEUaFkfcrkIX010wI91atC+ECB09G9k+zXw3UXZlBZhjYdB971p3qR5HiYTagRFwEnWZV1BS8P8j352d6NEnAW9FAZHPCn+R+48zyj2EfDvbgjEOXSL08WRSb/c7ps+XNHpu3boXF/rq+WecnhVowJdPoM91VGo5Phn6y8l8w5ypacw/s/sHXLq+8+uSUJ1GCxn656XFNQYtt1r1FBIM/MM7IiJKs+PLXaYKqFfiaCghAFflI+IEkMEiLwI6t1KEH+P7BrckMZknOB2Kv8w8qx/bwKqQjiAc56PDZC501FSct5BEEUNA/Ua01x2DjVEyF8CGbry5V
    right=192.168.1.102
    rightsubnet=192.168.0.0/24
    rightrsasigkey=0sAQOuaY9ySnt6gk8dg9Pc/2/CS41XVxam9gUWnU2KjylcBQWkW3h/zqDzQesGR/3Fznp54Mjpp6U6lG4zoG3+3k6K54EhY1o/H1HweUIKDtWx1PxkJlAjJb9ILZFBmTK5zQrRo/FD6MEgFFEwJPqccS5hCWB2i14oKkeMcs/ESFTp5QBKydEoRxZ51UjuKlwl6ukWQZVUebo5hHcAPeuleMla1w6dqnfYvlG8j9GlsLz5UoORyv/bpMA/QDAeM0q9QMk+/qohdHZl6+W2mUSWXepx4DyCdLvC72Py7cqQGl/j4xDZ1wc+5YTXoF1rgKeIi5CtCTrx34w1l+Se9KQqxet7l9BojbhkgwHWZ+WLPLb6hPEb
    auto=add
ipsec.secrets
Code:
: RSA   {
        # RSA 2192 bits   debianLaptop   Mon Oct 31 21:46:11 2005
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=0sAQOcXEaX8QWIPe3JyOBNdEKu3dTR28y70xf4WNpdEUaFkfcrkIX010wI91atC+ECB09G9k+zXw3UXZlBZhjYdB971p3qR5HiYTagRFwEnWZV1BS8P8j352d6NEnAW9FAZHPCn+R+48zyj2EfDvbgjEOXSL08WRSb/c7ps+XNHpu3boXF/rq+WecnhVowJdPoM91VGo5Phn6y8l8w5ypacw/s/sHXLq+8+uSUJ1GCxn656XFNQYtt1r1FBIM/MM7IiJKs+PLXaYKqFfiaCghAFflI+IEkMEiLwI6t1KEH+P7BrckMZknOB2Kv8w8qx/bwKqQjiAc56PDZC501FSct5BEEUNA/Ua01x2DjVEyF8CGbry5V
        PublicExponent: 0x03
        # everything after this point is secret
        }
# do not change the indenting of that "}"

Last edited by havelino; 11-03-2005 at 12:09 PM.
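
Added example, not part of the original post: a small Python triage of the `ipsec auto --up myconn` output quoted above, reporting how far Phase 1 (Main Mode) and Phase 2 (Quick Mode) each got. The function name `triage` and its result keys are hypothetical, and the `IPsec SA established` success string is an assumption about Openswan's Quick Mode completion message.

```python
import re

# Constructed sample input: the `ipsec auto --up myconn` output quoted in the post.
SAMPLE = """\
104 "myconn" #1: STATE_MAIN_I1: initiate
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "myconn" #2: STATE_QUICK_I1: initiate
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "myconn" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Line layout: <status code> "<conn>" #<SA serial>: <message>
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
STATE = re.compile(r'STATE_(MAIN|QUICK)_([IR]\d)')

def triage(output, conn="myconn"):
    """Report how far Phase 1 (Main Mode) and Phase 2 (Quick Mode) got."""
    r = {"phase1_up": False, "phase1_params": {}, "phase2_up": False,
         "last_state": None, "retransmits": 0, "timed_out_in": None}
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != conn:
            continue
        msg = m.group(4)
        st = STATE.search(msg)
        if st:
            r["last_state"] = st.group(0)
        if "ISAKMP SA established" in msg:
            r["phase1_up"] = True  # peers exchanged IKE packets and authenticated
            r["phase1_params"] = dict(re.findall(r'(\w+)=(\w+)', msg))
        elif "IPsec SA established" in msg:  # assumed success message
            r["phase2_up"] = True
        elif "retransmission;" in msg:
            r["retransmits"] += 1
        elif "max number of retransmissions" in msg and st:
            r["timed_out_in"] = st.group(0)
    if r["phase2_up"]:
        r["verdict"] = "tunnel up"
    elif r["timed_out_in"]:
        phase = "1" if "MAIN" in r["timed_out_in"] else "2"
        r["verdict"] = f"phase {phase} timed out in {r['timed_out_in']}"
    elif r["phase1_up"]:
        r["verdict"] = "phase 1 up, phase 2 pending"
    else:
        r["verdict"] = "phase 1 incomplete"
    return r
```

On the quoted output, `triage(SAMPLE)` reports Phase 1 as established with RSA signature authentication and a Phase 2 timeout in `STATE_QUICK_I1` after two retransmissions.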
 
  

