<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.network.openswan.user">
    <title>gmane.network.openswan.user</title>
    <link>http://blog.gmane.org/gmane.network.openswan.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21126"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21125"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21124"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21123"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21122"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21121"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21120"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21119"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21118"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21117"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21116"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21115"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21114"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21113"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21112"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21111"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21110"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21108"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21107"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.network.openswan.user/21106"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21126">
    <title>Re: [Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21126</link>
    <description>&lt;pre&gt;Hi,

I run a small company and interestingly am just putting in a set of 4
Draytek routers all connected to an OpenSwan endpoint in our data centre. As
there are relatively few Drayteks I have opted to mesh them together instead
of using a hub/spoke arrangement. This also saves on bandwidth to the data
centre.

I am using Vigor 2830Ns, and on those there is a "more" option in the VPN
configuration which, according to the manual lets you "Add a static route to
direct all traffic destined to more Remote Network IP Addresses/ Remote
Network Mask through the VPN connection. This is usually used when you find
there are several subnets behind the remote VPN router". This sounds like
what you want - so looks like it's a feature Draytek added to the newer
model.

My 4 Drayteks dial into the OpenSwan server, on which all profiles are set
as "auto=route". I've not noticed them stop forwarding traffic although I do
have the keepalive pings turned on from the Draytek end, and DPD enabled
with a fairly low timeout on the OpenSwan end.

Hope that helps,
Giles.

_______________________________________________
Users&amp;lt; at &amp;gt;lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

&lt;/pre&gt;</description>
    <dc:creator>Giles</dc:creator>
    <dc:date>2012-05-25T16:38:39</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21125">
    <title>[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21125</link>
    <description>&lt;pre&gt;Hi all

Firstly I would like to introduce myself: I'm an IT professional based in the UK. We have been using OpenSwan for a little while and my questions are around inter-op.

We are moving towards using Openswan exclusively to connect third parties and connecting to third party devices.


Recently, I set up a central host hosted with my provider using OpenSwan 2.6 using netkey. I also connected to it via our office Draytek 2820n, which was simple and easy enough. The routing was straightforward and we can do simple things like monitoring and SNMP via the tunnel between the 'hub' and office router.

A while later, I set up a 2nd node to another site; this was another Linux host using 2.6.32.6 [stock CentOS 5.8] with netkey also.

I wanted to route between this new node and our office via the hub, so I set up the appropriate routes to send traffic to our office node (which is terminated on the 2820n).

However, I discovered that the 2820n does not let me route traffic from the office LAN to the new 2nd host via the hub. I raised a call with UK Draytek support, who told me this:

"These routers don't support IPSec SA (security association) for multiple IP subnets
over one VPN connection, which means data is dropped/blocked when
comes from non associated IP subnet/range (TCP/IP Network Settings "

You can imagine that I was pretty surprised to hear that - Is this the case with Open Swan or is this draytek router a piece of crud ?  I've not had time to try out a new hardware OpenSwan box at our office to initiate the tunnels..

Most of my experience has been with Cisco Pix/ASA with regard to Ipsec, and Openswan a while back so my understanding is that this *should* work..

Can anyone make any comment or feedback about this? I'm quite disappointed that Draytek (support) seem very unhelpful and have made a pretty good device but lacks this standard functionality - however it doesn't surprise me.

My 2nd question is this.

I have noticed that between my two Linux hosts (and similarly between my hub OpenSwan device and our office Draytek), when the tunnel and routes appear to be up, sometimes no traffic passes over the tunnel. I have to manually restart each tunnel instance on the left hand side, and have configured the ipsec config for each site left and right hand side respectively to be 'auto=start'. However, my experience with Cisco ipsec is that both endpoints are always up; if the tunnel drops for some reason, it automatically restarts when routing traffic is required or triggered via connectivity requests.

Is this normal behaviour or do I need to include some other directive in my config to facilitate this ?

thanks in advance for any reply/feedback.

Regards

Dan.

&lt;/pre&gt;</description>
    <dc:creator>Daniel Cave</dc:creator>
    <dc:date>2012-05-25T14:35:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21124">
    <title>[Openswan Users]  Openswan 2.6.35 interop with fortigate 200B</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21124</link>
    <description>&lt;pre&gt;Solved!
We disabled the ipsec replay windows with "echo "0" &amp;gt; /sys/module/ipsec/parameters/ipsec_replaywin_override" and after that everything was fine. The debug of klipsdebug = rcv shows an issue with "double packets" and replay. So I decided to disable replay. I have no idea why this helps, but it helps :-)
Maybe someone knows that problem, I would like to know!
Cheers
Siegfried

-----Original Message-----
From: Goffe, Don [mailto:Donald.Goffe&amp;lt; at &amp;gt;GTECH.COM] 
Sent: Friday, 27 April 2012 17:39
To: Siegfried Müller - MB Connect Line GmbH; users&amp;lt; at &amp;gt;lists.openswan.org
Subject: RE: [Openswan Users] Openswan 2.6.35 interop with fortigate 200B

I did see something like this once. I had two PCs connected thru the same DSL modem. The first PC would connect and get an IP address, the second would then connect and get the same IP assigned to it, and of course the first PC would stop. From the Fortinet point of view it was receiving the same source IP and port number of the DSL modem, so it just assigned the same IP from its pool to the new MAC. The solution was to configure port forwarding on the modem and for each PC "create" a user session (in the firewall tab). That way the modem uses different ports. I don't know if this is relevant in your case, just strange because neither OS nor Fortinet complained. Each terminal would stop if the other was booted. Doing an ipaddr on both PCs showed they both had the same IP.

Good luck


-----Original Message-----
From: users-bounces&amp;lt; at &amp;gt;lists.openswan.org [mailto:users-bounces&amp;lt; at &amp;gt;lists.openswan.org] On Behalf Of Siegfried Müller - MB Connect Line GmbH
Sent: Friday, April 27, 2012 10:15 AM
To: users&amp;lt; at &amp;gt;lists.openswan.org
Subject: Re: [Openswan Users] Openswan 2.6.35 interop with fortigate 200B

I updated to 2.6.38 and tried it with NETKEY and klips. It is the same issue. Any hints from somebody?
BR
Siegfried

-----Original Message-----
From: users-bounces&amp;lt; at &amp;gt;lists.openswan.org [mailto:users-bounces&amp;lt; at &amp;gt;lists.openswan.org] On Behalf Of Goffe, Don
Sent: Wednesday, 25 April 2012 20:34
To: Patrick Lists; users&amp;lt; at &amp;gt;lists.openswan.org
Subject: Re: [Openswan Users] Openswan 2.6.35 interop with fortigate 200B

We use the 100D and the 600C with 2.6.38-NETKEY and no issues. We haven't tried the 200B product.
 

-----Original Message-----
From: users-bounces&amp;lt; at &amp;gt;lists.openswan.org [mailto:users-bounces&amp;lt; at &amp;gt;lists.openswan.org] On Behalf Of Patrick Lists
Sent: Wednesday, April 25, 2012 1:46 PM
To: users&amp;lt; at &amp;gt;lists.openswan.org
Subject: Re: [Openswan Users] Openswan 2.6.35 interop with fortigate 200B

On 04/25/2012 04:43 PM, Siegfried Müller - MB Connect Line GmbH wrote:

Unfortunately not. But the latest version is 2.6.38. Maybe you could upgrade to 2.6.38 and try again?

Regards,
Patrick

CONFIDENTIALITY NOTICE: The information contained in this email message is intended only for use of the intended recipient. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately delete it from your system and notify the sender by replying to this email.  Thank you.

&lt;/pre&gt;</description>
    <dc:creator>Siegfried Müller - MB Connect Line GmbH</dc:creator>
    <dc:date>2012-05-24T15:14:50</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21123">
    <title>[Openswan Users]  netkey openswan Hardware Acceleration</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21123</link>
    <description>&lt;pre&gt;Sorry, re-sent it.
  ----- Original Message ----- 
  From: Ozai 
  To: users&amp;lt; at &amp;gt;lists.openswan.org 
  Sent: Thursday, May 24, 2012 5:44 PM
  Subject: [Openswan Users] netkey openswan Hardware Acceleration


  Dear Sirs,

  About the openswan with netkey stack, I ever tried it before. But it's failed.
  PC1 can ping to PC2 but PC2 can not ping to PC1. I do not know what the 
  procedures I lost. Could someone help me on this question? Thanks.
  ====================================
  &amp;lt;My test environment&amp;gt;
  PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
  192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
  ================================
  &amp;lt;ipsec.conf &amp;gt;
  config setup
   interfaces=%defaultroute
   oe=off
   protostack=netkey

  conn %default
    connaddrfamily=ipv4
    keyexchange=ike
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
    auth=esp
    type=tunnel
    authby=secret
    auto=start

  conn sample
    left=172.17.21.80
    leftsubnet=192.168.1.0/24
    right=172.17.21.87
    rightsubnet=192.168.6.0/24
  ==============================
  &amp;lt;ipsec.secrets&amp;gt;
  172.17.21.80 172.17.21.87 : PSK "12345"
  ========================================
  &amp;lt;Kernel feature&amp;gt;
  CONFIG_XFRM=y
  CONFIG_XFRM_USER=m
  CONFIG_XFRM_MIGRATE=y
  CONFIG_NET_KEY=y
  CONFIG_NET_KEY_MIGRATE=y
  ========================================
  &amp;lt;log&amp;gt;
  Jan  1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
  Jan  1 00:02:31 daemon err ipsec_setup: Using NETKEY(XFRM) stack
  Jan  1 00:02:33 authpriv err ipsec__plutorun: Starting Pluto subsystem...
  Jan  1 00:02:33 daemon err ipsec_setup: ...Openswan IPsec started
  Jan  1 00:02:34 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
  Jan  1 00:02:34 user warn syslog: adjusting ipsec.d to /var/ipsec.d
  Jan  1 00:02:34 authpriv warn pluto[1568]: LEAK_DETECTIVE support [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: OCF support for IKE [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: NSS support [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled in
  Jan  1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal port-4500 floating to off
  Jan  1 00:02:34 authpriv warn pluto[1568]:    port floating activation criteria nat_t=0/port_float=1
  Jan  1 00:02:34 authpriv warn pluto[1568]:    NAT-Traversal support  [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom as source of random entropy
  Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
  Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
  Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
  Jan  1 00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic helpers
  Jan  1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as source of random entropy
  Jan  1 00:02:34 authpriv warn pluto[1568]: started helper pid=1583 (fd:6)
  Jan  1 00:02:34 authpriv warn pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: added connection description "sample"
  Jan  1 00:02:37 daemon err ipsec__plutorun: 002 added connection description "sample"
  Jan  1 00:02:37 authpriv warn pluto[1568]: listening for IKE messages
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1 172.17.21.80:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface br0/br0 192.168.1.254:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo 127.0.0.1:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo ::1:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: loading secrets from "/var/ipsec.secrets"
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
  Jan  1 00:02:38 daemon err ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  ========================================
  &amp;lt;test step&amp;gt;
  When wan interface up
  1.configuration ipsec.conf
  2.configuration ipsec.secrets
  3.ipsec setup start


  Best Regards,
  Ozai
&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T09:47:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21122">
    <title>[Openswan Users]  netkey openswan Hardware Acceleration</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21122</link>
    <description>&lt;pre&gt;Dear Sirs,

About the openswan with netkey stack, I ever tried it before. But it's failed.
PC1 can ping to PC2 but PC2 can not ping to PC1. I do not know what the 
procedures I lost. Could someone help me on this question? Thanks.
====================================
&amp;lt;My test environment&amp;gt;
PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
================================
&amp;lt;ipsec.conf &amp;gt;
config setup
 interfaces=%defaultroute
 oe=off
 protostack=netkey

conn %default
  connaddrfamily=ipv4
  keyexchange=ike
  ike=3des-md5;modp1024
  phase2alg=3des-md5;modp1024
  auth=esp
  type=tunnel
  authby=secret
  auto=start

conn sample
  left=172.17.21.80
  leftsubnet=192.168.1.0/24
  right=172.17.21.87
  rightsubnet=192.168.6.0/24
==============================
&amp;lt;ipsec.secrets&amp;gt;
172.17.21.80 172.17.21.87 : PSK "12345"
========================================
&amp;lt;Kernel feature&amp;gt;
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_MIGRATE=y
CONFIG_NET_KEY=y
CONFIG_NET_KEY_MIGRATE=y
========================================
&amp;lt;log&amp;gt;
Jan  1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
Jan  1 00:02:31 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Jan  1 00:02:33 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Jan  1 00:02:33 daemon err ipsec_setup: ...Openswan IPsec started
Jan  1 00:02:34 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
Jan  1 00:02:34 user warn syslog: adjusting ipsec.d to /var/ipsec.d
Jan  1 00:02:34 authpriv warn pluto[1568]: LEAK_DETECTIVE support [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: OCF support for IKE [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: NSS support [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled in
Jan  1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal port-4500 floating to off
Jan  1 00:02:34 authpriv warn pluto[1568]:    port floating activation criteria nat_t=0/port_float=1
Jan  1 00:02:34 authpriv warn pluto[1568]:    NAT-Traversal support  [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom as source of random entropy
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic helpers
Jan  1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as source of random entropy
Jan  1 00:02:34 authpriv warn pluto[1568]: started helper pid=1583 (fd:6)
Jan  1 00:02:34 authpriv warn pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: added connection description "sample"
Jan  1 00:02:37 daemon err ipsec__plutorun: 002 added connection description "sample"
Jan  1 00:02:37 authpriv warn pluto[1568]: listening for IKE messages
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1 172.17.21.80:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface br0/br0 192.168.1.254:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo 127.0.0.1:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo ::1:500
Jan  1 00:02:37 authpriv warn pluto[1568]: loading secrets from "/var/ipsec.secrets"
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
Jan  1 00:02:38 daemon err ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
========================================
&amp;lt;test step&amp;gt;
When wan interface up
1.configuration ipsec.conf
2.configuration ipsec.secrets
3.ipsec setup start


Best Regards,
Ozai
&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T09:44:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21121">
    <title>[Openswan Users]  netkey openswan Hardware Acceleration</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21121</link>
    <description>&lt;pre&gt; Dear Sirs,

 About the openswan with netkey stack, I ever tried it before. But it's failed.
 PC1 can ping to PC2 but PC2 can not ping to PC1. I do not know what the
 procedures I lost. Could someone help me on this question? Thanks.
====================================
&amp;lt;My test environment&amp;gt;
PC1----------------GW1(ipsec-tool)----------------GW2(openswan)-------------PC2
192.168.6.1        172.17.21.87                   172.17.21.80              192.168.1.100
================================
&amp;lt;ipsec.conf&amp;gt;
config setup
 interfaces=%defaultroute
 oe=off
 protostack=netkey
conn %default
 connaddrfamily=ipv4
 keyexchange=ike
 ike=3des-md5;modp1024
 phase2alg=3des-md5;modp1024
 auth=esp
 type=tunnel
 authby=secret
 auto=start
conn sample
 left=172.17.21.80
 leftsubnet=192.168.1.0/24
 right=172.17.21.87
 rightsubnet=192.168.6.0/24
==============================
&amp;lt;ipsec.secrets&amp;gt;
172.17.21.80 172.17.21.87 : PSK "12345"
========================================
&amp;lt;Kernel feature&amp;gt;
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_MIGRATE=y
CONFIG_NET_KEY=y
CONFIG_NET_KEY_MIGRATE=y
========================================
&amp;lt;log&amp;gt;
Jan  1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
Jan  1 00:02:31 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Jan  1 00:02:33 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Jan  1 00:02:33 daemon err ipsec_setup: ...Openswan IPsec started
Jan  1 00:02:34 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
Jan  1 00:02:34 user warn syslog: adjusting ipsec.d to /var/ipsec.d
Jan  1 00:02:34 authpriv warn pluto[1568]: LEAK_DETECTIVE support [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: OCF support for IKE [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: NSS support [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled in
Jan  1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal port-4500 floating to off
Jan  1 00:02:34 authpriv warn pluto[1568]:    port floating activation criteria nat_t=0/port_float=1
Jan  1 00:02:34 authpriv warn pluto[1568]:    NAT-Traversal support [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom as source of random entropy
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic helpers
Jan  1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as source of random entropy
Jan  1 00:02:34 authpriv warn pluto[1568]: started helper pid=1583 (fd:6)
Jan  1 00:02:34 authpriv warn pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: added connection description "sample"
Jan  1 00:02:37 daemon err ipsec__plutorun: 002 added connection description "sample"
Jan  1 00:02:37 authpriv warn pluto[1568]: listening for IKE messages
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1 172.17.21.80:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface br0/br0 192.168.1.254:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo 127.0.0.1:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo ::1:500
Jan  1 00:02:37 authpriv warn pluto[1568]: loading secrets from "/var/ipsec.secrets"
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
Jan  1 00:02:38 daemon err ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
==========================================
&amp;lt;test step&amp;gt;
When wan interface up
1. configuration ipsec.conf
2. configuration ipsec.secrets
3. ipsec setup start

Best Regards,
Ozai
_______________________________________________
Users&amp;lt; at &amp;gt;lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T08:06:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21120">
    <title>[Openswan Users] tunnels timing out since upgrading to 3.2.0</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21120</link>
    <description>&lt;pre&gt;I did an upgrade of my Ubuntu system which included an upgrade of the
kernel to 3.2.0.  Since then, my l2tp tunnels seem to be timing out and
being destroyed, at which point I have to manually restart it.

On the 3.2.0 end, the following is logged when this happens:

May 23 08:07:03 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #80: IPsec SA expired (LATEST!)
May 23 08:07:07 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:39 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:41 brian-laptop dbus[1536]: [system] Rejected send message, 2 matched rules; type="error", sender=":1.479" (uid=0 pid=14325 comm="/usr/lib/NetworkManager/nm-l2tp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.480" (uid=0 pid=14382 comm="/usr/sbin/pppd passive nodetach : name brian file ")
May 23 08:07:44 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325": deleting connection
May 23 08:07:44 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #78: deleting state (STATE_QUICK_I2)
May 23 08:07:44 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #79: deleting state (STATE_MAIN_I1)

and on the other end, which is a Ubuntu machine also with kernel
2.6.32-37-server

May 23 05:07:03 brent pluto[15294]: "L2TP-PSK-NAT"[25] 21.5.3.5 #250: IPsec SA expired (--dontrekey)
May 23 05:07:03 brent pluto[15294]: "L2TP-PSK-NAT"[25] 21.5.3.5 #250: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 23 05:07:03 brent pluto[15294]: "L2TP-PSK-NAT"[25] 21.5.3.5: deleting connection "L2TP-PSK-NAT" instance with peer 21.5.3.5 {isakmp=#0/ipsec=#0}
May 23 05:07:12 brent pluto[15294]: initiate on demand from 2.1.21.22:1701 to 21.5.3.5:55728 proto=17 state: fos_start because: acquire
May 23 05:07:45 brent pluto[15294]: initiate on demand from 2.1.21.22:1701 to 21.5.3.5:55728 proto=17 state: fos_start because: acquire

Any idea what the problem is here?  Clearly the IPsec tunnel is
not being renewed, but why?

Cheers,
b.

&lt;/pre&gt;</description>
    <dc:creator>Brian J. Murrell</dc:creator>
    <dc:date>2012-05-23T12:35:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21119">
    <title>Re: [Openswan Users] openswan Hardware Acceleration</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21119</link>
    <description>&lt;pre&gt;
Jivin Ozai lays it down ...

You have 2 options for HW accelerating Openswan.

If there are native linux drivers for your HW crypto accelerator,  then just
use the netkey stack in linux with openswan.

Otherwise you can use ocf-linux + klips to get HW acceleration.

Cheers,
Davidm

&lt;/pre&gt;</description>
    <dc:creator>David McCullough</dc:creator>
    <dc:date>2012-05-22T22:27:22</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21118">
    <title>[Openswan Users] openswan Hardware Acceleration</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21118</link>
    <description>&lt;pre&gt;Dear Sirs,

I merged the openswan 2.6.38 into embedded linux (2.6.30 mips). protostack is klips. Does openswan support the hardware acceleration? If yes, how could I enable it? Thanks.

Best Regards,
Ozai
&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-22T09:41:58</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21117">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21117</link>
    <description>&lt;pre&gt;
That's very cool. Thank you Paul!

Regards,
Patrick




&lt;/pre&gt;</description>
    <dc:creator>Patrick Lists</dc:creator>
    <dc:date>2012-05-21T09:02:16</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21116">
    <title>[Openswan Users] Tunnels up,packets from routed machines not going through tunnel</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21116</link>
    <description>&lt;pre&gt;Hi,

we have openswan running on our network's gateway and correctly negotiating
the tunnels. Here's how we are configuring it:
conn csq
        type=tunnel
        left=90.45.241.242 # left is our side
        leftsubnets={90.45.241.242/32,90.45.110.60/32}
        right=33.99.102.36
        rightsubnet=192.168.1.6/32
        authby=secret
        keyexchange=ike
        ikelifetime=24h
        ike=3des-md5;modp1024
        phase2=esp
        phase2alg=3des-md5;modp1024
        salifetime=24h
        auto=add

The gateway has two interfaces (90.45.110.1 and 90.45.241.242) configured to
do IP forwarding and there are no related iptables rules. All IPs on the
network are publicly accessible.

Our problem is that, while we can ping the machine on the other side from
our gateway just fine, the other machine in our subnet (90.45.110.60) is
apparently not being routed through one of the established tunnels but is
instead provoking the negotiation of a new tunnel in its name. This fails
because on the other side, only the gateway is authorized to be an IKE
peer. What could be wrong in our configuration?

I'm attaching some outputs that might be useful:

This is the output from tcpdump on the gateway's external interface when we
start a ping from our other machine:

09:41:07.444918 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP
(17), length 292)
    90.45.110.60.isakmp &amp;gt; 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0
msgid 00000000 cookie 9ac0140efc0921e3-&amp;gt;0000000000000000: phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash
value=sha1)(type=group desc value=modp1024))))
    (ke: key len=128)
    (nonce: n len=16
 data=(aff2b8326d0e86135e40...00000014afcad71368a1f1c96b8696fc77570100))
    (id: idtype=IPv4 protoid=udp port=500 len=4 90.45.110.60)
    (vid: len=16)
09:41:07.511314 IP (tos 0x0, ttl 239, id 19841, offset 0, flags [none],
proto UDP (17), length 376)
    33.99.102.36.isakmp &amp;gt; 90.45.110.60.isakmp: [udp sum ok] isakmp 1.0
msgid 00000000 cookie 9ac0140efc0921e3-&amp;gt;3c7cc2a83564f6d4: phase 1 R agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
    (ke: key len=128)
    (nonce: n len=20
 data=(860c9a70bf2268a936be...000000141f07f70eaa6514d3b0fa96542a500100))
    (id: idtype=IPv4 protoid=udp port=0 len=4 33.99.102.36)
    (hash: len=20)
    (vid: len=16)
    (vid: len=8)
    (vid: len=20)
    (vid: len=16)
09:41:07.518286 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP
(17), length 96)
    90.45.110.60.isakmp &amp;gt; 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0
msgid bf1cb318 cookie 9ac0140efc0921e3-&amp;gt;3c7cc2a83564f6d4: phase 2/others I
inf[E]: [encrypted hash]

The next packet is again like the first one.

# ip xfrm policy
src 90.45.241.242/32 dst 192.168.1.6/32
        dir out priority 2080 ptype main
        tmpl src 90.45.241.242 dst 33.99.102.36
                proto esp reqid 16385 mode tunnel
src 90.45.110.60/32 dst 192.168.1.6/32
        dir out priority 2080 ptype main
        tmpl src 90.45.241.242 dst 33.99.102.36
                proto esp reqid 16389 mode tunnel
src 192.168.1.6/32 dst 90.45.241.242/32
        dir fwd priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16385 mode tunnel
src 192.168.1.6/32 dst 90.45.241.242/32
        dir in priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16385 mode tunnel
src 192.168.1.6/32 dst 90.45.110.60/32
        dir fwd priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16389 mode tunnel
src 192.168.1.6/32 dst 90.45.110.60/32
        dir in priority 2080 ptype main
        tmpl src 33.99.102.36 dst 90.45.241.242
                proto esp reqid 16389 mode tunnel
&lt;/pre&gt;</description>
    <dc:creator>Paul Goldbaum</dc:creator>
    <dc:date>2012-05-21T08:09:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21115">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21115</link>
    <description>&lt;pre&gt;On Sat, 19 May 2012 22:55:25 +0300
Tuomo Soini &amp;lt;tis&amp;lt; at &amp;gt;foobar.fi&amp;gt; wrote:


Paul was able to generate a patch to work-around the problem at
openswan end.

http://people.redhat.com/pwouters/openswan-android-ics-natoa.patch

&lt;/pre&gt;</description>
    <dc:creator>Tuomo Soini</dc:creator>
    <dc:date>2012-05-21T04:57:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21114">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21114</link>
    <description>&lt;pre&gt;[snip]

At least Google is aware of the issue:
http://code.google.com/p/android/issues/detail?id=23124

Regards,
Patrick

&lt;/pre&gt;</description>
    <dc:creator>Patrick Lists</dc:creator>
    <dc:date>2012-05-20T12:05:57</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21113">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21113</link>
    <description>&lt;pre&gt;Ouch! I do hope someone has reported it to the ipsec-tools maintainer -
John


&lt;/pre&gt;</description>
    <dc:creator>John A. Sullivan III</dc:creator>
    <dc:date>2012-05-19T20:32:18</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21112">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21112</link>
    <description>&lt;pre&gt;
Thanks for that info Tuomo. Hopefully Google will soon provide an update 
that fixes this issue. I tried to connect my Nexus S with ICS 4.0.4 to a 
CentOS 6.2 x86_64 box with Openswan 2.6.38 and only got the previously 
reported error.

Regards,
Patrick



&lt;/pre&gt;</description>
    <dc:creator>Patrick Lists</dc:creator>
    <dc:date>2012-05-19T20:28:30</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21111">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21111</link>
    <description>&lt;pre&gt;On Fri, 18 May 2012 14:35:59 +0100
Robert Laverick &amp;lt;robert+vpn&amp;lt; at &amp;gt;scabserver.com&amp;gt; wrote:



The problem can't be fixed in openswan - ipsec-tools do have a bug
where it behaves against spec.

&lt;/pre&gt;</description>
    <dc:creator>Tuomo Soini</dc:creator>
    <dc:date>2012-05-19T19:55:25</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21110">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21110</link>
    <description>&lt;pre&gt;
I have tried Paul's test server from Android 4.0.4 and see the same failure
to connect behaviour as on my local Fedora based VPN running the older
2.6.37 F16 RPM, tho obviously I can't see what his logs say it "feels" the
same in terms of time to failure on my android device.

Rob
&lt;/pre&gt;</description>
    <dc:creator>Robert Laverick</dc:creator>
    <dc:date>2012-05-18T13:35:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21108">
    <title>Re: [Openswan Users] Trying to get openswan working with android</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21108</link>
    <description>&lt;pre&gt;

Actually the problem from the originally linked bug report appears to have only 
been introduced with Android 4.0.x and above when they moved to ipsec-tools 
0.8.0 so a test from 2.3.6 doesn't actually test if this is resolved

http://code.google.com/p/android/issues/detail?id=23124

I've attempted to connect to the test VPN you mentioned from my Android 4.0.4 
device and I get timeout failures which mirror the ones I get using 
openswan-2.6.37-1.fc16.x86_64 on my own server.

I'm more than happy to help test this, but I'm a beginner at this VPN stuff, all 
I know is that I've got it configured so that my Windows 7 laptop can connect to 
the VPN just fine.

Here's an example of what I see in the logs from when I was trying to get this 
working last night on my own fedora 16 box from Android 4.0.4 on my Nexus S:

May 17 00:13:27 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: responding to Main Mode from unknown peer 149.254.180.87
May 17 00:13:27 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 17 00:13:27 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: STATE_MAIN_R1: sent MR1, expecting MI2
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: STATE_MAIN_R2: sent MR2, expecting MI3
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: Main mode peer ID is ID_IPV4_ADDR: '10.151.149.108'
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[7] 149.254.180.87 #6: switched from "home-ipsec" to "home-ipsec"
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: deleting connection "home-ipsec" instance with peer 149.254.180.87 {isakmp=#0/ipsec=#0}
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: new NAT mapping for #6, was 149.254.180.87:33678, now 149.254.180.87:33614
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: received and ignored informational message
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: malformed payload in packet
May 17 00:13:28 gozer pluto[5124]: | payload malformed after IV
May 17 00:13:28 gozer pluto[5124]: |   c9 16 b7 aa  79 9c e4 84  45 8a bf 9d  7e 84 67 e2
May 17 00:13:28 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: sending notification PAYLOAD_MALFORMED to 149.254.180.87:33614
May 17 00:13:31 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: byte 7 of ISAKMP NAT-OA Payload must be zero, but is not
May 17 00:13:31 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: malformed payload in packet
May 17 00:13:31 gozer pluto[5124]: | payload malformed after IV
May 17 00:13:31 gozer pluto[5124]: |   c9 16 b7 aa  79 9c e4 84  45 8a bf 9d  7e 84 67 e2
May 17 00:13:31 gozer pluto[5124]: "home-ipsec"[8] 149.254.180.87 #6: sending notification PAYLOAD_MALFORMED to 149.254.180.87:33614



&lt;/pre&gt;</description>
    <dc:creator>Robert Laverick</dc:creator>
    <dc:date>2012-05-18T11:44:19</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21107">
    <title>[Openswan Users] No routing done</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21107</link>
    <description>&lt;pre&gt;Hello friends

I'm configuring a site-to-site VPN for a client but have problems with 
the routes, my tunnel is up and everything seems to be ok, but I have no 
communication between my two networks.

If the openswan service is down and I try to do a "traceroute" against 
the subnet I'm trying to connect the package is sent through the default 
route and jump until didn't find the route, this is obviously a normal 
behaviour:

$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  172.31.250.46 (172.31.250.46)  14.903 ms  14.916 ms  16.554 ms
  3  190.157.7.149 (190.157.7.149)  17.566 ms  17.568 ms  17.570 ms
  4  10.14.14.126 (10.14.14.126)  79.087 ms  79.102 ms  79.106 ms
  5  64.86.28.41 (64.86.28.41)  73.006 ms !H * *

But if the service is up and the tunnel established, the package doesn't 
route:
$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  * * *
  3  * * *
  4  * * *
  5  * * *

The routing table BEFORE the tunnel is:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         190.147.229.1   0.0.0.0         UG    100    0        0 eth0
190.147.229.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2

And AFTER the tunnel is:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         190.147.229.1   0.0.0.0         UG    100    0        0 eth0
190.147.229.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0


This is my configuration file ipsec.conf:
config setup
     # Do not set debug options to debug configuration issues!
     # plutodebug / klipsdebug = "all", "none" or a combation from below:
     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
     # eg:
     plutodebug=none
     klipsdebug=none

     #
     # enable to get logs per-peer
     plutoopts="--perpeerlog"
     #
     # Again: only enable plutodebug or klipsdebug when asked by a developer
     #
     # NAT-TRAVERSAL support, see README.NAT-Traversal
     nat_traversal=yes
     # exclude networks used on server side by adding %v4:!a.b.c.0/24
     #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     #interfaces="ipsec0=eth0"

     # OE is now off by default. Uncomment and change to on, to enable.
     #oe = off
     # which IPsec stack to use. netkey,klips,mast,auto or none
     protostack=klips
     #nhelpers = 0
     plutostderrlog=/var/log/vpn

# Add connections here
conn net-super
     type=tunnel
     authby=secret                # Key exchange method
     left=190.147.229.25          # Public Internet IP address of the
     leftsubnet=192.168.0.0/24     # Subnet protected by the LEFT VPN device
     leftnexthop=190.147.229.1     # correct in many situations
     right=190.26.216.138         # Public Internet IP address of
     rightsubnet=192.168.202.0/24      # Subnet protected by the RIGHT VPN device
     rightnexthop=%defaultroute
     auto=start                   # authorizes and starts this connection
     aggrmode=no
     keyexchange=ike
     ike=3des-sha1-modp1024
     phase2=esp
     phase2alg=3des-sha1
     pfs=no

Even the firewall is with all default policies opened (ACCEPT) I set a 
few rules to allow the traffic:
Table Nat:
-A POSTROUTING -m policy -d 192.168.202.0/24 -o eth0 -j ACCEPT  --dir out --pol ipsec
Table Filter:
-A INPUT -m policy -j ACCEPT  --dir in --pol ipsec
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 500,4500
-A FORWARD -m policy -j ACCEPT  --dir in --pol ipsec

The last log (and output of ipsec auto --status) entries are:
000 #2: "net-super":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27194s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net-super" esp.db0b6ee1@190.26.216.138 esp.7f45d825@190.147.229.25 tun.1001@190.26.216.138 tun.1002@190.147.229.25 ref=3 refhim=1
000 #1: "net-super":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1828s; newest ISAKMP; lastdpd=4s(seq in:0 out:0); idle; import:admin initiate

And the ipsec route shows:
$ipsec eroute
0          192.168.0.0/24     -&amp;gt; 192.168.202.0/24   =&amp;gt; tun0x1001@190.26.216.138


In theory all is right but the server and the subnet 192.168.0.0/24 
can't contact the subnet 192.168.202.0/24.


Please any help is welcomed, I googled and made many different 
variations of the config but without result.

&lt;/pre&gt;</description>
    <dc:creator>Wilfredo I. Pachón López</dc:creator>
    <dc:date>2012-05-16T15:21:47</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21106">
    <title>Re: [Openswan Users] Ipsec Linux-L2TP Windows</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21106</link>
    <description>&lt;pre&gt;
Hm... but, maybe I wasn't right...


&lt;/pre&gt;</description>
    <dc:creator>SVM</dc:creator>
    <dc:date>2012-05-13T21:29:01</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.network.openswan.user/21105">
    <title>Re: [Openswan Users] Ipsec Linux-L2TP Windows</title>
    <link>http://permalink.gmane.org/gmane.network.openswan.user/21105</link>
    <description>&lt;pre&gt;

There is no problem with IPSec/Openswan at all.

You have ip range, left and right in the same subnet 192.168.0.0/24
Change your ip range to the other subnet, 192.168.1.0/24, for example.


&lt;/pre&gt;</description>
    <dc:creator>SVM</dc:creator>
    <dc:date>2012-05-13T21:07:55</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.network.openswan.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.openswan.user</link>
  </textinput>
</rdf:RDF>

