<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.network.openswan.user">
    <title>gmane.network.openswan.user</title>
    <link>http://blog.gmane.org/gmane.network.openswan.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21125"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21123"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21122"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21121"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21120"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21118"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21116"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21107"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21104"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21103"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21101"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21098"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21094"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21092"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21091"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21090"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21085"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21081"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21080"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21078"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21125">
    <title>[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21125</link>
    <description>&lt;pre&gt;Hi all

Firstly I would like to introduce myself: I'm an IT professional based in the UK. We have been using OpenSwan for a little while and my questions are around inter-op.

We are moving towards using Openswan exclusively to connect third parties and connecting to third party devices.


Recently, I set up a central host hosted with my provider using OpenSwan 2.6 with netkey. I also connected to it via our office Draytek 2820n, which was simple and easy enough. The routing was straightforward and we can do simple things like monitoring and SNMP via the tunnel between the 'hub' and office router.

A while later, I set up a 2nd node at another site; this was another Linux host using 2.6.32.6 [stock CentOS 5.8], also with netkey.

I wanted to route between this new node and our office via the hub, so I set up the appropriate routes to send traffic to our office node (which is terminated on the 2820n).

However, I discovered that the 2820n does not let me route traffic from the office LAN to the new 2nd host via the hub. I raised a call with UK Draytek support, who told me this:

"These routers don't support IPSec SA (security association) for multiple IP subnets
over one VPN connection, which means data is dropped/blocked when it
comes from a non-associated IP subnet/range (TCP/IP Network Settings)"

You can imagine that I was pretty surprised to hear that. Is this the case with OpenSwan, or is this Draytek router a piece of crud? I've not had time to try out a new hardware OpenSwan box at our office to initiate the tunnels.

Most of my experience with IPsec has been with Cisco PIX/ASA, and Openswan a while back, so my understanding is that this *should* work.

Can anyone offer any comment or feedback about this? I'm quite disappointed that Draytek (support) seem very unhelpful and have made a pretty good device that lacks this standard functionality; however, it doesn't surprise me.

My 2nd question is this.

I have noticed that between my two Linux hosts (and similarly between my hub OpenSwan device and our office Draytek), when the tunnel and routes appear to be up, sometimes no traffic passes over the tunnel. I have to manually restart each tunnel instance on the left hand side, and I have configured the ipsec config for each site, left and right hand side respectively, to be 'auto=start'. However, in my experience with Cisco IPsec both endpoints are always up; if the tunnel drops for some reason, it automatically restarts when routing traffic is required or triggered via connectivity requests.

Is this normal behaviour, or do I need to include some other directive in my config to facilitate this?

Thanks in advance for any reply/feedback.

Regards

Dan.

_______________________________________________
Users&amp;lt; at &amp;gt;lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

&lt;/pre&gt;</description>
    <dc:creator>Daniel Cave</dc:creator>
    <dc:date>2012-05-25T14:35:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21123">
    <title>[Openswan Users] netkey openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21123</link>
    <description>&lt;pre&gt;Sorry, re-sent it.
  ----- Original Message ----- 
  From: Ozai 
  To: users&amp;lt; at &amp;gt;lists.openswan.org 
  Sent: Thursday, May 24, 2012 5:44 PM
  Subject: [Openswan Users] netkey openswan Hardware Acceleration


  Dear Sirs,

  About openswan with the netkey stack: I tried it before, but it failed.
  PC1 can ping PC2 but PC2 cannot ping PC1. I do not know which
  procedures I have missed. Could someone help me on this question? Thanks.
  ====================================
  &amp;lt;My test environment&amp;gt;
  PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
  192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
  ================================
  &amp;lt;ipsec.conf &amp;gt;
  config setup
   interfaces=%defaultroute
   oe=off
   protostack=netkey

  conn %default
    connaddrfamily=ipv4
    keyexchange=ike
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
    auth=esp
    type=tunnel
    authby=secret
    auto=start

  conn sample
    left=172.17.21.80
    leftsubnet=192.168.1.0/24
    right=172.17.21.87
    rightsubnet=192.168.6.0/24
  ==============================
  &amp;lt;ipsec.secrets&amp;gt;
  172.17.21.80 172.17.21.87 : PSK "12345"
  ========================================
  &amp;lt;Kernel feature&amp;gt;
  CONFIG_XFRM=y
  CONFIG_XFRM_USER=m
  CONFIG_XFRM_MIGRATE=y
  CONFIG_NET_KEY=y
  CONFIG_NET_KEY_MIGRATE=y
  ========================================
  &amp;lt;log&amp;gt;
  Jan  1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
  Jan  1 00:02:31 daemon err ipsec_setup: Using NETKEY(XFRM) stack
  Jan  1 00:02:33 authpriv err ipsec__plutorun: Starting Pluto subsystem...
  Jan  1 00:02:33 daemon err ipsec_setup: ...Openswan IPsec started
  Jan  1 00:02:34 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
  Jan  1 00:02:34 user warn syslog: adjusting ipsec.d to /var/ipsec.d
  Jan  1 00:02:34 authpriv warn pluto[1568]: LEAK_DETECTIVE support [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: OCF support for IKE [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: NSS support [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled in
  Jan  1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal port-4500 floating to off
  Jan  1 00:02:34 authpriv warn pluto[1568]:    port floating activation criteria nat_t=0/port_float=1
  Jan  1 00:02:34 authpriv warn pluto[1568]:    NAT-Traversal support  [disabled]
  Jan  1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom as source of random entropy
  Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
  Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
  Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
  Jan  1 00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic helpers
  Jan  1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as source of random entropy
  Jan  1 00:02:34 authpriv warn pluto[1568]: started helper pid=1583 (fd:6)
  Jan  1 00:02:34 authpriv warn pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
  Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
  Jan  1 00:02:37 authpriv warn pluto[1568]: added connection description "sample"
  Jan  1 00:02:37 daemon err ipsec__plutorun: 002 added connection description "sample"
  Jan  1 00:02:37 authpriv warn pluto[1568]: listening for IKE messages
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1 172.17.21.80:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface br0/br0 192.168.1.254:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo 127.0.0.1:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo ::1:500
  Jan  1 00:02:37 authpriv warn pluto[1568]: loading secrets from "/var/ipsec.secrets"
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
  Jan  1 00:02:38 daemon err ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
  Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
  Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
  ========================================
  &amp;lt;test step&amp;gt;
  When the WAN interface is up:
  1. configure ipsec.conf
  2. configure ipsec.secrets
  3. ipsec setup start


  Best Regards,
  Ozai
&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T09:47:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21122">
    <title>[Openswan Users] netkey openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21122</link>
    <description>&lt;pre&gt;Dear Sirs,

About openswan with the netkey stack: I tried it before, but it failed.
PC1 can ping PC2 but PC2 cannot ping PC1. I do not know which
procedures I have missed. Could someone help me on this question? Thanks.
====================================
&amp;lt;My test environment&amp;gt;
PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
================================
&amp;lt;ipsec.conf &amp;gt;
config setup
 interfaces=%defaultroute
 oe=off
 protostack=netkey

conn %default
  connaddrfamily=ipv4
  keyexchange=ike
  ike=3des-md5;modp1024
  phase2alg=3des-md5;modp1024
  auth=esp
  type=tunnel
  authby=secret
  auto=start

conn sample
  left=172.17.21.80
  leftsubnet=192.168.1.0/24
  right=172.17.21.87
  rightsubnet=192.168.6.0/24
==============================
&amp;lt;ipsec.secrets&amp;gt;
172.17.21.80 172.17.21.87 : PSK "12345"
========================================
&amp;lt;Kernel feature&amp;gt;
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_MIGRATE=y
CONFIG_NET_KEY=y
CONFIG_NET_KEY_MIGRATE=y
========================================
&amp;lt;log&amp;gt;
Jan  1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
Jan  1 00:02:31 daemon err ipsec_setup: Using NETKEY(XFRM) stack
Jan  1 00:02:33 authpriv err ipsec__plutorun: Starting Pluto subsystem...
Jan  1 00:02:33 daemon err ipsec_setup: ...Openswan IPsec started
Jan  1 00:02:34 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
Jan  1 00:02:34 user warn syslog: adjusting ipsec.d to /var/ipsec.d
Jan  1 00:02:34 authpriv warn pluto[1568]: LEAK_DETECTIVE support [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: OCF support for IKE [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: NSS support [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled in
Jan  1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal port-4500 floating to off
Jan  1 00:02:34 authpriv warn pluto[1568]:    port floating activation criteria nat_t=0/port_float=1
Jan  1 00:02:34 authpriv warn pluto[1568]:    NAT-Traversal support  [disabled]
Jan  1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom as source of random entropy
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan  1 00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic helpers
Jan  1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as source of random entropy
Jan  1 00:02:34 authpriv warn pluto[1568]: started helper pid=1583 (fd:6)
Jan  1 00:02:34 authpriv warn pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
Jan  1 00:02:37 authpriv warn pluto[1568]: added connection description "sample"
Jan  1 00:02:37 daemon err ipsec__plutorun: 002 added connection description "sample"
Jan  1 00:02:37 authpriv warn pluto[1568]: listening for IKE messages
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1 172.17.21.80:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface br0/br0 192.168.1.254:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo 127.0.0.1:500
Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo ::1:500
Jan  1 00:02:37 authpriv warn pluto[1568]: loading secrets from "/var/ipsec.secrets"
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
Jan  1 00:02:38 daemon err ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
========================================
&amp;lt;test step&amp;gt;
When the WAN interface is up:
1. configure ipsec.conf
2. configure ipsec.secrets
3. ipsec setup start


Best Regards,
Ozai
&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T09:44:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21121">
    <title>[Openswan Users] netkey openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21121</link>
    <description>&lt;pre&gt; Dear Sirs,

 About openswan with the netkey stack: I tried it before, but it
failed.
 PC1 can ping PC2 but PC2 cannot ping PC1. I do not know which
 procedures I have missed. Could someone help me on this question? Thanks.
 ====================================
 &amp;lt;My test environment&amp;gt;
 PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
 192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
 ================================
 &amp;lt;ipsec.conf &amp;gt;
 config setup
  interfaces=%defaultroute
  oe=off
  protostack=netkey

 conn %default
   connaddrfamily=ipv4
   keyexchange=ike
   ike=3des-md5;modp1024
   phase2alg=3des-md5;modp1024
   auth=esp
   type=tunnel
   authby=secret
   auto=start

 conn sample
   left=172.17.21.80
   leftsubnet=192.168.1.0/24
   right=172.17.21.87
   rightsubnet=192.168.6.0/24
 ==============================
 &amp;lt;ipsec.secrets&amp;gt;
 172.17.21.80 172.17.21.87 : PSK "12345"
 ========================================
 &amp;lt;Kernel feature&amp;gt;
 CONFIG_XFRM=y
 CONFIG_XFRM_USER=m
 CONFIG_XFRM_MIGRATE=y
 CONFIG_NET_KEY=y
 CONFIG_NET_KEY_MIGRATE=y
 ========================================
 &amp;lt;log&amp;gt;
 Jan  1 00:02:30 daemon err ipsec_setup: Starting Openswan IPsec U2.6.38/K2.6.30...
 Jan  1 00:02:31 daemon err ipsec_setup: Using NETKEY(XFRM) stack
 Jan  1 00:02:33 authpriv err ipsec__plutorun: Starting Pluto subsystem...
 Jan  1 00:02:33 daemon err ipsec_setup: ...Openswan IPsec started
 Jan  1 00:02:34 daemon err ipsec__plutorun: adjusting ipsec.d to /var/ipsec.d
 Jan  1 00:02:34 user warn syslog: adjusting ipsec.d to /var/ipsec.d
 Jan  1 00:02:34 authpriv warn pluto[1568]: LEAK_DETECTIVE support [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: OCF support for IKE [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: NSS support [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: HAVE_STATSD notification support not compiled in
 Jan  1 00:02:34 authpriv warn pluto[1568]: Setting NAT-Traversal port-4500 floating to off
 Jan  1 00:02:34 authpriv warn pluto[1568]:    port floating activation criteria nat_t=0/port_float=1
 Jan  1 00:02:34 authpriv warn pluto[1568]:    NAT-Traversal support  [disabled]
 Jan  1 00:02:34 authpriv warn pluto[1568]: using /dev/urandom as source of random entropy
 Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
 Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
 Jan  1 00:02:34 authpriv warn pluto[1568]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
 Jan  1 00:02:34 authpriv warn pluto[1568]: starting up 1 cryptographic helpers
 Jan  1 00:02:34 authpriv warn pluto[1583]: using /dev/urandom as source of random entropy
 Jan  1 00:02:34 authpriv warn pluto[1568]: started helper pid=1583 (fd:6)
 Jan  1 00:02:34 authpriv warn pluto[1568]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
 Jan  1 00:02:36 authpriv warn pluto[1568]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/cacerts': No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/aacerts': No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/ocspcerts': No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: Could not change to directory '/var/ipsec.d/crls': 2 No such file or directory
 Jan  1 00:02:37 authpriv warn pluto[1568]: added connection description "sample"
 Jan  1 00:02:37 daemon err ipsec__plutorun: 002 added connection description "sample"
 Jan  1 00:02:37 authpriv warn pluto[1568]: listening for IKE messages
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface eth0.1/eth0.1 172.17.21.80:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface br0/br0 192.168.1.254:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo 127.0.0.1:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: adding interface lo/lo ::1:500
 Jan  1 00:02:37 authpriv warn pluto[1568]: loading secrets from "/var/ipsec.secrets"
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: initiating Main Mode
 Jan  1 00:02:38 daemon err ipsec__plutorun: 104 "sample" #1: STATE_MAIN_I1: initiate
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: received Vendor ID payload [Dead Peer Detection]
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
 Jan  1 00:02:38 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: Main mode peer ID is ID_IPV4_ADDR: '172.17.21.87'
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
 Jan  1 00:02:39 authpriv warn pluto[1568]: "sample" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:eef2291d proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
 ========================================
 &amp;lt;test step&amp;gt;
 When the WAN interface is up:
 1. configure ipsec.conf
 2. configure ipsec.secrets
 3. ipsec setup start

 Best Regards,
 Ozai

&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T08:06:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21120">
    <title>[Openswan Users] tunnels timing out since upgrading to 3.2.0</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21120</link>
    <description>&lt;pre&gt;I did an upgrade of my Ubuntu system which included an upgrade of the
kernel to 3.2.0.  Since then, my l2tp tunnels seem to be timing out and
being destroyed, at which point I have to manually restart them.

On the 3.2.0 end, the following is logged when this happens:

May 23 08:07:03 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #80: IPsec SA expired (LATEST!)
May 23 08:07:07 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:39 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:41 brian-laptop dbus[1536]: [system] Rejected send message, 2 matched rules; type="error", sender=":1.479" (uid=0 pid=14325 comm="/usr/lib/NetworkManager/nm-l2tp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.480" (uid=0 pid=14382 comm="/usr/sbin/pppd passive nodetach : name brian file ")
May 23 08:07:44 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325": deleting connection
May 23 08:07:44 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #78: deleting state (STATE_QUICK_I2)
May 23 08:07:44 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #79: deleting state (STATE_MAIN_I1)

and on the other end, which is an Ubuntu machine, also with kernel
2.6.32-37-server:

May 23 05:07:03 brent pluto[15294]: "L2TP-PSK-NAT"[25] 21.5.3.5 #250: IPsec SA expired (--dontrekey)
May 23 05:07:03 brent pluto[15294]: "L2TP-PSK-NAT"[25] 21.5.3.5 #250: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory
May 23 05:07:03 brent pluto[15294]: "L2TP-PSK-NAT"[25] 21.5.3.5: deleting connection "L2TP-PSK-NAT" instance with peer 21.5.3.5 {isakmp=#0/ipsec=#0}
May 23 05:07:12 brent pluto[15294]: initiate on demand from 2.1.21.22:1701 to 21.5.3.5:55728 proto=17 state: fos_start because: acquire
May 23 05:07:45 brent pluto[15294]: initiate on demand from 2.1.21.22:1701 to 21.5.3.5:55728 proto=17 state: fos_start because: acquire

Any idea what the problem is here?  Clearly the IPsec tunnel is
not being renewed, but why?

Cheers,
b.

_______________________________________________
Users&amp;lt; at &amp;gt;lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
&lt;/pre&gt;</description>
    <dc:creator>Brian J. Murrell</dc:creator>
    <dc:date>2012-05-23T12:35:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21118">
    <title>[Openswan Users] openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21118</link>
    <description>&lt;pre&gt;Dear Sirs,

I merged openswan 2.6.38 into embedded Linux (2.6.30 MIPS). The protostack is klips. Does openswan support hardware acceleration? If yes, how could I enable it? Thanks.

Best Regards,
Ozai
&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-22T09:41:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21116">
    <title>[Openswan Users] Tunnels up,packets from routed machines not going through tunnel</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21116</link>
    <description>&lt;pre&gt;Hi,

We have openswan running on our network's gateway and it is correctly negotiating
the tunnels. Here's how we are configuring it:
conn csq
        type=tunnel
        left=90.45.241.242 # left is our side
        leftsubnets={90.45.241.242/32,90.45.110.60/32}
        right=33.99.102.36
        rightsubnet=192.168.1.6/32
        authby=secret
        keyexchange=ike
        ikelifetime=24h
        ike=3des-md5;modp1024
        phase2=esp
        phase2alg=3des-md5;modp1024
        salifetime=24h
        auto=add

The gateway has two interfaces (90.45.110.1 and 90.45.241.242) configured to
do IP forwarding and there are no related iptables rules. All IPs on the
network are publicly accessible.

Our problem is that, while we can ping the machine on the other side from
our gateway just fine, the other machine in our subnet (90.45.110.60) is
apparently not being routed through one of the established tunnels but is
instead provoking the negotiation of a new tunnel in its name. This fails
because on the other side, only the gateway is authorized to be an IKE
peer. What could be wrong in our configuration?

I'm attaching some outputs that might be useful:

This is the output from tcpdump on the gateway's external interface when we
start a ping from our other machine:

09:41:07.444918 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP
(17), length 292)
    90.45.110.60.isakmp &amp;gt; 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0
msgid 00000000 cookie 9ac0140efc0921e3-&amp;gt;0000000000000000: phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=7080)(type=enc value=3des)(type=auth value=preshared)(type=hash
value=sha1)(type=group desc value=modp1024))))
    (ke: key len=128)
    (nonce: n len=16
 data=(aff2b8326d0e86135e40...00000014afcad71368a1f1c96b8696fc77570100))
    (id: idtype=IPv4 protoid=udp port=500 len=4 90.45.110.60)
    (vid: len=16)
09:41:07.511314 IP (tos 0x0, ttl 239, id 19841, offset 0, flags [none],
proto UDP (17), length 376)
    33.99.102.36.isakmp &amp;gt; 90.45.110.60.isakmp: [udp sum ok] isakmp 1.0
msgid 00000000 cookie 9ac0140efc0921e3-&amp;gt;3c7cc2a83564f6d4: phase 1 R agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash
value=sha1)(type=group desc value=modp1024)(type=auth
value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
    (ke: key len=128)
    (nonce: n len=20
 data=(860c9a70bf2268a936be...000000141f07f70eaa6514d3b0fa96542a500100))
    (id: idtype=IPv4 protoid=udp port=0 len=4 33.99.102.36)
    (hash: len=20)
    (vid: len=16)
    (vid: len=8)
    (vid: len=20)
    (vid: len=16)
09:41:07.518286 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP
(17), length 96)
    90.45.110.60.isakmp &amp;gt; 33.99.102.36.isakmp: [udp sum ok] isakmp 1.0
msgid bf1cb318 cookie 9ac0140efc0921e3-&amp;gt;3c7cc2a83564f6d4: phase 2/others I
inf[E]: [encrypted hash]

The next packet is again like the first one.

# ip xfrm policy
src 90.45.241.242/32 dst 192.168.1.6/32
    dir out priority 2080 ptype main
    tmpl src 90.45.241.242 dst 33.99.102.36
        proto esp reqid 16385 mode tunnel
src 90.45.110.60/32 dst 192.168.1.6/32
    dir out priority 2080 ptype main
    tmpl src 90.45.241.242 dst 33.99.102.36
        proto esp reqid 16389 mode tunnel
src 192.168.1.6/32 dst 90.45.241.242/32
    dir fwd priority 2080 ptype main
    tmpl src 33.99.102.36 dst 90.45.241.242
        proto esp reqid 16385 mode tunnel
src 192.168.1.6/32 dst 90.45.241.242/32
    dir in priority 2080 ptype main
    tmpl src 33.99.102.36 dst 90.45.241.242
        proto esp reqid 16385 mode tunnel
src 192.168.1.6/32 dst 90.45.110.60/32
    dir fwd priority 2080 ptype main
    tmpl src 33.99.102.36 dst 90.45.241.242
        proto esp reqid 16389 mode tunnel
src 192.168.1.6/32 dst 90.45.110.60/32
    dir in priority 2080 ptype main
    tmpl src 33.99.102.36 dst 90.45.241.242
        proto esp reqid 16389 mode tunnel
&lt;/pre&gt;</description>
    <dc:creator>Paul Goldbaum</dc:creator>
    <dc:date>2012-05-21T08:09:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21107">
    <title>[Openswan Users] No routing done</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21107</link>
    <description>&lt;pre&gt;Hello friends

I'm configuring a site-to-site VPN for a client but have problems with
the routes: my tunnel is up and everything seems to be OK, but I have no
communication between my two networks.

If the openswan service is down and I try to do a "traceroute" against
the subnet I'm trying to connect to, the packet is sent through the default
route and hops until the route is not found; this is obviously normal
behaviour:

$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  172.31.250.46 (172.31.250.46)  14.903 ms  14.916 ms  16.554 ms
  3  190.157.7.149 (190.157.7.149)  17.566 ms  17.568 ms  17.570 ms
  4  10.14.14.126 (10.14.14.126)  79.087 ms  79.102 ms  79.106 ms
  5  64.86.28.41 (64.86.28.41)  73.006 ms !H * *

But if the service is up and the tunnel established, the packet doesn't
get routed:
$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  * * *
  3  * * *
  4  * * *
  5  * * *

The routing table BEFORE the tunnel is:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         190.147.229.1   0.0.0.0         UG    100    0        0 eth0
190.147.229.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2

And AFTER the tunnel is:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         190.147.229.1   0.0.0.0         UG    100    0        0 eth0
190.147.229.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.202.0   0.0.0.0         255.255.255.0   U     0      0        0 ipsec0


This is my configuration file ipsec.conf:
config setup
     # Do not set debug options to debug configuration issues!
     # plutodebug / klipsdebug = "all", "none" or a combination from below:
     # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
     # eg:
     plutodebug=none
     klipsdebug=none

     #
     # enable to get logs per-peer
     plutoopts="--perpeerlog"
     #
     # Again: only enable plutodebug or klipsdebug when asked by a developer
     #
     # NAT-TRAVERSAL support, see README.NAT-Traversal
     nat_traversal=yes
     # exclude networks used on server side by adding %v4:!a.b.c.0/24
     #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
     #interfaces="ipsec0=eth0"

     # OE is now off by default. Uncomment and change to on, to enable.
     #oe = off
     # which IPsec stack to use. netkey,klips,mast,auto or none
     protostack=klips
     #nhelpers = 0
     plutostderrlog=/var/log/vpn

# Add connections here
conn net-super
     type=tunnel
     authby=secret                # Key exchange method
     left=190.147.229.25          # Public Internet IP address of the
     leftsubnet=192.168.0.0/24     # Subnet protected by the LEFT VPN device
     leftnexthop=190.147.229.1     # correct in many situations
     right=190.26.216.138         # Public Internet IP address of
     rightsubnet=192.168.202.0/24      # Subnet protected by the RIGHT VPN device
     rightnexthop=%defaultroute
     auto=start                   # authorizes and starts this connection
     aggrmode=no
     keyexchange=ike
     ike=3des-sha1-modp1024
     phase2=esp
     phase2alg=3des-sha1
     pfs=no

Even though the firewall has all default policies open (ACCEPT), I set a
few rules to allow the traffic:
Table Nat:
-A POSTROUTING -m policy -d 192.168.202.0/24 -o eth0 -j ACCEPT  --dir out --pol ipsec
Table Filter:
-A INPUT -m policy -j ACCEPT  --dir in --pol ipsec
-A INPUT -p esp -j ACCEPT
-A INPUT -p udp -m udp -m multiport -j ACCEPT --dports 500,4500
-A FORWARD -m policy -j ACCEPT  --dir in --pol ipsec

The last log (and output of ipsec auto --status) entries are:
000 #2: "net-super":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27194s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "net-super" esp.db0b6ee1&amp;lt; at &amp;gt;190.26.216.138 esp.7f45d825&amp;lt; at &amp;gt;190.147.229.25 tun.1001&amp;lt; at &amp;gt;190.26.216.138 tun.1002&amp;lt; at &amp;gt;190.147.229.25 ref=3 refhim=1
000 #1: "net-super":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1828s; newest ISAKMP; lastdpd=4s(seq in:0 out:0); idle; import:admin initiate

And the ipsec route shows:
$ ipsec eroute
0          192.168.0.0/24     -&amp;gt; 192.168.202.0/24   =&amp;gt; tun0x1001&amp;lt; at &amp;gt;190.26.216.138


In theory all is right but the server and the subnet 192.168.0.0/24 
can't contact the subnet 192.168.202.0/24.


Any help is welcome; I googled and tried many different
variations of the config, but without result.

&lt;/pre&gt;</description>
    <dc:creator>Wilfredo I. Pachón López</dc:creator>
    <dc:date>2012-05-16T15:21:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21104">
    <title>[Openswan Users] Ipsec Linux-L2TP Windows</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21104</link>
    <description>&lt;pre&gt;Hello,

I am configuring an IPsec tunnel with Openswan and l2tpd following the howto on this site:
http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd.
But I have problems establishing the connection.

This is my ipsec.conf
config setup
    nat_traversal=yes
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces=%none

conn dupa
    type=transport
    #authby=secret
    left=192.168.0.149
    leftid=%fromcert
    #leftrsasigkey=%cert
    leftcert=server.pem
    right=192.168.0.212
    rightid=%fromcert
    #rightrsasigkey=%cert
    rightcert=dupa1.pem
    rightca=%same
    #keyingtries=3
    #rekey=no
    #ikelifetime=8h
    #keylife=1h
    leftprotoport=17/1701
    rightprotoport=17/%any
    auto=add
    pfs=no


#xl2tpd.conf

[global]
port = 1701 
auth file = /etc/l2tpd/l2tp-secrets 

[lns default]
ip range = 192.168.0.1-192.168.0.250
local ip = 192.168.1.149
require chap = yes
refuse pap = yes
require authentication = yes
name = dupa; * Report this as our
ppp debug = yes; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd.lns; * ppp options file


# /etc/ppp/options
 ipcp-accept-local
 ipcp-accept-remote
 ms-dns 192.168.1.1
 ms-dns 192.168.1.2
 ms-wins 192.168.1.1
 ms-wins 192.168.1.3
 noccp
 asyncmap 0
 auth
 crtscts
 idle 1800
 mtu 1200
 mru 1200
 nodefaultroute
 debug
 lock
 proxyarp
 connect-delay 5000
# ---&amp;lt;End of File&amp;gt;---

On the Windows machine I import the certificate with certimport from
ftp://ftp.openswan.org/openswan/windows/certimport/.
When I try to connect I see in Wireshark that phase 1 was successful
but when phase 2 starts up I see "Destination unreachable (Port
unreachable)".

Thanks for your advice!

&lt;/pre&gt;</description>
    <dc:creator>Jarek Joachimiak</dc:creator>
    <dc:date>2012-05-13T15:53:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21103">
    <title>[Openswan Users] Only ping allowed in VPN</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21103</link>
    <description>&lt;pre&gt;Hello friends, I'm trying to configure a VPN with openswan + Cisco; everything
seems OK, even ping with remote machines is working, but if I try to
communicate over TCP to an open port, it doesn't work.

Even "traceroute" isn't working. Can you please give me some help?
I'm sure that the connection is up, or at least something is happening, because if I
stop the ipsec daemon the ping stops working.

My configuration is:

config setup
         plutodebug=none
         klipsdebug=none
         plutoopts="--perpeerlog"
         nat_traversal=yes
         #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
         #interfaces=%defaultroute
         oe = off
         protostack=netkey
         nhelpers = 0
         plutostderrlog=/var/log/vpn

conn net-super
         type=tunnel
         authby=secret                # Key exchange method
         left=240.125.229.25          # Public Internet IP address of the
         leftsubnet=192.168.0.0/24     # Subnet protected by the LEFT VPN device
         leftnexthop=240.125.229.1        # correct in many situations
         right=190.26.216.138         # Public Internet IP address of
         rightsubnet=192.168.202.0/24      # Subnet protected by the RIGHT VPN device
         rightnexthop=%defaultroute
         auto=start                   # authorizes and starts this connection
         aggrmode=no
         keyexchange=ike
         ike=3des-sha1-modp1024
         phase2=esp
         phase2alg=3des-sha1
         pfs=no


When I try to do a traceroute from machine 192.168.0.155 to
192.168.202.22 this is the answer:

jorge&amp;lt; at &amp;gt;jorge-HP-Z210-Workstation:~$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  192.168.0.1 (192.168.0.1)  0.265 ms  0.259 ms  0.253 ms
  2  * * *
...
30  * * *

And if I try to connect to a port on this machine:

jorge&amp;lt; at &amp;gt;jorge-HP-Z210-Workstation:~$ telnet 192.168.202.22 7778
Trying 192.168.202.22...

This is the log when I run ipsec auto --status:

Plutorun started on Fri May 11 13:00:27 COT 2012
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:3036
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
    port floating activation criteria nat_t=1/port_float=1
    NAT-Traversal support  [enabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Using Linux 2.6 IPsec interface code on 3.2.0-24-generic-pae (experimental code)
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
   Warning: empty directory
added connection description "net-super"
listening for IKE messages
adding interface eth0/eth0 240.125.229.25:500
adding interface eth0/eth0 240.125.229.25:4500
adding interface eth1/eth1 192.168.0.1:500
adding interface eth1/eth1 192.168.0.1:4500
adding interface eth2:1/eth2:1 192.168.5.1:500
adding interface eth2:1/eth2:1 192.168.5.1:4500
adding interface eth2/eth2 192.168.2.1:500
adding interface eth2/eth2 192.168.2.1:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
"net-super" #1: initiating Main Mode
"net-super" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
"net-super" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"net-super" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
"net-super" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"net-super" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"net-super" #1: received Vendor ID payload [Cisco-Unity]
"net-super" #1: received Vendor ID payload [XAUTH]
"net-super" #1: ignoring unknown Vendor ID payload [3b76c9260b03c3aa779210047c597c79]
"net-super" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"net-super" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
"net-super" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"net-super" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"net-super" #1: received Vendor ID payload [Dead Peer Detection]
| protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
"net-super" #1: Main mode peer ID is ID_IPV4_ADDR: '190.26.216.138'
"net-super" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"net-super" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
"net-super" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5b427f4e proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
"net-super" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"net-super" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=&amp;gt;0x7a1a4e9a &amp;lt;0xfc3b703c xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}


My route table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         240.125.229.1   0.0.0.0         UG    100    0        0 eth0
240.125.229.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2

And the output of iptables -t nat -L -n:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.2.5          0.0.0.0/0
MASQUERADE  tcp  --  192.168.0.2          240.125.229.25       tcp dpt:80
MASQUERADE  tcp  --  192.168.0.0/24       192.168.5.2          tcp multiport dports 80,8080,8085,8090
MASQUERADE  all  --  192.168.5.0/24       192.168.2.5
MASQUERADE  all  --  192.168.5.0/24       0.0.0.0/0
MASQUERADE  all  --  192.168.5.0/24       192.168.0.0/24
MASQUERADE  all  --  192.168.2.3          0.0.0.0/0
MASQUERADE  tcp  --  192.168.0.2          240.125.229.25       tcp dpt:80
MASQUERADE  all  --  192.168.5.2          0.0.0.0/0


Please, any idea?

&lt;/pre&gt;</description>
    <dc:creator>Wilfredo I. Pachón López</dc:creator>
    <dc:date>2012-05-11T18:13:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21101">
    <title>[Openswan Users] Security attacks</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21101</link>
    <description>&lt;pre&gt;We recently did a security audit against the latest .38 release. The only thing that failed the Ernst &amp;amp; Young test was that they were able to insert a MIM agent and grab one of our transactions, which was encrypted with AES_128 DH5. We use NETKEY and PSK. While they couldn't decrypt the transaction, they were able to flood the concentrator with enough transactions that eventually, due to overload, some of those old transactions did manage to show up on our inside network and began to consume bandwidth.

So my question is (Paul or Tuomo): do you think that a change to RSA keys will prevent this brute force MIM attack?
Thanks

&lt;/pre&gt;</description>
    <dc:creator>Goffe, Don</dc:creator>
    <dc:date>2012-05-11T15:54:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21098">
    <title>[Openswan Users] Understanding log messages</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21098</link>
    <description>&lt;pre&gt;Hi people:

I'm almost a newbie OpenSwan user. I configured a two-way connection
between openswan 2.6.32 using CentOS 5.8 x86 running
2.6.18-308.4.1.el5 kernel. My configuration file is the following:

config setup
        protostack=netkey
        nat_traversal=yes
        nhelpers=0

conn %default
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        ikelifetime=480m
        pfs=yes
        type=tunnel
        authby=secret
        auto=start

conn bank-cars
        right=W.X.Y.Z
        rightsubnet=10.108.3.0/24
        left=A.B.C.D
        leftid=172.31.64.41
        leftsubnet=130.30.0.0/16
        aggrmode=no
        auto=start

conn cars-bank
        right=A.B.C.D
        rightid=172.31.64.41
        rightsubnet=130.30.0.0/16
        left=W.X.Y.Z
        leftsubnet=10.108.3.0/24
        aggrmode=no
        auto=start

include /etc/ipsec.d/no_oe.conf

My /etc/ipsec.secrets looks like this:

A.B.C.D W.X.Y.Z : PSK "strongpassword"
172.31.64.41 W.X.Y.Z : PSK "strongpassword"
W.X.Y.Z A.B.C.D : PSK "strongpassword"

The Linux server running OpenSwan is "cars" and the other server is a
Juniper NetScreen known as "bank". The connection is established, at
least PING is working between subnets in both ways, but I'm getting
some messages in logs that I'm not sure what they mean, like this:

Message 1
========
May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #31: starting keying
attempt 30 of an unlimited number
May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #32: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #31
{using isakmp#1 msgid:b3bc2b0b proposal=3DES(3)_192-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}
May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #32: max number of
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #32: starting keying
attempt 31 of an unlimited number
May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #33: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #32
{using isakmp#1 msgid:138baa4c proposal=3DES(3)_192-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}

Message 2
========
May 10 16:21:38 vpnmml pluto[13698]: "cars-interbank" #4: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME msgid=f45f1aaf
May 10 16:21:38 vpnmml pluto[13698]: "cars-bank" #4: cannot install
eroute -- it is in use for "bank-cars" #3

What does "cannot install eroute" mean?

I started looking at these errors as a consequence of continuous (but
random) disconnections reported by users. I don't know if I need to
activate DPD, forced keepalive or something like that to deal with
disconnections.

I hope you can give me some ideas.

thanks a lot

&lt;/pre&gt;</description>
    <dc:creator>Jason Voorhees</dc:creator>
    <dc:date>2012-05-10T22:00:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21094">
    <title>[Openswan Users] Pushing routes to clients</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21094</link>
    <description>&lt;pre&gt;
Brian &amp;amp; SVM,

Thank you very much for this. At least it confirms I wasn't missing a simple
solution.

It's going to take me a while to digest this, and the implications of running
another DHCP server in our environment, and how to get a client to instigate
a DHCPINFORM.

Thanks again

Greg

&lt;/pre&gt;</description>
    <dc:creator>5dxnea3pw8&lt; at &gt;snkmail.com</dc:creator>
    <dc:date>2012-05-08T20:59:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21092">
    <title>[Openswan Users] multiple start on openswan 2.6.37</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21092</link>
    <description>&lt;pre&gt;Dear Sirs,

I merged openswan (2.6.37) into embedded Linux (2.6.30 MIPS). The IPsec tunnel can work fine. One question: please see my ipsec.conf configuration below. If I type 'ipsec setup start', the connnames 'sample1' and 'sample2' will be started simultaneously. How could I start only one connname? Thanks.

Best Regards,
Ozai

# cat ipsec.conf

config setup
        dumpdir=/var/run/pluto/
        interfaces=ipsec0=ppp0.1
        oe=off
        protostack=klips

conn %default
                keyexchange=ike
                ike=3des-md5-modp1024
                esp=3des-md5
                auth=esp
                type=tunnel
                authby=secret
                auto=start

conn sample1
                left=111.243.154.145
                leftsubnet=192.168.1.0/24
                right=111.243.154.196
                rightsubnet=192.168.2.0/24

conn sample2
                left=111.243.154.145
                leftsubnet=192.168.1.0/24
                right=111.243.152.134
                rightsubnet=192.168.3.0/24

&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-07T07:25:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21091">
    <title>[Openswan Users] OpenSWAN and iPhone IPSec only VPN</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21091</link>
    <description>&lt;pre&gt;Oops! I think I sent this to an old list address.  I'll repost now - John

Hello, all.  I've been beating my head against the wall for days trying
to get the built-in iPhone IPSec only (Cisco) client working with
OpenSWAN.  We need to use the IPSec only approach rather than L2TP/IPSec
because we need to preserve the association between the certificate
fields and the IP address; we lose them when IPSec is only used to drop
off a PPP packet as with L2TP.

I'll try to summarize days of work and endless permutations as
succinctly as possible.  We first tried PSK.  According to the iOS
documentation, this requires XAUTH.  It also apparently requires modecfg.
Among many variations, we used these OpenSWAN settings - we are
experimenting in our test lab so the "public" addresses are all RFC1918:

conn iPhone
        leftxauthserver=yes
        rightxauthclient=yes
        rightmodecfgserver=yes
        #leftxauthusername=phone
        leftmodecfgserver=yes
        #leftmodecfgclient=yes
        ikev2=never
        rekey=no
        modecfgdns1=4.2.2.2
        also=RWNAT

conn Android
        rightprotoport=17/%any
        leftprotoport=17/1701
        leftsubnet=192.168.223.81/32
        also=RWNAT

conn RWNAT
        rightsubnet=vhost:%priv
        also=RW


conn RW
        right=%any
        #rightsubnet=vhost:%no,%priv
        #rightid=192.168.223.210
        leftupdown=/etc/PEP/X509updown
        authby=secret
        #type=transport
        #pfs=no
        dpddelay=9
        dpdtimeout=30
        compress=no
        keylife=1h
        ikelifetime=3h
        auto=add

conn %default
        keyingtries=10
        disablearrivalcheck=no
        authby=rsasig
        left=192.168.223.81
        #leftnexthop=%direct
        leftsubnet=192.168.15.0/24
        leftrsasigkey=%cert
        leftcert="testswitch01c.pem"
        leftid="DC=com,DC=pacifera,OU=VPN,CN=testswitch01.pacifera.com"
        rightrsasigkey=%cert
        keylife=60m
        rekeymargin=5m
        ikelifetime=3h
        auto=ignore

config setup
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # one comma-separated list; entries prefixed with ! are excluded from the virtual private range
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.15.0/24,%v4:!192.168.20.0/24,%v4:!192.168.223.0/24
        oe=off
        protostack=netkey
        plutowait=no
        hidetos=no
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

The server key is 2048 bits, the cert contains the FQDN in the CN, and
the subjAltName contains both the FQDN and the IP address.

The iPhone is set up to access the gateway by IP address at
192.168.223.81 from 192.168.223.208.  It uses a local user account on
the gateway to authenticate.  XAUTH appears to succeed:

switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: responding to Main Mode from unknown peer 192.168.223.208
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R1: sent MR1, expecting MI2
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R2: sent MR2, expecting MI3
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.223.208'
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: new NAT mapping for #4, was 192.168.223.208:500, now 192.168.223.208:4500
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Dead Peer Detection (RFC 3706): enabled
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: XAUTH: Sending XAUTH Login/Password Request
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: XAUTH: Sending Username/Password request (XAUTH_R0)
switch01 pluto[2821]: XAUTH: User myuser: Attempting to login
switch01 pluto[2821]: XAUTH: pam authentication being called to authenticate user myuser
switch01 pluto[2821]: XAUTH: User myuser: Authentication Successful
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: XAUTH: xauth_inR1(STF_OK)
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Dead Peer Detection (RFC 3706): enabled

That's when the trouble starts with modecfg.  It is almost as if the
iPhone itself is trying to set parameters:

switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Sending MODE CONFIG set
switch01 pluto[2821]: pam_unix(pluto:session): session opened for user user by (uid=0)
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: DPD: could not find newest phase 1 state
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client

As you can see from some of the commented and uncommented connection
parameters above, I tried several approaches to resolve this.  I tried
designating rightmodecfgserver=yes, rightmodecfgclient=yes and none of
those worked.  I tried reversing it and making the gateway the client as
much as that seemed wrong.  That had a different effect but was still a
failure.  If I auto-started (not correct according to the man page), the
iPhone prompted me for a user and password for the connection.  If I
tried to manually start the OpenSWAN connection with a username and
password, it complained that it needed to know the address of the other
side of the connection.

So no success with PSK.  What do we need to do to get PSK IPSec working?

Actually our goal is to use certs.  We tried that with XAUTH but had
even less success.  In that case, the XAUTH communication appears to
break down.  We commented out the above authby=secret, restarted
OpenSWAN, and deleted the Android connection.  After enabling the cert
on the iPhone, we saw:

5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: responding to Main Mode from unknown peer 192.168.223.208
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R1: sent MR1, expecting MI2
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R2: sent MR2, expecting MI3
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: Main mode peer ID is ID_DER_ASN1_DN: 'DC=com, DC=pacifera, OU=Phone, CN=myphone'
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: no crl from issuer "DC=com, DC=pacifera, OU=PKI, CN=TestCA" found (strict=no)
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: switched from "iPhone" to "iPhone"
6 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: deleting connection "iPhone" instance with peer 192.168.223.208 {isakmp=#0/ipsec=#0}
6 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: I am sending my cert
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: new NAT mapping for #4, was 192.168.223.208:500, now 192.168.223.208:4500
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: Dead Peer Detection (RFC 3706): enabled
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: XAUTH: Sending XAUTH Login/Password Request
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: XAUTH: Sending Username/Password request (XAUTH_R0)
0 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: discarding duplicate packet; already STATE_XAUTH_R0
1 testswitch01 CRON[3559]: pam_unix(cron:session): session opened for user root by (uid=0)
1 testswitch01 CRON[3559]: pam_unix(cron:session): session closed for user root

We then tried to disable XAUTH since the iOS docs state that IPSec
without XAUTH is supported when using certificates so we restarted
OpenSWAN, deleted the iPhone and Android connections, removed the user
and password from the iPhone VPN connection definition and tried again.
We assumed that not entering a name and password and not having the
server advertise itself as an XAUTH server was the way to disable XAUTH
and lots of Internet research yielded no firm instructions on how to do
so.  We got:

3798]: packet from 192.168.223.208:500: received Vendor ID payload [RFC 3947] method set to=109
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
3798]: packet from 192.168.223.208:500: received Vendor ID payload [XAUTH]
3798]: packet from 192.168.223.208:500: received Vendor ID payload [Cisco-Unity]
3798]: packet from 192.168.223.208:500: received Vendor ID payload [Dead Peer Detection]
3798]: "RWNAT"[1] 192.168.223.208 #4: responding to Main Mode from unknown peer 192.168.223.208
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
3798]: "RWNAT"[1] 192.168.223.208 #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
3798]: "RWNAT"[1] 192.168.223.208 #4: no acceptable Oakley Transform
3798]: "RWNAT"[1] 192.168.223.208 #4: sending notification NO_PROPOSAL_CHOSEN to 192.168.223.208:500
3798]: "RWNAT"[1] 192.168.223.208: deleting connection "RWNAT" instance with peer 192.168.223.208 {isakmp=#0/ipsec=#0}

So it appears it is trying to use XAUTH anyway.  We tried commenting out the
iPhone and Android sessions and then restarting OpenSWAN in case just
having the connections defined loaded some XAUTH listener that remained
listening even after the connections were deleted.

So how do we get certs working with iPhone IPSec only and particularly,
how do we do so with XAUTH disabled? Thanks.  My apologies for the
length.  Hopefully the detail is helpful - John




&lt;/pre&gt;</description>
    <dc:creator>John A. Sullivan III</dc:creator>
    <dc:date>2012-05-06T02:59:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21090">
    <title>[Openswan Users] OpenSWAN and iPhone IPSec only VPN</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21090</link>
    <description>&lt;pre&gt;Hello, all.  I've been beating my head against the wall for days trying
to get the built-in iPhone IPSec only (Cisco) client working with
OpenSWAN.  We need to use the IPSec only approach rather than L2TP/IPSec
because we need to preserve the association between the certificate
fields and the IP address; we lose them when IPSec is only used to drop
off a PPP packet as with L2TP.

I'll try to summarize days of work and endless permutations as
succinctly as possible.  We first tried PSK.  According to the iOS
documentation, this requires XAUTH.  It also apparently requires modecfg.
Among many variations, we used these OpenSWAN settings - we are
experimenting in our test lab so the "public" addresses are all RFC1918:

conn iPhone
        leftxauthserver=yes
        rightxauthclient=yes
        rightmodecfgserver=yes
        #leftxauthusername=phone
        leftmodecfgserver=yes
        #leftmodecfgclient=yes
        ikev2=never
        rekey=no
        modecfgdns1=4.2.2.2
        also=RWNAT

conn Android
        rightprotoport=17/%any
        leftprotoport=17/1701
        leftsubnet=192.168.223.81/32
        also=RWNAT

conn RWNAT
        rightsubnet=vhost:%priv
        also=RW


conn RW
        right=%any
        #rightsubnet=vhost:%no,%priv
        #rightid=192.168.223.210
        leftupdown=/etc/PEP/X509updown
        authby=secret
        #type=transport
        #pfs=no
        dpddelay=9
        dpdtimeout=30
        compress=no
        keylife=1h
        ikelifetime=3h
        auto=add

conn %default
        keyingtries=10
        disablearrivalcheck=no
        authby=rsasig
        left=192.168.223.81
        #leftnexthop=%direct
        leftsubnet=192.168.15.0/24
        leftrsasigkey=%cert
        leftcert="testswitch01c.pem"
        leftid="DC=com,DC=pacifera,OU=VPN,CN=testswitch01.pacifera.com"
        rightrsasigkey=%cert
        keylife=60m
        rekeymargin=5m
        ikelifetime=3h
        auto=ignore

config setup
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # one comma-separated list; entries prefixed with ! are excluded from the virtual private range
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.15.0/24,%v4:!192.168.20.0/24,%v4:!192.168.223.0/24
        oe=off
        protostack=netkey
        plutowait=no
        hidetos=no
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

The server key is 2048 bits, the cert contains the FQDN in the CN, and
the subjAltName contains both the FQDN and the IP address.

The iPhone is set up to access the gateway by IP address at
192.168.223.81 from 192.168.223.208.  It uses a local user account on
the gateway to authenticate.  XAUTH appears to succeed:

switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: responding to Main Mode from unknown peer 192.168.223.208
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R1: sent MR1, expecting MI2
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R2: sent MR2, expecting MI3
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.223.208'
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: new NAT mapping for #4, was 192.168.223.208:500, now 192.168.223.208:4500
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Dead Peer Detection (RFC 3706): enabled
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: XAUTH: Sending XAUTH Login/Password Request
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: XAUTH: Sending Username/Password request (XAUTH_R0)
switch01 pluto[2821]: XAUTH: User myuser: Attempting to login
switch01 pluto[2821]: XAUTH: pam authentication being called to authenticate user myuser
switch01 pluto[2821]: XAUTH: User myuser: Authentication Successful
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: XAUTH: xauth_inR1(STF_OK)
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Dead Peer Detection (RFC 3706): enabled

That's when the trouble starts with modecfg.  It is almost as if the
iPhone itself is trying to set parameters:

switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: Sending MODE CONFIG set
switch01 pluto[2821]: pam_unix(pluto:session): session opened for user user by (uid=0)
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: DPD: could not find newest phase 1 state
switch01 pluto[2821]: "iPhone"[1] 192.168.223.208 #4: received MODECFG message when in state STATE_MODE_CFG_R1, and we aren't xauth client

As you can see from some of the commented and uncommented connection
parameters above, I tried several approaches to resolve this.  I tried
designating rightmodecfgserver=yes, rightmodecfgclient=yes and none of
those worked.  I tried reversing it and making the gateway the client as
much as that seemed wrong.  That had a different effect but was still a
failure.  If I auto-started (not correct according to the man page), the
iPhone prompted me for a user and password for the connection.  If I
tried to manually start the OpenSWAN connection with a username and
password, it complained that it needed to know the address of the other
side of the connection.

So no success with PSK.  What do we need to do to get PSK IPSec working?

Actually our goal is to use certs.  We tried that with XAUTH but had
even less success.  In that case, the XAUTH communication appears to
break down.  We commented out the above authby=secret, restarted
OpenSWAN, and deleted the Android connection.  After enabling the cert
on the iPhone, we saw:

5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: responding to Main Mode from unknown peer 192.168.223.208
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R1: sent MR1, expecting MI2
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
5 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: STATE_MAIN_R2: sent MR2, expecting MI3
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: Main mode peer ID is ID_DER_ASN1_DN: 'DC=com, DC=pacifera, OU=Phone, CN=myphone'
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: no crl from issuer "DC=com, DC=pacifera, OU=PKI, CN=TestCA" found (strict=no)
6 testswitch01 pluto[3475]: "iPhone"[1] 192.168.223.208 #4: switched from "iPhone" to "iPhone"
6 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: deleting connection "iPhone" instance with peer 192.168.223.208 {isakmp=#0/ipsec=#0}
6 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: I am sending my cert
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: new NAT mapping for #4, was 192.168.223.208:500, now 192.168.223.208:4500
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: Dead Peer Detection (RFC 3706): enabled
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: XAUTH: Sending XAUTH Login/Password Request
7 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: XAUTH: Sending Username/Password request (XAUTH_R0)
0 testswitch01 pluto[3475]: "iPhone"[2] 192.168.223.208 #4: discarding duplicate packet; already STATE_XAUTH_R0
1 testswitch01 CRON[3559]: pam_unix(cron:session): session opened for user root by (uid=0)
1 testswitch01 CRON[3559]: pam_unix(cron:session): session closed for user root

We then tried to disable XAUTH since the iOS docs state that IPSec
without XAUTH is supported when using certificates so we restarted
OpenSWAN, deleted the iPhone and Android connections, removed the user
and password from the iPhone VPN connection definition and tried again.
We assumed that not entering a name and password and not having the
server advertise itself as an XAUTH server was the way to disable XAUTH
and lots of Internet research yielded no firm instructions on how to do
so.  We got:

3798]: packet from 192.168.223.208:500: received Vendor ID payload [RFC 3947] method set to=109
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
3798]: packet from 192.168.223.208:500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
3798]: packet from 192.168.223.208:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
3798]: packet from 192.168.223.208:500: received Vendor ID payload [XAUTH]
3798]: packet from 192.168.223.208:500: received Vendor ID payload [Cisco-Unity]
3798]: packet from 192.168.223.208:500: received Vendor ID payload [Dead Peer Detection]
3798]: "RWNAT"[1] 192.168.223.208 #4: responding to Main Mode from unknown peer 192.168.223.208
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: policy does not allow Extended Authentication (XAUTH) with RSA of initiator (we are responder).  Attribute OAKLEY_AUTHENTICATION_METHOD
3798]: "RWNAT"[1] 192.168.223.208 #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
3798]: "RWNAT"[1] 192.168.223.208 #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
3798]: "RWNAT"[1] 192.168.223.208 #4: no acceptable Oakley Transform
3798]: "RWNAT"[1] 192.168.223.208 #4: sending notification NO_PROPOSAL_CHOSEN to 192.168.223.208:500
3798]: "RWNAT"[1] 192.168.223.208: deleting connection "RWNAT" instance with peer 192.168.223.208 {isakmp=#0/ipsec=#0}

So it appears it is trying to use XAUTH anyway.  We tried commenting out the
iPhone and Android sessions and then restarting OpenSWAN in case just
having the connections defined loaded some XAUTH listener that remained
listening even after the connections were deleted.

So how do we get certs working with iPhone IPSec only and particularly,
how do we do so with XAUTH disabled? Thanks.  My apologies for the
length.  Hopefully the detail is helpful - John



&lt;/pre&gt;</description>
    <dc:creator>John A. Sullivan III</dc:creator>
    <dc:date>2012-05-06T02:57:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21085">
    <title>[Openswan Users] Pushing routes to clients</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21085</link>
    <description>&lt;pre&gt;Hi,

Our target configuration is road warriors using IPSEC/l2tp which connect on demand. A given user, may connect to multiple VPN servers concurrently depending on which suppliers they are working with (this means we can't just send all traffic over the VPN). Each VPN server has a variety of subnets behind it.

We can connect to the VPN servers fine, and if we hard-code routes for the various subnets on the client all is well. However, hard-coding these routes is a real pain in the backside. We haven't identified a reliable solution for our Mac users.

Pushing the routes from xl2tpd or ppp on a per-connection basis would be much more manageable. Is this possible, or ever likely to be possible?

Thanks

Greg
&lt;/pre&gt;</description>
    <dc:creator>5dxnea3pw8&lt; at &gt;snkmail.com</dc:creator>
    <dc:date>2012-05-04T11:01:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21081">
    <title>[Openswan Users] VPN works but getting errors</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21081</link>
    <description>&lt;pre&gt;I have a functioning VPN connection between my centos box and a router 
with a dynamic connection. The VPN works, but I keep getting this 
message in the log files constantly -

May  2 08:19:22 services pluto[23699]: "VOIP-VPN"[4] x.x.x.x #325300: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
May  2 08:19:22 services pluto[23699]: "VOIP-VPN"[4] x.x.x.x #325300: received and ignored informational message

What causes it? Is it something to worry about, and can I shut it off? -
Jeremy
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Schaeffer</dc:creator>
    <dc:date>2012-05-02T19:48:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21080">
    <title>[Openswan Users] can't reset password on tracker</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21080</link>
    <description>&lt;pre&gt;I really hate to bother the list with this but there is no contact
information at https://gsoc.xelerance.com/ and I have tried about 4
times now to reset my password there but it continues to fail to work.

How do I get this fixed?

Cheers,
b.

&lt;/pre&gt;</description>
    <dc:creator>Brian J. Murrell</dc:creator>
    <dc:date>2012-05-02T16:49:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21078">
    <title>[Openswan Users] Strongswan 4.4.1 kernel-netlink problem?</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21078</link>
    <description>&lt;pre&gt;Hi list,

I have installed Strongswan 4.4.1 on Debian arm (2.6.32-5-kirkwood) to
connect a third-party supplier to our network in a site-to-site
configuration:

ipsec.d/unit4.conf

config setup
        # full pluto debug logging; charon (the IKEv2 daemon) is not started,
        # so only pluto (IKEv1) runs
        plutodebug=all
        charonstart=no

conn %default
        ikelifetime=8h
        keylife=1h
        rekeymargin=3m
        keyingtries=1
        # IKEv1 with a pre-shared key
        keyexchange=ikev1
        authby=secret
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        # Quick Mode PFS with a fresh 1024-bit MODP exchange
        pfs=yes
        pfsgroup=modp1024

conn unit4
        left=212.219.238.26
        leftsubnet=212.219.139.96/28
        # let the _updown script insert firewall rules for the tunnelled subnets
        leftfirewall=yes
        right=194.73.112.61
        rightsubnet=172.30.0.8/29
        auto=start

strongswan.conf

pluto {
  # pluto loads only the plugins listed here; kernel-netlink is the Linux
  # XFRM (netlink) kernel interface that installs SAs and policies
  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}

libstrongswan {
  dh_exponent_ansi_x9_42 = no
}

On ipsec start I see kernel-netlink failing to load:

pluto[5588]: plugin 'kernel-netlink' failed to load: /usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so: undefined symbol: policy_dir_names

The tunnel is set up; the problem is that we can send each other ESP, but
the packets don't come out at the other end:

ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.4.1):
000 interface lo/lo ::1:500
000 interface bond0/bond0 2001:630:1b:6fff:d8cf:1db8:3126:68b:500
000 interface lo/lo 127.0.0.1:500
000 interface bond0/bond0 212.219.238.26:500
000 interface bond0/bond0 212.219.139.97:500
000 %myid = '%any'
000 loaded plugins: sha1 sha2 md5 aes des hmac gmp random
000 debug options: none
000
000 "unit4": 212.219.139.96/28===212.219.238.26[212.219.238.26]...194.73.112.61[194.73.112.61]===172.30.0.8/29; erouted; eroute owner: #2
000 "unit4":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "unit4":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 28,29; interface: bond0;
000 "unit4":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "unit4":   IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000 "unit4":   ESP proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000
000 #2: "unit4" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2965s; newest IPSEC; eroute owner
000 #2: "unit4" esp.31f6b9e3&amp;lt; at &amp;gt;194.73.112.61 (180 bytes, 26s ago) esp.ce388bef&amp;lt; at &amp;gt;212.219.238.26 (0 bytes); tunnel
000 #1: "unit4" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 28084s; newest ISAKMP
000

ip xfrm state
src 212.219.238.26 dst 194.73.112.61
proto esp spi 0x31f6b9e3 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth hmac(sha1) 0xd27007615fa9a95732da5462837f1bdb6f0869b1
enc cbc(aes) 0x00cc37c0c121c63f7b526c787aa5361353b2c35b0f6c7ffe0cf00efc6a94ed70
src 194.73.112.61 dst 212.219.238.26
proto esp spi 0xce388bef reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth hmac(sha1) 0x5f6ec976accd3a3804e4a25a87faa008a04ed385
enc cbc(aes) 0xbe9be8d335aa27378cfb627c318bdad3f2fa38335ff933497dfb3414ef7bd559

ip xfrm monitor
Updated src 194.73.112.61 dst 212.219.238.26
proto esp spi 0xce388bef reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth hmac(sha1) 0x5f6ec976accd3a3804e4a25a87faa008a04ed385
enc cbc(aes) 0xbe9be8d335aa27378cfb627c318bdad3f2fa38335ff933497dfb3414ef7bd559
src 172.30.0.8/29 dst 212.219.139.96/28
dir in priority 2211 ptype main
tmpl src 194.73.112.61 dst 212.219.238.26
proto esp reqid 16385 mode tunnel
src 172.30.0.8/29 dst 212.219.139.96/28
dir fwd priority 2211 ptype main
tmpl src 194.73.112.61 dst 212.219.238.26
proto esp reqid 16385 mode tunnel
src 212.219.238.26 dst 194.73.112.61
proto esp spi 0x31f6b9e3 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth hmac(sha1) 0xd27007615fa9a95732da5462837f1bdb6f0869b1
enc cbc(aes) 0x00cc37c0c121c63f7b526c787aa5361353b2c35b0f6c7ffe0cf00efc6a94ed70
src 212.219.139.96/28 dst 172.30.0.8/29
dir out priority 2211 ptype main
tmpl src 212.219.238.26 dst 194.73.112.61
proto esp reqid 16385 mode tunnel
Async event  (0x20)  timer expired
src 194.73.112.61 dst 212.219.238.26  reqid 0x4001 protocol esp  SPI 0xce388bef
Async event  (0x20)  timer expired
src 212.219.238.26 dst 194.73.112.61  reqid 0x4001 protocol esp  SPI 0x31f6b9e3
Async event  (0x20)  timer expired
src 212.219.238.26 dst 194.73.112.61  reqid 0x4001 protocol esp  SPI 0x31f6b9e3
Async event  (0x20)  timer expired
src 212.219.238.26 dst 194.73.112.61  reqid 0x4001 protocol esp  SPI 0x31f6b9e3
Async event  (0x20)  timer expired
src 212.219.238.26 dst 194.73.112.61  reqid 0x4001 protocol esp  SPI 0x31f6b9e3

Does kernel-netlink need to be loaded for ipsec routing to complete? We
have a site-to-site VPN with another supplier on an almost identical
server and strongswan version, which works fine. (The only differences are
in strongswan.conf: our working server has the same set of algorithms
available but nothing explicitly loaded in its pluto stanza.)

ipsec listall
000
000 List of registered IKEv1 Algorithms:
000
000   encryption: 3DES_CBC AES_CBC
000   integrity:  HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512
000   dh-group:   MODP_1024 MODP_1536 MODP_2048 MODP_3072 MODP_4096 MODP_6144 MODP_8192 MODP_1024_160 MODP_2048_224 MODP_2048_256
000
000 List of registered ESP Algorithms:
000
000   encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8 AES_GCM_12 AES_GCM_16 CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
000   integrity:  HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_RIPEMD AES_XCBC_96 NULL HMAC_SHA2_256_96

ipsec version
Linux strongSwan U4.4.1/K2.6.32-5-kirkwood

Any help very gratefully received.

Ed Spick

&lt;/pre&gt;</description>
    <dc:creator>Ed Spick</dc:creator>
    <dc:date>2012-05-02T08:44:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21077">
    <title>[Openswan Users] Delete Payload error in Openswan</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21077</link>
    <description>&lt;pre&gt;Hi all,

Topology
_______

GW1 ---------------------------- GW2 (openswan)
              Tunnel

I formed a tunnel between GW1 and GW2. After some time the IPsec service is
stopped on GW1, and it informs the openswan GW with a Delete payload message.
Upon receiving the message, openswan deletes only the SAD but not the SPD.
Because the SPD lingers in the kernel, ping packets are getting dropped.

Is this expected behavior?
Is there an RFC/standard that talks about this?

Regards,
Anonymous cross.
&lt;/pre&gt;</description>
    <dc:creator>Anonymous cross</dc:creator>
    <dc:date>2012-05-02T07:30:19</dc:date>
  </item>
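A cross-check for the two situations in the posts above (an SPD that still holds entries after a Delete payload removed the SAs, and a tunnel whose kernel state looks complete while ESP only flows one way), as an added example that is not code from either post or from strongSwan/Openswan. It parses the text that `ip xfrm state`, `ip xfrm policy` and `ipsec statusall` print, in the layout quoted in the Strongswan 4.4.1 post, so it runs on saved output without root. One caveat a practitioner should take from that post: `ip xfrm state` prints the live HMAC and AES keys of every SA, and the post pasted them verbatim; anyone who captured that ESP traffic can decrypt it with those keys for the lifetime of the SA, so redact them before sharing such output, which is what redact_keys does. All sample text inside the block is constructed: the addresses, SPIs and reqid 16385 mirror the thread, the keys are dummies, and 203.0.113.7 with reqid 16386 is an invented stale policy.

```python
# Added example (not from the posts or from strongSwan/Openswan): parse what
# `ip xfrm state`, `ip xfrm policy` and `ipsec statusall` print, redact SA keys
# before sharing, find SPD entries with no SA behind them, and spot one-way ESP.
# Sample text is constructed: addresses, SPIs and reqid 16385 mirror the thread,
# the keys are dummies, 203.0.113.7 and reqid 16386 are invented.
import re

SAMPLE_STATE = """\
src 212.219.238.26 dst 194.73.112.61
\tproto esp spi 0x31f6b9e3 reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth hmac(sha1) 0x0000000000000000000000000000000000000000
\tenc cbc(aes) 0x0000000000000000000000000000000000000000000000000000000000000000
src 194.73.112.61 dst 212.219.238.26
\tproto esp spi 0xce388bef reqid 16385 mode tunnel
\treplay-window 32 flag af-unspec
\tauth hmac(sha1) 0x1111111111111111111111111111111111111111
\tenc cbc(aes) 0x1111111111111111111111111111111111111111111111111111111111111111
"""
# Two live policies plus a stale one (reqid 16386) whose SA was deleted: the
# situation the Delete-payload post describes.
SAMPLE_POLICY = """\
src 172.30.0.8/29 dst 212.219.139.96/28
\tdir in priority 2211 ptype main
\ttmpl src 194.73.112.61 dst 212.219.238.26
\t\tproto esp reqid 16385 mode tunnel
src 212.219.139.96/28 dst 172.30.0.8/29
\tdir out priority 2211 ptype main
\ttmpl src 212.219.238.26 dst 194.73.112.61
\t\tproto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.168.1.0/24
\tdir out priority 2211 ptype main
\ttmpl src 212.219.238.26 dst 203.0.113.7
\t\tproto esp reqid 16386 mode tunnel
"""
# The esp counter line from the first post, with the real "@" the list obfuscates.
SAMPLE_STATUS = ('000 #2: "unit4" esp.31f6b9e3@194.73.112.61 (180 bytes, 26s ago) '
                 'esp.ce388bef@212.219.238.26 (0 bytes); tunnel')

KEY_RE = re.compile(r"0x[0-9a-fA-F]{16,}")  # SPIs are 8 hex digits and survive


def parse_state(text):
    """One dict per SA: src, dst, spi, reqid and the raw auth/enc key strings."""
    sas = []
    for line in (ln.strip() for ln in text.splitlines()):
        f = line.split()
        if line.startswith("src "):
            sas.append({"src": f[1], "dst": f[3]})
        elif not sas:
            continue
        elif line.startswith("proto "):
            m = re.search(r"spi (0x[0-9a-f]+) reqid (\d+)", line)
            sas[-1]["spi"], sas[-1]["reqid"] = m.group(1), int(m.group(2))
        elif line.startswith(("auth ", "enc ")):
            sas[-1][f[0]] = f[-1]
    return sas


def parse_policy(text):
    """One dict per policy: selector src/dst, dir, template tsrc/tdst, reqid."""
    pols = []
    for line in (ln.strip() for ln in text.splitlines()):
        f = line.split()
        if line.startswith("src "):
            pols.append({"src": f[1], "dst": f[3]})
        elif not pols:
            continue
        elif line.startswith("dir "):
            pols[-1]["dir"] = f[1]
        elif line.startswith("tmpl "):
            pols[-1]["tsrc"], pols[-1]["tdst"] = f[2], f[4]
        elif line.startswith("proto "):
            pols[-1]["reqid"] = int(re.search(r"reqid (\d+)", line).group(1))
    return pols


def redact_keys(text):
    """Blank the auth/enc keys: whoever holds them can decrypt captured ESP for that SA."""
    return KEY_RE.sub("0x[REDACTED]", text)


def orphan_policies(pols, sas):
    """Policies whose template (tunnel src, tunnel dst, reqid) has no SA in the SAD.
    Matching packets are not sent in the clear: the kernel raises an ACQUIRE to the
    keying daemon and drops them until an SA exists, which is why pings fail."""
    have = {(s["src"], s["dst"], s["reqid"]) for s in sas}
    return [p for p in pols if (p["tsrc"], p["tdst"], p["reqid"]) not in have]


def esp_counters(status_text):
    """SPI to byte count from the 'esp.SPI@PEER (N bytes' fields of `ipsec statusall`."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"esp\.([0-9a-f]+)@\S+ \((\d+) bytes", status_text)}


def one_way(counters):
    """True when one SA carried bytes and another carried none: we encrypt and send,
    nothing comes back, so look at the peer or the return path first."""
    values = list(counters.values())
    return any(v > 0 for v in values) and 0 in values


if __name__ == "__main__":
    sas, pols = parse_state(SAMPLE_STATE), parse_policy(SAMPLE_POLICY)
    print(redact_keys(SAMPLE_STATE))
    for p in orphan_policies(pols, sas):
        print("stale policy with no SA:", p)
    counters = esp_counters(SAMPLE_STATUS)
    print("bytes per SPI:", counters, "one-way traffic:", one_way(counters))
```

On a real host, `ip xfrm state` and `ip xfrm policy` need root or CAP_NET_ADMIN; feed their output to parse_state and parse_policy in place of the samples. The one-way check only says where to look next: the 180 bytes on esp.31f6b9e3 (outbound, src 212.219.238.26) against 0 bytes on esp.ce388bef (inbound) in the first post mean the local kernel encrypted and sent but never received a single ESP packet back, which points at the peer or the path between the gateways rather than at local decryption.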
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.network.openswan.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.openswan.user</link>
  </textinput>
</rdf:RDF>

