<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.network.openswan.user">
    <title>gmane.network.openswan.user</title>
    <link>http://blog.gmane.org/gmane.network.openswan.user</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21125"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21123"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21122"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21121"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21120"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21118"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21116"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21107"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21104"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21103"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21101"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21098"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21094"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21092"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21091"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21090"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21085"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21081"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21080"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.network.openswan.user/21078"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21125">
    <title>[Openswan Users] Questions around Hub and spoke config and routing using Draytek 28x series</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21125</link>
    <description>&lt;pre&gt;Hi all

Firstly I would like to introduce myself: I'm an IT professional based in the UK. We have been using OpenSwan for a little while and my questions are around interop.

We are moving towards using Openswan exclusively to connect third parties and connecting to third party devices.


Recently, I set up a central host hosted with my provider using OpenSwan 2.6 with netkey. I also connected to it via our office Draytek 2820n, which was simple and easy enough. The routing was straightforward and we can do simple things like monitoring and SNMP via the tunnel between the 'hub' and the office router.

A while later, I set up a 2nd node to another site; this was another Linux host using 2.6.32.6 [stock CentOS 5.8], also with netkey.

I wanted to route between this new node and our office via the hub, so I set up the appropriate routes to send traffic to our office node (which is terminated on the 2820n).

However, I discovered that the 2820n does not let me route traffic from the office LAN to the new 2nd &lt;/pre&gt;</description>
    <dc:creator>Daniel Cave</dc:creator>
    <dc:date>2012-05-25T14:35:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21123">
    <title>[Openswan Users]  netkey openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21123</link>
    <description>&lt;pre&gt;Sorry,re-sent it.
  ----- Original Message ----- 
  From: Ozai 
  To: users&amp;lt; at &amp;gt;lists.openswan.org 
  Sent: Thursday, May 24, 2012 5:44 PM
  Subject: [Openswan Users] netkey openswan Hardware Acceleration


  Dear Sirs,

  About Openswan with the netkey stack, I tried it before, but it failed.
  PC1 can ping PC2 but PC2 cannot ping PC1. I do not know which
  steps I missed. Could someone help me with this question? Thanks.
  ====================================
  &amp;lt;My test environment&amp;gt;
  PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
  192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
  ================================
  &amp;lt;ipsec.conf &amp;gt;
  config setup
   interfaces=%defaultroute
   oe=off
   protostack=netkey

  conn %default
    connaddrfamily=ipv4
    keyexchange=ike
    ike=3des-md5;modp1024
    phase2alg=3des-md5;modp1024
    auth=esp
    type=tunnel
    authby=secret
    auto=start

  conn sample
    left=172.17.21.80
 &lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T09:47:06</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21122">
    <title>[Openswan Users]  netkey openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21122</link>
    <description>&lt;pre&gt;Dear Sirs,

About Openswan with the netkey stack, I tried it before, but it failed.
PC1 can ping PC2 but PC2 cannot ping PC1. I do not know which
steps I missed. Could someone help me with this question? Thanks.
====================================
&amp;lt;My test environment&amp;gt;
PC1----------------GW1(ipsec-tool)------------------GW2(openswan)-------------PC2
192.168.6.1        172.17.21.87                     172.17.21.80             192.168.1.100
================================
&amp;lt;ipsec.conf &amp;gt;
config setup
 interfaces=%defaultroute
 oe=off
 protostack=netkey

conn %default
  connaddrfamily=ipv4
  keyexchange=ike
  ike=3des-md5;modp1024
  phase2alg=3des-md5;modp1024
  auth=esp
  type=tunnel
  authby=secret
  auto=start

conn sample
  left=172.17.21.80
  leftsubnet=192.168.1.0/24
  right=172.17.21.87
  rightsubnet=192.168.6.0/24
==============================
&amp;lt;ipsec.secrets&amp;gt;
172.17.21.80 172.17.21.87 : PSK "12345"
========================================
&amp;lt;Kernel feature&amp;gt;
CONFIG_XFRM=y
CONFIG_XFRM_USER=&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T09:44:42</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21121">
    <title>[Openswan Users]  netkey openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21121</link>
    <description>&lt;pre&gt; Dear Sirs,

 About Openswan with the netkey stack, I tried it before, but it failed.
 PC1 can ping PC2 but PC2 cannot ping PC1. I do not know which
 steps I missed. Could someone help me with this question? Thanks.
 ====================================
 &amp;lt;My test environment&amp;gt;
 PC1----------------GW1(ipsec-tool)----------------GW2(openswan)-------------PC2
 192.168.6.1        172.17.21.87                   172.17.21.80             192.168.1.100
 ================================
 &amp;lt;ipsec.conf &amp;gt;
 config setup
  interfaces=%defaultroute
  oe=off
  protostack=netkey

 conn %default
   connaddrfamily=ipv4
   keyexchange=ike
   ike=3des-md5;modp1024
   phase2alg=3des-md5;modp1024
   auth=esp
   type=tunnel
   authby=secret
   auto=start

 conn sample
   left=172.17.21.80
   leftsubnet=192.168.1.0/24
   right=172.17.21.87
   rightsubnet=192.168.6.0/24
 ==============================
 &amp;lt;ipsec.secrets&amp;gt;
 172.17.21.80 172.17.21.87 : PSK "12345"
 ========================================
 &amp;lt;Kernel feature&amp;gt;
 CONFIG_XFRM=y
 CONFIG_XFRM_USER=m
 CONFIG_XFRM_MIGRATE=y
 CONFIG_NET&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-24T08:06:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21120">
    <title>[Openswan Users] tunnels timing out since upgrading to 3.2.0</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21120</link>
    <description>&lt;pre&gt;I did an upgrade of my Ubuntu system which included an upgrade of the
kernel to 3.2.0.  Since then, my l2tp tunnels seem to be timing out and
being destroyed, at which point I have to manually restart it.

On the 3.2.0 end, the following is logged when this happens:

May 23 08:07:03 brian-laptop pluto[14651]: "nm-ipsec-l2tpd-14325" #80: IPsec SA expired (LATEST!)
May 23 08:07:07 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:39 brian-laptop pluto[14651]: initiate on demand from 10.75.22.228:55728 to 2.1.21.22:1701 proto=17 state: fos_start because: acquire
May 23 08:07:41 brian-laptop dbus[1536]: [system] Rejected send message, 2 matched rules; type="error", sender=":1.479" (uid=0 pid=14325 comm="/usr/lib/NetworkManager/nm-l2tp-service ") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.UnknownMethod" requested_reply="0" destination=":1.480" (uid=0 pid=14382 comm="/usr/sbin/pppd passive&lt;/pre&gt;</description>
    <dc:creator>Brian J. Murrell</dc:creator>
    <dc:date>2012-05-23T12:35:30</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21118">
    <title>[Openswan Users] openswan Hardware Acceleration</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21118</link>
    <description>&lt;pre&gt;Dear Sirs,

I merged Openswan 2.6.38 into embedded Linux (2.6.30 MIPS). The protostack is klips. Does Openswan support hardware acceleration? If yes, how could I enable it? Thanks.

Best Regards,
Ozai
_______________________________________________
Users&amp;lt; at &amp;gt;lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-22T09:41:58</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21116">
    <title>[Openswan Users] Tunnels up,packets from routed machines not going through tunnel</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21116</link>
    <description>&lt;pre&gt;Hi,

we have openswan running on our network's gateway and correctly negotiating
the tunnels. Here's how we are configuring it:
conn csq
        type=tunnel
        left=90.45.241.242 # left is our side
        leftsubnets={90.45.241.242/32,90.45.110.60/32}
        right=33.99.102.36
        rightsubnet=192.168.1.6/32
        authby=secret
        keyexchange=ike
        ikelifetime=24h
        ike=3des-md5;modp1024
        phase2=esp
        phase2alg=3des-md5;modp1024
        salifetime=24h
        auto=add

The gateway has two interfaces (90.45.110.1 and 90.45.241.242) configured to
do IP forwarding and there are no related iptables rules. All IPs on the
network are publicly accessible.

Our problem is that, while we can ping the machine on the other side from
our gateway just fine, the other machine in our subnet (90.45.110.60) is
apparently not being routed through one of the established tunnels but is
instead provoking the negotiation of a new tunnel in its name. This fails
because on the other side, on&lt;/pre&gt;</description>
    <dc:creator>Paul Goldbaum</dc:creator>
    <dc:date>2012-05-21T08:09:36</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21107">
    <title>[Openswan Users] No routing done</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21107</link>
    <description>&lt;pre&gt;Hello friends

I'm configuring a site-to-site VPN for a client but have problems with 
the routes. My tunnel is up and everything seems to be OK, but I have no 
communication between my two networks.

If the openswan service is down and I try to do a "traceroute" against 
the subnet I'm trying to connect to, the package is sent through the default 
route and jumps until it doesn't find the route; this is obviously normal 
behaviour:

$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  172.31.250.46 (172.31.250.46)  14.903 ms  14.916 ms  16.554 ms
  3  190.157.7.149 (190.157.7.149)  17.566 ms  17.568 ms  17.570 ms
  4  10.14.14.126 (10.14.14.126)  79.087 ms  79.102 ms  79.106 ms
  5  64.86.28.41 (64.86.28.41)  73.006 ms !H * *

But if the service is up and the tunnel established, the package doesn't 
route:
$ traceroute 192.168.202.22
traceroute to 192.168.202.22 (192.168.202.22), 30 hops max, 60 byte packets
  1  * * *
  2  * * *
  3  * * *
  4  * * &lt;/pre&gt;</description>
    <dc:creator>Wilfredo I. Pachón López</dc:creator>
    <dc:date>2012-05-16T15:21:47</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21104">
    <title>[Openswan Users] Ipsec Linux-L2TP Windows</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21104</link>
    <description>&lt;pre&gt;Welcome,

I am configuring an IPsec tunnel with Openswan and l2tpd using the howto at:
http://www.natecarlson.com/2006/07/10/configuring-an-ipsec-tunnel-with-openswan-and-l2tpd.
But I have problems establishing the connection.

This is my ipsec.conf
config setup
    nat_traversal=yes
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    interfaces=%none

conn dupa
    type=transport
    #authby=secret
    left=192.168.0.149
    leftid=%fromcert
    #leftrsasigkey=%cert
    leftcert=server.pem
    right=192.168.0.212
    rightid=%fromcert
    #rightrsasigkey=%cert
    rightcert=dupa1.pem
    rightca=%same
    #keyingtries=3
    #rekey=no
    #ikelifetime=8h
    #keylife=1h
    leftprotoport=17/1701
    rightprotoport=17/%any
    auto=add
    pfs=no


#xl2tpd.conf

[global]
port = 1701 
auth file = /etc/l2tpd/l2tp-secrets 

[lns default]
ip range = 192.168.0.1-192.168.0.250
local ip = 192.168.1.149
require chap = yes
refuse pap = yes&lt;/pre&gt;</description>
    <dc:creator>Jarek Joachimiak</dc:creator>
    <dc:date>2012-05-13T15:53:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21103">
    <title>[Openswan Users] Only ping allowed in VPN</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21103</link>
    <description>&lt;pre&gt;Hello friends i'm trying to configure a VPN openswan + Cisco, everything 
seems OK, even ping with remote machines is working, but if I try to 
communicate with TCP to an open port, it doesn't work.

Even "traceroute" isn't working; can you please give me some help?
I'm sure that the connection was or anything is happening because if I 
stop the ipsec daemon the ping stops functioning.

My configuration is:

config setup
         plutodebug=none
         klipsdebug=none
         plutoopts="--perpeerlog"
         nat_traversal=yes
         
         #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
         #interfaces=%defaultroute
         oe = off
         protostack=netkey
         nhelpers = 0
         plutostderrlog=/var/log/vpn

conn net-super
         type=tunnel
         authby=secret                # Key exchange method
         left=240.125.229.25          # Public Internet IP address of the
         leftsubnet=192.168.0.0/24     # Subnet protected by the LEFT VPN device
         leftnexthop&lt;/pre&gt;</description>
    <dc:creator>Wilfredo I. Pachón López</dc:creator>
    <dc:date>2012-05-11T18:13:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21101">
    <title>[Openswan Users] Security attacks</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21101</link>
    <description>&lt;pre&gt;We recently did a security audit against the latest .38 release. The only thing that failed the Ernest &amp;amp;&amp;amp; Young test was that they were able to insert a MIM agent and grab one of our transactions which was encrypted with AES_128 DH5. We use NETKEY and PSK. While they couldn't decrypt the transaction they were able to flood the concentrator with enough transactions that eventually due to over load some of those old transaction did manage to show up on our inside network and began to consume bandwidth.

So my question is (Paul or Tuomo) do you think that a change to RSA keys will prevent this brute force MIM attack? 
Thanks

&lt;/pre&gt;</description>
    <dc:creator>Goffe, Don</dc:creator>
    <dc:date>2012-05-11T15:54:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21098">
    <title>[Openswan Users] Understanding log messages</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21098</link>
    <description>&lt;pre&gt;Hi people:

I'm almost a newbie OpenSwan user. I configured a two-way connection
between openswan 2.6.32 using CentOS 5.8 x86 running
2.6.18-308.4.1.el5 kernel. My configuration file is the following:

config setup
        protostack=netkey
        nat_traversal=yes
        nhelpers=0

conn %default
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        ikelifetime=480m
        pfs=yes
        type=tunnel
        authby=secret
        auto=start

conn bank-cars
        right=W.X.Y.Z
        rightsubnet=10.108.3.0/24
        left=A.B.C.D
        leftid=172.31.64.41
        leftsubnet=130.30.0.0/16
        aggrmode=no
        auto=start

conn cars-bank
        right=A.B.C.D
        rightid=172.31.64.41
        rightsubnet=130.30.0.0/16
        left=W.X.Y.Z
        leftsubnet=10.108.3.0/24
        aggrmode=no
        auto=start

include /etc/ipsec.d/no_oe.conf

My /etc/ipsec.secrets looks like this:

A.B.C.D W.X.Y.Z : PSK "strongpassword"
172.31.64.41 W.X.Y.Z : PSK "stron&lt;/pre&gt;</description>
    <dc:creator>Jason Voorhees</dc:creator>
    <dc:date>2012-05-10T22:00:46</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21094">
    <title>[Openswan Users] Pushing routes to clients</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21094</link>
    <description>&lt;pre&gt;
Brian &amp;amp; SVM,

Thank you very much for this. At least it confirms I wasn't missing a simple
solution.

It's going to take me a while to digest this, and the implications of running
another DHCP server in our environment, and how to get a client to instigate 
a DHCPINFORM.

Thanks again

Greg
&lt;/pre&gt;</description>
    <dc:creator>5dxnea3pw8&lt; at &gt;snkmail.com</dc:creator>
    <dc:date>2012-05-08T20:59:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21092">
    <title>[Openswan Users] multiple start on openswan 2.6.37</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21092</link>
    <description>&lt;pre&gt;Dear Sirs,

I merged Openswan (2.6.37) into embedded Linux (2.6.30 MIPS). The IPsec tunnel works fine. One question: please see my ipsec.conf configuration below. If I type 'ipsec setup start', the connnames 'sample1' and 'sample2' will be started simultaneously. How could I start only one connname? Thanks.

Best Regards,
Ozai

# cat ipsec.conf

config setup
        dumpdir=/var/run/pluto/
        interfaces=ipsec0=ppp0.1
        oe=off
        protostack=klips

conn %default
                keyexchange=ike
                ike=3des-md5-modp1024
                esp=3des-md5
                auth=esp
                type=tunnel
                authby=secret
                auto=start

conn sample1
                left=111.243.154.145
                leftsubnet=192.168.1.0/24
                right=111.243.154.196
                rightsubnet=192.168.2.0/24

conn sample2
                left=111.243.154.145
                leftsubnet=192.168.1.0/24
                right=111.243.152.134
                rightsubn&lt;/pre&gt;</description>
    <dc:creator>Ozai</dc:creator>
    <dc:date>2012-05-07T07:25:39</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21091">
    <title>[Openswan Users] OpenSWAN and iPhone IPSec only VPN</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21091</link>
    <description>&lt;pre&gt;Oops! I think I sent this to an old list address.  I'll repost now - John

Hello, all.  I've been beating my head against the wall for days trying
to get the built-in iPhone IPSec only (Cisco) client working with
OpenSWAN.  We need to use the IPSec only approach rather than L2TP/IPSec
because we need to preserve the association between the certificate
fields and the IP address; we lose them when IPSec is only used to drop
off a PPP packet as with L2TP.

I'll try to summarize days of work and endless permutations as
succinctly as possible.  We first tried PSK.  According to the iOS
documentation, this requires XAUTH.  It also apparently requires modecfg.
Among many variations, we used these OpenSWAN settings - we are
experimenting in our test lab so the "public" addresses are all RFC1918:

conn iPhone
        leftxauthserver=yes
        rightxauthclient=yes
        rightmodecfgserver=yes
        #leftxauthusername=phone
        leftmodecfgserver=yes
        #leftmodecfgclient=yes
        ikev2=never
        re&lt;/pre&gt;</description>
    <dc:creator>John A. Sullivan III</dc:creator>
    <dc:date>2012-05-06T02:59:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21090">
    <title>[Openswan Users] OpenSWAN and iPhone IPSec only VPN</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21090</link>
    <description>&lt;pre&gt;Hello, all.  I've been beating my head against the wall for days trying
to get the built-in iPhone IPSec only (Cisco) client working with
OpenSWAN.  We need to use the IPSec only approach rather than L2TP/IPSec
because we need to preserve the association between the certificate
fields and the IP address; we lose them when IPSec is only used to drop
off a PPP packet as with L2TP.

I'll try to summarize days of work and endless permutations as
succinctly as possible.  We first tried PSK.  According to the iOS
documentation, this requires XAUTH.  It also apparently requires modecfg.
Among many variations, we used these OpenSWAN settings - we are
experimenting in our test lab so the "public" addresses are all RFC1918:

conn iPhone
        leftxauthserver=yes
        rightxauthclient=yes
        rightmodecfgserver=yes
        #leftxauthusername=phone
        leftmodecfgserver=yes
        #leftmodecfgclient=yes
        ikev2=never
        rekey=no
        modecfgdns1=4.2.2.2
        also=RWNAT

conn Android
       &lt;/pre&gt;</description>
    <dc:creator>John A. Sullivan III</dc:creator>
    <dc:date>2012-05-06T02:57:44</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21085">
    <title>[Openswan Users] Pushing routes to clients</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21085</link>
    <description>&lt;pre&gt;Hi,

Our target configuration is road warriors using IPsec/L2TP which connect on demand. A given user may connect to multiple VPN servers concurrently depending on which suppliers they are working with (this means we can't just send all traffic over the VPN). Each VPN server has a variety of subnets behind it.

We can connect to the VPN servers fine and if we hard-code routes for the various subnets on the client all is well. However, hard-coding these routes is a real pain in the backside. We haven't identified a reliable solution for our Mac users.

Pushing the routes from xl2tpd or ppp on a per-connection basis would be much more manageable. Is this possible or ever likely to be possible?

Thanks

Greg
&lt;/pre&gt;</description>
    <dc:creator>5dxnea3pw8&lt; at &gt;snkmail.com</dc:creator>
    <dc:date>2012-05-04T11:01:18</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21081">
    <title>[Openswan Users] VPN works but getting errors</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21081</link>
    <description>&lt;pre&gt;I have a functioning VPN connection between my centos box and a router 
with a dynamic connection. The VPN works, but I keep getting this 
message in the log files constantly -

May  2 08:19:22 services pluto[23699]: "VOIP-VPN"[4] x.x.x.x #325300: 
ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
May  2 08:19:22 services pluto[23699]: "VOIP-VPN"[4] x.x.x.x #325300: 
received and ignored informational message

What causes it? Is it something to worry about, and can I shut it off? - 
Jeremy
&lt;/pre&gt;</description>
    <dc:creator>Jeremy Schaeffer</dc:creator>
    <dc:date>2012-05-02T19:48:14</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21080">
    <title>[Openswan Users] can't reset password on tracker</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21080</link>
    <description>&lt;pre&gt;I really hate to bother the list with this but there is no contact
information at https://gsoc.xelerance.com/ and I have tried about 4
times now to reset my password there but it continues to fail to work.

How do I get this fixed?

Cheers,
b.

&lt;/pre&gt;</description>
    <dc:creator>Brian J. Murrell</dc:creator>
    <dc:date>2012-05-02T16:49:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21078">
    <title>[Openswan Users] Strongswan 4.4.1 kernel-netlink problem?</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21078</link>
    <description>&lt;pre&gt;Hi list,

I have installed Strongswan 4.4.1 on Debian arm (2.6.32-5-kirkwood) and
to connect a third party supplier to our network in a site-to-site
configuration:

ipsec.d/unit4.conf

config setup
    plutodebug=all
    charonstart=no

conn %default
        ikelifetime=8h
        keylife=1h
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        pfs=yes
        pfsgroup=modp1024

conn unit4
        left=212.219.238.26
        leftsubnet=212.219.139.96/28
        leftfirewall=yes
        right=194.73.112.61
        rightsubnet=172.30.0.8/29
        auto=start

strongswan.conf

pluto {
  load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
}

libstrongswan {
  dh_exponent_ansi_x9_42 = no
}

On ipsec start I see kernel-netlink failing to load:

pluto[5588]: plugin 'kernel-netlink' failed to load:
/usr/lib/ipsec/plugins/libstrongswan-kernel-netlink.so: undefined
symbol: policy_dir_names

The tunnel is se&lt;/pre&gt;</description>
    <dc:creator>Ed Spick</dc:creator>
    <dc:date>2012-05-02T08:44:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.network.openswan.user/21077">
    <title>[Openswan Users] Delete Payload error in Openswan</title>
    <link>http://comments.gmane.org/gmane.network.openswan.user/21077</link>
    <description>&lt;pre&gt;Hi all,

Topology
_______


Hi,

GW1 ---------------------------- GW2( openswan)
              Tunnel


I formed a tunnel between GW1 and GW2. After some time the IPsec service is
stopped on GW1 and
it's intimating the openswan GW with a delete payload message. Upon receiving the
message, openswan
is deleting only the SAD database but not the SPD database. Because the SPD
database lingers in
the kernel, ping packets are getting dropped.

Is this an expected behavior?
Is there any RFC/Standard which talks about this?



Regards,
Anonymous cross.
&lt;/pre&gt;</description>
    <dc:creator>Anonymous cross</dc:creator>
    <dc:date>2012-05-02T07:30:19</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.network.openswan.user">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.network.openswan.user</link>
  </textinput>
</rdf:RDF>

