
[Q] IPSec OpenSwan (Fedora Core3) to FreeSwan device


TheEdge
28th November 2004, 09:19 AM
G'Day,

- Apologies for the long post, but most of it is logs and config information
- Can someone point me in the right direction to get this going please?
- All suggestions welcomed and I can provide more debugging data if required.

I have the following LAN config:

FedoraBox : 192.168.40.3 (GateWay: 192.168.40.1)
GateWayBox : 192.168.40.1 and connected to the Net. It just does a passthrough of IPSEC
RemoteIPSecDeviceRunningFreeSwan: Public Internet Address and on network 192.168.42.0/24

Now in essence I am attempting to set up a tunnel between FedoraBox and RemoteIPSecDeviceRunningFreeSwan so that I can access the 192.168.42.0/24 securely from my 192.168.40.0/24 network. However, when I attempt to start the connection using:

ipsec auto --up Namadgi

On FedoraBox I see:

104 "Namadgi" #1245: STATE_MAIN_I1: initiate
003 "Namadgi" #1245: ignoring Vendor ID payload [Dead Peer Detection]
106 "Namadgi" #1245: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Namadgi" #1245: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Namadgi" #1245: STATE_MAIN_I4: ISAKMP SA established
112 "Namadgi" #1246: STATE_QUICK_I1: initiate
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 40s for response
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
031 "Namadgi" #1246: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "Namadgi" #1246: starting keying attempt 2 of an unlimited number, but releasing whack

On RemoteIPSecDeviceRunningFreeSwan I see:

Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: using deflate compression
Nov 23 21:03:19 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: responding to Quick Mode
Nov 23 21:03:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:03:33 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5543: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:03:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: using deflate compression
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: responding to Quick Mode
Nov 23 21:04:30 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5545: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:04:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: discarding duplicate packet; already STATE_QUICK_R1
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: using deflate compression
Nov 23 21:05:39 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: responding to Quick Mode
Nov 23 21:05:40 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5546: max number of retransmissions (2) reached STATE_QUICK_R1
Nov 23 21:05:49 Pluto[129]: "DonovanHome" 203.21x.xx.xx #5547: discarding duplicate packet; already STATE_QUICK_R1

So it looks like the phase 1 part succeeds but not phase 2. Here is the relevant config information from the FedoraBox:

[root@moe ~]# uname -va
Linux moe.home.local 2.6.9-1.678_FC3 #1 Mon Nov 15 18:28:07 EST 2004 i686 i686 i386 GNU/Linux

[root@moe ~]# ipsec --version
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)

[root@moe ~]# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.40.3
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "Namadgi": 192.168.40.0/24===192.168.40.3[203.21x.xx.xx,S=C]---192.168.40.1...192.168.42.5---203.26.xx.xx[S=C]===192.168.42.0/24; unrouted; eroute owner: #0
000 "Namadgi": ike_life: 18000s; ipsec_life: 3600s; rekey_margin: 60s; rekey_fuzz: 50%; keyingtries: 0
000 "Namadgi": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY+UP; prio: 24,24; interface: eth0;
000 "Namadgi": newest ISAKMP SA: #1245; newest IPsec SA: #0;
000
000 #1251: "Namadgi" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s
000 #1245: "Namadgi" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 17566s; newest ISAKMP
000

[root@moe ~]# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path [OK]
Linux Openswan U2.1.5/K2.6.9-1.678_FC3 (native) (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]

Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: moe.home.local [MISSING]
Does the machine have at least one non-private address? [FAILED]

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all

# Add connections here.
conn Namadgi
        type=tunnel
        left=192.168.40.3
        leftsubnet=192.168.40.0/24
        leftnexthop=192.168.40.1
        right=203.26.16.136
        rightsubnet=192.168.42.0/24
        rightnexthop=192.168.42.5
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        pfs = yes
        esp = 3DES-SHA1
        ikelifetime = 300m
        keylife = 60m
        compress = yes
        rekey = no
        leftid = somehost.somedomain.com
        rightid = 203.26.xx.xx
        rekeyfuzz = 50%
        rekeymargin = 1m
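Editor's note on the logs above: phase 1 completes (STATE_MAIN_I4, ISAKMP SA established) and the remote end does answer Quick Mode ("responding to Quick Mode"), so the failure is local. The line "netlink response for Add SA comp.4608@192.168.40.3 included errno 22" is pluto asking the native (NETKEY) kernel stack to install the IPComp SA that compress=yes negotiated (the FreeS/WAN side logs "using deflate compression") and the kernel refusing it with EINVAL. The thread never establishes why the kernel rejected that SA, so the obvious diagnostic is to separate the two questions: does phase 2 fail because of the IPComp SA, or because of the ESP SA? The script below is an added example, not part of the original post or of Openswan; it triages pluto output of the format shown above into one verdict (the verdict names and the hint text are mine) and includes a live check for the deflate compressor in the running kernel. The sample log embedded in it is a constructed copy of the lines from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): triage the output
# of "ipsec auto --up <conn>" / pluto logs to tell which IKE phase failed and
# whether phase 2 died because the local kernel refused to install an SA.
# Real usage:  ipsec auto --up Namadgi 2>&1 | ike_triage

# Constructed sample: a copy of the lines the post shows on FedoraBox.
SAMPLE_LOG='104 "Namadgi" #1245: STATE_MAIN_I1: initiate
003 "Namadgi" #1245: ignoring Vendor ID payload [Dead Peer Detection]
106 "Namadgi" #1245: STATE_MAIN_I2: sent MI2, expecting MR2
108 "Namadgi" #1245: STATE_MAIN_I3: sent MI3, expecting MR3
004 "Namadgi" #1245: STATE_MAIN_I4: ISAKMP SA established
112 "Namadgi" #1246: STATE_QUICK_I1: initiate
003 "Namadgi" #1246: ERROR: netlink response for Add SA comp.4608@192.168.40.3 included errno 22: Invalid argument
032 "Namadgi" #1246: STATE_QUICK_I1: internal error
010 "Namadgi" #1246: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "Namadgi" #1246: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal'

# ike_triage: read pluto output on stdin and print exactly one verdict line:
#   TUNNEL_UP                                             (IPsec SA established)
#   PHASE1_FAIL                                           (no ISAKMP SA)
#   PHASE2_KERNEL_SA_FAIL <proto>.<spi>@<addr> errno=<n>  (kernel rejected an SA)
#   PHASE2_FAIL                                           (peer rejected or never answered)
ike_triage() {
    awk '
        /ISAKMP SA established/ { p1 = 1 }
        /IPsec SA established/  { p2 = 1 }
        /netlink response for Add SA/ && !ksa {
            ksa = 1
            # "Add SA comp.4608@192.168.40.3" -> "comp.4608@192.168.40.3"
            match($0, /Add SA [^ ]+/); spec = substr($0, RSTART + 7, RLENGTH - 7)
            # "errno 22" -> "22"
            match($0, /errno [0-9]+/); err = substr($0, RSTART + 6, RLENGTH - 6)
        }
        END {
            if (p2)  { print "TUNNEL_UP"; exit }
            if (!p1) { print "PHASE1_FAIL"; exit }
            if (ksa) { print "PHASE2_KERNEL_SA_FAIL " spec " errno=" err; exit }
            print "PHASE2_FAIL"
        }'
}

# sa_hint: turn a verdict into the next thing to check. The protocol prefix of
# the SA spec says which SA the kernel refused: "comp" is the IPComp SA that
# compress=yes negotiates, "esp" is the ESP SA carrying the actual traffic.
sa_hint() {
    case "$1" in
        TUNNEL_UP)
            echo "phase 1 and phase 2 complete; look at routing/eroutes next" ;;
        PHASE1_FAIL)
            echo "ISAKMP SA never came up: check PSK, IDs, IKE proposal and UDP/500 reachability" ;;
        "PHASE2_KERNEL_SA_FAIL comp."*)
            echo "peer answered Quick Mode but the local kernel refused the IPComp SA;"
            echo "retry with compress=no in the conn to see whether the ESP SA installs" ;;
        "PHASE2_KERNEL_SA_FAIL esp."*)
            echo "local kernel refused the ESP SA: check the esp= algorithms are available in the kernel" ;;
        PHASE2_FAIL)
            echo "peer rejected the Quick Mode proposal: compare subnets, esp= and pfs= on both ends" ;;
        *)
            echo "unknown verdict: $1" ;;
    esac
}

# ipcomp_available: live check against the running kernel (not exercised by the
# sample log): does the crypto API expose the "deflate" compressor that an
# IPComp SA needs? Returns 0 if yes, 1 if not or if /proc/crypto is unreadable.
ipcomp_available() {
    [ -r /proc/crypto ] && grep -q '^name *: *deflate' /proc/crypto
}

verdict=$(printf '%s\n' "$SAMPLE_LOG" | ike_triage)
echo "$verdict"
sa_hint "$verdict"
```

On the posted log this prints PHASE2_KERNEL_SA_FAIL comp.4608@192.168.40.3 errno=22 and the compress=no hint; if the tunnel then comes up without compression, the problem is confined to IPComp on that kernel/Openswan combination rather than to the PSK, IDs or ESP proposal. Two practitioner caveats: the script keys off the message formats of the Openswan 2.1.x pluto shown above, so check the patterns against newer versions before relying on it, and the plutodebug=all / klipsdebug=all settings in the config make pluto log raw packet contents, so scrub such logs before posting them.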

jas
19th May 2005, 12:13 AM
What about now?

Let's do it

http://www.fedoraforum.org/forum/showthread.php?t=52359&highlight=openswan

ghenry
5th July 2005, 10:19 PM

Any updates?

TheEdge
5th July 2005, 10:51 PM
I was never able to get this working. So instead I got myself a snapgear device from www.snapgear.com and that has worked a charm.