
List:       openswan-users
Subject:    [Openswan Users] BUG 1201: dpd + ddns does not work
From:       Nrupen Chudasma <nrupen () gmail ! com>
Date:       2012-03-27 6:14:28
Message-ID: CAAf4D2wmHrnp8UbC7dw74JvGGRY=DZpWNhXvnQwTU6Qd3grztQ () mail ! gmail ! com

Hi,

I have been using openswan 2.6.24 with NETKEY for quite a long time.
I had a requirement for DynDNS-based remote-host support for making the
connections. Since support for this has been added, I tried it with the 2.6.24
version and could not get it to work.

I found bug#1201, which describes exactly this problem, so I upgraded to version
2.6.33. But the problem is still there. I even tried the latest version, i.e.
2.6.38, but the result is the same.

According to the RCA done for the bug, "conn->dnshostname" is NULL. The
suggested workaround was to configure the connection with ipsec whack.

I tried that. Please correct me if my approach to the problem is wrong. I have
set the remote host to "ddnstest" and added a matching entry in the /etc/hosts
file.
I add one connection with ipsec whack and initiate it. Later I change my remote
host's IP and update the corresponding entry in /etc/hosts.
The dpdtimeout expires because the former IP is no longer reachable, so DPD
declares the peer dead, and dpdaction=restart triggers re-initiation of the
connection.
Still, the connection is re-initiated to the same (old) IP as before.

Please point out if I am doing something wrong.
The details of the steps I have taken so far and the logs are below.

root@ng:~# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth2.2/eth2.2 10.103.7.133
000 interface eth2.2/eth2.2 10.103.7.133
000 interface br-lan/br-lan 10.1.2.1
000 interface br-lan/br-lan 10.1.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not
work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
trans={0,2,216} attrs={0,2,288}
000
000
000
root@ng:~#
root@ng:~#
root@ng:~#
root@ng:~#
root@ng:~#
root@ng:~#
root@ng:~#
root@ng:~# cat /etc/ipsec.conf
version 2.0      # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        oe=off
        protostack=netkey


conn ngpassthrough
        left=10.1.2.1
        right=0.0.0.0
        leftsubnet=10.1.2.0/255.255.255.0
        rightsubnet=10.1.2.0/255.255.255.0
        authby=never
        type=passthrough
        auto=route

conn ng
        right=ddnstest
        rightsubnet=10.1.1.0/24
        left=10.103.7.133
        leftsubnet=10.1.2.0/255.255.255.0
        leftnexthop=10.103.6.1
        auto=start
        #x_rightdynamic=yes
        authby=secret
        compress=no
        failureshunt=drop
        dpddelay=15
        dpdtimeout=60
        dpdaction=restart
        pfs=yes

ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,a \
es192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-m \
d5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-m \
odp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048, \
aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048


esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1


root@ng:~# cat /etc/ipsec.secrets
10.103.7.133 ddnstest : PSK "adminadmin"
root@ng:~#
root@ng:~#
root@ng:~# ipsec whack --name test --encrypt --tunnel --pfs --dpddelay 15
--dpdtimeout 60 --dpdaction restart --psk --host 10.
103.7.133 --nexthop 10.103.6.1 --client 10.1.2.0/24 --to --host ddnstest
--client 10.1.1.0/24
002 added connection description "test"
root@ng:~#
root@ng:~# ipsec whack --initiate --name test
002 "test" #11: initiating Main Mode
104 "test" #11: STATE_MAIN_I1: initiate
003 "test" #11: ignoring unknown Vendor ID payload
[4f45557d6068416e77737478]
003 "test" #11: received Vendor ID payload [Dead Peer Detection]
003 "test" #11: received Vendor ID payload [RFC 3947] method set to=109
002 "test" #11: enabling possible NAT-traversal with method 4
002 "test" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test" #11: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no
NAT detected
002 "test" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test" #11: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test" #11: received Vendor ID payload [CAN-IKEv2]
002 "test" #11: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.70'
002 "test" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test" #11: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
002 "test" #11: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using
isakmp#11 msgid:faa36d7a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test" #12: STATE_QUICK_I1: initiate
002 "test" #12: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x81cd918c <0xf4534088 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=enabled}
root@ng:~#
root@ng:~#
root@ng:~# vi /etc/hosts

127.0.0.1 localhost.
10.103.6.71 ddnstest





LOGS from /var/log/messages...
Dec  4 17:35:31 ng authpriv.warn pluto[11096]: added connection description
"test"

Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: initiating Main
Mode
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: ignoring unknown
Vendor ID payload [4f45557d6068416e77737478]
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor
ID payload [Dead Peer Detection]
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor
ID payload [RFC 3947] method set to=109
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: enabling
possible NAT-traversal with method 4
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I2:
sent MI2, expecting MR2
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal): no NAT detected
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I3:
sent MI3, expecting MR3
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: received Vendor
ID payload [CAN-IKEv2]
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Main mode peer
ID is ID_IPV4_ADDR: '10.103.6.70'
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Dead Peer
Detection (RFC 3706): enabled
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11 msgid:faa36d7a
proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: Dead Peer
Detection (RFC 3706): enabled
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: STATE_QUICK_I2:
sent QI2, IPsec SA established tunnel mode {ESP=>0x81cd918c <0xf4534088
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}


Dec  4 17:36:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]

Dec  4 17:36:31 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:36:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:01 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: No response
from peer - declaring peer dead
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: Restarting
Connection
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state
(STATE_QUICK_I2)
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state
(STATE_QUICK_I2)
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink
response for Del SA esp.81cd918c@10.103.6.70 included errno 3: No such
process
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink
response for Del SA esp.f4534088@10.103.7.133 included errno 3: No such
process
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #13: initiating Main
Mode to replace #11
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:38:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:39:06 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]


[Attachment #3 (text/html)]

Hi,<br><br>I have been using openswan 2.6.24 with NETKEY for quite a long time.<br>I \
had a requirement for DYNDNS based remote host support for making the connections. As \
there is support added, I tried with the 2.6.24 version and could not succeed.<br> \
<br>I searched out for bug#1201 with the exact reason. So I uprated to version \
2.6.33. But the problem is still there. Even I tried latest version i.e. 2.6.38 but \
the result is same.<br><br>According to the RCA done for the bug, \
&quot;conn-&gt;dnshostname&quot; is NULL. The specified solution was to work with \
ipsec whack.<br> <br>I tried with that. Please correct me if my approach for the \
problem is wrong. I have put remote as &quot;ddnstest&quot; and added entry in the \
/etc/hosts file.<br>I add one connection with ipsec whack. Initiate the connection. \
Later I change my remote host&#39;s IP and add the according entry in /etc/hosts.<br> \
The dpdtimeout happens as the former IP no longer available and thus I get the DPD in \
which case my action restart triggers the initiation of the connection.<br>Still my \
connection is initiated to the same IP as before.<br> <br>Point me if I am doing \
something wrong.<br>Find the details of the steps I have done so far and the logs as \
below.<br><br>root@ng:~# ipsec auto --status<br>000 using kernel interface: \
netkey<br>000 interface lo/lo 127.0.0.1<br> 000 interface lo/lo 127.0.0.1<br>000 \
interface eth2.2/eth2.2 10.103.7.133<br>000 interface eth2.2/eth2.2 \
10.103.7.133<br>000 interface br-lan/br-lan 10.1.2.1<br>000 interface br-lan/br-lan \
10.1.2.1<br>000 %myid = (none)<br> 000 debug none<br>000 <br>000 virtual_private \
(%priv):<br>000 - allowed 0 subnets: <br>000 - disallowed 0 subnets: <br>000 WARNING: \
Either virtual_private= is not specified, or there is a syntax <br>000          error \
in that line. &#39;left/rightsubnet=vhost:%priv&#39; will not work!<br> 000 WARNING: \
Disallowed subnets in virtual_private= is empty. If you have <br>000          private \
address space in internal use, it should be excluded!<br>000 <br>000 algorithm ESP \
encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<br> 000 algorithm \
ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192<br>000 \
algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, \
keysizemax=256<br>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, \
keysizemin=128, keysizemax=256<br> 000 algorithm ESP encrypt: id=15, \
name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP \
encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256<br>000 \
algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, \
keysizemax=256<br> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, \
keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=20, \
name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP auth \
attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br> 000 \
algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, \
keysizemax=160<br>000 <br>000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, \
keydeflen=131<br>000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, \
blocksize=8, keydeflen=128<br> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, \
blocksize=8, keydeflen=192<br>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, \
blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65004, \
name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128<br> 000 algorithm IKE encrypt: \
id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE \
encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128<br>000 \
algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br> 000 algorithm IKE hash: \
id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE hash: id=4, \
name=OAKLEY_SHA2_256, hashsize=32<br>000 algorithm IKE hash: id=6, \
name=OAKLEY_SHA2_512, hashsize=64<br>000 algorithm IKE dh group: id=2, \
name=OAKLEY_GROUP_MODP1024, bits=1024<br> 000 algorithm IKE dh group: id=5, \
name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, \
name=OAKLEY_GROUP_MODP2048, bits=2048<br>000 algorithm IKE dh group: id=15, \
name=OAKLEY_GROUP_MODP3072, bits=3072<br> 000 algorithm IKE dh group: id=16, \
name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, \
name=OAKLEY_GROUP_MODP6144, bits=6144<br>000 algorithm IKE dh group: id=18, \
name=OAKLEY_GROUP_MODP8192, bits=8192<br> 000 algorithm IKE dh group: id=22, \
name=OAKLEY_GROUP_DH22, bits=1024<br>000 algorithm IKE dh group: id=23, \
name=OAKLEY_GROUP_DH23, bits=2048<br>000 algorithm IKE dh group: id=24, \
name=OAKLEY_GROUP_DH24, bits=2048<br>000 <br> 000 stats db_ops: {curr_cnt, total_cnt, \
maxsz} :context={0,2,36} trans={0,2,216} attrs={0,2,288} <br>000 <br>000 <br>000 \
<br>root@ng:~# <br>root@ng:~# <br>root@ng:~# <br>root@ng:~# <br>root@ng:~# \
<br>root@ng:~# <br>root@ng:~# <br> root@ng:~# cat /etc/ipsec.conf <br>version 2.0     \
# conforms to second version of ipsec.conf specification<br><br>config setup<br>      \
nat_traversal=yes<br>        oe=off<br>        protostack=netkey<br><br><br>conn \
ngpassthrough<br>  left=10.1.2.1<br>        right=0.0.0.0<br>        leftsubnet=<a \
href="http://10.1.2.0/255.255.255.0">10.1.2.0/255.255.255.0</a><br>        \
rightsubnet=<a href="http://10.1.2.0/255.255.255.0">10.1.2.0/255.255.255.0</a><br>  \
authby=never<br>        type=passthrough<br>        auto=route<br><br>conn ng<br>     \
right=ddnstest<br>        rightsubnet=<a \
href="http://10.1.1.0/24">10.1.1.0/24</a><br>        left=10.103.7.133<br>        \
leftsubnet=<a href="http://10.1.2.0/255.255.255.0">10.1.2.0/255.255.255.0</a><br>  \
leftnexthop=10.103.6.1<br>        auto=start<br>        #x_rightdynamic=yes<br>       \
authby=secret<br>        compress=no<br>        failureshunt=drop<br>        \
dpddelay=15<br>        dpdtimeout=60<br>        dpdaction=restart<br>  pfs=yes<br>    \
ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,a \
es192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-m \
d5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-m \
odp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048, \
aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048<br>
  esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1<br><br>root@ng:~# \
cat /etc/ipsec.secrets <br>10.103.7.133 ddnstest : PSK \
&quot;adminadmin&quot;<br>root@ng:~# <br>root@ng:~# <br> root@ng:~# ipsec whack \
--name test --encrypt --tunnel --pfs --dpddelay 15 --dpdtimeout 60 --dpdaction \
restart --psk --host 10.<br>103.7.133 --nexthop 10.103.6.1 --client <a \
href="http://10.1.2.0/24">10.1.2.0/24</a> --to --host ddnstest --client <a \
href="http://10.1.1.0/24">10.1.1.0/24</a><br> 002 added connection description \
&quot;test&quot;<br>root@ng:~# <br>root@ng:~# ipsec whack --initiate --name \
test<br>002 &quot;test&quot; #11: initiating Main Mode<br>104 &quot;test&quot; #11: \
STATE_MAIN_I1: initiate<br>003 &quot;test&quot; #11: ignoring unknown Vendor ID \
payload [4f45557d6068416e77737478]<br> 003 &quot;test&quot; #11: received Vendor ID \
payload [Dead Peer Detection]<br>003 &quot;test&quot; #11: received Vendor ID payload \
[RFC 3947] method set to=109 <br>002 &quot;test&quot; #11: enabling possible \
NAT-traversal with method 4<br> 002 &quot;test&quot; #11: transition from state \
STATE_MAIN_I1 to state STATE_MAIN_I2<br>106 &quot;test&quot; #11: STATE_MAIN_I2: sent \
MI2, expecting MR2<br>003 &quot;test&quot; #11: NAT-Traversal: Result using RFC 3947 \
(NAT-Traversal): no NAT detected<br> 002 &quot;test&quot; #11: transition from state \
STATE_MAIN_I2 to state STATE_MAIN_I3<br>108 &quot;test&quot; #11: STATE_MAIN_I3: sent \
MI3, expecting MR3<br>003 &quot;test&quot; #11: received Vendor ID payload \
[CAN-IKEv2]<br> 002 &quot;test&quot; #11: Main mode peer ID is ID_IPV4_ADDR: \
&#39;10.103.6.70&#39;<br>002 &quot;test&quot; #11: transition from state \
STATE_MAIN_I3 to state STATE_MAIN_I4<br>004 &quot;test&quot; #11: STATE_MAIN_I4: \
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha \
group=modp2048}<br> 002 &quot;test&quot; #11: Dead Peer Detection (RFC 3706): \
enabled<br>002 &quot;test&quot; #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP \
{using isakmp#11 msgid:faa36d7a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}<br> \
117 &quot;test&quot; #12: STATE_QUICK_I1: initiate<br>002 &quot;test&quot; #12: Dead \
Peer Detection (RFC 3706): enabled<br>002 &quot;test&quot; #12: transition from state \
STATE_QUICK_I1 to state STATE_QUICK_I2<br>004 &quot;test&quot; #12: STATE_QUICK_I2: \
sent QI2, IPsec SA established tunnel mode {ESP=&gt;0x81cd918c &lt;0xf4534088 \
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}<br> root@ng:~# \
<br>root@ng:~# <br>root@ng:~# vi /etc/hosts <br><br>127.0.0.1 \
localhost.<br>10.103.6.71 ddnstest<br><br><br><br><br><br>LOGS from \
/var/log/messages...<br>Dec  4 17:35:31 ng authpriv.warn pluto[11096]: added \
connection description &quot;test&quot;<br> <br>Dec  4 17:35:42 ng authpriv.warn \
pluto[11096]: &quot;test&quot; #11: initiating Main Mode<br>Dec  4 17:35:42 ng \
authpriv.warn pluto[11096]: &quot;test&quot; #11: ignoring unknown Vendor ID payload \
                [4f45557d6068416e77737478]<br>
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: received Vendor \
ID payload [Dead Peer Detection]<br>Dec  4 17:35:42 ng authpriv.warn pluto[11096]: \
                &quot;test&quot; #11: received Vendor ID payload [RFC 3947] method \
                set to=109 <br>
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: enabling \
possible NAT-traversal with method 4<br>Dec  4 17:35:42 ng authpriv.warn \
pluto[11096]: &quot;test&quot; #11: transition from state STATE_MAIN_I1 to state \
                STATE_MAIN_I2<br>
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: STATE_MAIN_I2: \
sent MI2, expecting MR2<br>Dec  4 17:35:43 ng authpriv.warn pluto[11096]: \
&quot;test&quot; #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT \
                detected<br>
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: transition from \
state STATE_MAIN_I2 to state STATE_MAIN_I3<br>Dec  4 17:35:43 ng authpriv.warn \
                pluto[11096]: &quot;test&quot; #11: STATE_MAIN_I3: sent MI3, \
                expecting MR3<br>
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: received Vendor \
ID payload [CAN-IKEv2]<br>Dec  4 17:35:43 ng authpriv.warn pluto[11096]: \
                &quot;test&quot; #11: Main mode peer ID is ID_IPV4_ADDR: \
                &#39;10.103.6.70&#39;<br>
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: transition from \
state STATE_MAIN_I3 to state STATE_MAIN_I4<br>Dec  4 17:35:43 ng authpriv.warn \
pluto[11096]: &quot;test&quot; #11: STATE_MAIN_I4: ISAKMP SA established \
                {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha \
                group=modp2048}<br>
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: Dead Peer \
Detection (RFC 3706): enabled<br>Dec  4 17:35:43 ng authpriv.warn pluto[11096]: \
&quot;test&quot; #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using \
                isakmp#11 msgid:faa36d7a proposal=defaults \
                pfsgroup=OAKLEY_GROUP_MODP2048}<br>
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: &quot;test&quot; #12: Dead Peer \
Detection (RFC 3706): enabled<br>Dec  4 17:35:43 ng authpriv.warn pluto[11096]: \
&quot;test&quot; #12: transition from state STATE_QUICK_I1 to state \
                STATE_QUICK_I2<br>
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: &quot;test&quot; #12: STATE_QUICK_I2: \
sent QI2, IPsec SA established tunnel mode {ESP=&gt;0x81cd918c &lt;0xf4534088 \
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}<br> <br><br>Dec  4 17:36:16 \
ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 \
(sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.6.71">10.103.6.71</a>: No route to host [errno 148, origin ICMP \
type 3 code 1 (not authenticated)]<br> <br>Dec  4 17:36:31 ng authpriv.warn \
pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for \
message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.6.71">10.103.6.71</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:36:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:37:01 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: &quot;test&quot; #11: DPD: No response \
from peer - declaring peer dead<br>Dec  4 17:37:13 ng authpriv.warn pluto[11096]: \
&quot;test&quot; #11: DPD: Restarting Connection<br>Dec  4 17:37:13 ng authpriv.warn \
                pluto[11096]: &quot;test&quot; #12: rekeying state \
                (STATE_QUICK_I2)<br>
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: &quot;test&quot; #12: rekeying state \
(STATE_QUICK_I2)<br>Dec  4 17:37:13 ng authpriv.warn pluto[11096]: &quot;test&quot; \
#12: ERROR: netlink response for Del SA <a \
href="mailto:esp.81cd918c@10.103.6.70">esp.81cd918c@10.103.6.70</a> included errno 3: \
                No such process<br>
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: &quot;test&quot; #12: ERROR: netlink \
response for Del SA <a \
href="mailto:esp.f4534088@10.103.7.133">esp.f4534088@10.103.7.133</a> included errno \
3: No such process<br>Dec  4 17:37:13 ng authpriv.warn pluto[11096]: &quot;test&quot; \
                #13: initiating Main Mode to replace #11<br>
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:37:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:37:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:38:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
                type 3 code 1 (not authenticated)]<br>
Dec  4 17:39:06 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error \
report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant <a \
href="http://10.103.7.133">10.103.7.133</a>: No route to host [errno 148, origin ICMP \
type 3 code 1 (not authenticated)]<br> <br>



