[prev in list] [next in list] [prev in thread] [next in thread]
List: openswan-users
Subject: Re: [Openswan Users] Assistance with configuration
From: Ian Barnes <ian.lidtech () gmail ! com>
Date: 2015-04-23 20:32:29
Message-ID: CAEDGOm3+KBKw=o2WgAp9uPe953GKHrgGO4JEukNRxOEX7doJQA () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Thanks - got that loaded and its now doing something:
New addition: x.x.x.w = Default Gateway on the eth0 interface
# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 197.189.240.195
000 interface eth1/eth1 10.0.64.150
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not
work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin�2,
keysizemax�2
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin�8,
keysizemax�8
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin@,
keysizemaxD8
000 algorithm ESP encrypt: id�, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id�, name=ESP_AES, ivlen=8, keysizemin�8,
keysizemax%6
000 algorithm ESP encrypt: id�, name=ESP_AES_CTR, ivlen=8,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id�, name=ESP_AES_CCM_A, ivlen=8,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id�, name=ESP_AES_CCM_B, ivlen�,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id�, name=ESP_AES_CCM_C, ivlen�,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id�, name=ESP_AES_GCM_A, ivlen=8,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id�, name=ESP_AES_GCM_B, ivlen�,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id , name=ESP_AES_GCM_C, ivlen�,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id", name=(null), ivlen=8, keysizemin�8,
keysizemax%6
000 algorithm ESP encrypt: id%2, name=ESP_SERPENT, ivlen=8,
keysizemin�8, keysizemax%6
000 algorithm ESP encrypt: id%3, name=ESP_TWOFISH, ivlen=8,
keysizemin�8, keysizemax%6
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin�8, keysizemax�8
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin�0, keysizemax�0
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin%6, keysizemax%6
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin84, keysizemax84
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizeminQ2, keysizemaxQ2
000 algorithm ESP auth attr: id=8, name=(null), keysizemin�0,
keysizemax�0
000 algorithm ESP auth attr: id=9, name=(null), keysizemin�8,
keysizemax�8
000 algorithm ESP auth attr: id%1, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize�, keydeflen�8
000 algorithm IKE encrypt: id=0, name=(null), blocksize�, keydeflen�8
000 algorithm IKE encrypt: id=0, name=(null), blocksize�, keydeflen�8
000 algorithm IKE encrypt: id=0, name=(null), blocksize�, keydeflen�8
000 algorithm IKE encrypt: id=0, name=(null), blocksize�, keydeflen�8
000 algorithm IKE encrypt: id=0, name=(null), blocksize�, keydeflen�8
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen�8
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen�2
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize�,
keydeflen�8
000 algorithm IKE encrypt: ide004, name=OAKLEY_SERPENT_CBC, blocksize�,
keydeflen�8
000 algorithm IKE encrypt: ide005, name=OAKLEY_TWOFISH_CBC, blocksize�,
keydeflen�8
000 algorithm IKE encrypt: ide289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize�, keydeflen�8
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize�
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize2
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsizeH
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsized
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits�24
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits�36
000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP2048, bits 48
000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP3072, bits072
000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP4096, bits@96
000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP6144, bitsa44
000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP8192, bits92
000 algorithm IKE dh group: id", name=OAKLEY_GROUP_DH22, bits�24
000 algorithm IKE dh group: id#, name=OAKLEY_GROUP_DH23, bits 48
000 algorithm IKE dh group: id$, name=OAKLEY_GROUP_DH24, bits 48
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
trans={0,2,3072} attrs={0,2,2048}
000
000 "tj-vpn": 10.0.0.0/16===x.x.x.x<x.x.x.x>[+S=C]---x.x.x.w...x.x.x.w---y.y.y.y<y.y.y.y>[+S=C]===z.z.z.z/32;
prospective erouted; eroute owner: #0
000 "tj-vpn": myip=unset; hisip=unset;
000 "tj-vpn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "tj-vpn": policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,32;
interface: eth0;
000 "tj-vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "tj-vpn": IKE algorithms wanted:
AES_CBC(7)_256-SHA1(2)_000-MODP1536(5),
AES_CBC(7)_256-SHA1(2)_000-MODP1024(2)
000 "tj-vpnt": IKE algorithms found:
AES_CBC(7)_256-SHA1(2)_160-MODP1536(5),
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "tj-vpn": ESP algorithms wanted: AES(12)_256-SHA1(2)_000
000 "tj-vpn": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000
000 #16: "tj-vpn":500 STATE_MAIN_I2 (sent MI2, expecting MR2);
EVENT_RETRANSMIT in 38s; nodpd; idle; import:admin initiate
000 #16: pending Phase 2 for "tj-vpn" replacing #0
000
# ipsec auto --up tj-vpn
104 "tj-vpn" #20: STATE_MAIN_I1: initiate
003 "tj-vpn" #20: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "tj-vpn" #20: STATE_MAIN_I2: sent MI2, expecting MR2
010 "tj-vpn" #20: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "tj-vpn" #20: ignoring informational payload, type INVALID_COOKIE
msgid�000000
003 "tj-vpn" #20: received and ignored informational message
010 "tj-vpn" #20: STATE_MAIN_I2: retransmission; will wait 40s for response
003 "tj-vpn" #20: ignoring informational payload, type INVALID_COOKIE
msgid�000000
003 "tj-vpn" #20: received and ignored informational message
031 "tj-vpn" #20: max number of retransmissions (2) reached STATE_MAIN_I2
000 "tj-vpn" #20: starting keying attempt 2 of an unlimited number, but
releasing whack
Any ideas whats happening?
Cheers
Ian
On Thu, Apr 23, 2015 at 10:00 PM, Neal Murphy <neal.p.murphy@alum.wpi.edu>
wrote:
> 'modprobe ipsec' to load the klips module. IIf that fails, remove
> 'protostack=klips' from the config and use netkey.
>
> N
>
> On Thursday, April 23, 2015 03:56:11 PM you wrote:
> > Hey Neal,
> >
> > Thanks for the prompt response.
> >
> > I am getting the following with your suggested config - have I done
> > something wrong?
> >
> > # /etc/init.d/ipsec restart
> > ipsec_setup: Stopping Openswan IPsec...
> > ipsec_setup: Starting Openswan IPsec 2.6.32...
> > ipsec_setup: No KLIPS support found while requested, desperately falling
> > back to netkey
> > ipsec_setup: NETKEY support found. Use protostack=netkey in
> /etc/ipsec.conf
> > to avoid attempts to use KLIPS. Attempting to continue with NETKEY
> > ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
> > /proc/sys/crypto/fips_enabled
> >
> > # ipsec status
> > 000 using kernel interface: noklips
> > 000 %myid = (none)
> > 000 debug none
> > 000
> > 000 virtual_private (%priv):
> > 000 - allowed 0 subnets:
> > 000 - disallowed 0 subnets:
> > 000 WARNING: Either virtual_private= is not specified, or there is a
> syntax
> > 000 error in that line. 'left/rightsubnet=vhost:%priv' will not
> > work!
> > 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> > 000 private address space in internal use, it should be
> excluded!
> > 000
> > 000
> > 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
> > keydeflen�8
> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> > keydeflen�2
> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize�,
> > keydeflen�8
> > 000 algorithm IKE encrypt: ide004, name=OAKLEY_SERPENT_CBC,
> blocksize�,
> > keydeflen�8
> > 000 algorithm IKE encrypt: ide005, name=OAKLEY_TWOFISH_CBC,
> blocksize�,
> > keydeflen�8
> > 000 algorithm IKE encrypt: ide289, name=OAKLEY_TWOFISH_CBC_SSH,
> > blocksize�, keydeflen�8
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize�
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize
> > 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize2
> > 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsizeH
> > 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsized
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits�24
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits�36
> > 000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP2048, bits 48
> > 000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP3072, bits072
> > 000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP4096, bits@96
> > 000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP6144, bitsa44
> > 000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP8192, bits92
> > 000 algorithm IKE dh group: id", name=OAKLEY_GROUP_DH22, bits�24
> > 000 algorithm IKE dh group: id#, name=OAKLEY_GROUP_DH23, bits 48
> > 000 algorithm IKE dh group: id$, name=OAKLEY_GROUP_DH24, bits 48
> > 000
> > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> > trans={0,0,0} attrs={0,0,0}
> > 000
> > 000
> > 000
> >
> >
> > # ipsec auto --add tj-vpn
> > /usr/libexec/ipsec/addconn Non-fips mode set in
> > /proc/sys/crypto/fips_enabled
> > 023 address family inconsistency in this connection=2 host=2/nexthop=0
> > 037 attempt to load incomplete connection
> >
> > Any suggestions?
> >
> > Cheers
> > Ian
> >
> > On Thu, Apr 23, 2015 at 8:50 PM, Neal Murphy <neal.p.murphy@alum.wpi.edu
> >
> >
> > wrote:
> > > Try a more minimal config:
> > >
> > > ---
> > > config setup
> > >
> > > protostack=klips
> > > interfaces=%defaultroute
> > > klipsdebug=none
> > > plutodebug=none
> > > plutowait=no
> > > uniqueids=yes
> > >
> > > conn tj-vpn
> > >
> > > authby=secret
> > > espŽs256-sha1
> > > ikeŽs256-sha1
> > > keyexchange=ike
> > > pfs=no
> > > left=x.x.x.x
> > > leftsubnet�.0.0.0/16
> > > leftnexthop=%defaultroute
> > > right=y.y.y.y
> > > rightsubnet=z.z.z.z/32
> > > rightnexthop=%defaultroute
> > > auto=start
> > >
> > > ---
> > >
> > > Come to think of it, you might just be missing rightnexthop.
> > >
> > > N
> > >
> > > On Thursday, April 23, 2015 02:31:10 PM Ian Barnes wrote:
> > > > Hi All
> > > >
> > > > Apologies for the probable stupid question - but I am having some
> > >
> > > problems
> > >
> > > > getting an IPSEC tunnel up and running to a provider.
> > > >
> > > > Here is my network config:
> > > >
> > > > *Connecting Server*
> > > > Connecting Server has two interfaces
> > > > eth0: x.x.x.x/28
> > > > eth1: 10.0.64.150/24
> > > >
> > > > Connecting server is running CentOS 6.6, OpenSwan (2.6.32-37.el6)
> > > >
> > > > Here is a verify:
> > > > # ipsec verify
> > > > Checking your system to see if IPsec got installed and started
> > > > correctly: Version check and ipsec on-path
> > > > [OK] Linux Openswan U2.6.32/K2.6.32-504.el6.x86_64 (netkey)
> > > > Checking for IPsec support in kernel [OK]
> > > >
> > > > SAref kernel support [N/A]
> > > > NETKEY: Testing for disabled ICMP send_redirects [OK]
> > > >
> > > > NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> > > > Testing against enforced SElinux mode [OK]
> > > > Checking that pluto is running [OK]
> > > >
> > > > Pluto listening for IKE on udp 500 [OK]
> > > > Pluto listening for NAT-T on udp 4500 [OK]
> > > >
> > > > Two or more interfaces found, checking IP forwarding [OK]
> > > > Checking NAT and MASQUERADEing [OK]
> > > > Checking for 'ip' command [OK]
> > > > Checking /bin/sh is not /bin/dash [OK]
> > > > Checking for 'iptables' command [OK]
> > > > Opportunistic Encryption Support
> [DISABLED]
> > > >
> > > >
> > > > *Remote Server*
> > > > Here are the connection details of the remote connection i've been
> > > > given: Remote IP: y.y.y.y
> > > > Internal IP: z.z.z.z
> > > >
> > > > *Phase 1:*
> > > > Cipher: AES-256
> > > > MD Algorithm: SHA1
> > > > LifeTime: 86400sec
> > > > DH Group: 2
> > > > IKE Mode: Main
> > > > Auth Mode: PSK
> > > >
> > > > *Phase 2:*
> > > > IPSec Type: ESP
> > > > Cipher: AES-256
> > > > MD Algorithm: SHA1
> > > > PFS: NO
> > > > LifeTime: 3600seconds
> > > > Granularity: Host
> > > >
> > > >
> > > > *My Config*
> > > > conn tj-vpn
> > > >
> > > > type=tunnel
> > > > auth=esp
> > > > authby=secret
> > > > ikelifetime400m
> > > > rekeymargin�m
> > > > rekeyfuzz=0%
> > > > keylife600s
> > > > espŽs256-sha1
> > > > ikeŽs256-sha1
> > > > keyexchange=ike
> > > > pfs=no
> > > > left=x.x.x.x
> > > > leftsubnet�.0.0.0/16
> > > > leftnexthop=%defaultroute
> > > > right=y.y.y.y
> > > > rightsubnet=z.z.z.z/32
> > > > auto=start
> > > >
> > > > Startup shows the following:
> > > >
> > > > # ipsec auto --up tj-vpn
> > > > 104 "tj-vpn" #2: STATE_MAIN_I1: initiate
> > > > 003 "tj-vpn" #2: received Vendor ID payload [RFC 3947] method set
> > > > to�9 003 "tj-vpn" #2: ignoring Vendor ID payload [FRAGMENTATION
> > > > c0000000] 003 "tj-vpn" #2: peer requested 5184000 seconds which
> > > > exceeds our limit 86400 seconds. Attribute OAKLEY_LIFE_DURATION
> > > > (variable length) 003 "tj-vpn" #2: no acceptable Oakley Transform
> > > > 214 "tj-vpn" #2: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
> > > > *JUST HANGS THERE*
> > > >
> > > > # ipsec --status
> > > > 000 using kernel interface: netkey
> > > > 000 interface lo/lo ::1
> > > > 000 interface lo/lo 127.0.0.1
> > > > 000 interface lo/lo 127.0.0.1
> > > > 000 interface eth0/eth0 x.x.x.x
> > > > 000 interface eth0/eth0 x.x.x.x
> > > > 000 interface eth1/eth1 10.0.64.150
> > > > 000 interface eth1/eth1 10.0.64.150
> > > > 000 %myid = (none)
> > > > 000 debug none
> > > > 000
> > > > 000 virtual_private (%priv):
> > > > 000 - allowed 0 subnets:
> > > > 000 - disallowed 0 subnets:
> > > > 000 WARNING: Either virtual_private= is not specified, or there is a
> > >
> > > syntax
> > >
> > > > 000 error in that line. 'left/rightsubnet=vhost:%priv' will
> > > > not work!
> > > > 000 WARNING: Disallowed subnets in virtual_private= is empty. If you
> > > > have 000 private address space in internal use, it should be
> > >
> > > excluded!
> > >
> > > > 000
> > > > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> > > > keysizemin�2, keysizemax�2
> > > > 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
> > > > keysizemin�8, keysizemax�8
> > > > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> > >
> > > keysizemin@,
> > >
> > > > keysizemaxD8
> > > > 000 algorithm ESP encrypt: id�, name=ESP_NULL, ivlen=0,
> keysizemin=0,
> > > > keysizemax=0
> > > > 000 algorithm ESP encrypt: id�, name=ESP_AES, ivlen=8,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id�, name=ESP_AES_CTR, ivlen=8,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id�, name=ESP_AES_CCM_A, ivlen=8,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id�, name=ESP_AES_CCM_B, ivlen�,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id�, name=ESP_AES_CCM_C, ivlen�,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id�, name=ESP_AES_GCM_A, ivlen=8,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id�, name=ESP_AES_GCM_B, ivlen�,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id , name=ESP_AES_GCM_C, ivlen�,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id", name=(null), ivlen=8,
> keysizemin�8,
> > > > keysizemax%6
> > > > 000 algorithm ESP encrypt: id%2, name=ESP_SERPENT, ivlen=8,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP encrypt: id%3, name=ESP_TWOFISH, ivlen=8,
> > > > keysizemin�8, keysizemax%6
> > > > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> > > > keysizemin�8, keysizemax�8
> > > > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> > > > keysizemin�0, keysizemax�0
> > > > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> > > > keysizemin%6, keysizemax%6
> > > > 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
> > > > keysizemin84, keysizemax84
> > > > 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
> > > > keysizeminQ2, keysizemaxQ2
> > > > 000 algorithm ESP auth attr: id=8, name=(null), keysizemin�0,
> > > > keysizemax�0
> > > > 000 algorithm ESP auth attr: id=9, name=(null), keysizemin�8,
> > > > keysizemax�8
> > > > 000 algorithm ESP auth attr: id%1, name=(null), keysizemin=0,
> > > > keysizemax=0 000
> > > > 000 algorithm IKE encrypt: id=0, name=(null), blocksize�,
> > > > keydeflen�8 000 algorithm IKE encrypt: id=0, name=(null),
> > > > blocksize�, keydeflen�8 000 algorithm IKE encrypt: id=0,
> > > > name=(null), blocksize�, keydeflen�8 000 algorithm IKE encrypt:
> > > > id=0, name=(null), blocksize�, keydeflen�8 000 algorithm IKE
> > > > encrypt: id=0, name=(null), blocksize�, keydeflen�8 000 algorithm
> > > > IKE encrypt: id=0, name=(null), blocksize�, keydeflen�8 000
> > > > algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
> > > > keydeflen�8
> > > > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> > > > keydeflen�2
> > > > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize�,
> > > > keydeflen�8
> > > > 000 algorithm IKE encrypt: ide004, name=OAKLEY_SERPENT_CBC,
> > >
> > > blocksize�,
> > >
> > > > keydeflen�8
> > > > 000 algorithm IKE encrypt: ide005, name=OAKLEY_TWOFISH_CBC,
> > >
> > > blocksize�,
> > >
> > > > keydeflen�8
> > > > 000 algorithm IKE encrypt: ide289, name=OAKLEY_TWOFISH_CBC_SSH,
> > > > blocksize�, keydeflen�8
> > > > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize�
> > > > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize
> > > > 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize2
> > > > 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsizeH
> > > > 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsized
> > > > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024,
> bits�24
> > > > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536,
> bits�36
> > > > 000 algorithm IKE dh group: id�, name=OAKLEY_GROUP_MODP2048,
> > > > bits 48 000 algorithm IKE dh group: id�,
> > > > name=OAKLEY_GROUP_MODP3072, bits072 000 algorithm IKE dh group:
> > > > id�, name=OAKLEY_GROUP_MODP4096, bits@96 000 algorithm IKE dh
> > > > group: id�, name=OAKLEY_GROUP_MODP6144, bitsa44 000 algorithm IKE
> > > > dh group: id�, name=OAKLEY_GROUP_MODP8192, bits92 000 algorithm
> > > > IKE dh group: id", name=OAKLEY_GROUP_DH22, bits�24 000 algorithm
> > > > IKE dh group: id#, name=OAKLEY_GROUP_DH23, bits 48 000 algorithm
> > > > IKE dh group: id$, name=OAKLEY_GROUP_DH24, bits 48 000
> > > > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
> > > > trans={0,2,3072} attrs={0,2,2048}
> > > > 000
> > > > 000 "tj-vpn":
> > > > 10.0.0.0/16===x.x.x.x
> > >
> > > <x.x.x.x>[+S=C]...y.y.y.y<y.y.y.y>[+S=C]===z.z.z.z/32
> > >
> > > > ; prospective erouted; eroute owner: #0
> > > > 000 "tj-vpn": myip=unset; hisip=unset;
> > >
> > > > 000 "tj-vpn": ike_life: 5184000s; ipsec_life: 3600s; rekey_margin:
> > > 600s;
> > >
> > > > rekey_fuzz: 0%; keyingtries: 0; nat_keepalive: yes
> > > > 000 "tj-vpn": policy:
> > > > PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,32;
> > > > interface: eth0;
> > > > 000 "tj-vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
> > > > 000 "tj-vpn": IKE algorithms wanted:
> > > > AES_CBC(7)_256-SHA1(2)_000-MODP1536(5),
> > > > AES_CBC(7)_256-SHA1(2)_000-MODP1024(2)
> > > >
> > > > 000 "tj-vpn": IKE algorithms found:
> > > > AES_CBC(7)_256-SHA1(2)_160-MODP1536(5),
> > > >
> > > > AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
> > > > 000 "tj-vpn": ESP algorithms wanted: AES(12)_256-SHA1(2)_000
> > > > 000 "tj-vpn": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
> > > > 000
> > > > 000 #2: "tj-vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); none in
> > >
> > > -1s;
> > >
> > > > nodpd; idle; import:admin initiate
> > > > 000 #2: pending Phase 2 for "tj-vpn" replacing #0
> > > > 000
> > > >
> > > > # cat ipsec.secrets
> > > > x.x.x.x y.y.y.y: PSK "PSKGOESHERE"
> > > >
> > > > Anyone have any ideas what i'm doing wrong? I'd appreciate all
> > >
> > > assistance.
> > >
> > > > Thanks so much in advance!
> > > >
> > > > Cheers
> > > > Ian
> > >
> > > _______________________________________________
> > > Users@lists.openswan.org
> > > https://lists.openswan.org/mailman/listinfo/users
> > > Micropayments:
> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > > Building and Integrating Virtual Private Networks with Openswan:
> > >
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n(3155
>
[Attachment #5 (text/html)]
<div dir="ltr"><div>Thanks - got that loaded and its now doing \
something:<br></div><div><br></div><div style>New addition: x.x.x.w = Default Gateway \
on the eth0 interface</div><div><br></div><div><div># ipsec status</div><div>000 \
using kernel interface: netkey</div><div>000 interface lo/lo ::1</div><div>000 \
interface lo/lo 127.0.0.1</div><div>000 interface eth0/eth0 \
197.189.240.195</div><div>000 interface eth1/eth1 10.0.64.150</div><div>000 %myid = \
(none)</div><div>000 debug none</div><div>000</div><div>000 virtual_private \
(%priv):</div><div>000 - allowed 0 subnets:</div><div>000 - disallowed 0 \
subnets:</div><div>000 WARNING: Either virtual_private= is not specified, or there is \
a syntax</div><div>000 error in that line. \
'left/rightsubnet=vhost:%priv' will not work!</div><div>000 WARNING: \
Disallowed subnets in virtual_private= is empty. If you have</div><div>000 \
private address space in internal use, it should be \
excluded!</div><div>000</div><div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, \
ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=6, \
name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP \
encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, \
keysizemax=448</div><div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, \
keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, \
ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=13, \
name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP \
encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, \
keysizemax=256</div><div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, \
ivlen=12, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=16, \
name=ESP_AES_CCM_C, ivlen=16, keysizemin=128, keysizemax=256</div><div>000 algorithm \
ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, \
keysizemax=256</div><div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, \
ivlen=12, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=20, \
name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256</div><div>000 algorithm \
ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, \
keysizemax=256</div><div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, \
ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=253, \
name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP \
auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, \
keysizemax=128</div><div>000 algorithm ESP auth attr: id=2, \
name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div><div>000 algorithm \
ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, \
keysizemax=256</div><div>000 algorithm ESP auth attr: id=6, \
name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384</div><div>000 \
algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, \
keysizemax=512</div><div>000 algorithm ESP auth attr: id=8, name=(null), \
keysizemin=160, keysizemax=160</div><div>000 algorithm ESP auth attr: id=9, \
name=(null), keysizemin=128, keysizemax=128</div><div>000 algorithm ESP auth attr: \
id=251, name=(null), keysizemin=0, keysizemax=0</div><div>000</div><div>000 algorithm \
IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128</div><div>000 algorithm \
IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128</div><div>000 algorithm \
IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128</div><div>000 algorithm \
IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128</div><div>000 algorithm \
IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128</div><div>000 algorithm \
IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128</div><div>000 algorithm \
IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128</div><div>000 \
algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, \
keydeflen=192</div><div>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, \
blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: id=65004, \
name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE \
encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128</div><div>000 \
algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, \
keydeflen=128</div><div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, \
hashsize=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, \
hashsize=20</div><div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, \
hashsize=32</div><div>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, \
hashsize=48</div><div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, \
hashsize=64</div><div>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, \
bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, \
bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, \
bits=2048</div><div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, \
bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, \
bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, \
bits=6144</div><div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, \
bits=8192</div><div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, \
bits=1024</div><div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, \
bits=2048</div><div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, \
bits=2048</div><div>000</div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} \
:context={0,2,64} trans={0,2,3072} attrs={0,2,2048}</div><div>000</div><div>000 \
"tj-vpn": <a \
href="http://10.0.0.0/16===x.x.x.x">10.0.0.0/16===x.x.x.x</a><x.x.x.x>[+S=C]---x.x.x.w...x.x.x.w---y.y.y.y<y.y.y.y>[+S=C]===z.z.z.z/32; \
prospective erouted; eroute owner: #0</div><div>000 "tj-vpn": \
myip=unset; hisip=unset;</div><div>000 "tj-vpn": ike_life: 3600s; \
ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; \
nat_keepalive: yes</div><div>000 "tj-vpn": policy: \
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,32; interface: \
eth0;</div><div>000 "tj-vpn": newest ISAKMP SA: #0; newest IPsec SA: \
#0;</div><div>000 "tj-vpn": IKE algorithms wanted: \
AES_CBC(7)_256-SHA1(2)_000-MODP1536(5), \
AES_CBC(7)_256-SHA1(2)_000-MODP1024(2)</div><div>000 "tj-vpnt": IKE \
algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1536(5), \
AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)</div><div>000 "tj-vpn": ESP \
algorithms wanted: AES(12)_256-SHA1(2)_000</div><div>000 "tj-vpn": ESP \
algorithms loaded: AES(12)_256-SHA1(2)_160</div><div>000</div><div>000 #16: \
"tj-vpn":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in \
38s; nodpd; idle; import:admin initiate</div><div>000 #16: pending Phase 2 for \
"tj-vpn" replacing #0</div><div>000</div></div><div><br></div><div><div># \
ipsec auto --up tj-vpn</div><div>104 "tj-vpn" #20: STATE_MAIN_I1: \
initiate</div><div>003 "tj-vpn" #20: ignoring Vendor ID payload \
[FRAGMENTATION c0000000]</div><div>106 "tj-vpn" #20: STATE_MAIN_I2: sent \
MI2, expecting MR2</div><div>010 "tj-vpn" #20: STATE_MAIN_I2: \
retransmission; will wait 20s for response</div><div>003 "tj-vpn" #20: \
ignoring informational payload, type INVALID_COOKIE msgid=00000000</div><div>003 \
"tj-vpn" #20: received and ignored informational message</div><div>010 \
"tj-vpn" #20: STATE_MAIN_I2: retransmission; will wait 40s for \
response</div><div>003 "tj-vpn" #20: ignoring informational payload, type \
INVALID_COOKIE msgid=00000000</div><div>003 "tj-vpn" #20: received and \
ignored informational message</div><div>031 "tj-vpn" #20: max number of \
retransmissions (2) reached STATE_MAIN_I2</div><div>000 "tj-vpn" #20: \
starting keying attempt 2 of an unlimited number, but releasing \
whack</div></div><div><br></div><div style>Any ideas whats \
happening?</div><div><br></div><div style>Cheers</div><div style>Ian</div><div \
class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 23, 2015 at 10:00 PM, \
Neal Murphy <span dir="ltr"><<a href="mailto:neal.p.murphy@alum.wpi.edu" \
target="_blank">neal.p.murphy@alum.wpi.edu</a>></span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">'modprobe ipsec' to load the klips module. IIf that \
fails, remove<br> 'protostack=klips' from the config and use netkey.<br>
<span class="HOEnZb"><font color="#888888"><br>
N<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On Thursday, April 23, 2015 03:56:11 PM you wrote:<br>
> Hey Neal,<br>
><br>
> Thanks for the prompt response.<br>
><br>
> I am getting the following with your suggested config - have I done<br>
> something wrong?<br>
><br>
> # /etc/init.d/ipsec restart<br>
> ipsec_setup: Stopping Openswan IPsec...<br>
> ipsec_setup: Starting Openswan IPsec 2.6.32...<br>
> ipsec_setup: No KLIPS support found while requested, desperately falling<br>
> back to netkey<br>
> ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf<br>
> to avoid attempts to use KLIPS. Attempting to continue with NETKEY<br>
> ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in<br>
> /proc/sys/crypto/fips_enabled<br>
><br>
> # ipsec status<br>
> 000 using kernel interface: noklips<br>
> 000 %myid = (none)<br>
> 000 debug none<br>
> 000<br>
> 000 virtual_private (%priv):<br>
> 000 - allowed 0 subnets:<br>
> 000 - disallowed 0 subnets:<br>
> 000 WARNING: Either virtual_private= is not specified, or there is a syntax<br>
> 000 error in that line. 'left/rightsubnet=vhost:%priv' \
will not<br> > work!<br>
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have<br>
> 000 private address space in internal use, it should be \
excluded!<br> > 000<br>
> 000<br>
> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,<br>
> keydeflen=128<br>
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,<br>
> keydeflen=192<br>
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,<br>
> keydeflen=128<br>
> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,<br>
> keydeflen=128<br>
> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,<br>
> keydeflen=128<br>
> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,<br>
> blocksize=16, keydeflen=128<br>
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>
> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48<br>
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024<br>
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048<br>
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048<br>
> 000<br>
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}<br>
> trans={0,0,0} attrs={0,0,0}<br>
> 000<br>
> 000<br>
> 000<br>
><br>
><br>
> # ipsec auto --add tj-vpn<br>
> /usr/libexec/ipsec/addconn Non-fips mode set in<br>
> /proc/sys/crypto/fips_enabled<br>
> 023 address family inconsistency in this connection=2 host=2/nexthop=0<br>
> 037 attempt to load incomplete connection<br>
><br>
> Any suggestions?<br>
><br>
> Cheers<br>
> Ian<br>
><br>
> On Thu, Apr 23, 2015 at 8:50 PM, Neal Murphy <<a \
href="mailto:neal.p.murphy@alum.wpi.edu">neal.p.murphy@alum.wpi.edu</a>><br> \
><br> > wrote:<br>
> > Try a more minimal config:<br>
> ><br>
> > ---<br>
> > config setup<br>
> ><br>
> > protostack=klips<br>
> > interfaces=%defaultroute<br>
> > klipsdebug=none<br>
> > plutodebug=none<br>
> > plutowait=no<br>
> > uniqueids=yes<br>
> ><br>
> > conn tj-vpn<br>
> ><br>
> > authby=secret<br>
> > esp=aes256-sha1<br>
> > ike=aes256-sha1<br>
> > keyexchange=ike<br>
> > pfs=no<br>
> > left=x.x.x.x<br>
> > leftsubnet=<a href="http://10.0.0.0/16" \
target="_blank">10.0.0.0/16</a><br> > > \
leftnexthop=%defaultroute<br> > > right=y.y.y.y<br>
> > rightsubnet=z.z.z.z/32<br>
> > rightnexthop=%defaultroute<br>
> > auto=start<br>
> ><br>
> > ---<br>
> ><br>
> > Come to think of it, you might just be missing rightnexthop.<br>
> ><br>
> > N<br>
> ><br>
> > On Thursday, April 23, 2015 02:31:10 PM Ian Barnes wrote:<br>
> > > Hi All<br>
> > ><br>
> > > Apologies for the probable stupid question - but I am having some<br>
> ><br>
> > problems<br>
> ><br>
> > > getting an IPSEC tunnel up and running to a provider.<br>
> > ><br>
> > > Here is my network config:<br>
> > ><br>
> > > *Connecting Server*<br>
> > > Connecting Server has two interfaces<br>
> > > eth0: x.x.x.x/28<br>
> > > eth1: <a href="http://10.0.64.150/24" \
target="_blank">10.0.64.150/24</a><br> > > ><br>
> > > Connecting server is running CentOS 6.6, OpenSwan (2.6.32-37.el6)<br>
> > ><br>
> > > Here is a verify:<br>
> > > # ipsec verify<br>
> > > Checking your system to see if IPsec got installed and started<br>
> > > correctly: Version check and ipsec on-path<br>
> > > [OK] Linux Openswan U2.6.32/K2.6.32-504.el6.x86_64 (netkey)<br>
> > > Checking for IPsec support in kernel \
[OK]<br> > > ><br>
> > > SAref kernel support \
[N/A]<br> > > > NETKEY: Testing for disabled ICMP send_redirects \
[OK]<br> > > ><br>
> > > NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>
> > > Testing against enforced SElinux mode \
[OK]<br> > > > Checking that pluto is running \
[OK]<br> > > ><br>
> > > Pluto listening for IKE on udp 500 \
[OK]<br> > > > Pluto listening for NAT-T on udp 4500 \
[OK]<br> > > ><br>
> > > Two or more interfaces found, checking IP forwarding \
[OK]<br> > > > Checking NAT and MASQUERADEing \
[OK]<br> > > > Checking for 'ip' command \
[OK]<br> > > > Checking /bin/sh is not /bin/dash \
[OK]<br> > > > Checking for 'iptables' command \
[OK]<br> > > > Opportunistic Encryption Support \
[DISABLED]<br> > > ><br>
> > ><br>
> > > *Remote Server*<br>
> > > Here are the connection details of the remote connection i've \
been<br> > > > given: Remote IP: y.y.y.y<br>
> > > Internal IP: z.z.z.z<br>
> > ><br>
> > > *Phase 1:*<br>
> > > Cipher: AES-256<br>
> > > MD Algorithm: SHA1<br>
> > > LifeTime: 86400sec<br>
> > > DH Group: 2<br>
> > > IKE Mode: Main<br>
> > > Auth Mode: PSK<br>
> > ><br>
> > > *Phase 2:*<br>
> > > IPSec Type: ESP<br>
> > > Cipher: AES-256<br>
> > > MD Algorithm: SHA1<br>
> > > PFS: NO<br>
> > > LifeTime: 3600seconds<br>
> > > Granularity: Host<br>
> > ><br>
> > ><br>
> > > *My Config*<br>
> > > conn tj-vpn<br>
> > ><br>
> > > type=tunnel<br>
> > > auth=esp<br>
> > > authby=secret<br>
> > > ikelifetime=86400m<br>
> > > rekeymargin=10m<br>
> > > rekeyfuzz=0%<br>
> > > keylife=3600s<br>
> > > esp=aes256-sha1<br>
> > > ike=aes256-sha1<br>
> > > keyexchange=ike<br>
> > > pfs=no<br>
> > > left=x.x.x.x<br>
> > > leftsubnet=<a href="http://10.0.0.0/16" \
target="_blank">10.0.0.0/16</a><br> > > > \
leftnexthop=%defaultroute<br> > > > right=y.y.y.y<br>
> > > rightsubnet=z.z.z.z/32<br>
> > > auto=start<br>
> > ><br>
> > > Startup shows the following:<br>
> > ><br>
> > > # ipsec auto --up tj-vpn<br>
> > > 104 "tj-vpn" #2: STATE_MAIN_I1: initiate<br>
> > > 003 "tj-vpn" #2: received Vendor ID payload [RFC 3947] \
method set<br> > > > to=109 003 "tj-vpn" #2: ignoring Vendor ID \
payload [FRAGMENTATION<br> > > > c0000000] 003 "tj-vpn" #2: peer \
requested 5184000 seconds which<br> > > > exceeds our limit 86400 seconds. \
Attribute OAKLEY_LIFE_DURATION<br> > > > (variable length) 003 \
"tj-vpn" #2: no acceptable Oakley Transform<br> > > > 214 \
"tj-vpn" #2: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN<br> > > > *JUST \
HANGS THERE*<br> > > ><br>
> > > # ipsec --status<br>
> > > 000 using kernel interface: netkey<br>
> > > 000 interface lo/lo ::1<br>
> > > 000 interface lo/lo 127.0.0.1<br>
> > > 000 interface lo/lo 127.0.0.1<br>
> > > 000 interface eth0/eth0 x.x.x.x<br>
> > > 000 interface eth0/eth0 x.x.x.x<br>
> > > 000 interface eth1/eth1 10.0.64.150<br>
> > > 000 interface eth1/eth1 10.0.64.150<br>
> > > 000 %myid = (none)<br>
> > > 000 debug none<br>
> > > 000<br>
> > > 000 virtual_private (%priv):<br>
> > > 000 - allowed 0 subnets:<br>
> > > 000 - disallowed 0 subnets:<br>
> > > 000 WARNING: Either virtual_private= is not specified, or there is \
a<br> > ><br>
> > syntax<br>
> ><br>
> > > 000 error in that line. \
'left/rightsubnet=vhost:%priv' will<br> > > > not work!<br>
> > > 000 WARNING: Disallowed subnets in virtual_private= is empty. If \
you<br> > > > have 000 private address space in internal use, \
it should be<br> > ><br>
> > excluded!<br>
> ><br>
> > > 000<br>
> > > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,<br>
> > > keysizemin=192, keysizemax=192<br>
> > > 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,<br>
> > > keysizemin=128, keysizemax=128<br>
> > > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,<br>
> ><br>
> > keysizemin=40,<br>
> ><br>
> > > keysizemax=448<br>
> > > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, \
keysizemin=0,<br> > > > keysizemax=0<br>
> > > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, \
keysizemin=128,<br> > > > keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,<br>
> > > keysizemin=128, keysizemax=256<br>
> > > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,<br>
> > > keysizemin=128, keysizemax=128<br>
> > > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,<br>
> > > keysizemin=160, keysizemax=160<br>
> > > 000 algorithm ESP auth attr: id=5, \
name=AUTH_ALGORITHM_HMAC_SHA2_256,<br> > > > keysizemin=256, \
keysizemax=256<br> > > > 000 algorithm ESP auth attr: id=6, \
name=AUTH_ALGORITHM_HMAC_SHA2_384,<br> > > > keysizemin=384, \
keysizemax=384<br> > > > 000 algorithm ESP auth attr: id=7, \
name=AUTH_ALGORITHM_HMAC_SHA2_512,<br> > > > keysizemin=512, \
keysizemax=512<br> > > > 000 algorithm ESP auth attr: id=8, name=(null), \
keysizemin=160,<br> > > > keysizemax=160<br>
> > > 000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128,<br>
> > > keysizemax=128<br>
> > > 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,<br>
> > > keysizemax=0 000<br>
> > > 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,<br>
> > > keydeflen=128 000 algorithm IKE encrypt: id=0, name=(null),<br>
> > > blocksize=16, keydeflen=128 000 algorithm IKE encrypt: id=0,<br>
> > > name=(null), blocksize=16, keydeflen=128 000 algorithm IKE \
encrypt:<br> > > > id=0, name=(null), blocksize=16, keydeflen=128 000 \
algorithm IKE<br> > > > encrypt: id=0, name=(null), blocksize=16, \
keydeflen=128 000 algorithm<br> > > > IKE encrypt: id=0, name=(null), \
blocksize=16, keydeflen=128 000<br> > > > algorithm IKE encrypt: id=3, \
name=OAKLEY_BLOWFISH_CBC, blocksize=8,<br> > > > keydeflen=128<br>
> > > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, \
blocksize=8,<br> > > > keydeflen=192<br>
> > > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, \
blocksize=16,<br> > > > keydeflen=128<br>
> > > 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC,<br>
> ><br>
> > blocksize=16,<br>
> ><br>
> > > keydeflen=128<br>
> > > 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC,<br>
> ><br>
> > blocksize=16,<br>
> ><br>
> > > keydeflen=128<br>
> > > 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,<br>
> > > blocksize=16, keydeflen=128<br>
> > > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
> > > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
> > > 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>
> > > 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48<br>
> > > 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>
> > > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, \
bits=1024<br> > > > 000 algorithm IKE dh group: id=5, \
name=OAKLEY_GROUP_MODP1536, bits=1536<br> > > > 000 algorithm IKE dh group: \
id=14, name=OAKLEY_GROUP_MODP2048,<br> > > > bits=2048 000 algorithm IKE dh \
group: id=15,<br> > > > name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm \
IKE dh group:<br> > > > id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 \
algorithm IKE dh<br> > > > group: id=17, name=OAKLEY_GROUP_MODP6144, \
bits=6144 000 algorithm IKE<br> > > > dh group: id=18, \
name=OAKLEY_GROUP_MODP8192, bits=8192 000 algorithm<br> > > > IKE dh group: \
id=22, name=OAKLEY_GROUP_DH22, bits=1024 000 algorithm<br> > > > IKE dh \
group: id=23, name=OAKLEY_GROUP_DH23, bits=2048 000 algorithm<br> > > > IKE \
dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048 000<br> > > > 000 stats \
db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}<br> > > > \
trans={0,2,3072} attrs={0,2,2048}<br> > > > 000<br>
> > > 000 "tj-vpn":<br>
> > > <a href="http://10.0.0.0/16===x.x.x.x" \
target="_blank">10.0.0.0/16===x.x.x.x</a><br> > ><br>
> > <x.x.x.x>[+S=C]...y.y.y.y<y.y.y.y>[+S=C]===z.z.z.z/32<br>
> ><br>
> > > ; prospective erouted; eroute owner: #0<br>
> > > 000 "tj-vpn": myip=unset; hisip=unset;<br>
> ><br>
> > > 000 "tj-vpn": ike_life: 5184000s; ipsec_life: 3600s; \
rekey_margin:<br> > > 600s;<br>
> ><br>
> > > rekey_fuzz: 0%; keyingtries: 0; nat_keepalive: yes<br>
> > > 000 "tj-vpn": policy:<br>
> > > PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: \
16,32;<br> > > > interface: eth0;<br>
> > > 000 "tj-vpn": newest ISAKMP SA: #0; newest IPsec SA: \
#0;<br> > > > 000 "tj-vpn": IKE algorithms wanted:<br>
> > > AES_CBC(7)_256-SHA1(2)_000-MODP1536(5),<br>
> > > AES_CBC(7)_256-SHA1(2)_000-MODP1024(2)<br>
> > ><br>
> > > 000 "tj-vpn": IKE algorithms found:<br>
> > > AES_CBC(7)_256-SHA1(2)_160-MODP1536(5),<br>
> > ><br>
> > > AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)<br>
> > > 000 "tj-vpn": ESP algorithms wanted: \
AES(12)_256-SHA1(2)_000<br> > > > 000 "tj-vpn": ESP algorithms \
loaded: AES(12)_256-SHA1(2)_160<br> > > > 000<br>
> > > 000 #2: "tj-vpn":500 STATE_MAIN_I1 (sent MI1, expecting \
MR1); none in<br> > ><br>
> > -1s;<br>
> ><br>
> > > nodpd; idle; import:admin initiate<br>
> > > 000 #2: pending Phase 2 for "tj-vpn" replacing #0<br>
> > > 000<br>
> > ><br>
> > > # cat ipsec.secrets<br>
> > > x.x.x.x y.y.y.y: PSK "PSKGOESHERE"<br>
> > ><br>
> > > Anyone have any ideas what i'm doing wrong? I'd appreciate \
all<br> > ><br>
> > assistance.<br>
> ><br>
> > > Thanks so much in advance!<br>
> > ><br>
> > > Cheers<br>
> > > Ian<br>
> ><br>
> > _______________________________________________<br>
> > <a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
> > <a href="https://lists.openswan.org/mailman/listinfo/users" \
target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br> > > \
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" \
target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br> > \
> Building and Integrating Virtual Private Networks with Openswan:<br> > > \
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" \
target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</div></div></blockquote></div><br></div></div>
_______________________________________________
Users@lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic