Den | 8 Feb 13:23

[Openswan Users] openswan + Win7 + pre-shared key

Hello!

I can't set up VPN 
   Windows 7 client  192.168.1.38 <--> Linux server  Openswan  192.168.1.15 

I think that the VPN is established.
But I can't access the Linux server from the Windows 7 client.
I set up the VPN on Win7 in "ip security policies on local computer".
The Windows firewall is turned off.

Can somebody help me?
Thank you


>ipsec --version
Linux Openswan U2.6.37/K(no kernel code presently loaded)

/var/log/secure: 
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: us: 192.168.1.15<192.168.1.15>[+S=C]
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: them: 192.168.1.38<192.168.1.38>[+S=C]
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x89c5ef96 <0x3d6e53aa xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.1.38 NATD=192.168.1.38:4500 DPD=none}

/etc/ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
interfaces="ipsec0=eth0"   
protostack=klips
nat_traversal=yes
virtual_private=
oe=off   
nhelpers=0

conn lnx-win
type=tunnel
auto=add
pfs=yes
right=192.168.1.38
left=192.168.1.15
auth=esp
authby=secret
forceencaps=yes
esp=3des-sha1-96
rekey=no
dpdaction=clear
dpddelay=30
dpdtimeout=30
_______________________________________________
Users <at> lists.openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Paul Wouters | 8 Feb 17:25

Re: [Openswan Users] openswan + Win7 + pre-shared key

On Wed, 8 Feb 2012, Den wrote:

> I can't setup VPN 
>    Windows 7 client  192.168.1.38 <--> Linux server  Openswan  192.168.1.15 
> 
> I think that VPN is  established.
> But I can't access Linux server from Windows 7 client.
> I setup VPN on Win7  in "ip security policies on local computer"
> Windows's firewall is turned off.
> 
> Can somebody help me?
> Thank you
> 
> 
> >ipsec --version
> Linux Openswan U2.6.37/K(no kernel code presently loaded)
> 
> /var/log/secure: 
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: responding to Quick Mode proposal {msgid:01000000}
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: us: 192.168.1.15<192.168.1.15>[+S=C]
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: them: 192.168.1.38<192.168.1.38>[+S=C]
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x89c5ef96 <0x3d6e53aa xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.1.38 NATD=192.168.1.38:4500 DPD=none}
> 
> /etc/ipsec.conf:

> right=192.168.1.38
> left=192.168.1.15

> forceencaps=yes

forceencaps will result in NAT-T, which over the local lan might not
work at all?

Paul

Bradley Peterson | 9 Feb 02:40

Re: [Openswan Users] openswan + Win7 + pre-shared key

On Wed, Feb 8, 2012 at 10:25 AM, Paul Wouters <paul <at> nohats.ca> wrote:
> On Wed, 8 Feb 2012, Den wrote:
>
>> I can't setup VPN
>>    Windows 7 client  192.168.1.38 <--> Linux server  Openswan  192.168.1.15
>>
>> I think that VPN is  established.
>> But I can't access Linux server from Windows 7 client.
>> I setup VPN on Win7  in "ip security policies on local computer"
>> Windows's firewall is turned off.
>>
>> Can somebody help me?
>> Thank you
>>
>>
>> >ipsec --version
>> Linux Openswan U2.6.37/K(no kernel code presently loaded)
>>
>> /var/log/secure:
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: STATE_MAIN_R3: sent MR3,
>> ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
>> prf=oakley_sha group=modp1024}
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: Dead Peer Detection (RFC
>> 3706): not enabled because peer did not advertise it
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: the peer proposed:
>> 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: NAT-Traversal: received 2
>> NAT-OA. using first, ignoring others
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: responding to Quick Mode
>> proposal {msgid:01000000}
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: us:
>> 192.168.1.15<192.168.1.15>[+S=C]
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: them:
>> 192.168.1.38<192.168.1.38>[+S=C]
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state
>> STATE_QUICK_R0 to state STATE_QUICK_R1
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R1: sent QR1,
>> inbound IPsec SA installed, expecting QI2
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: Dead Peer Detection (RFC
>> 3706): not enabled because peer did not advertise it
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: transition from state
>> STATE_QUICK_R1 to state STATE_QUICK_R2
>> Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA
>> established tunnel mode {ESP/NAT=>0x89c5ef96 <0x3d6e53aa
>> xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.1.38
>> NATD=192.168.1.38:4500 DPD=none}
>>
>> /etc/ipsec.conf:
>
>
>> right=192.168.1.38
>> left=192.168.1.15
>
>
>> forceencaps=yes
>
>
> forceencaps will result in NAT-T, which over the local lan might not
> work at all?
>
> Paul

Also, Win7 by default won't connect if it detects the server is behind
a NAT (which forceencaps causes).  You would have to create the DWORD
registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\AssumeUDPEncapsulationContextOnSendRule
and set it to 2.

Or just turn off forceencaps.

Brad

Den | 9 Feb 11:28

Re: [Openswan Users] openswan + Win7 + pre-shared key

Hello!
There are no results :(
I can't use linux, openswan + win7 over VPN.
I think that the problem is in Windows. But I can't find where it is.

Linux, openswan, /etc/ipsec.conf:
conn lnx-win
type=tunnel
auto=add
pfs=yes
right=192.168.1.38
left=192.168.1.15
auth=esp
authby=secret
forceencaps=no
esp=3des-sha1-96
rekey=no
dpdaction=clear
dpddelay=30
dpdtimeout=30


linux, openswan, ~>ipsec auto --status
000
000 "lnx-win": 192.168.1.15<192.168.1.15>[+S=C]...192.168.1.38<192.168.1.38>[+S=C]; erouted; eroute owner: #2
000 "lnx-win": myip=unset; hisip=unset;
000 "lnx-win": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lnx-win": policy: PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "lnx-win": dpd: action:clear; delay:30; timeout:30;
000 "lnx-win": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "lnx-win": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "lnx-win": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_096; flags=-strict
000 "lnx-win": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_096
000 "lnx-win": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #2: "lnx-win":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 28764s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "lnx-win" esp.55efcd42 <at> 192.168.1.38 esp.4a96971d <at> 192.168.1.15 ref=2 refhim=1
000 #1: "lnx-win":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28764s; newest ISAKMP; nodpd; idle; import:not set
000

linux, openswan, /var/log/secure:
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: responding to Main Mode
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.38'
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: us: 192.168.1.15<192.168.1.15>[+S=C]
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: them: 192.168.1.38<192.168.1.38>[+S=C]
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2


Windows 7 (192.168.1.38), VPN is ON
C:\>ping 192.168.1.15

Pinging 192.168.1.15 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.15:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


Windows 7 (192.168.1.38), VPN is OFF
C:\>ping 192.168.1.15

Pinging 192.168.1.15 with 32 bytes of data:
Reply from 192.168.1.15: bytes=32 time=1ms TTL=64
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64
Reply from 192.168.1.15: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.15:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

Windows 7 registry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002


Paul Wouters | 9 Feb 15:55

Re: [Openswan Users] openswan + Win7 + pre-shared key

On Thu, 9 Feb 2012, Den wrote:

> I think that problem is in Windows. But I can't find where it is.

It looks like a mismatching configuration, because:

> Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: transition from state
> STATE_QUICK_R0 to state STATE_QUICK_R1
> Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: STATE_QUICK_R1: sent QR1,
> inbound IPsec SA installed, expecting QI2
> Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: Dead Peer Detection (RFC
> 3706): not enabled because peer did not advertise it
> Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2

linux is waiting on the final message of windows to install the 2nd half

Paul
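Paul's reading above turns on which pluto lines are present: the 9 Feb log reaches STATE_QUICK_R1 ("inbound IPsec SA installed") and never logs the "STATE_QUICK_R2: IPsec SA established" line that the 8 Feb log has. The following is an added example, not code from the thread or from Openswan, that parses pluto's syslog lines and classifies how far the responder got; it also reports the RFC 3947 NAT detection result and whether the established SA is UDP-encapsulated (the "ESP/NAT=>" form that forceencaps=yes produced on 8 Feb). The sample logs are the thread's own lines, trimmed; the line format it assumes and the verdict names are this example's own.

```python
import re

# One syslog line from pluto (Openswan's IKE daemon), in the shape quoted in this thread:
#   Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: STATE_QUICK_R1: sent QR1, ...
# Connection name and SA number are optional: lines such as "initiate on demand" have neither.
PLUTO_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$'
)


def parse_pluto(lines):
    """Yield (conn, sa_number, message) for every line that looks like pluto output."""
    for line in lines:
        m = PLUTO_LINE.match(line.strip())
        if m:
            yield m.group("conn"), m.group("sa"), m.group("msg")


def tunnel_status(lines):
    """Work out how far an IKEv1 responder got, from its own pluto log.

    Verdicts (names chosen for this example): "no_phase1", "phase1_only" (ISAKMP SA
    only), "half_open" (STATE_QUICK_R1 reached: the inbound SA is installed but nothing
    confirms the outbound one) and "established" ("IPsec SA established" was logged).
    """
    s = {
        "isakmp_established": False,    # STATE_MAIN_R3: phase 1 complete
        "nat_detected": None,           # RFC 3947 NAT-D result, if pluto logged one
        "inbound_sa_installed": False,  # STATE_QUICK_R1: can decrypt from peer, cannot send yet
        "ipsec_sa_established": False,  # STATE_QUICK_R2: both halves installed
        "udp_encapsulated": False,      # "ESP/NAT=>" in the established line: UDP 4500 in use
        "verdict": "no_phase1",
    }
    for _conn, _sa, msg in parse_pluto(lines):
        if "ISAKMP SA established" in msg:
            s["isakmp_established"] = True
        elif msg.startswith("NAT-Traversal: Result using"):
            s["nat_detected"] = "no NAT detected" not in msg
        elif "inbound IPsec SA installed" in msg:
            s["inbound_sa_installed"] = True
        elif "IPsec SA established" in msg:
            s["ipsec_sa_established"] = True
            s["udp_encapsulated"] = "ESP/NAT=>" in msg
    if s["ipsec_sa_established"]:
        s["verdict"] = "established"
    elif s["inbound_sa_installed"]:
        s["verdict"] = "half_open"
    elif s["isakmp_established"]:
        s["verdict"] = "phase1_only"
    return s


# Sample input: the 9 Feb log from this thread, trimmed to the lines the analyser keys on.
HALF_OPEN_LOG = """\
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: responding to Main Mode
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 9 11:52:34 linux pluto[25699]: "lnx-win" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
""".splitlines()

# Sample input: the 8 Feb log (forceencaps=yes), where the SA did come up, over NAT-T.
NAT_T_LOG = """\
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #1: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 8 14:04:40 linux pluto[836]: "lnx-win" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x89c5ef96 <0x3d6e53aa xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.1.38 NATD=192.168.1.38:4500 DPD=none}
""".splitlines()

if __name__ == "__main__":
    for name, log in (("9 Feb", HALF_OPEN_LOG), ("8 Feb", NAT_T_LOG)):
        print(name, tunnel_status(log))
```

Fed the whole of /var/log/secure it gives the same answer per connection; the 9 Feb pattern, "half_open" with nat_detected False, is exactly the state Paul describes as Linux waiting on the final Quick Mode message from Windows.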

Pavel Kopchyk | 10 Feb 00:12

Re: [Openswan Users] openswan + Win7 + pre-shared key

Hello

2012/2/9 Den <brusok <at> gmail.com>
> Hello!
> There are no results :(
> I can't use linux, openswan + win7 over VPN.
> I think that the problem is in Windows. But I can't find where it is.
> 
> Linux, openswan, /etc/ipsec.conf:
> conn lnx-win
> type=tunnel
> auto=add
> pfs=yes
> right=192.168.1.38
> left=192.168.1.15
> auth=esp
> authby=secret
> forceencaps=no
> esp=3des-sha1-96
> rekey=no
> dpdaction=clear
> dpddelay=30
> dpdtimeout=30
> 
> ...

You do not use NAT so you do not need it.
Just delete. 

> Windows 7 registry
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\IPSec]
> "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent]
> "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002


I created a policy for Windows, win7-linux_tun.ipsec. You need to import it.
The old policy is better disabled (or removed).

To import this security policy, simply navigate to (and click on) administrative tools (start, settings, control panel), local security policy, right click on IP security policies on local computer, all tasks, import policies and choose the location of the win7-linux_tun.ipsec file you extracted from the zip file win7-linux_tun.ipsec.zip.

How to activate the IPsec policy:
To activate the IPsec policy, simply right click on the new policy (TEST Pol) and choose assign.
You can also use the command prompt to import the security policy; simply type:

netsh ipsec static importpolicy c:\win7-linux_tun.ipsec

Here are the configs for Openswan
cat /etc/ipsec.conf

version 2.0
config setup
klipsdebug=none
plutodebug=none
uniqueids=yes
strictcrlpolicy=no
protostack=netkey
nhelpers=0
oe=off

conn win-tun
type=tunnel
authby=secret
auth=esp
keyingtries=0
compress=no
pfs=yes
esp=3des-sha1
ike=3des-sha1
ikelifetime=7200s
keylife=900s
rekey=yes
rekeymargin=90s
rekeyfuzz=5%
left=192.168.1.15
leftsubnet=192.168.1.15/32
right=192.168.1.38
rightsubnet=192.168.1.38/32
auto=route

cat /etc/ipsec.secrets
192.168.1.15 %any: "test"

Attachment (win7-linux_tun.ipsec.zip): application/zip, 2993 bytes
Den | 10 Feb 12:28

Re: [Openswan Users] openswan + Win7 + pre-shared key

Thanks for the answer!
There is a working configuration.
VPN is OK if I use protostack=netkey.
If I use protostack=klips, VPN doesn't work.
But I'd like to use protostack=klips, because I need the ipsec interface (ipsec0).
Is there a workaround? 
I used Pavel's ipsec.conf configuration and only changed 'auto=route' to 'auto=add', because VPN with protostack=klips didn't start at all. 
Sorry for the long listing.

I don't like these lines (you can see the full listing below)
13:02:50.166199 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:51.165956 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:52.165894 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:55.165892 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46


PROTOSTACK=KLIPS

linux>ipsec auto --status
000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "win-tun" esp.9023a4eb <at> 192.168.1.38 esp.6ba38ad2 <at> 192.168.1.15 ref=2 refhim=1
000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP; nodpd; idle; import:not set

linux,/var/log/secure
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: responding to Main Mode
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.38'
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us: 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

linux>tcpdump -n -i eth0 host 192.168.1.38
device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:02:05.172050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x3), length 76
13:02:10.169239 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x4), length 76
13:02:15.168938 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x5), length 76
13:02:20.168511 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x6), length 76
13:02:25.168122 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x7), length 76
13:02:30.167715 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x8), length 76
13:02:32.009961 ARP, Request who-has 192.168.1.90 tell 192.168.1.38, length 46
13:02:35.167311 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x9), length 76
13:02:40.166957 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0xa), length 76
13:02:45.166405 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
13:02:45.166416 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0xb), length 76
13:02:46.166340 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
13:02:47.166251 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
13:02:50.166199 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:51.165956 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:52.165894 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:55.165892 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:56.165612 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
13:02:57.165531 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46

>tcpdump -n -i ipsec0 host 192.168.1.38
device ipsec0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ipsec0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:59:49.207724 IP 192.168.1.38 > 192.168.1.15: ICMP echo request, id 1, seq 173, length 40

##################

 PROTOSTACK=NETKEY 

linux>ipsec auto --status
000 #3: "win-tun":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 18s; nodpd; idle; import:local rekey
000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 843s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #2: "win-tun" esp.fe035afe <at> 192.168.1.38 esp.85be7d3d <at> 192.168.1.15 ref=0 refhim=4294901761
000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7143s; newest ISAKMP; nodpd; idle; import:local rekey
000

linux,/var/log/secure
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: responding to Main Mode
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.38'
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: us: 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 10 12:45:18 linux pluto[4370]: initiate on demand from 192.168.1.15:0 to 192.168.1.38:0 proto=1 state: fos_start because: acquire
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored informational message

linux>tcpdump -n -i eth0 host 192.168.1.38
device eth0 entered promiscuous mode
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:48:15.854050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x85be7d3d,seq=0x16), length 76
12:48:15.854124 IP 192.168.1.15 > 192.168.1.38: ESP(spi=0xfe035afe,seq=0x15), length 76
12:48:16.856592 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x85be7d3d,seq=0x17), length 76

Paul Wouters | 10 Feb 13:58

Re: [Openswan Users] openswan + Win7 + pre-shared key

On Fri, 10 Feb 2012, Den wrote:

> There is a working configuration.
> VPN is Ok if I use  protostack=netkey.
> If I use protostack=klips VPN doesn't work.

Do you have an interfaces= line in "config setup" ?

> linux>ipsec auto --status
> 000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
> 000 #2: "win-tun" esp.9023a4eb <at> 192.168.1.38 esp.6ba38ad2 <at> 192.168.1.15 ref=2 refhim=1
> 000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP; nodpd; idle; import:not set

So this says there is a tunnel up?

> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us: 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
> QI2
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode
> {ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

This says the tunnel is up too

> linux>tcpdump -n -i eth0 host 192.168.1.38
> device eth0 entered promiscuous mode
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 13:02:05.172050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x3), length 76

This shows crypted packets....

> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
> QI2
> Feb 10 12:45:18 linux pluto[4370]: initiate on demand from 192.168.1.15:0 to 192.168.1.38:0 proto=1 state:
> fos_start because: acquire
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=OAKLEY_GROUP_MODP1024}
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode
> {ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational payload, type INVALID_ID_INFORMATION
> msgid=00000000
> Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored informational message

This shows as a tunnel up, but then it seems to race another connection
that is failing?

What does "ipsec verify" say for you?

Note that excluding NAT is slightly different on netkey and klips stacks
due to the different interface.

Paul
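Paul's three comments above ("a tunnel up", "crypted packets", "seems to race another connection") come from reading the status, the log and the capture side by side. The following added example, not code from the thread or from Openswan, does the capture part mechanically: it parses tcpdump -n lines, counts ESP per direction and SPI, counts the peer's ARP requests for the gateway, and optionally checks whether the SPI the peer sends on is the inbound SPI pluto reports in ipsec auto --status (the esp.xxxxxxxx@192.168.1.15 entry). The sample captures are the thread's KLIPS and NETKEY captures, trimmed; the verdict names and the function signature are this example's own. One caveat when running the SPI check on the thread's own data: the KLIPS status (12:37) and capture (13:02) were taken 25 minutes apart with keylife=900s, so a differing SPI there may simply be a rekey; compare a status and a capture taken at the same time.

```python
import re
from collections import Counter

# tcpdump -n output, as quoted in this thread. Two line shapes matter here:
#   13:02:05.172050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x3), length 76
#   13:02:45.166405 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
ESP_LINE = re.compile(
    r'^\d\d:\d\d:\d\d\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): '
    r'ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\), length \d+$'
)
ARP_LINE = re.compile(
    r'^\d\d:\d\d:\d\d\.\d+ ARP, Request who-has (?P<target>[\d.]+)'
    r'(?: \([0-9a-f:]{17}\))? tell (?P<sender>[\d.]+), length \d+$'
)


def esp_flows(lines, local_ip, peer_ip, expected_inbound_spi=None):
    """Classify a capture taken on the IPsec gateway's outer interface (eth0).

    expected_inbound_spi is the SPI pluto shows for our own address in
    'ipsec auto --status' (the 0x6ba38ad2 in 'esp.6ba38ad2@192.168.1.15'); when given,
    the report says whether the peer is actually sending on that SA.
    """
    esp = Counter()          # (src, dst, spi) -> packet count
    peer_arp_for_us = 0      # ARP who-has <local_ip> asked by the peer
    for raw in lines:
        line = raw.strip()
        m = ESP_LINE.match(line)
        if m:
            esp[(m.group("src"), m.group("dst"), int(m.group("spi"), 16))] += 1
            continue
        m = ARP_LINE.match(line)
        if m and m.group("target") == local_ip and m.group("sender") == peer_ip:
            peer_arp_for_us += 1

    inbound_spis = {spi for (s, d, spi) in esp if s == peer_ip and d == local_ip}
    inbound = sum(n for (s, d, _), n in esp.items() if s == peer_ip and d == local_ip)
    outbound = sum(n for (s, d, _), n in esp.items() if s == local_ip and d == peer_ip)

    if inbound and outbound:
        verdict = "bidirectional"
    elif inbound:
        verdict = "one_way_inbound"    # peer encrypts to us, we never answer in ESP
    elif outbound:
        verdict = "one_way_outbound"
    else:
        verdict = "no_esp"
    return {
        "verdict": verdict,
        "inbound_esp": inbound,
        "outbound_esp": outbound,
        "inbound_spis": sorted(hex(s) for s in inbound_spis),
        "peer_arp_requests_for_us": peer_arp_for_us,
        "spi_matches_pluto": (None if expected_inbound_spi is None
                              else expected_inbound_spi in inbound_spis),
    }


# Sample input: the thread's KLIPS capture, trimmed (ESP arrives, nothing goes back,
# and the Windows host keeps ARPing for the gateway).
KLIPS_CAPTURE = """\
13:02:05.172050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x3), length 76
13:02:10.169239 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x4), length 76
13:02:32.009961 ARP, Request who-has 192.168.1.90 tell 192.168.1.38, length 46
13:02:45.166405 ARP, Request who-has 192.168.1.15 (38:60:77:13:42:e8) tell 192.168.1.38, length 46
13:02:45.166416 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0xb), length 76
13:02:50.166199 ARP, Request who-has 192.168.1.15 tell 192.168.1.38, length 46
""".splitlines()

# Sample input: the thread's NETKEY capture, where ESP flows both ways.
NETKEY_CAPTURE = """\
12:48:15.854050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x85be7d3d,seq=0x16), length 76
12:48:15.854124 IP 192.168.1.15 > 192.168.1.38: ESP(spi=0xfe035afe,seq=0x15), length 76
12:48:16.856592 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x85be7d3d,seq=0x17), length 76
""".splitlines()

if __name__ == "__main__":
    print("klips ", esp_flows(KLIPS_CAPTURE, "192.168.1.15", "192.168.1.38", 0x6ba38ad2))
    print("netkey", esp_flows(NETKEY_CAPTURE, "192.168.1.15", "192.168.1.38", 0x85be7d3d))
```

A "one_way_inbound" verdict is the thing to chase first: the peer's ESP reaches the wire, so the remaining question is on the gateway (decryption, the eroute or route, and the reply path), which on KLIPS means looking at ipsec0 as Den did.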

Den | 10 Feb 16:05

Re: [Openswan Users] openswan + Win7 + pre-shared key


2012/2/10 Paul Wouters <pwouters <at> redhat.com>
> On Fri, 10 Feb 2012, Den wrote:
> 
> > There is a working configuration.
> > VPN is OK if I use protostack=netkey.
> > If I use protostack=klips, VPN doesn't work.
> 
> Do you have an interfaces= line in "config setup" ?

Yes, if protostack=klips. ( interfaces="ipsec0=eth0" )

> > linux>ipsec auto --status
> > 000 #2: "win-tun":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 801s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
> > 000 #2: "win-tun" esp.9023a4eb <at> 192.168.1.38 esp.6ba38ad2 <at> 192.168.1.15 ref=2 refhim=1
> > 000 #1: "win-tun":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 7101s; newest ISAKMP; nodpd; idle; import:not set
> 
> So this says there is a tunnel up?
> 
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #1: the peer proposed: 192.168.1.15/32:0/0 -> 192.168.1.38/32:0/0
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: responding to Quick Mode proposal {msgid:01000000}
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: us: 192.168.1.15/32===192.168.1.15<192.168.1.15>[+S=C]
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: them: 192.168.1.38<192.168.1.38>[+S=C]===192.168.1.38/32
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> > Feb 10 12:37:02 linux pluto[2997]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9023a4eb <0x6ba38ad2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> 
> This says the tunnel is up too
> 
> > linux>tcpdump -n -i eth0 host 192.168.1.38
> > device eth0 entered promiscuous mode
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 13:02:05.172050 IP 192.168.1.38 > 192.168.1.15: ESP(spi=0x2ec052f8,seq=0x3), length 76
> 
> This shows crypted packets....
> 
> > Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> > Feb 10 12:45:18 linux pluto[4370]: initiate on demand from 192.168.1.15:0 to 192.168.1.38:0 proto=1 state: fos_start because: acquire
> > Feb 10 12:45:18 linux pluto[4370]: "win-tun" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:52f4fba5 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
> > Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> > Feb 10 12:45:18 linux pluto[4370]: "win-tun" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xfe035afe <0x85be7d3d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
> > Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
> > Feb 10 12:45:18 linux pluto[4370]: "win-tun" #1: received and ignored informational message
> 
> This shows as a tunnel up, but then it seems to race another connection
> that is failing?
> 
> What does "ipsec verify" say for you?
> 
> Note that excluding NAT is slightly different on netkey and klips stacks
> due to the different interface.
> 
> Paul


NETKEY
>ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.38.8 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]

Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!

[FAILED]

Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!

[OK]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]


KLIPS
>ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.24/K2.6.37 (klips)
Checking for IPsec support in kernel [OK]
KLIPS: checking for NAT Traversal support [OK]
KLIPS: checking for OCF crypto offload support [N/A]
SAref kernel support [N/A]
Testing against enforced SElinux mode [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
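The NETKEY "ipsec verify" run above fails on the two ICMP-redirect sysctls (send_redirects and accept_redirects), and the KLIPS run does not include that test. The following added example, not code from the thread or from Openswan, walks the same /proc/sys/net/ipv4/conf/*/ files ipsec verify reads, reports every interface where either knob is still on, and emits the sysctl.conf lines that clear them; build_fake_proc and the SAMPLE values are constructed for this example so it runs without root or a real kernel.

```python
import os
import tempfile

# The two knobs 'ipsec verify' flags on NETKEY (see the thread): with send_redirects on,
# NETKEY causes the kernel to send bogus ICMP redirects; with accept_redirects on, it
# will accept bogus ICMP redirects.
REDIRECT_KEYS = ("send_redirects", "accept_redirects")


def check_redirects(proc_root="/proc/sys/net/ipv4/conf"):
    """Return {interface: {knob: value}} for every interface where a knob is not 0.

    Walks the same per-interface files 'ipsec verify' looks at; 'all' and 'default'
    are included because the kernel combines 'all' with the per-interface value and
    'default' seeds interfaces that appear later.
    """
    findings = {}
    for iface in sorted(os.listdir(proc_root)):
        for key in REDIRECT_KEYS:
            path = os.path.join(proc_root, iface, key)
            try:
                with open(path) as f:
                    value = int(f.read().strip())
            except (OSError, ValueError):
                continue  # not a conf directory, or unreadable: skip it
            if value != 0:
                findings.setdefault(iface, {})[key] = value
    return findings


def sysctl_fix_lines(findings):
    """The /etc/sysctl.conf lines that clear every knob reported by check_redirects."""
    return [
        f"net.ipv4.conf.{iface}.{key} = 0"
        for iface, keys in sorted(findings.items())
        for key in sorted(keys)
    ]


def build_fake_proc(values):
    """Constructed stand-in for /proc/sys/net/ipv4/conf, so the check runs offline."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    for iface, keys in values.items():
        os.makedirs(os.path.join(root, iface))
        for key, value in keys.items():
            with open(os.path.join(root, iface, key), "w") as f:
                f.write(f"{value}\n")
    return root


# Constructed sample: a host in the state that makes ipsec verify print [FAILED] twice.
SAMPLE = {
    "all":     {"send_redirects": 1, "accept_redirects": 1},
    "default": {"send_redirects": 1, "accept_redirects": 1},
    "eth0":    {"send_redirects": 0, "accept_redirects": 1},
    "lo":      {"send_redirects": 0, "accept_redirects": 0},
}

if __name__ == "__main__":
    root = build_fake_proc(SAMPLE)
    for line in sysctl_fix_lines(check_redirects(root)):
        print(line)
```

Run with no argument it inspects the live /proc tree; append the printed lines to /etc/sysctl.conf and apply them with sysctl -p, then rerun ipsec verify, which should now report [OK] for the XFRM proc values.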
