On Thu, 11 Dec 2014, Ted Toth wrote:

sainfo anonymous
{
   pfs_group 2;
   lifetime time 36 hours ;
   encryption_algorithm 3des, aes ;
   authentication_algorithm hmac_sha1 ;
   compression_algorithm deflate ;
}

ok, 3des-sha1

#base
remote anonymous
{
   exchange_mode main;
   lifetime time 36 hours ;
   proposal {
       encryption_algorithm 3des;
       hash_algorithm sha1;
       authentication_method pre_shared_key;
       dh_group 2;

3des-sha1 and dh2 (modp1024)

spdadd 192.168.10.200 192.168.10.10 any -P out ipsec esp/transport//require;
spdadd 192.168.10.10 192.168.10.200 any -P in  ipsec esp/transport//require;

transport mode.

psk.txt
192.168.10.10        123456789


Openswan
c200.conf:
conn c200
    auto=start
    authby=secret
    type=transport
    left=192.168.10.10
    right=192.168.10.200
    ikelifetime=24h
    salifetime=24h

        type=transport
        ike=3des-sha1;modp1024
        esp=3des-sha1

# basic configuration
config setup
   # Debug-logging controls:  "none" for (almost) none, "all" for lots.
   # klipsdebug=none
   # plutodebug="control parsing"
   # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
   protostack=netkey
   nat_traversal=yes
   virtual_private=

don't leave it empty. either set it or comment out the entire option.

Dec 11 18:16:16 comms racoon: INFO: respond new phase 1 negotiation:
192.168.10.200[500]<=>192.168.10.10[500]
Dec 11 18:16:16 comms racoon: INFO: begin Identity Protection mode.
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID: DPD
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID: RFC 3947
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-03
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02#012
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02
Dec 11 18:16:16 comms racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-00
Dec 11 18:17:06 comms racoon: ERROR: phase1 negotiation failed due to
time up. 7b6f84e2992d11b6:64a1d35251dea3c0

Those logs look incomplete. That is receiving the first packet, but
nothing else?

Logging from openswan side:
Dec 11 17:08:38 comms pluto[2054]: packet from 192.168.10.200:500:
phase 1 message is part of an unknown exchange
Dec 11 17:08:48 comms pluto[2054]: packet from 192.168.10.200:500:
phase 1 message is part of an unknown exchange

Those are from a previous attempt, you've restarted racoon since then.

Dec 11 17:08:50 comms pluto[2054]: "c200" #20: initiating Main Mode
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: received Vendor ID
payload [Dead Peer Detection]
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I2: sent
MI2, expecting MR2

So it started by sending a packet seen above by racoon, then it sent a
second packet that it seems racoon never shows in the log?

Dec 11 17:08:50 comms pluto[2054]: "c200" #20: I will NOT send an
initial contact payload
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: Not sending INITIAL_CONTACT
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I3: sent
MI3, expecting MR3

But we did receive a reply and send our 3rd packet

Dec 11 17:08:59 comms pluto[2054]: packet from 192.168.10.200:500:
phase 1 message is part of an unknown exchange

and racoon has been restarted again??

Dec 11 17:09:01 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:09:11 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:09:21 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3
Dec 11 17:09:31 comms pluto[2054]: "c200" #20: discarding duplicate
packet; already STATE_MAIN_I3

and retransmitting every 10s ?

It's difficult for me, a mere mortal, to parse the logs and figure out
what the issue is, any ideas? Anyone successfully done this, if so can
you share your config?

racoon2 is configured very similarly, we have an example test case at:

https://github.com/libreswan/libreswan/tree/master/testing/pluto/interop-ikev2-racoon-02-psk-responder

Obviously that's for IKEv2, not IKEv1 as you need, but otherwise might
be helpful.

You might want to look at the linux machines not dropping syslog
messages or use plutostderrlog=/var/log/pluto.log to ensure a log
file that didn't get some log messages rate limited.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
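The reading Paul does by hand above (initiator reached STATE_MAIN_I3, never saw MR3, the peer's packets were either "unknown exchange" or duplicates ten seconds apart) can be automated. The following is an added example, not code from the thread or from the Libreswan project: a small Python analyzer that walks pluto syslog lines, tracks each ISAKMP SA through the Main Mode states pluto logs, and reports where the negotiation stalled. The sample input is the pluto log from the thread with the mail wrapping undone. The table of which reply each state waits for is taken from the "sent MIn, expecting MRn" lines pluto prints; the STATE_MAIN_I1 and STATE_MAIN_I4 entries are assumed from pluto's state naming rather than shown on the page.

```python
"""Summarise an IKEv1 Main Mode negotiation from Openswan/Libreswan pluto
syslog lines: which state each ISAKMP SA reached, how many peer packets
were rejected as 'unknown exchange', how many were dropped as duplicates,
and what the initiator was still waiting for when it stalled."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# One syslog line as pluto writes it: "<ts> <host> pluto[<pid>]: <rest>"
PLUTO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (?P<rest>.*)$")
# Lines tied to a connection and SA number: '"c200" #20: ...'
SA_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r"transition from state (?P<src>\S+) to state (?P<dst>\S+)")
DUP_RE = re.compile(r"discarding duplicate packet; already (?P<state>\S+)")
UNKNOWN_RE = re.compile(
    r"^packet from (?P<peer>[\d.]+):\d+: phase 1 message is part of an unknown exchange")

# Main Mode initiator states and the reply each one is waiting for.
# I2/I3 come from pluto's own "expecting MRn" lines; I1/I4 are assumed.
EXPECTING = {"STATE_MAIN_I1": "MR1", "STATE_MAIN_I2": "MR2",
             "STATE_MAIN_I3": "MR3", "STATE_MAIN_I4": None}  # None = established


@dataclass
class SaTrace:
    conn: str
    sa: str
    states: list = field(default_factory=list)      # states in the order reached
    duplicates: list = field(default_factory=list)  # timestamps of dropped duplicates

    @property
    def final_state(self):
        return self.states[-1] if self.states else None

    @property
    def waiting_for(self):
        return EXPECTING.get(self.final_state)

    def retransmit_interval(self):
        """Median spacing in seconds between duplicate packets, or None."""
        if len(self.duplicates) < 2:
            return None
        gaps = sorted((b - a).total_seconds()
                      for a, b in zip(self.duplicates, self.duplicates[1:]))
        return gaps[len(gaps) // 2]


@dataclass
class Report:
    sas: dict = field(default_factory=dict)               # (conn, sa) -> SaTrace
    unknown_exchange: list = field(default_factory=list)  # (timestamp, peer)


def _parse_ts(s, year=1970):
    # syslog timestamps carry no year; a fixed one keeps the deltas right
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def analyze(lines):
    report = Report()
    for line in lines:
        m = PLUTO_RE.match(line.strip())
        if not m:
            continue  # racoon, kernel or other non-pluto lines are ignored
        ts, rest = _parse_ts(m["ts"]), m["rest"]
        u = UNKNOWN_RE.match(rest)
        if u:
            report.unknown_exchange.append((ts, u["peer"]))
            continue
        s = SA_RE.match(rest)
        if not s:
            continue
        trace = report.sas.setdefault((s["conn"], s["sa"]), SaTrace(s["conn"], s["sa"]))
        t = TRANSITION_RE.search(s["msg"])
        if t:
            if not trace.states:
                trace.states.append(t["src"])
            trace.states.append(t["dst"])
        elif DUP_RE.search(s["msg"]):
            trace.duplicates.append(ts)
    return report


def diagnose(report):
    """One finding per SA, plus one for packets pluto could not match to any SA."""
    findings = []
    for tr in report.sas.values():
        if tr.final_state is None:
            continue
        if tr.waiting_for is None:
            findings.append(f'"{tr.conn}" #{tr.sa}: ISAKMP SA established')
            continue
        msg = f'"{tr.conn}" #{tr.sa}: stalled in {tr.final_state}, never received {tr.waiting_for}'
        if tr.duplicates:
            iv = tr.retransmit_interval()
            msg += (f"; peer kept retransmitting its last message ({len(tr.duplicates)} duplicates"
                    + (f", ~{iv:.0f}s apart" if iv else "") + ")")
        findings.append(msg)
    if report.unknown_exchange:
        peers = ", ".join(sorted({p for _, p in report.unknown_exchange}))
        findings.append(f"{len(report.unknown_exchange)} packet(s) from {peers} rejected as "
                        "'unknown exchange': cookies match no SA pluto knows, consistent with "
                        "the peer having been restarted mid-negotiation")
    return findings


# Sample input: the pluto lines quoted in the thread, with mail wrapping undone.
SAMPLE_LOG = """\
Dec 11 17:08:38 comms pluto[2054]: packet from 192.168.10.200:500: phase 1 message is part of an unknown exchange
Dec 11 17:08:48 comms pluto[2054]: packet from 192.168.10.200:500: phase 1 message is part of an unknown exchange
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: initiating Main Mode
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: received Vendor ID payload [Dead Peer Detection]
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: I will NOT send an initial contact payload
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: Not sending INITIAL_CONTACT
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 11 17:08:50 comms pluto[2054]: "c200" #20: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 11 17:08:59 comms pluto[2054]: packet from 192.168.10.200:500: phase 1 message is part of an unknown exchange
Dec 11 17:09:01 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:09:11 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:09:21 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
Dec 11 17:09:31 comms pluto[2054]: "c200" #20: discarding duplicate packet; already STATE_MAIN_I3
"""

if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_LOG.splitlines())):
        print(finding)
```

Pointed at a plutostderrlog file instead of the embedded sample, the same `analyze()` tells you at a glance whether a failed tunnel died on MR1 (peer never answered, or answered with an exchange pluto rejected), MR2 (DH group or proposal mismatch territory) or MR3 (identity or PSK phase), which is the question to settle before comparing the two sides' proposals line by line.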
