[Openswan Users] IPSEC Tunnel To NETASQ
Luc MAIGNAN
2010-12-19 17:48:32 UTC
Hi everybody,

I'm running openSwan under Fedora 14 64 bits.

I have to setup an IPSEC Tunnel (Host To Host) from my Fedora box to a
NETASQ F200 router.

I have a lot of errors, so my first question: IS IT POSSIBLE TO SET UP
SUCH AN ARCHITECTURE?

If no, why ?


Thanks for any help

Best regards
Paul Wouters
2010-12-19 20:59:57 UTC
Post by Luc MAIGNAN
I'm running openSwan under Fedora 14 64 bits.
I have to setup an IPSEC Tunnel (Host To Host) from my Fedora box to a
NETASQ F200 router.
I have a lot of errors, so my first question: IS IT POSSIBLE TO SET UP
SUCH AN ARCHITECTURE?
If the NETASQ F200 router supports IPsec, then yes.

Paul
Luc MAIGNAN
2010-12-19 21:10:35 UTC
Thanks for your answer.

The documentation says that it supports IPSEC.

I can establish phase 1 but not phase 2:

racoon: INFO: initiate new phase 2 negotiation:
192.168.50.181[4500]<=>83.206.50.37[4500]
Dec 17 22:34:59 Fedora-64-2 racoon: INFO: NAT detected -> UDP
encapsulation (ENC_MODE 2->4).
Dec 17 22:34:59 Fedora-64-2 racoon: INFO: NAT detected -> UDP
encapsulation (ENC_MODE 2->4).
Dec 17 22:35:10 Fedora-64-2 racoon: ERROR: 8x.xxx.xx.xx give up to get
IPsec-SA due to time up to wait.
Dec 17 22:35:29 Fedora-64-2 racoon: INFO: IPsec-SA expired: AH/Transport
8x.xxx.xx.xx[0]->192.168.50.181[0] spi=112387376(0x6b2e530)
Dec 17 22:35:29 Fedora-64-2 racoon: WARNING: the expire message is
received but the handler has not been established.
Dec 17 22:35:29 Fedora-64-2 racoon: INFO: IPsec-SA expired:
ESP/Transport 8x.xxx.xx.xx[0]->192.168.50.181[0] spi=82003743(0x4e3471f)
Dec 17 22:35:59 Fedora-64-2 racoon: ERROR: 8x.xxx.xx.xx give up to get
IPsec-SA due to time up to wait.
Dec 17 23:33:26 Fedora-64-2 racoon: INFO: ISAKMP-SA expired
192.168.50.181[4500]-8x.xxx.xx.xx[4500]
spi:621461833610c445:41dcaae6ade3f6d2
Dec 17 23:33:27 Fedora-64-2 racoon: INFO: ISAKMP-SA deleted
192.168.50.181[4500]-8x.xxx.xx.xx[4500]
spi:621461833610c445:41dcaae6ade3f6d2
Dec 17 23:33:27 Fedora-64-2 racoon: INFO: KA remove:
192.168.50.181[4500]->8x.xxx.xx.xx[4500]


Does anyone have an idea?

Best regards
Post by Paul Wouters
Post by Luc MAIGNAN
I'm running openSwan under Fedora 14 64 bits.
I have to setup an IPSEC Tunnel (Host To Host) from my Fedora box to a
NETASQ F200 router.
I have a lot of errors, so my first question: IS IT POSSIBLE TO SET UP
SUCH AN ARCHITECTURE?
If the NETASQ F200 router supports IPsec, then yes.
Paul
Randy Wyatt
2010-12-19 21:17:14 UTC
Don't mix racoon and openswan. racoon is part of ipsec-tools, which is a different implementation.

Randy

-----Original Message-----
From: users-***@openswan.org on behalf of Luc MAIGNAN
Sent: Sun 12/19/2010 1:10 PM
To: Paul Wouters
Cc: ***@openswan.org
Subject: Re: [Openswan Users] IPSEC Tunnel To NETASQ

Thanks for your answer.

The documentation says that it supports IPSEC.

I can establish phase 1 but not phase 2:

racoon: INFO: initiate new phase 2 negotiation:
192.168.50.181[4500]<=>83.206.50.37[4500]
Dec 17 22:34:59 Fedora-64-2 racoon: INFO: NAT detected -> UDP
encapsulation (ENC_MODE 2->4).
Dec 17 22:34:59 Fedora-64-2 racoon: INFO: NAT detected -> UDP
encapsulation (ENC_MODE 2->4).
Dec 17 22:35:10 Fedora-64-2 racoon: ERROR: 8x.xxx.xx.xx give up to get
IPsec-SA due to time up to wait.
Dec 17 22:35:29 Fedora-64-2 racoon: INFO: IPsec-SA expired: AH/Transport
8x.xxx.xx.xx[0]->192.168.50.181[0] spi=112387376(0x6b2e530)
Dec 17 22:35:29 Fedora-64-2 racoon: WARNING: the expire message is
received but the handler has not been established.
Dec 17 22:35:29 Fedora-64-2 racoon: INFO: IPsec-SA expired:
ESP/Transport 8x.xxx.xx.xx[0]->192.168.50.181[0] spi=82003743(0x4e3471f)
Dec 17 22:35:59 Fedora-64-2 racoon: ERROR: 8x.xxx.xx.xx give up to get
IPsec-SA due to time up to wait.
Dec 17 23:33:26 Fedora-64-2 racoon: INFO: ISAKMP-SA expired
192.168.50.181[4500]-8x.xxx.xx.xx[4500]
spi:621461833610c445:41dcaae6ade3f6d2
Dec 17 23:33:27 Fedora-64-2 racoon: INFO: ISAKMP-SA deleted
192.168.50.181[4500]-8x.xxx.xx.xx[4500]
spi:621461833610c445:41dcaae6ade3f6d2
Dec 17 23:33:27 Fedora-64-2 racoon: INFO: KA remove:
192.168.50.181[4500]->8x.xxx.xx.xx[4500]


Does anyone have an idea?

Best regards
Post by Paul Wouters
Post by Luc MAIGNAN
I'm running openSwan under Fedora 14 64 bits.
I have to setup an IPSEC Tunnel (Host To Host) from my Fedora box to a
NETASQ F200 router.
I have a lot of errors, so my first question: IS IT POSSIBLE TO SET UP
SUCH AN ARCHITECTURE?
If the NETASQ F200 router supports IPsec, then yes.
Paul
_______________________________________________
***@openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Paul Wouters
2010-12-19 21:21:56 UTC
That's usually a configuration mismatch.
Post by Luc MAIGNAN
192.168.50.181[4500]<=>83.206.50.37[4500]
Dec 17 22:34:59 Fedora-64-2 racoon: INFO: NAT detected -> UDP encapsulation
(ENC_MODE 2->4).
That's racoon, not openswan.

Paul
Luc MAIGNAN
2010-12-20 09:15:24 UTC
Yes, I had the two packages on my server. So I have removed ipsec-tools
to leave only openswan.

Now when I run: ipsec auto --up ses

I have the error :

022 "ses": We cannot identify ourselves with either end of this connection

How can I solve it?



Another question for me... Pluto tells me:

SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available

Is this normal, or do I still have a configuration problem?

Thanks for any help
Post by Paul Wouters
That's usually a configuration mismatch.
Post by Luc MAIGNAN
192.168.50.181[4500]<=>83.206.50.37[4500]
Dec 17 22:34:59 Fedora-64-2 racoon: INFO: NAT detected -> UDP
encapsulation (ENC_MODE 2->4).
That's racoon, not openswan.
Paul
Gary Long
2010-12-20 09:23:10 UTC
I already had this error message once. Try to use IDs for your left side
and right side in ipsec.conf and ipsec.secrets.

Regards,
Gary
Post by Luc MAIGNAN
022 "ses": We cannot identify ourselves with either end of this connection
How can I solve it?
Luc MAIGNAN
2010-12-20 09:34:01 UTC
In fact, I am the left side and a NETASQ F200 router is the right side.
So I cannot change anything on the right side.

Here is the conf for the left side :

conn ses
        type=tunnel
        connaddrfamily=ipv4
        authby=secret
        salifetime=3600s
        ike=aes-sha1
        phase2alg=aes-sha1
        left=7x.xxx.xxx.xx
        right=8x.xxx.xx.xx
        leftsubnet=192.168.50.0/24
        rightsubnet=172.16.2.0/24
Post by Gary Long
I already had this error message once. Try to use IDs for your left side
and right side in ipsec.conf and ipsec.secrets.
Regards,
Gary
Post by Luc MAIGNAN
022 "ses": We cannot identify ourselves with either end of this connection
How can I solve it?
Paul Wouters
2010-12-20 10:34:36 UTC
Post by Luc MAIGNAN
Yes, I had the two packages on my server. So I have removed ipsec-tools
to leave only openswan.
Now when I run: ipsec auto --up ses
022 "ses": We cannot identify ourselves with either end of this connection
Specify the correct REAL ip address, not the public address of the NAT router.
Post by Luc MAIGNAN
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
Is this normal, or do I still have a configuration problem?
This is harmless. It just means you do not have a kernel that supports those
optional features.

Paul
Luc MAIGNAN
2010-12-20 10:40:10 UTC
I'm so sorry but there are things I can't understand...

My conf is :

conn ses
        type=tunnel
        connaddrfamily=ipv4
        authby=secret
        salifetime=3600s
        ike=aes-sha1
        phase2alg=aes-sha1
        left=7x.xxx.xxx.xx
        right=8x.xxx.xx.xx
        leftsubnet=192.168.50.0/24
        rightsubnet=172.16.2.0/24

If I don't put the public IP address of the NAT router in the 'right'
field, how can it reach it to make the tunnel? Or shall I put the public
IP address in another place?

Luc
Post by Paul Wouters
Post by Luc MAIGNAN
Yes, I had the two packages on my server. So I have removed ipsec-tools
to leave only openswan.
Now when I run: ipsec auto --up ses
022 "ses": We cannot identify ourselves with either end of this connection
Specify the correct REAL ip address, not the public address of the NAT router.
Post by Luc MAIGNAN
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
Is this normal, or do I still have a configuration problem?
This is harmless. It just means you do not have a kernel that supports those
optional features.
Paul
Paul Wouters
2010-12-20 10:50:06 UTC
Post by Luc MAIGNAN
I'm so sorry but there are things I can't understand...
conn ses
        type=tunnel
        connaddrfamily=ipv4
        authby=secret
        salifetime=3600s
        ike=aes-sha1
        phase2alg=aes-sha1
        left=7x.xxx.xxx.xx
        right=8x.xxx.xx.xx
        leftsubnet=192.168.50.0/24
        rightsubnet=172.16.2.0/24
If I don't put the public IP address of the NAT router in the 'right'
field, how can it reach it to make the tunnel? Or shall I put the public
IP address in another place?
Probably using this will work fine (assuming left= is your local side)

conn ses
        type=tunnel
        connaddrfamily=ipv4
        authby=secret
        salifetime=3600s
        ike=aes-sha1
        phase2alg=aes-sha1
        left=%defaultroute
        leftid=7x.xxx.xxx.xx
        right=8x.xxx.xx.xx
        leftsubnet=192.168.50.0/24
        rightsubnet=172.16.2.0/24


Paul
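An added example, not Paul's or the Openswan project's code, that puts Gary's advice (use IDs in ipsec.conf and ipsec.secrets) together with Paul's left=%defaultroute plus leftid= fix: it writes the corrected conn and a matching ipsec.secrets line into a temporary directory, then checks that the PSK index in ipsec.secrets matches the IDs pluto will use for that conn (leftid, falling back to left=, and rightid, falling back to right=). The addresses are the masked ones from this thread, the secret is a placeholder, and the helper names are assumptions of mine.

```shell
#!/bin/sh
# Added example (not from the thread): write the corrected conn plus a matching
# ipsec.secrets entry, and verify that the secrets index matches the conn's IDs.
# Addresses are the masked values from the thread; the PSK is a placeholder.

write_sample_config() {
    # $1 = directory to write ipsec.conf and ipsec.secrets into
    cat > "$1/ipsec.conf" <<'EOF'
conn ses
        type=tunnel
        connaddrfamily=ipv4
        authby=secret
        salifetime=3600s
        ike=aes-sha1
        phase2alg=aes-sha1
        left=%defaultroute
        leftid=7x.xxx.xxx.xx
        right=8x.xxx.xx.xx
        leftsubnet=192.168.50.0/24
        rightsubnet=172.16.2.0/24
EOF
    cat > "$1/ipsec.secrets" <<'EOF'
# index: <our ID> <peer ID> : PSK "<shared secret>"
7x.xxx.xxx.xx 8x.xxx.xx.xx : PSK "REPLACE_WITH_REAL_SHARED_SECRET"
EOF
}

conn_value() {
    # $1 = ipsec.conf, $2 = conn name, $3 = key; prints the value or nothing.
    awk -v conn="$2" -v key="$3" '
        /^conn / { inconn = ($2 == conn) }
        inconn && $0 ~ ("^[ \t]*" key "=") { sub(/^[ \t]*[^=]*=/, ""); print; exit }
    ' "$1"
}

re_escape() {
    # Escape dots so an ID can be used literally inside a grep -E pattern.
    printf '%s' "$1" | sed 's/[.]/\\./g'
}

psk_index_matches() {
    # $1 = ipsec.conf, $2 = ipsec.secrets, $3 = conn name
    # Returns 0 when ipsec.secrets has a PSK line indexed by this conn's IDs,
    # 2 when the conn has no usable ID (left=%defaultroute without leftid=).
    ourid=$(conn_value "$1" "$3" leftid)
    [ -n "$ourid" ] || ourid=$(conn_value "$1" "$3" left)
    peerid=$(conn_value "$1" "$3" rightid)
    [ -n "$peerid" ] || peerid=$(conn_value "$1" "$3" right)
    case "$ourid$peerid" in *%*) return 2 ;; esac
    a=$(re_escape "$ourid"); b=$(re_escape "$peerid")
    grep -Eq "^[[:space:]]*$a[[:space:]]+$b[[:space:]]*:[[:space:]]*PSK" "$2" ||
    grep -Eq "^[[:space:]]*$b[[:space:]]+$a[[:space:]]*:[[:space:]]*PSK" "$2"
}

# Stand-alone demo: files go to a temp dir, nothing under /etc is touched.
d=$(mktemp -d)
write_sample_config "$d"
echo "conn ses uses ID $(conn_value "$d/ipsec.conf" ses leftid) for this host"
if psk_index_matches "$d/ipsec.conf" "$d/ipsec.secrets" ses; then
    echo 'ipsec.secrets has a PSK line for this conn'
else
    echo 'no PSK line matches leftid/right; pluto cannot find a preshared key for it'
fi
rm -rf "$d"
```

The check deliberately refuses a conn whose only local identity is `%defaultroute`: that value is resolved to an interface address at load time and is not an ID, so a secrets line cannot be indexed by it, which is why `leftid=` has to be set explicitly when `left=%defaultroute` is used with a PSK.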
Luc MAIGNAN
2010-12-20 11:06:46 UTC
Yes, your tip succeeded in removing my error message!

But unfortunately, the connection isn't up yet.

It looks like I hit a timeout during phase 2.


Do you have any other idea?

Many thanks for your help

Regards
Post by Paul Wouters
Post by Luc MAIGNAN
I'm so sorry but there are things I can't understand...
conn ses
        type=tunnel
        connaddrfamily=ipv4
        authby=secret
        salifetime=3600s
        ike=aes-sha1
        phase2alg=aes-sha1
        left=7x.xxx.xxx.xx
        right=8x.xxx.xx.xx
        leftsubnet=192.168.50.0/24
        rightsubnet=172.16.2.0/24
If I don't put the public IP address of the NAT router in the 'right'
field, how can it reach it to make the tunnel? Or shall I put the public
IP address in another place?
Probably using this will work fine (assuming left= is your local side)
conn ses
        type=tunnel
        connaddrfamily=ipv4
        authby=secret
        salifetime=3600s
        ike=aes-sha1
        phase2alg=aes-sha1
        left=%defaultroute
        leftid=7x.xxx.xxx.xx
        right=8x.xxx.xx.xx
        leftsubnet=192.168.50.0/24
        rightsubnet=172.16.2.0/24
Paul
Paul Wouters
2010-12-20 11:21:48 UTC
Post by Luc MAIGNAN
Yes, your tip succeeded in removing my error message!
But unfortunately, the connection isn't up yet.
It looks like I hit a timeout during phase 2.
check /var/log/secure or /var/log/auth* for log messages?

Or show the output of:

ipsec auto --replace ses
ipsec auto --up ses

You might also want to check your system with:

ipsec verify

Paul
Luc MAIGNAN
2010-12-20 11:29:49 UTC
"ipsec auto --up ses" gives:

ipsec auto --up ses
104 "ses" #4: STATE_MAIN_I1: initiate
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response


"ipsec verify" gives:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.31/K2.6.35.9-64.fc14.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Post by Paul Wouters
Post by Luc MAIGNAN
Yes, your tip succeeded in removing my error message!
But unfortunately, the connection isn't up yet.
It looks like I hit a timeout during phase 2.
check /var/log/secure or /var/log/auth* for log messages?
ipsec auto --replace ses
ipsec auto --up ses
ipsec verify
Paul
Paul Wouters
2010-12-20 11:35:04 UTC
Post by Luc MAIGNAN
ipsec auto --up ses
104 "ses" #4: STATE_MAIN_I1: initiate
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
There is a firewall active somewhere.

Paul
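The state name in the retransmission lines is the clue Paul is reading: STATE_MAIN_I1 means the very first main-mode packet was sent and nothing ever came back, so on this Openswan host IKE never got past its first message (the "phase 1 OK" seen earlier in the thread came from racoon's log, a different daemon). As an added example that is not part of the thread, the shell function below sorts `ipsec auto --up` output into the failure modes the thread has hit so far and maps each to the fix or next check that was given. The sample outputs are constructed: two are the lines Luc posted, the phase 2 and tunnel-up samples are hypothetical lines in pluto's message format, and the label and helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify "ipsec auto --up <conn>" output
# by the state in which pluto stops getting answers.

# Constructed sample: the output Luc posted (first IKE packet never answered).
SAMPLE_PHASE1_NO_REPLY='104 "ses" #4: STATE_MAIN_I1: initiate
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response'

# Constructed sample: the error from earlier in the thread.
SAMPLE_NO_IDENTITY='022 "ses": We cannot identify ourselves with either end of this connection'

# Constructed (hypothetical) sample of a phase 2 stall: ISAKMP SA established,
# quick mode gets no answer. Lines follow pluto's message format.
SAMPLE_PHASE2_NO_REPLY='104 "ses" #5: STATE_MAIN_I1: initiate
106 "ses" #5: STATE_MAIN_I2: sent MI2, expecting MR2
108 "ses" #5: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ses" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
117 "ses" #6: STATE_QUICK_I1: initiate
010 "ses" #6: STATE_QUICK_I1: retransmission; will wait 20s for response'

# Constructed (hypothetical) sample of a working tunnel; SPIs are placeholders.
SAMPLE_UP='117 "ses" #6: STATE_QUICK_I1: initiate
004 "ses" #6: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0000abcd <0x0000ef01 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}'

classify_pluto_output() {
    # Reads pluto output on stdin; prints exactly one label.
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'cannot identify ourselves'; then
        echo no-local-address   # left=/right= is not an address on this host
    elif printf '%s\n' "$out" | grep -q 'IPsec SA established'; then
        echo tunnel-up
    elif printf '%s\n' "$out" | grep -q 'STATE_QUICK_I1: retransmission'; then
        echo phase2-no-reply    # phase 1 agreed; peer ignores/rejects the phase 2 proposal
    elif printf '%s\n' "$out" | grep -q 'STATE_MAIN_I1: retransmission'; then
        echo phase1-no-reply    # first IKE packet unanswered: udp/500 blocked or wrong peer
    else
        echo unknown
    fi
}

explain_label() {
    # Maps a label to the fix the thread arrived at, or the usual next check.
    case "$1" in
        no-local-address) echo 'Use left=%defaultroute with leftid=<public address>; left= must be an address of this host.' ;;
        phase1-no-reply)  echo 'No IKE reply at all: allow udp/500, udp/4500 (NAT-T) and ESP on both firewalls, and verify the peer address.' ;;
        phase2-no-reply)  echo 'Phase 1 agreed but phase 2 did not: compare phase2alg, leftsubnet/rightsubnet and type= with the peer.' ;;
        tunnel-up)        echo 'IPsec SA established.' ;;
        *)                echo 'Unrecognised output; read the pluto log (/var/log/secure on Fedora).' ;;
    esac
}

# Stand-alone demo over the constructed samples.
for s in "$SAMPLE_NO_IDENTITY" "$SAMPLE_PHASE1_NO_REPLY" "$SAMPLE_PHASE2_NO_REPLY" "$SAMPLE_UP"; do
    label=$(printf '%s\n' "$s" | classify_pluto_output)
    printf '%-18s %s\n' "$label" "$(explain_label "$label")"
done
```

In practice you pipe the real command through it (`ipsec auto --up ses 2>&1 | classify_pluto_output`); the checks are ordered so that a transcript containing an established SA is never misread as a stall by the retransmissions that preceded it.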
Luc MAIGNAN
2010-12-20 11:39:56 UTC
Indeed.
On my side I have an iptables-driven firewall.
I have enabled the protocols ESP and AH. Is that enough, or are there other
rules I have to set?
Post by Paul Wouters
Post by Luc MAIGNAN
ipsec auto --up ses
104 "ses" #4: STATE_MAIN_I1: initiate
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
There is a firewall active somewhere.
Paul
Luc MAIGNAN
2010-12-20 15:12:11 UTC
If the problem is the firewall, why is phase 1 OK?
I mean that because phase 1 is OK, the firewall is not the cause.
Am I right?
Post by Paul Wouters
Post by Luc MAIGNAN
ipsec auto --up ses
104 "ses" #4: STATE_MAIN_I1: initiate
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
There is a firewall active somewhere.
Paul
Willie Gillespie
2010-12-21 00:32:14 UTC
Besides ESP, IPsec talks on udp/500 (and udp/4500 with NAT-T).
Perhaps iptables -L output would be handy... or perhaps the ports are
filtered on the NETASQ side.
Post by Luc MAIGNAN
If the problem is the firewall, why is phase 1 OK?
I mean that because phase 1 is OK, the firewall is not the cause.
Am I right?
Post by Paul Wouters
Post by Luc MAIGNAN
ipsec auto --up ses
104 "ses" #4: STATE_MAIN_I1: initiate
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "ses" #4: STATE_MAIN_I1: retransmission; will wait 40s for response
There is a firewall active somewhere.
Paul
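Willie's list (udp/500 for IKE, udp/4500 for NAT-T, ESP for the data) is exactly what a rule set opened only for ESP and AH lacks. As an added example, not from the thread or from Openswan, the shell below reads `iptables -S INPUT` style output, reports which of the three are not accepted, and prints the rules to add for a given peer. Both rule listings are constructed (one mirrors the ESP/AH-only set Luc describes, the other is complete), the peer address is the masked one from the thread, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables INPUT chain for what an
# Openswan peer must be allowed to send us, and print the missing rules.

# Constructed sample: only ESP and AH opened (the situation Luc describes).
SAMPLE_RULES_ESP_ONLY='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT'

# Constructed sample: IKE (udp/500), NAT-T (udp/4500) and ESP accepted from the peer.
SAMPLE_RULES_COMPLETE='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 8x.xxx.xx.xx/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 8x.xxx.xx.xx/32 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 8x.xxx.xx.xx/32 -p esp -j ACCEPT'

missing_ipsec_rules() {
    # Reads "iptables -S INPUT" output on stdin; prints the missing pieces
    # (space separated) or nothing when all three are accepted.
    rules=$(cat)
    missing=''
    printf '%s\n' "$rules" | grep -Eq -e '^-A INPUT .*-p udp .*--dport 500( |$).*-j ACCEPT' ||
        missing="$missing udp/500"
    printf '%s\n' "$rules" | grep -Eq -e '^-A INPUT .*-p udp .*--dport 4500( |$).*-j ACCEPT' ||
        missing="$missing udp/4500"
    printf '%s\n' "$rules" | grep -Eq -e '^-A INPUT .*-p esp .*-j ACCEPT' ||
        missing="$missing esp"
    echo "${missing# }"
}

ipsec_iptables_rules() {
    # $1 = peer address. Prints the iptables commands to add for that peer.
    # Restricting by source keeps the IKE port closed to everyone else.
    peer="$1"
    printf 'iptables -A INPUT -s %s -p udp -m udp --dport 500 -j ACCEPT\n' "$peer"
    printf 'iptables -A INPUT -s %s -p udp -m udp --dport 4500 -j ACCEPT\n' "$peer"
    printf 'iptables -A INPUT -s %s -p esp -j ACCEPT\n' "$peer"
}

# Stand-alone demo over the constructed rule sets; nothing is applied here.
for rs in "$SAMPLE_RULES_ESP_ONLY" "$SAMPLE_RULES_COMPLETE"; do
    m=$(printf '%s\n' "$rs" | missing_ipsec_rules)
    if [ -n "$m" ]; then echo "missing: $m"; else echo "all IPsec rules present"; fi
done
echo 'rules to add for the peer:'
ipsec_iptables_rules 8x.xxx.xx.xx
```

On a live host run `iptables -S INPUT | missing_ipsec_rules`. AH is not required for an ESP tunnel like the one in this thread. One NETKEY-specific point for the same firewall: after decryption the inner packets traverse the INPUT or FORWARD chain again as plain IP, so the remote subnet (172.16.2.0/24 here) also needs to be allowed, and `-m policy --dir in --pol ipsec` lets a rule match only traffic that arrived through the tunnel.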